Edit tour

Windows Analysis Report
SecuriteInfo.com.W32.Trojan.SW.gen.Eldorado.19987.15855.exe

Overview

General Information

Sample name:	SecuriteInfo.com.W32.Trojan.SW.gen.Eldorado.19987.15855.exe
Analysis ID:	1482798
MD5:	73457bb8a567efa5f99f7c4962ce1393
SHA1:	a6924039c86ccdaa16d2221da09d713de8cf9996
SHA256:	7942971e2a6b2af6bf4b1d0cc397fa9d67c2f3a90bf5cc241ff3a3ed362f5d67
Tags:	exe
Infos:

Detection

FormBook

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Malicious sample detected (through community Yara rule)

Multi AV Scanner detection for submitted file

Yara detected AntiVM3

Yara detected FormBook

.NET source code contains potential unpacker

.NET source code contains very large array initializations

AI detected suspicious sample

Adds a directory exclusion to Windows Defender

Allocates memory in foreign processes

Injects a PE file into a foreign processes

Loading BitLocker PowerShell Module

Machine Learning detection for sample

Sigma detected: Powershell Base64 Encoded MpPreference Cmdlet

Writes to foreign memory regions

Allocates memory with a write watch (potentially for evading sandboxes)

Checks if the current process is being debugged

Contains functionality for execution timing, often used to detect debuggers

Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)

Contains functionality to call native functions

Contains functionality to read the PEB

Contains long sleeps (>= 3 min)

Creates a process in suspended mode (likely to inject code)

Detected potential crypto function

Enables debug privileges

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

Found inlined nop instructions (likely shell or obfuscated code)

Found large amount of non-executed APIs

Found potential string decryption / allocating functions

May sleep (evasive loops) to hinder dynamic analysis

Queries the volume information (name, serial number etc) of a device

Sample file is different than original file name gathered from version info

Sigma detected: Powershell Defender Exclusion

Uses 32bit PE files

Uses code obfuscation techniques (call, push, ret)

Yara signature match

Classification

Process Tree

System is w10x64

SecuriteInfo.com.W32.Trojan.SW.gen.Eldorado.19987.15855.exe (PID: 7320 cmdline: "C:\Users\user\Desktop\SecuriteInfo.com.W32.Trojan.SW.gen.Eldorado.19987.15855.exe" MD5: 73457BB8A567EFA5F99F7C4962CE1393)

powershell.exe (PID: 7492 cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\SecuriteInfo.com.W32.Trojan.SW.gen.Eldorado.19987.15855.exe" MD5: C32CA4ACFCC635EC1EA6ED8A34DF5FAC)

conhost.exe (PID: 7508 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

WmiPrvSE.exe (PID: 7660 cmdline: C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding MD5: 60FF40CFD7FB8FE41EE4FE9AE5FE1C51)

RegSvcs.exe (PID: 7500 cmdline: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe" MD5: 9D352BC46709F0CB5EC974633A0C3C94)

cleanup

Malware Threat Intel

Provided by

Name	Description	Attribution	Blogpost URLs	Link
Formbook, Formbo	FormBook contains a unique crypter RunPE that has unique behavioral patterns subject to detection. It was initially called "Babushka Crypter" by Insidemalware.	SWEED Cobalt	http://blog.inquest.net/blog/2018/06/22/a-look-at-formbook-stealer/ http://cambuz.blogspot.de/2016/06/form-grabber-2016-cromeffoperathunderbi.html http://www.vkremez.com/2018/01/lets-learn-dissecting-formbook.html https://0xmrmagnezi.github.io/malware%20analysis/FormBook/ https://any.run/cybersecurity-blog/xloader-formbook-encryption-analysis-and-malware-decryption/	https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook

Yara Signatures

Memory Dumps

Source	Rule	Description	Author	Strings
00000003.00000002.1951644033.0000000000400000.00000040.00000400.00020000.00000000.sdmp	JoeSecurity_FormBook_1	Yara detected FormBook	Joe Security
00000003.00000002.1951644033.0000000000400000.00000040.00000400.00020000.00000000.sdmp	Windows_Trojan_Formbook_1112e116	unknown	unknown	0x2ef23:$a2: 74 0A 4E 0F B6 08 8D 44 08 01 75 F6 8D 70 01 0F B6 00 8D 55 0x179a2:$a3: 1A D2 80 E2 AF 80 C2 7E EB 2A 80 FA 2F 75 11 8A D0 80 E2 01
00000003.00000002.1952219358.0000000001840000.00000004.00001000.00020000.00000000.sdmp	JoeSecurity_FormBook_1	Yara detected FormBook	Joe Security
00000003.00000002.1952219358.0000000001840000.00000004.00001000.00020000.00000000.sdmp	Windows_Trojan_Formbook_1112e116	unknown	unknown	0x2bd60:$a2: 74 0A 4E 0F B6 08 8D 44 08 01 75 F6 8D 70 01 0F B6 00 8D 55 0x147df:$a3: 1A D2 80 E2 AF 80 C2 7E EB 2A 80 FA 2F 75 11 8A D0 80 E2 01
Process Memory Space: SecuriteInfo.com.W32.Trojan.SW.gen.Eldorado.19987.15855.exe PID: 7320	JoeSecurity_AntiVM_3	Yara detected AntiVM_3	Joe Security

Unpacked PEs

Source	Rule	Description	Author	Strings
3.2.RegSvcs.exe.400000.0.raw.unpack	JoeSecurity_FormBook_1	Yara detected FormBook	Joe Security
3.2.RegSvcs.exe.400000.0.raw.unpack	Windows_Trojan_Formbook_1112e116	unknown	unknown	0x2ef23:$a2: 74 0A 4E 0F B6 08 8D 44 08 01 75 F6 8D 70 01 0F B6 00 8D 55 0x179a2:$a3: 1A D2 80 E2 AF 80 C2 7E EB 2A 80 FA 2F 75 11 8A D0 80 E2 01
3.2.RegSvcs.exe.400000.0.unpack	JoeSecurity_FormBook_1	Yara detected FormBook	Joe Security
3.2.RegSvcs.exe.400000.0.unpack	Windows_Trojan_Formbook_1112e116	unknown	unknown	0x2e123:$a2: 74 0A 4E 0F B6 08 8D 44 08 01 75 F6 8D 70 01 0F B6 00 8D 55 0x16ba2:$a3: 1A D2 80 E2 AF 80 C2 7E EB 2A 80 FA 2F 75 11 8A D0 80 E2 01

Sigma Signatures

System Summary

Sigma detected: Powershell Base64 Encoded MpPreference Cmdlet

Source: Process started

Author: Florian Roth (Nextron Systems): Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\SecuriteInfo.com.W32.Trojan.SW.gen.Eldorado.19987.15855.exe", CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\SecuriteInfo.com.W32.Trojan.SW.gen.Eldorado.19987.15855.exe", CommandLine|base64offset|contains: ~2yzw, Image: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Users\user\Desktop\SecuriteInfo.com.W32.Trojan.SW.gen.Eldorado.19987.15855.exe", ParentImage: C:\Users\user\Desktop\SecuriteInfo.com.W32.Trojan.SW.gen.Eldorado.19987.15855.exe, ParentProcessId: 7320, ParentProcessName: SecuriteInfo.com.W32.Trojan.SW.gen.Eldorado.19987.15855.exe, ProcessCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\SecuriteInfo.com.W32.Trojan.SW.gen.Eldorado.19987.15855.exe", ProcessId: 7492, ProcessName: powershell.exe

Sigma detected: Powershell Defender Exclusion

Source: Process started

Sigma detected: Non Interactive PowerShell Process Spawned

Source: Process started

Author: Roberto Rodriguez @Cyb3rWard0g (rule), oscd.community (improvements): Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\SecuriteInfo.com.W32.Trojan.SW.gen.Eldorado.19987.15855.exe", CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\SecuriteInfo.com.W32.Trojan.SW.gen.Eldorado.19987.15855.exe", CommandLine|base64offset|contains: ~2yzw, Image: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Users\user\Desktop\SecuriteInfo.com.W32.Trojan.SW.gen.Eldorado.19987.15855.exe", ParentImage: C:\Users\user\Desktop\SecuriteInfo.com.W32.Trojan.SW.gen.Eldorado.19987.15855.exe, ParentProcessId: 7320, ParentProcessName: SecuriteInfo.com.W32.Trojan.SW.gen.Eldorado.19987.15855.exe, ProcessCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\SecuriteInfo.com.W32.Trojan.SW.gen.Eldorado.19987.15855.exe", ProcessId: 7492, ProcessName: powershell.exe

Snort Signatures

⊘No Snort rule has matched

Suricata Signatures

ET EXPLOIT Possible CVE-2016-2211 Symantec Cab Parsing Buffer Overflow - Source IP: 20.114.59.183 - Destination IP: 192.168.2.4

Timestamp:	2024-07-26T07:27:57.164403+0200
SID:	2022930
Source Port:	443
Destination Port:	49741
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET EXPLOIT Possible CVE-2016-2211 Symantec Cab Parsing Buffer Overflow - Source IP: 20.114.59.183 - Destination IP: 192.168.2.4

Timestamp:	2024-07-26T07:27:19.099736+0200
SID:	2022930
Source Port:	443
Destination Port:	49735
Protocol:	TCP
Classtype:	A Network Trojan was detected

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Multi AV Scanner detection for submitted file

Source: SecuriteInfo.com.W32.Trojan.SW.gen.Eldorado.19987.15855.exe	ReversingLabs: Detection: 36%
Source: SecuriteInfo.com.W32.Trojan.SW.gen.Eldorado.19987.15855.exe	Virustotal: Detection: 33%			Perma Link

Yara detected FormBook

Source: Yara match	File source: 3.2.RegSvcs.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.2.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000003.00000002.1951644033.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000002.1952219358.0000000001840000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY

AI detected suspicious sample

Source: Submited Sample

Integrated Neural Analysis Model: Matched 100.0% probability

Machine Learning detection for sample

Source: SecuriteInfo.com.W32.Trojan.SW.gen.Eldorado.19987.15855.exe

Joe Sandbox ML: detected

Source: SecuriteInfo.com.W32.Trojan.SW.gen.Eldorado.19987.15855.exe

Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE

Source: SecuriteInfo.com.W32.Trojan.SW.gen.Eldorado.19987.15855.exe

Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Source:	Binary string: wntdll.pdbUGP source: RegSvcs.exe, 00000003.00000002.1952342139.0000000001940000.00000040.00001000.00020000.00000000.sdmp
Source:	Binary string: wntdll.pdb source: RegSvcs.exe, RegSvcs.exe, 00000003.00000002.1952342139.0000000001940000.00000040.00001000.00020000.00000000.sdmp

Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.Trojan.SW.gen.Eldorado.19987.15855.exe	Code function: 4x nop then jmp 07E77AEBh		0_2_07E77F28
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.Trojan.SW.gen.Eldorado.19987.15855.exe	Code function: 4x nop then jmp 07E77AEBh		0_2_07E7803D

Source: SecuriteInfo.com.W32.Trojan.SW.gen.Eldorado.19987.15855.exe, 00000000.00000002.1737300139.00000000033A1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name8
Source: SecuriteInfo.com.W32.Trojan.SW.gen.Eldorado.19987.15855.exe, 00000000.00000002.1742583735.0000000007532000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0
Source: SecuriteInfo.com.W32.Trojan.SW.gen.Eldorado.19987.15855.exe, 00000000.00000002.1742583735.0000000007532000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.carterandcone.coml
Source: SecuriteInfo.com.W32.Trojan.SW.gen.Eldorado.19987.15855.exe, 00000000.00000002.1742583735.0000000007532000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.fontbureau.com
Source: SecuriteInfo.com.W32.Trojan.SW.gen.Eldorado.19987.15855.exe, 00000000.00000002.1742583735.0000000007532000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.fontbureau.com/designers
Source: SecuriteInfo.com.W32.Trojan.SW.gen.Eldorado.19987.15855.exe, 00000000.00000002.1742583735.0000000007532000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.fontbureau.com/designers/?
Source: SecuriteInfo.com.W32.Trojan.SW.gen.Eldorado.19987.15855.exe, 00000000.00000002.1742583735.0000000007532000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.fontbureau.com/designers/cabarga.htmlN
Source: SecuriteInfo.com.W32.Trojan.SW.gen.Eldorado.19987.15855.exe, 00000000.00000002.1742583735.0000000007532000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.fontbureau.com/designers/frere-user.html
Source: SecuriteInfo.com.W32.Trojan.SW.gen.Eldorado.19987.15855.exe, 00000000.00000002.1742583735.0000000007532000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.fontbureau.com/designers8
Source: SecuriteInfo.com.W32.Trojan.SW.gen.Eldorado.19987.15855.exe, 00000000.00000002.1742583735.0000000007532000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.fontbureau.com/designers?
Source: SecuriteInfo.com.W32.Trojan.SW.gen.Eldorado.19987.15855.exe, 00000000.00000002.1742583735.0000000007532000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.fontbureau.com/designersG
Source: SecuriteInfo.com.W32.Trojan.SW.gen.Eldorado.19987.15855.exe, 00000000.00000002.1742583735.0000000007532000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.fonts.com
Source: SecuriteInfo.com.W32.Trojan.SW.gen.Eldorado.19987.15855.exe, 00000000.00000002.1742583735.0000000007532000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.founder.com.cn/cn
Source: SecuriteInfo.com.W32.Trojan.SW.gen.Eldorado.19987.15855.exe, 00000000.00000002.1742583735.0000000007532000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.founder.com.cn/cn/bThe
Source: SecuriteInfo.com.W32.Trojan.SW.gen.Eldorado.19987.15855.exe, 00000000.00000002.1742583735.0000000007532000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.founder.com.cn/cn/cThe
Source: SecuriteInfo.com.W32.Trojan.SW.gen.Eldorado.19987.15855.exe, 00000000.00000002.1742583735.0000000007532000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.galapagosdesign.com/DPlease
Source: SecuriteInfo.com.W32.Trojan.SW.gen.Eldorado.19987.15855.exe, 00000000.00000002.1742583735.0000000007532000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.galapagosdesign.com/staff/dennis.htm
Source: SecuriteInfo.com.W32.Trojan.SW.gen.Eldorado.19987.15855.exe, 00000000.00000002.1742583735.0000000007532000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.goodfont.co.kr
Source: SecuriteInfo.com.W32.Trojan.SW.gen.Eldorado.19987.15855.exe, 00000000.00000002.1742583735.0000000007532000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.jiyu-kobo.co.jp/
Source: SecuriteInfo.com.W32.Trojan.SW.gen.Eldorado.19987.15855.exe, 00000000.00000002.1742583735.0000000007532000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.sajatypeworks.com
Source: SecuriteInfo.com.W32.Trojan.SW.gen.Eldorado.19987.15855.exe, 00000000.00000002.1742583735.0000000007532000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.sakkal.com
Source: SecuriteInfo.com.W32.Trojan.SW.gen.Eldorado.19987.15855.exe, 00000000.00000002.1742583735.0000000007532000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.sandoll.co.kr
Source: SecuriteInfo.com.W32.Trojan.SW.gen.Eldorado.19987.15855.exe, 00000000.00000002.1742583735.0000000007532000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.tiro.com
Source: SecuriteInfo.com.W32.Trojan.SW.gen.Eldorado.19987.15855.exe, 00000000.00000002.1742583735.0000000007532000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.typography.netD
Source: SecuriteInfo.com.W32.Trojan.SW.gen.Eldorado.19987.15855.exe, 00000000.00000002.1742583735.0000000007532000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.urwpp.deDPlease
Source: SecuriteInfo.com.W32.Trojan.SW.gen.Eldorado.19987.15855.exe, 00000000.00000002.1742583735.0000000007532000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.zhongyicts.com.cn

E-Banking Fraud

Yara detected FormBook

Source: Yara match	File source: 3.2.RegSvcs.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.2.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000003.00000002.1951644033.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000002.1952219358.0000000001840000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY

System Summary

Malicious sample detected (through community Yara rule)

Source: 3.2.RegSvcs.exe.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: 3.2.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: 00000003.00000002.1951644033.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: 00000003.00000002.1952219358.0000000001840000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown

.NET source code contains very large array initializations

Source: SecuriteInfo.com.W32.Trojan.SW.gen.Eldorado.19987.15855.exe, AspMvcViewLocationFormatAttribute.cs

Large array initialization: : array initializer size 629909

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 3_2_0042C1F3 NtClose,	3_2_0042C1F3
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 3_2_019B2B60 NtClose,LdrInitializeThunk,	3_2_019B2B60
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 3_2_019B2DF0 NtQuerySystemInformation,LdrInitializeThunk,	3_2_019B2DF0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 3_2_019B2C70 NtFreeVirtualMemory,LdrInitializeThunk,	3_2_019B2C70
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 3_2_019B35C0 NtCreateMutant,LdrInitializeThunk,	3_2_019B35C0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 3_2_019B4340 NtSetContextThread,	3_2_019B4340
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 3_2_019B4650 NtSuspendThread,	3_2_019B4650
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 3_2_019B2B80 NtQueryInformationFile,	3_2_019B2B80
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 3_2_019B2BA0 NtEnumerateValueKey,	3_2_019B2BA0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 3_2_019B2BF0 NtAllocateVirtualMemory,	3_2_019B2BF0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 3_2_019B2BE0 NtQueryValueKey,	3_2_019B2BE0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 3_2_019B2AB0 NtWaitForSingleObject,	3_2_019B2AB0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 3_2_019B2AD0 NtReadFile,	3_2_019B2AD0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 3_2_019B2AF0 NtWriteFile,	3_2_019B2AF0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 3_2_019B2DB0 NtEnumerateKey,	3_2_019B2DB0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 3_2_019B2DD0 NtDelayExecution,	3_2_019B2DD0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 3_2_019B2D10 NtMapViewOfSection,	3_2_019B2D10
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 3_2_019B2D00 NtSetInformationFile,	3_2_019B2D00
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 3_2_019B2D30 NtUnmapViewOfSection,	3_2_019B2D30
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 3_2_019B2CA0 NtQueryInformationToken,	3_2_019B2CA0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 3_2_019B2CC0 NtQueryVirtualMemory,	3_2_019B2CC0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 3_2_019B2CF0 NtOpenProcess,	3_2_019B2CF0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 3_2_019B2C00 NtQueryInformationProcess,	3_2_019B2C00
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 3_2_019B2C60 NtCreateKey,	3_2_019B2C60
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 3_2_019B2F90 NtProtectVirtualMemory,	3_2_019B2F90
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 3_2_019B2FB0 NtResumeThread,	3_2_019B2FB0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 3_2_019B2FA0 NtQuerySection,	3_2_019B2FA0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 3_2_019B2FE0 NtCreateFile,	3_2_019B2FE0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 3_2_019B2F30 NtCreateSection,	3_2_019B2F30
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 3_2_019B2F60 NtCreateProcessEx,	3_2_019B2F60
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 3_2_019B2E80 NtReadVirtualMemory,	3_2_019B2E80
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 3_2_019B2EA0 NtAdjustPrivilegesToken,	3_2_019B2EA0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 3_2_019B2EE0 NtQueueApcThread,	3_2_019B2EE0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 3_2_019B2E30 NtWriteVirtualMemory,	3_2_019B2E30
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 3_2_019B3090 NtSetValueKey,	3_2_019B3090
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 3_2_019B3010 NtOpenDirectoryObject,	3_2_019B3010
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 3_2_019B39B0 NtGetContextThread,	3_2_019B39B0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 3_2_019B3D10 NtOpenProcessToken,	3_2_019B3D10
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 3_2_019B3D70 NtOpenThread,	3_2_019B3D70

Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.Trojan.SW.gen.Eldorado.19987.15855.exe	Code function: 0_2_05F54420	0_2_05F54420
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.Trojan.SW.gen.Eldorado.19987.15855.exe	Code function: 0_2_05F53558	0_2_05F53558
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.Trojan.SW.gen.Eldorado.19987.15855.exe	Code function: 0_2_05F5B040	0_2_05F5B040
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.Trojan.SW.gen.Eldorado.19987.15855.exe	Code function: 0_2_05F5B030	0_2_05F5B030
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.Trojan.SW.gen.Eldorado.19987.15855.exe	Code function: 0_2_07E779B9	0_2_07E779B9
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.Trojan.SW.gen.Eldorado.19987.15855.exe	Code function: 0_2_07E70040	0_2_07E70040
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.Trojan.SW.gen.Eldorado.19987.15855.exe	Code function: 0_2_07E7A788	0_2_07E7A788
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.Trojan.SW.gen.Eldorado.19987.15855.exe	Code function: 0_2_07E74798	0_2_07E74798
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.Trojan.SW.gen.Eldorado.19987.15855.exe	Code function: 0_2_07E73488	0_2_07E73488
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.Trojan.SW.gen.Eldorado.19987.15855.exe	Code function: 0_2_07E73498	0_2_07E73498
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.Trojan.SW.gen.Eldorado.19987.15855.exe	Code function: 0_2_07E7A42C	0_2_07E7A42C
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.Trojan.SW.gen.Eldorado.19987.15855.exe	Code function: 0_2_07E72C28	0_2_07E72C28
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.Trojan.SW.gen.Eldorado.19987.15855.exe	Code function: 0_2_07E72C08	0_2_07E72C08
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.Trojan.SW.gen.Eldorado.19987.15855.exe	Code function: 0_2_07E751F0	0_2_07E751F0
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.Trojan.SW.gen.Eldorado.19987.15855.exe	Code function: 0_2_07E73060	0_2_07E73060
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.Trojan.SW.gen.Eldorado.19987.15855.exe	Code function: 0_2_07E79879	0_2_07E79879
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.Trojan.SW.gen.Eldorado.19987.15855.exe	Code function: 0_2_07E73050	0_2_07E73050
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.Trojan.SW.gen.Eldorado.19987.15855.exe	Code function: 0_2_07E70006	0_2_07E70006
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 3_2_0042E813	3_2_0042E813
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 3_2_00410163	3_2_00410163
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 3_2_00401100	3_2_00401100
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 3_2_0040E1E3	3_2_0040E1E3
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 3_2_0040E18A	3_2_0040E18A
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 3_2_00416D13	3_2_00416D13
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 3_2_00402520	3_2_00402520
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 3_2_0040FF43	3_2_0040FF43
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 3_2_00402F50	3_2_00402F50
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 3_2_01A341A2	3_2_01A341A2
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 3_2_01A401AA	3_2_01A401AA
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 3_2_01A381CC	3_2_01A381CC
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 3_2_01970100	3_2_01970100
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 3_2_01A1A118	3_2_01A1A118
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 3_2_01A08158	3_2_01A08158
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 3_2_01A12000	3_2_01A12000
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 3_2_01A403E6	3_2_01A403E6
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 3_2_0198E3F0	3_2_0198E3F0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 3_2_01A3A352	3_2_01A3A352
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 3_2_01A002C0	3_2_01A002C0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 3_2_01A20274	3_2_01A20274
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 3_2_01A40591	3_2_01A40591
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 3_2_01980535	3_2_01980535
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 3_2_01A2E4F6	3_2_01A2E4F6
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 3_2_01A24420	3_2_01A24420
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 3_2_01A32446	3_2_01A32446
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 3_2_0197C7C0	3_2_0197C7C0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 3_2_019A4750	3_2_019A4750
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 3_2_01980770	3_2_01980770
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 3_2_0199C6E0	3_2_0199C6E0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 3_2_01A4A9A6	3_2_01A4A9A6
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 3_2_019829A0	3_2_019829A0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 3_2_01996962	3_2_01996962
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 3_2_019668B8	3_2_019668B8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 3_2_019AE8F0	3_2_019AE8F0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 3_2_0198A840	3_2_0198A840
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 3_2_01982840	3_2_01982840
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 3_2_01A36BD7	3_2_01A36BD7
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 3_2_01A3AB40	3_2_01A3AB40
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 3_2_0197EA80	3_2_0197EA80
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 3_2_01998DBF	3_2_01998DBF
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 3_2_0197ADE0	3_2_0197ADE0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 3_2_0198AD00	3_2_0198AD00
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 3_2_01A1CD1F	3_2_01A1CD1F
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 3_2_01A20CB5	3_2_01A20CB5
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 3_2_01970CF2	3_2_01970CF2
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 3_2_01980C00	3_2_01980C00
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 3_2_019FEFA0	3_2_019FEFA0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 3_2_01972FC8	3_2_01972FC8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 3_2_01A22F30	3_2_01A22F30
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 3_2_019A0F30	3_2_019A0F30
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 3_2_019C2F28	3_2_019C2F28
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 3_2_019F4F40	3_2_019F4F40
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 3_2_01992E90	3_2_01992E90
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 3_2_01A3CE93	3_2_01A3CE93
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 3_2_01A3EEDB	3_2_01A3EEDB
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 3_2_01A3EE26	3_2_01A3EE26
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 3_2_01980E59	3_2_01980E59
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 3_2_0198B1B0	3_2_0198B1B0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 3_2_01A4B16B	3_2_01A4B16B
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 3_2_0196F172	3_2_0196F172
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 3_2_019B516C	3_2_019B516C
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 3_2_01A3F0E0	3_2_01A3F0E0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 3_2_01A370E9	3_2_01A370E9
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 3_2_019870C0	3_2_019870C0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 3_2_01A2F0CC	3_2_01A2F0CC
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 3_2_019C739A	3_2_019C739A
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 3_2_01A3132D	3_2_01A3132D
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 3_2_0196D34C	3_2_0196D34C
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 3_2_019852A0	3_2_019852A0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 3_2_01A212ED	3_2_01A212ED
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 3_2_0199B2C0	3_2_0199B2C0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 3_2_01A1D5B0	3_2_01A1D5B0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 3_2_01A495C3	3_2_01A495C3
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 3_2_01A37571	3_2_01A37571
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 3_2_01A3F43F	3_2_01A3F43F
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 3_2_01971460	3_2_01971460
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 3_2_01A3F7B0	3_2_01A3F7B0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 3_2_01A316CC	3_2_01A316CC
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 3_2_019C5630	3_2_019C5630
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 3_2_01A15910	3_2_01A15910
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 3_2_01989950	3_2_01989950
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 3_2_0199B950	3_2_0199B950
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 3_2_019838E0	3_2_019838E0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 3_2_019ED800	3_2_019ED800
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 3_2_0199FB80	3_2_0199FB80
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 3_2_019BDBF9	3_2_019BDBF9
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 3_2_019F5BF0	3_2_019F5BF0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 3_2_01A3FB76	3_2_01A3FB76
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 3_2_01A21AA3	3_2_01A21AA3
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 3_2_01A1DAAC	3_2_01A1DAAC
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 3_2_019C5AA0	3_2_019C5AA0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 3_2_01A2DAC6	3_2_01A2DAC6
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 3_2_01A37A46	3_2_01A37A46
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 3_2_01A3FA49	3_2_01A3FA49
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 3_2_019F3A6C	3_2_019F3A6C
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 3_2_0199FDC0	3_2_0199FDC0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 3_2_01A37D73	3_2_01A37D73
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 3_2_01983D40	3_2_01983D40
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 3_2_01A31D5A	3_2_01A31D5A
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 3_2_01A3FCF2	3_2_01A3FCF2
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 3_2_019F9C32	3_2_019F9C32
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 3_2_01981F92	3_2_01981F92
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 3_2_01A3FFB1	3_2_01A3FFB1
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 3_2_01943FD5	3_2_01943FD5
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 3_2_01943FD2	3_2_01943FD2
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 3_2_01A3FF09	3_2_01A3FF09
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 3_2_01989EB0	3_2_01989EB0

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: String function: 0196B970 appears 265 times
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: String function: 019C7E54 appears 108 times
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: String function: 019B5130 appears 58 times
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: String function: 019FF290 appears 105 times
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: String function: 019EEA12 appears 86 times

Source: SecuriteInfo.com.W32.Trojan.SW.gen.Eldorado.19987.15855.exe, 00000000.00000002.1745435507.0000000007FD0000.00000004.08000000.00040000.00000000.sdmp	Binary or memory string: OriginalFilenameTyrone.dll8 vs SecuriteInfo.com.W32.Trojan.SW.gen.Eldorado.19987.15855.exe
Source: SecuriteInfo.com.W32.Trojan.SW.gen.Eldorado.19987.15855.exe, 00000000.00000002.1738423726.000000000457E000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameTyrone.dll8 vs SecuriteInfo.com.W32.Trojan.SW.gen.Eldorado.19987.15855.exe
Source: SecuriteInfo.com.W32.Trojan.SW.gen.Eldorado.19987.15855.exe, 00000000.00000000.1697408380.000000000106A000.00000002.00000001.01000000.00000003.sdmp	Binary or memory string: OriginalFilenameEcHV.exe2 vs SecuriteInfo.com.W32.Trojan.SW.gen.Eldorado.19987.15855.exe
Source: SecuriteInfo.com.W32.Trojan.SW.gen.Eldorado.19987.15855.exe, 00000000.00000002.1736092150.000000000156E000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameclr.dllT vs SecuriteInfo.com.W32.Trojan.SW.gen.Eldorado.19987.15855.exe
Source: SecuriteInfo.com.W32.Trojan.SW.gen.Eldorado.19987.15855.exe, 00000000.00000002.1737300139.00000000033A1000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameMML.dll2 vs SecuriteInfo.com.W32.Trojan.SW.gen.Eldorado.19987.15855.exe
Source: SecuriteInfo.com.W32.Trojan.SW.gen.Eldorado.19987.15855.exe, 00000000.00000002.1743162307.0000000007A10000.00000004.08000000.00040000.00000000.sdmp	Binary or memory string: OriginalFilenameMML.dll2 vs SecuriteInfo.com.W32.Trojan.SW.gen.Eldorado.19987.15855.exe
Source: SecuriteInfo.com.W32.Trojan.SW.gen.Eldorado.19987.15855.exe	Binary or memory string: OriginalFilenameEcHV.exe2 vs SecuriteInfo.com.W32.Trojan.SW.gen.Eldorado.19987.15855.exe

Source: SecuriteInfo.com.W32.Trojan.SW.gen.Eldorado.19987.15855.exe

Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE

Source: 3.2.RegSvcs.exe.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: 3.2.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: 00000003.00000002.1951644033.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: 00000003.00000002.1952219358.0000000001840000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23

Source: SecuriteInfo.com.W32.Trojan.SW.gen.Eldorado.19987.15855.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: 0.2.SecuriteInfo.com.W32.Trojan.SW.gen.Eldorado.19987.15855.exe.472b5f0.2.raw.unpack, qd3nAG3jlfZH0Oy1Yi.cs	Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 0.2.SecuriteInfo.com.W32.Trojan.SW.gen.Eldorado.19987.15855.exe.47b3210.1.raw.unpack, lOsHXAsovXZfc94OB5.cs	Security API names: _0020.SetAccessControl
Source: 0.2.SecuriteInfo.com.W32.Trojan.SW.gen.Eldorado.19987.15855.exe.47b3210.1.raw.unpack, lOsHXAsovXZfc94OB5.cs	Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 0.2.SecuriteInfo.com.W32.Trojan.SW.gen.Eldorado.19987.15855.exe.47b3210.1.raw.unpack, lOsHXAsovXZfc94OB5.cs	Security API names: _0020.AddAccessRule
Source: 0.2.SecuriteInfo.com.W32.Trojan.SW.gen.Eldorado.19987.15855.exe.47b3210.1.raw.unpack, qd3nAG3jlfZH0Oy1Yi.cs	Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 0.2.SecuriteInfo.com.W32.Trojan.SW.gen.Eldorado.19987.15855.exe.472b5f0.2.raw.unpack, lOsHXAsovXZfc94OB5.cs	Security API names: _0020.SetAccessControl
Source: 0.2.SecuriteInfo.com.W32.Trojan.SW.gen.Eldorado.19987.15855.exe.472b5f0.2.raw.unpack, lOsHXAsovXZfc94OB5.cs	Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 0.2.SecuriteInfo.com.W32.Trojan.SW.gen.Eldorado.19987.15855.exe.472b5f0.2.raw.unpack, lOsHXAsovXZfc94OB5.cs	Security API names: _0020.AddAccessRule
Source: 0.2.SecuriteInfo.com.W32.Trojan.SW.gen.Eldorado.19987.15855.exe.7fd0000.6.raw.unpack, lOsHXAsovXZfc94OB5.cs	Security API names: _0020.SetAccessControl
Source: 0.2.SecuriteInfo.com.W32.Trojan.SW.gen.Eldorado.19987.15855.exe.7fd0000.6.raw.unpack, lOsHXAsovXZfc94OB5.cs	Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 0.2.SecuriteInfo.com.W32.Trojan.SW.gen.Eldorado.19987.15855.exe.7fd0000.6.raw.unpack, lOsHXAsovXZfc94OB5.cs	Security API names: _0020.AddAccessRule
Source: 0.2.SecuriteInfo.com.W32.Trojan.SW.gen.Eldorado.19987.15855.exe.7fd0000.6.raw.unpack, qd3nAG3jlfZH0Oy1Yi.cs	Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()

Source: SecuriteInfo.com.W32.Trojan.SW.gen.Eldorado.19987.15855.exe, 00000000.00000002.1742221983.0000000005CFC000.00000004.00000020.00020000.00000000.sdmp

Binary or memory string: EITC Tempus Sans is a Trademark of International Typeface Corporation.slnt

Source: classification engine

Classification label: mal100.troj.evad.winEXE@7/6@0/0

Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.Trojan.SW.gen.Eldorado.19987.15855.exe

File created: C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\SecuriteInfo.com.W32.Trojan.SW.gen.Eldorado.19987.15855.exe.log

Jump to behavior

Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.Trojan.SW.gen.Eldorado.19987.15855.exe	Mutant created: \Sessions\1\BaseNamedObjects\EaaLEWdZQ
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Mutant created: NULL
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7508:120:WilError_03

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

File created: C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_1wco4vy5.omd.ps1

Jump to behavior

Source: SecuriteInfo.com.W32.Trojan.SW.gen.Eldorado.19987.15855.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: SecuriteInfo.com.W32.Trojan.SW.gen.Eldorado.19987.15855.exe

Static file information: TRID: Win32 Executable (generic) Net Framework (10011505/4) 49.83%

Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.Trojan.SW.gen.Eldorado.19987.15855.exe

File read: C:\Users\user\Desktop\desktop.ini

Jump to behavior

Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.Trojan.SW.gen.Eldorado.19987.15855.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: SecuriteInfo.com.W32.Trojan.SW.gen.Eldorado.19987.15855.exe	ReversingLabs: Detection: 36%
Source: SecuriteInfo.com.W32.Trojan.SW.gen.Eldorado.19987.15855.exe	Virustotal: Detection: 33%

Source: unknown	Process created: C:\Users\user\Desktop\SecuriteInfo.com.W32.Trojan.SW.gen.Eldorado.19987.15855.exe "C:\Users\user\Desktop\SecuriteInfo.com.W32.Trojan.SW.gen.Eldorado.19987.15855.exe"
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.Trojan.SW.gen.Eldorado.19987.15855.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\SecuriteInfo.com.W32.Trojan.SW.gen.Eldorado.19987.15855.exe"
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.Trojan.SW.gen.Eldorado.19987.15855.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\wbem\WmiPrvSE.exe C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.Trojan.SW.gen.Eldorado.19987.15855.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\SecuriteInfo.com.W32.Trojan.SW.gen.Eldorado.19987.15855.exe"	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.Trojan.SW.gen.Eldorado.19987.15855.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"	Jump to behavior

Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.Trojan.SW.gen.Eldorado.19987.15855.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.Trojan.SW.gen.Eldorado.19987.15855.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.Trojan.SW.gen.Eldorado.19987.15855.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.Trojan.SW.gen.Eldorado.19987.15855.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.Trojan.SW.gen.Eldorado.19987.15855.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.Trojan.SW.gen.Eldorado.19987.15855.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.Trojan.SW.gen.Eldorado.19987.15855.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.Trojan.SW.gen.Eldorado.19987.15855.exe	Section loaded: dwrite.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.Trojan.SW.gen.Eldorado.19987.15855.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.Trojan.SW.gen.Eldorado.19987.15855.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.Trojan.SW.gen.Eldorado.19987.15855.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.Trojan.SW.gen.Eldorado.19987.15855.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.Trojan.SW.gen.Eldorado.19987.15855.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.Trojan.SW.gen.Eldorado.19987.15855.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.Trojan.SW.gen.Eldorado.19987.15855.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.Trojan.SW.gen.Eldorado.19987.15855.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.Trojan.SW.gen.Eldorado.19987.15855.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.Trojan.SW.gen.Eldorado.19987.15855.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.Trojan.SW.gen.Eldorado.19987.15855.exe	Section loaded: windowscodecs.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.Trojan.SW.gen.Eldorado.19987.15855.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.Trojan.SW.gen.Eldorado.19987.15855.exe	Section loaded: edputil.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.Trojan.SW.gen.Eldorado.19987.15855.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.Trojan.SW.gen.Eldorado.19987.15855.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.Trojan.SW.gen.Eldorado.19987.15855.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.Trojan.SW.gen.Eldorado.19987.15855.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.Trojan.SW.gen.Eldorado.19987.15855.exe	Section loaded: windows.staterepositoryps.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.Trojan.SW.gen.Eldorado.19987.15855.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.Trojan.SW.gen.Eldorado.19987.15855.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.Trojan.SW.gen.Eldorado.19987.15855.exe	Section loaded: appresolver.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.Trojan.SW.gen.Eldorado.19987.15855.exe	Section loaded: bcp47langs.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.Trojan.SW.gen.Eldorado.19987.15855.exe	Section loaded: slc.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.Trojan.SW.gen.Eldorado.19987.15855.exe	Section loaded: sppc.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.Trojan.SW.gen.Eldorado.19987.15855.exe	Section loaded: onecorecommonproxystub.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.Trojan.SW.gen.Eldorado.19987.15855.exe	Section loaded: onecoreuapcommonproxystub.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: atl.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msisip.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wshext.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: appxsip.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: opcservices.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: secur32.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: microsoft.management.infrastructure.native.unmanaged.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: miutils.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wmidcom.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: dpapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: fastprox.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: ncobjapi.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: mpclient.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: wmitomi.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: mi.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: miutils.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: miutils.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: gpapi.dll	Jump to behavior

Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.Trojan.SW.gen.Eldorado.19987.15855.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0EE7644B-1BAD-48B1-9889-0281C206EB85}\InprocServer32

Jump to behavior

Source: Window Recorder

Window detected: More than 3 window changes detected

Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.Trojan.SW.gen.Eldorado.19987.15855.exe

File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll

Jump to behavior

Source: SecuriteInfo.com.W32.Trojan.SW.gen.Eldorado.19987.15855.exe

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR

Source: SecuriteInfo.com.W32.Trojan.SW.gen.Eldorado.19987.15855.exe

Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Source:	Binary string: wntdll.pdbUGP source: RegSvcs.exe, 00000003.00000002.1952342139.0000000001940000.00000040.00001000.00020000.00000000.sdmp
Source:	Binary string: wntdll.pdb source: RegSvcs.exe, RegSvcs.exe, 00000003.00000002.1952342139.0000000001940000.00000040.00001000.00020000.00000000.sdmp

Data Obfuscation

.NET source code contains potential unpacker

Source: 0.2.SecuriteInfo.com.W32.Trojan.SW.gen.Eldorado.19987.15855.exe.47b3210.1.raw.unpack, lOsHXAsovXZfc94OB5.cs	.Net Code: vVjubMZxL1 System.Reflection.Assembly.Load(byte[])
Source: 0.2.SecuriteInfo.com.W32.Trojan.SW.gen.Eldorado.19987.15855.exe.33cdd5c.0.raw.unpack, -.cs	.Net Code: _0001 System.Reflection.Assembly.Load(byte[])
Source: 0.2.SecuriteInfo.com.W32.Trojan.SW.gen.Eldorado.19987.15855.exe.33cdd5c.0.raw.unpack, PingPong.cs	.Net Code: Justy
Source: 0.2.SecuriteInfo.com.W32.Trojan.SW.gen.Eldorado.19987.15855.exe.7a10000.3.raw.unpack, -.cs	.Net Code: _0001 System.Reflection.Assembly.Load(byte[])
Source: 0.2.SecuriteInfo.com.W32.Trojan.SW.gen.Eldorado.19987.15855.exe.7a10000.3.raw.unpack, PingPong.cs	.Net Code: Justy
Source: 0.2.SecuriteInfo.com.W32.Trojan.SW.gen.Eldorado.19987.15855.exe.7fd0000.6.raw.unpack, lOsHXAsovXZfc94OB5.cs	.Net Code: vVjubMZxL1 System.Reflection.Assembly.Load(byte[])
Source: 0.2.SecuriteInfo.com.W32.Trojan.SW.gen.Eldorado.19987.15855.exe.472b5f0.2.raw.unpack, lOsHXAsovXZfc94OB5.cs	.Net Code: vVjubMZxL1 System.Reflection.Assembly.Load(byte[])

Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.Trojan.SW.gen.Eldorado.19987.15855.exe	Code function: 0_2_05F50B2C pushad ; ret	0_2_05F50B2D
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 3_2_00406075 pushfd ; iretd	3_2_00406076
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 3_2_0042E093 pushad ; retf	3_2_0042E0AB
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 3_2_004031C0 push eax; ret	3_2_004031C2
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 3_2_0041198D push ss; retf	3_2_00411997
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 3_2_00418AC1 push ecx; iretd	3_2_00418AC2
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 3_2_00411AC0 push ebx; ret	3_2_00411AC1
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 3_2_004082CC push esp; iretd	3_2_004082CD
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 3_2_004083F8 push edi; iretd	3_2_0040840C
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 3_2_00418CA1 push 00000020h; iretd	3_2_00418CA3
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 3_2_00418DAB push 51EF2DE3h; retf	3_2_00418DB5
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 3_2_00402F45 push 0000004Dh; ret	3_2_00402F47
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 3_2_00401729 push ecx; iretd	3_2_0040172D
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 3_2_0194225F pushad ; ret	3_2_019427F9
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 3_2_019427FA pushad ; ret	3_2_019427F9
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 3_2_019709AD push ecx; mov dword ptr [esp], ecx	3_2_019709B6
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 3_2_0194283D push eax; iretd	3_2_01942858
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 3_2_01941368 push eax; iretd	3_2_01941369

Source: SecuriteInfo.com.W32.Trojan.SW.gen.Eldorado.19987.15855.exe

Static PE information: section name: .text entropy: 7.865847930042044

Source: 0.2.SecuriteInfo.com.W32.Trojan.SW.gen.Eldorado.19987.15855.exe.47b3210.1.raw.unpack, qd3nAG3jlfZH0Oy1Yi.cs	High entropy of concatenated method names: 'jnXw0T1meY', 'tmrw9IJxid', 'wo8w1owiBy', 'VkuwtkoIfg', 'hRZwRTyewq', 'apIwNAFHvT', 'SEowe4QvTO', 'vPmwCR55GL', 'xT9wQbfw9w', 'dl7wOrl9J1'
Source: 0.2.SecuriteInfo.com.W32.Trojan.SW.gen.Eldorado.19987.15855.exe.47b3210.1.raw.unpack, MA4fwJjxpQtUWpwAG7.cs	High entropy of concatenated method names: 'bXer8Ak3HT', 'kubrsE1Mng', 'ToString', 'dwPr3TXDSN', 'zEurwhCbp2', 'KQVrnGPJ3P', 'BGsr236y3k', 'pGKrXAIeVQ', 'CJYrBDYxpE', 'dZLrapLjTj'
Source: 0.2.SecuriteInfo.com.W32.Trojan.SW.gen.Eldorado.19987.15855.exe.47b3210.1.raw.unpack, Mti1Tar8aHQgpMfdfx.cs	High entropy of concatenated method names: 'CUPBZSPSjd', 'sbLBdEdJ7V', 'qGfBbe1q1V', 'TD4BKpBaao', 'mgLBmymKrD', 'UPCBYoKcn8', 'GHQBg0aCwm', 'fZeBTxyhBu', 'jn4B6kmmZj', 'QKhBhscXaL'
Source: 0.2.SecuriteInfo.com.W32.Trojan.SW.gen.Eldorado.19987.15855.exe.47b3210.1.raw.unpack, cxjq8XAX0qtiRVq2yE.cs	High entropy of concatenated method names: 'mK8xTajwxh', 'iWVx62Xbtx', 'lsNx7knWHb', 'RCNxAguPHs', 'aV6xFbtDDT', 'mtexL4ivcF', 'e6UxGuK2UD', 'fg4xpQda5C', 'WX4xvfpa43', 'GSXxo3fmmE'
Source: 0.2.SecuriteInfo.com.W32.Trojan.SW.gen.Eldorado.19987.15855.exe.47b3210.1.raw.unpack, Flke5KNiPuDujaxXIy.cs	High entropy of concatenated method names: 'PT4XUWlwWK', 'rkrXwBthU9', 'JCUX2D4ZSj', 'hVlXBJaaq0', 'FJaXaTR9ql', 'Gua2R99gnw', 'R9c2NIfPT8', 'CBC2eyiwbN', 'u8t2CqXDNp', 'qhu2QLGoBy'
Source: 0.2.SecuriteInfo.com.W32.Trojan.SW.gen.Eldorado.19987.15855.exe.47b3210.1.raw.unpack, OkjXWLz7Wrhdbhf0p6.cs	High entropy of concatenated method names: 'CanConvertFrom', 'ConvertFrom', 'ConvertTo', 'Xj3WxehWTa', 'I8KWiPHqAV', 'r2QWDBU2TK', 'sv9WrR53Sh', 'iIPWIaZqV1', 'Ps5WWsRcAe', 'CesWSs0JlO'
Source: 0.2.SecuriteInfo.com.W32.Trojan.SW.gen.Eldorado.19987.15855.exe.47b3210.1.raw.unpack, Hb2mLSpRPxj2MrDSA2.cs	High entropy of concatenated method names: 'jXWWqKKokS', 'UW5WMojc6H', 'F0sWucX0Tp', 'alQW3b7OUQ', 'aUlWw1PNSB', 'zMhW21tJHt', 'YuOWXyXb7Z', 'Y4KIe1mSjF', 'ATSICXK7Yg', 'nHeIQHh9O1'
Source: 0.2.SecuriteInfo.com.W32.Trojan.SW.gen.Eldorado.19987.15855.exe.47b3210.1.raw.unpack, WEjhlUYfc9VNS4DJnO.cs	High entropy of concatenated method names: 'Dispose', 'l1fqQMjoKS', 'GpyfASftIB', 'EXkccM1RDQ', 'tM8qOnH0LW', 'zNRqzn3Dft', 'ProcessDialogKey', 'tshfy6nWYW', 'DQwfqwKUce', 'C6Fffwysd2'
Source: 0.2.SecuriteInfo.com.W32.Trojan.SW.gen.Eldorado.19987.15855.exe.47b3210.1.raw.unpack, IIqGQ2xop5lTVf7YeR.cs	High entropy of concatenated method names: 'ttvnKPS7lF', 'Ly6nYfrPe3', 'DRRnTpmDSi', 'M6Xn6mDtQe', 'm7gniS5pWR', 'kLSnDGm1vv', 'US5nrtdud2', 'b51nIrXHGD', 'YHInWcg2Vj', 'mJknSPWrvv'
Source: 0.2.SecuriteInfo.com.W32.Trojan.SW.gen.Eldorado.19987.15855.exe.47b3210.1.raw.unpack, jmw9js1ffRhMZkCR7uZ.cs	High entropy of concatenated method names: 'CanConvertFrom', 'ConvertFrom', 'ConvertTo', 'SPSS0ggCeR', 'XdyS9wlEPp', 'kUPS1N8ffI', 'aLRStJNmbl', 'Tx4SRkOZQi', 'uIgSNmoQi2', 'ufRSeqkKpx'
Source: 0.2.SecuriteInfo.com.W32.Trojan.SW.gen.Eldorado.19987.15855.exe.47b3210.1.raw.unpack, XkB4artdCQHBJUoEX9.cs	High entropy of concatenated method names: 'Mpk2mX4wMh', 'omF2gS607v', 'Op9nPciut4', 'Ct3nFvSfWt', 'ks7nLYYJyW', 'wJInHMc7L7', 'IpbnG8fZI7', 'kMynpUm3jt', 'l71nlonlJQ', 'qH5nv4S2BP'
Source: 0.2.SecuriteInfo.com.W32.Trojan.SW.gen.Eldorado.19987.15855.exe.47b3210.1.raw.unpack, MoejmB9uWWBnkrZFVZ.cs	High entropy of concatenated method names: 'plmI35fGhG', 'BfbIwf54ep', 'jc1In5YgnB', 'a4kI2NT9Kw', 'g0LIXjyHw2', 'laDIBR9uCK', 'LKUIa2Evy1', 'cvpIjDTUAy', 'wZuI8ITXwx', 'fDsIsPkPlm'
Source: 0.2.SecuriteInfo.com.W32.Trojan.SW.gen.Eldorado.19987.15855.exe.47b3210.1.raw.unpack, WZq6cY1H5ntXmnCkDcV.cs	High entropy of concatenated method names: 'U8tSZU6llu', 'NZOSdWRsJt', 'CFGSbiw8ar', 'FRpkUKBzs6ke3e4yZsb', 'PtHQpgJ4AP5nc3hMR60', 'JLyjwLJbcAMHG6upYU7', 'QB02xfJneRiQRDQdKK5'
Source: 0.2.SecuriteInfo.com.W32.Trojan.SW.gen.Eldorado.19987.15855.exe.47b3210.1.raw.unpack, GdVpNdHph65Xr3MQNJ.cs	High entropy of concatenated method names: 'CIOb1tuwt', 'zCmKNueKH', 'Q8CYN0H4H', 'd7ngXayTQ', 'Grn6EpXyK', 'QwEhrEywD', 'HCvgenGjCxLNupbv65', 'SZLaJHgtKYjYa9GdMJ', 'focITw3yq', 'BAcSL1APC'
Source: 0.2.SecuriteInfo.com.W32.Trojan.SW.gen.Eldorado.19987.15855.exe.47b3210.1.raw.unpack, mg30r0LvvjO4WBi4Lq.cs	High entropy of concatenated method names: 'ToString', 'EUyDow5BVR', 'h8uDA9It9u', 'QgRDPJAHEH', 'c1nDFZ1OL1', 'NbvDLrP91a', 'CEDDHNUGnf', 'hOqDGuKd1V', 'BkHDpwEMx1', 'r5SDlTQF7u'
Source: 0.2.SecuriteInfo.com.W32.Trojan.SW.gen.Eldorado.19987.15855.exe.47b3210.1.raw.unpack, sjFY1MeLbRxNIpof7F.cs	High entropy of concatenated method names: 'jigqBygbCY', 'tDhqaTgEcd', 'e1Qq8Gbl62', 'BauqsotPLY', 'iEYqibSLsi', 'iJWqD6IsUW', 'RVxmBlteOuB3LbryVq', 'uOG9mX8nWL8NtAnOXO', 'fr6qqx2D6J', 'UvrqMubBmA'
Source: 0.2.SecuriteInfo.com.W32.Trojan.SW.gen.Eldorado.19987.15855.exe.47b3210.1.raw.unpack, Kgf4xNGn4VbYqvmk5H.cs	High entropy of concatenated method names: 'Q8CrC6P9o0', 'zJXrOrc8De', 'JI9Iy95l6s', 'aqbIqiokhx', 'xJXroCNBqB', 'wLKr4Hjje2', 'ig9rJcuvPa', 'vfTr0I77LI', 'j4kr9NsNHH', 'yn0r1XY54L'
Source: 0.2.SecuriteInfo.com.W32.Trojan.SW.gen.Eldorado.19987.15855.exe.47b3210.1.raw.unpack, lOsHXAsovXZfc94OB5.cs	High entropy of concatenated method names: 'WktMU2cTbG', 'x5hM3yGQUM', 'gRpMwPZJe1', 'UPYMn1JRLN', 'LjlM2fgDtf', 'r2bMXgUbuY', 'Fr4MBT33D2', 'vBpMaqk9aq', 'ko9Mj8HQLZ', 'RyZM85rkTZ'
Source: 0.2.SecuriteInfo.com.W32.Trojan.SW.gen.Eldorado.19987.15855.exe.47b3210.1.raw.unpack, LB6mXH10Ukg0a6Bg1Fb.cs	High entropy of concatenated method names: 'eZDWZyXd0D', 'LLPWd6yhiJ', 'z2uWb2hBwt', 'amAWKJoZMP', 'swnWmeVjEy', 'opGWY2eX1r', 'VdrWgRdSPU', 'zAMWThCyys', 'CN1W6qRsLr', 'K2QWhBSeYO'
Source: 0.2.SecuriteInfo.com.W32.Trojan.SW.gen.Eldorado.19987.15855.exe.47b3210.1.raw.unpack, OEUYs3ofI7bWQpg2kV.cs	High entropy of concatenated method names: 'G4oI7WkAoK', 'syeIA30dth', 'TuFIP7hPlF', 'rcdIFo7Hij', 'A5MI0jyQnJ', 'vchILcbcKO', 'Next', 'Next', 'Next', 'NextBytes'
Source: 0.2.SecuriteInfo.com.W32.Trojan.SW.gen.Eldorado.19987.15855.exe.7fd0000.6.raw.unpack, qd3nAG3jlfZH0Oy1Yi.cs	High entropy of concatenated method names: 'jnXw0T1meY', 'tmrw9IJxid', 'wo8w1owiBy', 'VkuwtkoIfg', 'hRZwRTyewq', 'apIwNAFHvT', 'SEowe4QvTO', 'vPmwCR55GL', 'xT9wQbfw9w', 'dl7wOrl9J1'
Source: 0.2.SecuriteInfo.com.W32.Trojan.SW.gen.Eldorado.19987.15855.exe.7fd0000.6.raw.unpack, MA4fwJjxpQtUWpwAG7.cs	High entropy of concatenated method names: 'bXer8Ak3HT', 'kubrsE1Mng', 'ToString', 'dwPr3TXDSN', 'zEurwhCbp2', 'KQVrnGPJ3P', 'BGsr236y3k', 'pGKrXAIeVQ', 'CJYrBDYxpE', 'dZLrapLjTj'
Source: 0.2.SecuriteInfo.com.W32.Trojan.SW.gen.Eldorado.19987.15855.exe.7fd0000.6.raw.unpack, Mti1Tar8aHQgpMfdfx.cs	High entropy of concatenated method names: 'CUPBZSPSjd', 'sbLBdEdJ7V', 'qGfBbe1q1V', 'TD4BKpBaao', 'mgLBmymKrD', 'UPCBYoKcn8', 'GHQBg0aCwm', 'fZeBTxyhBu', 'jn4B6kmmZj', 'QKhBhscXaL'
Source: 0.2.SecuriteInfo.com.W32.Trojan.SW.gen.Eldorado.19987.15855.exe.7fd0000.6.raw.unpack, cxjq8XAX0qtiRVq2yE.cs	High entropy of concatenated method names: 'mK8xTajwxh', 'iWVx62Xbtx', 'lsNx7knWHb', 'RCNxAguPHs', 'aV6xFbtDDT', 'mtexL4ivcF', 'e6UxGuK2UD', 'fg4xpQda5C', 'WX4xvfpa43', 'GSXxo3fmmE'
Source: 0.2.SecuriteInfo.com.W32.Trojan.SW.gen.Eldorado.19987.15855.exe.7fd0000.6.raw.unpack, Flke5KNiPuDujaxXIy.cs	High entropy of concatenated method names: 'PT4XUWlwWK', 'rkrXwBthU9', 'JCUX2D4ZSj', 'hVlXBJaaq0', 'FJaXaTR9ql', 'Gua2R99gnw', 'R9c2NIfPT8', 'CBC2eyiwbN', 'u8t2CqXDNp', 'qhu2QLGoBy'
Source: 0.2.SecuriteInfo.com.W32.Trojan.SW.gen.Eldorado.19987.15855.exe.7fd0000.6.raw.unpack, OkjXWLz7Wrhdbhf0p6.cs	High entropy of concatenated method names: 'CanConvertFrom', 'ConvertFrom', 'ConvertTo', 'Xj3WxehWTa', 'I8KWiPHqAV', 'r2QWDBU2TK', 'sv9WrR53Sh', 'iIPWIaZqV1', 'Ps5WWsRcAe', 'CesWSs0JlO'
Source: 0.2.SecuriteInfo.com.W32.Trojan.SW.gen.Eldorado.19987.15855.exe.7fd0000.6.raw.unpack, Hb2mLSpRPxj2MrDSA2.cs	High entropy of concatenated method names: 'jXWWqKKokS', 'UW5WMojc6H', 'F0sWucX0Tp', 'alQW3b7OUQ', 'aUlWw1PNSB', 'zMhW21tJHt', 'YuOWXyXb7Z', 'Y4KIe1mSjF', 'ATSICXK7Yg', 'nHeIQHh9O1'
Source: 0.2.SecuriteInfo.com.W32.Trojan.SW.gen.Eldorado.19987.15855.exe.7fd0000.6.raw.unpack, WEjhlUYfc9VNS4DJnO.cs	High entropy of concatenated method names: 'Dispose', 'l1fqQMjoKS', 'GpyfASftIB', 'EXkccM1RDQ', 'tM8qOnH0LW', 'zNRqzn3Dft', 'ProcessDialogKey', 'tshfy6nWYW', 'DQwfqwKUce', 'C6Fffwysd2'
Source: 0.2.SecuriteInfo.com.W32.Trojan.SW.gen.Eldorado.19987.15855.exe.7fd0000.6.raw.unpack, IIqGQ2xop5lTVf7YeR.cs	High entropy of concatenated method names: 'ttvnKPS7lF', 'Ly6nYfrPe3', 'DRRnTpmDSi', 'M6Xn6mDtQe', 'm7gniS5pWR', 'kLSnDGm1vv', 'US5nrtdud2', 'b51nIrXHGD', 'YHInWcg2Vj', 'mJknSPWrvv'
Source: 0.2.SecuriteInfo.com.W32.Trojan.SW.gen.Eldorado.19987.15855.exe.7fd0000.6.raw.unpack, jmw9js1ffRhMZkCR7uZ.cs	High entropy of concatenated method names: 'CanConvertFrom', 'ConvertFrom', 'ConvertTo', 'SPSS0ggCeR', 'XdyS9wlEPp', 'kUPS1N8ffI', 'aLRStJNmbl', 'Tx4SRkOZQi', 'uIgSNmoQi2', 'ufRSeqkKpx'
Source: 0.2.SecuriteInfo.com.W32.Trojan.SW.gen.Eldorado.19987.15855.exe.7fd0000.6.raw.unpack, XkB4artdCQHBJUoEX9.cs	High entropy of concatenated method names: 'Mpk2mX4wMh', 'omF2gS607v', 'Op9nPciut4', 'Ct3nFvSfWt', 'ks7nLYYJyW', 'wJInHMc7L7', 'IpbnG8fZI7', 'kMynpUm3jt', 'l71nlonlJQ', 'qH5nv4S2BP'
Source: 0.2.SecuriteInfo.com.W32.Trojan.SW.gen.Eldorado.19987.15855.exe.7fd0000.6.raw.unpack, MoejmB9uWWBnkrZFVZ.cs	High entropy of concatenated method names: 'plmI35fGhG', 'BfbIwf54ep', 'jc1In5YgnB', 'a4kI2NT9Kw', 'g0LIXjyHw2', 'laDIBR9uCK', 'LKUIa2Evy1', 'cvpIjDTUAy', 'wZuI8ITXwx', 'fDsIsPkPlm'
Source: 0.2.SecuriteInfo.com.W32.Trojan.SW.gen.Eldorado.19987.15855.exe.7fd0000.6.raw.unpack, WZq6cY1H5ntXmnCkDcV.cs	High entropy of concatenated method names: 'U8tSZU6llu', 'NZOSdWRsJt', 'CFGSbiw8ar', 'FRpkUKBzs6ke3e4yZsb', 'PtHQpgJ4AP5nc3hMR60', 'JLyjwLJbcAMHG6upYU7', 'QB02xfJneRiQRDQdKK5'
Source: 0.2.SecuriteInfo.com.W32.Trojan.SW.gen.Eldorado.19987.15855.exe.7fd0000.6.raw.unpack, GdVpNdHph65Xr3MQNJ.cs	High entropy of concatenated method names: 'CIOb1tuwt', 'zCmKNueKH', 'Q8CYN0H4H', 'd7ngXayTQ', 'Grn6EpXyK', 'QwEhrEywD', 'HCvgenGjCxLNupbv65', 'SZLaJHgtKYjYa9GdMJ', 'focITw3yq', 'BAcSL1APC'
Source: 0.2.SecuriteInfo.com.W32.Trojan.SW.gen.Eldorado.19987.15855.exe.7fd0000.6.raw.unpack, mg30r0LvvjO4WBi4Lq.cs	High entropy of concatenated method names: 'ToString', 'EUyDow5BVR', 'h8uDA9It9u', 'QgRDPJAHEH', 'c1nDFZ1OL1', 'NbvDLrP91a', 'CEDDHNUGnf', 'hOqDGuKd1V', 'BkHDpwEMx1', 'r5SDlTQF7u'
Source: 0.2.SecuriteInfo.com.W32.Trojan.SW.gen.Eldorado.19987.15855.exe.7fd0000.6.raw.unpack, sjFY1MeLbRxNIpof7F.cs	High entropy of concatenated method names: 'jigqBygbCY', 'tDhqaTgEcd', 'e1Qq8Gbl62', 'BauqsotPLY', 'iEYqibSLsi', 'iJWqD6IsUW', 'RVxmBlteOuB3LbryVq', 'uOG9mX8nWL8NtAnOXO', 'fr6qqx2D6J', 'UvrqMubBmA'
Source: 0.2.SecuriteInfo.com.W32.Trojan.SW.gen.Eldorado.19987.15855.exe.7fd0000.6.raw.unpack, Kgf4xNGn4VbYqvmk5H.cs	High entropy of concatenated method names: 'Q8CrC6P9o0', 'zJXrOrc8De', 'JI9Iy95l6s', 'aqbIqiokhx', 'xJXroCNBqB', 'wLKr4Hjje2', 'ig9rJcuvPa', 'vfTr0I77LI', 'j4kr9NsNHH', 'yn0r1XY54L'
Source: 0.2.SecuriteInfo.com.W32.Trojan.SW.gen.Eldorado.19987.15855.exe.7fd0000.6.raw.unpack, lOsHXAsovXZfc94OB5.cs	High entropy of concatenated method names: 'WktMU2cTbG', 'x5hM3yGQUM', 'gRpMwPZJe1', 'UPYMn1JRLN', 'LjlM2fgDtf', 'r2bMXgUbuY', 'Fr4MBT33D2', 'vBpMaqk9aq', 'ko9Mj8HQLZ', 'RyZM85rkTZ'
Source: 0.2.SecuriteInfo.com.W32.Trojan.SW.gen.Eldorado.19987.15855.exe.7fd0000.6.raw.unpack, LB6mXH10Ukg0a6Bg1Fb.cs	High entropy of concatenated method names: 'eZDWZyXd0D', 'LLPWd6yhiJ', 'z2uWb2hBwt', 'amAWKJoZMP', 'swnWmeVjEy', 'opGWY2eX1r', 'VdrWgRdSPU', 'zAMWThCyys', 'CN1W6qRsLr', 'K2QWhBSeYO'
Source: 0.2.SecuriteInfo.com.W32.Trojan.SW.gen.Eldorado.19987.15855.exe.7fd0000.6.raw.unpack, OEUYs3ofI7bWQpg2kV.cs	High entropy of concatenated method names: 'G4oI7WkAoK', 'syeIA30dth', 'TuFIP7hPlF', 'rcdIFo7Hij', 'A5MI0jyQnJ', 'vchILcbcKO', 'Next', 'Next', 'Next', 'NextBytes'
Source: 0.2.SecuriteInfo.com.W32.Trojan.SW.gen.Eldorado.19987.15855.exe.472b5f0.2.raw.unpack, qd3nAG3jlfZH0Oy1Yi.cs	High entropy of concatenated method names: 'jnXw0T1meY', 'tmrw9IJxid', 'wo8w1owiBy', 'VkuwtkoIfg', 'hRZwRTyewq', 'apIwNAFHvT', 'SEowe4QvTO', 'vPmwCR55GL', 'xT9wQbfw9w', 'dl7wOrl9J1'
Source: 0.2.SecuriteInfo.com.W32.Trojan.SW.gen.Eldorado.19987.15855.exe.472b5f0.2.raw.unpack, MA4fwJjxpQtUWpwAG7.cs	High entropy of concatenated method names: 'bXer8Ak3HT', 'kubrsE1Mng', 'ToString', 'dwPr3TXDSN', 'zEurwhCbp2', 'KQVrnGPJ3P', 'BGsr236y3k', 'pGKrXAIeVQ', 'CJYrBDYxpE', 'dZLrapLjTj'
Source: 0.2.SecuriteInfo.com.W32.Trojan.SW.gen.Eldorado.19987.15855.exe.472b5f0.2.raw.unpack, Mti1Tar8aHQgpMfdfx.cs	High entropy of concatenated method names: 'CUPBZSPSjd', 'sbLBdEdJ7V', 'qGfBbe1q1V', 'TD4BKpBaao', 'mgLBmymKrD', 'UPCBYoKcn8', 'GHQBg0aCwm', 'fZeBTxyhBu', 'jn4B6kmmZj', 'QKhBhscXaL'
Source: 0.2.SecuriteInfo.com.W32.Trojan.SW.gen.Eldorado.19987.15855.exe.472b5f0.2.raw.unpack, cxjq8XAX0qtiRVq2yE.cs	High entropy of concatenated method names: 'mK8xTajwxh', 'iWVx62Xbtx', 'lsNx7knWHb', 'RCNxAguPHs', 'aV6xFbtDDT', 'mtexL4ivcF', 'e6UxGuK2UD', 'fg4xpQda5C', 'WX4xvfpa43', 'GSXxo3fmmE'
Source: 0.2.SecuriteInfo.com.W32.Trojan.SW.gen.Eldorado.19987.15855.exe.472b5f0.2.raw.unpack, Flke5KNiPuDujaxXIy.cs	High entropy of concatenated method names: 'PT4XUWlwWK', 'rkrXwBthU9', 'JCUX2D4ZSj', 'hVlXBJaaq0', 'FJaXaTR9ql', 'Gua2R99gnw', 'R9c2NIfPT8', 'CBC2eyiwbN', 'u8t2CqXDNp', 'qhu2QLGoBy'
Source: 0.2.SecuriteInfo.com.W32.Trojan.SW.gen.Eldorado.19987.15855.exe.472b5f0.2.raw.unpack, OkjXWLz7Wrhdbhf0p6.cs	High entropy of concatenated method names: 'CanConvertFrom', 'ConvertFrom', 'ConvertTo', 'Xj3WxehWTa', 'I8KWiPHqAV', 'r2QWDBU2TK', 'sv9WrR53Sh', 'iIPWIaZqV1', 'Ps5WWsRcAe', 'CesWSs0JlO'
Source: 0.2.SecuriteInfo.com.W32.Trojan.SW.gen.Eldorado.19987.15855.exe.472b5f0.2.raw.unpack, Hb2mLSpRPxj2MrDSA2.cs	High entropy of concatenated method names: 'jXWWqKKokS', 'UW5WMojc6H', 'F0sWucX0Tp', 'alQW3b7OUQ', 'aUlWw1PNSB', 'zMhW21tJHt', 'YuOWXyXb7Z', 'Y4KIe1mSjF', 'ATSICXK7Yg', 'nHeIQHh9O1'
Source: 0.2.SecuriteInfo.com.W32.Trojan.SW.gen.Eldorado.19987.15855.exe.472b5f0.2.raw.unpack, WEjhlUYfc9VNS4DJnO.cs	High entropy of concatenated method names: 'Dispose', 'l1fqQMjoKS', 'GpyfASftIB', 'EXkccM1RDQ', 'tM8qOnH0LW', 'zNRqzn3Dft', 'ProcessDialogKey', 'tshfy6nWYW', 'DQwfqwKUce', 'C6Fffwysd2'
Source: 0.2.SecuriteInfo.com.W32.Trojan.SW.gen.Eldorado.19987.15855.exe.472b5f0.2.raw.unpack, IIqGQ2xop5lTVf7YeR.cs	High entropy of concatenated method names: 'ttvnKPS7lF', 'Ly6nYfrPe3', 'DRRnTpmDSi', 'M6Xn6mDtQe', 'm7gniS5pWR', 'kLSnDGm1vv', 'US5nrtdud2', 'b51nIrXHGD', 'YHInWcg2Vj', 'mJknSPWrvv'
Source: 0.2.SecuriteInfo.com.W32.Trojan.SW.gen.Eldorado.19987.15855.exe.472b5f0.2.raw.unpack, jmw9js1ffRhMZkCR7uZ.cs	High entropy of concatenated method names: 'CanConvertFrom', 'ConvertFrom', 'ConvertTo', 'SPSS0ggCeR', 'XdyS9wlEPp', 'kUPS1N8ffI', 'aLRStJNmbl', 'Tx4SRkOZQi', 'uIgSNmoQi2', 'ufRSeqkKpx'
Source: 0.2.SecuriteInfo.com.W32.Trojan.SW.gen.Eldorado.19987.15855.exe.472b5f0.2.raw.unpack, XkB4artdCQHBJUoEX9.cs	High entropy of concatenated method names: 'Mpk2mX4wMh', 'omF2gS607v', 'Op9nPciut4', 'Ct3nFvSfWt', 'ks7nLYYJyW', 'wJInHMc7L7', 'IpbnG8fZI7', 'kMynpUm3jt', 'l71nlonlJQ', 'qH5nv4S2BP'
Source: 0.2.SecuriteInfo.com.W32.Trojan.SW.gen.Eldorado.19987.15855.exe.472b5f0.2.raw.unpack, MoejmB9uWWBnkrZFVZ.cs	High entropy of concatenated method names: 'plmI35fGhG', 'BfbIwf54ep', 'jc1In5YgnB', 'a4kI2NT9Kw', 'g0LIXjyHw2', 'laDIBR9uCK', 'LKUIa2Evy1', 'cvpIjDTUAy', 'wZuI8ITXwx', 'fDsIsPkPlm'
Source: 0.2.SecuriteInfo.com.W32.Trojan.SW.gen.Eldorado.19987.15855.exe.472b5f0.2.raw.unpack, WZq6cY1H5ntXmnCkDcV.cs	High entropy of concatenated method names: 'U8tSZU6llu', 'NZOSdWRsJt', 'CFGSbiw8ar', 'FRpkUKBzs6ke3e4yZsb', 'PtHQpgJ4AP5nc3hMR60', 'JLyjwLJbcAMHG6upYU7', 'QB02xfJneRiQRDQdKK5'
Source: 0.2.SecuriteInfo.com.W32.Trojan.SW.gen.Eldorado.19987.15855.exe.472b5f0.2.raw.unpack, GdVpNdHph65Xr3MQNJ.cs	High entropy of concatenated method names: 'CIOb1tuwt', 'zCmKNueKH', 'Q8CYN0H4H', 'd7ngXayTQ', 'Grn6EpXyK', 'QwEhrEywD', 'HCvgenGjCxLNupbv65', 'SZLaJHgtKYjYa9GdMJ', 'focITw3yq', 'BAcSL1APC'
Source: 0.2.SecuriteInfo.com.W32.Trojan.SW.gen.Eldorado.19987.15855.exe.472b5f0.2.raw.unpack, mg30r0LvvjO4WBi4Lq.cs	High entropy of concatenated method names: 'ToString', 'EUyDow5BVR', 'h8uDA9It9u', 'QgRDPJAHEH', 'c1nDFZ1OL1', 'NbvDLrP91a', 'CEDDHNUGnf', 'hOqDGuKd1V', 'BkHDpwEMx1', 'r5SDlTQF7u'
Source: 0.2.SecuriteInfo.com.W32.Trojan.SW.gen.Eldorado.19987.15855.exe.472b5f0.2.raw.unpack, sjFY1MeLbRxNIpof7F.cs	High entropy of concatenated method names: 'jigqBygbCY', 'tDhqaTgEcd', 'e1Qq8Gbl62', 'BauqsotPLY', 'iEYqibSLsi', 'iJWqD6IsUW', 'RVxmBlteOuB3LbryVq', 'uOG9mX8nWL8NtAnOXO', 'fr6qqx2D6J', 'UvrqMubBmA'
Source: 0.2.SecuriteInfo.com.W32.Trojan.SW.gen.Eldorado.19987.15855.exe.472b5f0.2.raw.unpack, Kgf4xNGn4VbYqvmk5H.cs	High entropy of concatenated method names: 'Q8CrC6P9o0', 'zJXrOrc8De', 'JI9Iy95l6s', 'aqbIqiokhx', 'xJXroCNBqB', 'wLKr4Hjje2', 'ig9rJcuvPa', 'vfTr0I77LI', 'j4kr9NsNHH', 'yn0r1XY54L'
Source: 0.2.SecuriteInfo.com.W32.Trojan.SW.gen.Eldorado.19987.15855.exe.472b5f0.2.raw.unpack, lOsHXAsovXZfc94OB5.cs	High entropy of concatenated method names: 'WktMU2cTbG', 'x5hM3yGQUM', 'gRpMwPZJe1', 'UPYMn1JRLN', 'LjlM2fgDtf', 'r2bMXgUbuY', 'Fr4MBT33D2', 'vBpMaqk9aq', 'ko9Mj8HQLZ', 'RyZM85rkTZ'
Source: 0.2.SecuriteInfo.com.W32.Trojan.SW.gen.Eldorado.19987.15855.exe.472b5f0.2.raw.unpack, LB6mXH10Ukg0a6Bg1Fb.cs	High entropy of concatenated method names: 'eZDWZyXd0D', 'LLPWd6yhiJ', 'z2uWb2hBwt', 'amAWKJoZMP', 'swnWmeVjEy', 'opGWY2eX1r', 'VdrWgRdSPU', 'zAMWThCyys', 'CN1W6qRsLr', 'K2QWhBSeYO'
Source: 0.2.SecuriteInfo.com.W32.Trojan.SW.gen.Eldorado.19987.15855.exe.472b5f0.2.raw.unpack, OEUYs3ofI7bWQpg2kV.cs	High entropy of concatenated method names: 'G4oI7WkAoK', 'syeIA30dth', 'TuFIP7hPlF', 'rcdIFo7Hij', 'A5MI0jyQnJ', 'vchILcbcKO', 'Next', 'Next', 'Next', 'NextBytes'

Hooking and other Techniques for Hiding and Protection

Loading BitLocker PowerShell Module

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1	Jump to behavior

Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.Trojan.SW.gen.Eldorado.19987.15855.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.Trojan.SW.gen.Eldorado.19987.15855.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.Trojan.SW.gen.Eldorado.19987.15855.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.Trojan.SW.gen.Eldorado.19987.15855.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.Trojan.SW.gen.Eldorado.19987.15855.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.Trojan.SW.gen.Eldorado.19987.15855.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.Trojan.SW.gen.Eldorado.19987.15855.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.Trojan.SW.gen.Eldorado.19987.15855.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.Trojan.SW.gen.Eldorado.19987.15855.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.Trojan.SW.gen.Eldorado.19987.15855.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.Trojan.SW.gen.Eldorado.19987.15855.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.Trojan.SW.gen.Eldorado.19987.15855.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.Trojan.SW.gen.Eldorado.19987.15855.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.Trojan.SW.gen.Eldorado.19987.15855.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.Trojan.SW.gen.Eldorado.19987.15855.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.Trojan.SW.gen.Eldorado.19987.15855.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.Trojan.SW.gen.Eldorado.19987.15855.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.Trojan.SW.gen.Eldorado.19987.15855.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.Trojan.SW.gen.Eldorado.19987.15855.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.Trojan.SW.gen.Eldorado.19987.15855.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.Trojan.SW.gen.Eldorado.19987.15855.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.Trojan.SW.gen.Eldorado.19987.15855.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.Trojan.SW.gen.Eldorado.19987.15855.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.Trojan.SW.gen.Eldorado.19987.15855.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.Trojan.SW.gen.Eldorado.19987.15855.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.Trojan.SW.gen.Eldorado.19987.15855.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.Trojan.SW.gen.Eldorado.19987.15855.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.Trojan.SW.gen.Eldorado.19987.15855.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.Trojan.SW.gen.Eldorado.19987.15855.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.Trojan.SW.gen.Eldorado.19987.15855.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.Trojan.SW.gen.Eldorado.19987.15855.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.Trojan.SW.gen.Eldorado.19987.15855.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.Trojan.SW.gen.Eldorado.19987.15855.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.Trojan.SW.gen.Eldorado.19987.15855.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.Trojan.SW.gen.Eldorado.19987.15855.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.Trojan.SW.gen.Eldorado.19987.15855.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.Trojan.SW.gen.Eldorado.19987.15855.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.Trojan.SW.gen.Eldorado.19987.15855.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.Trojan.SW.gen.Eldorado.19987.15855.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.Trojan.SW.gen.Eldorado.19987.15855.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.Trojan.SW.gen.Eldorado.19987.15855.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.Trojan.SW.gen.Eldorado.19987.15855.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.Trojan.SW.gen.Eldorado.19987.15855.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.Trojan.SW.gen.Eldorado.19987.15855.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.Trojan.SW.gen.Eldorado.19987.15855.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior

Malware Analysis System Evasion

Yara detected AntiVM3

Source: Yara match

File source: Process Memory Space: SecuriteInfo.com.W32.Trojan.SW.gen.Eldorado.19987.15855.exe PID: 7320, type: MEMORYSTR

Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.Trojan.SW.gen.Eldorado.19987.15855.exe	Memory allocated: 19F0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.Trojan.SW.gen.Eldorado.19987.15855.exe	Memory allocated: 33A0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.Trojan.SW.gen.Eldorado.19987.15855.exe	Memory allocated: 32E0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.Trojan.SW.gen.Eldorado.19987.15855.exe	Memory allocated: 8060000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.Trojan.SW.gen.Eldorado.19987.15855.exe	Memory allocated: 9060000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.Trojan.SW.gen.Eldorado.19987.15855.exe	Memory allocated: 9310000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.Trojan.SW.gen.Eldorado.19987.15855.exe	Memory allocated: A310000 memory reserve \| memory write watch	Jump to behavior

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

Code function: 3_2_019B096E rdtsc

3_2_019B096E

Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.Trojan.SW.gen.Eldorado.19987.15855.exe	Thread delayed: delay time: 922337203685477			Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477			Jump to behavior

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 7468			Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 2308			Jump to behavior

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

API coverage: 0.6 %

Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.Trojan.SW.gen.Eldorado.19987.15855.exe TID: 7340	Thread sleep time: -922337203685477s >= -30000s			Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 7628	Thread sleep time: -4611686018427385s >= -30000s			Jump to behavior

Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.Trojan.SW.gen.Eldorado.19987.15855.exe	Thread delayed: delay time: 922337203685477			Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477			Jump to behavior

Source: SecuriteInfo.com.W32.Trojan.SW.gen.Eldorado.19987.15855.exe, 00000000.00000002.1736378320.0000000001645000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: \??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
Source: SecuriteInfo.com.W32.Trojan.SW.gen.Eldorado.19987.15855.exe, 00000000.00000002.1736378320.0000000001645000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: \??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\

Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.Trojan.SW.gen.Eldorado.19987.15855.exe

Process information queried: ProcessInformation

Jump to behavior

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

Process queried: DebugPort

Jump to behavior

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

Code function: 3_2_019B096E rdtsc

3_2_019B096E

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

Code function: 3_2_00417CC3 LdrLoadDll,

3_2_00417CC3

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 3_2_019F019F mov eax, dword ptr fs:[00000030h]	3_2_019F019F
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 3_2_019F019F mov eax, dword ptr fs:[00000030h]	3_2_019F019F
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 3_2_019F019F mov eax, dword ptr fs:[00000030h]	3_2_019F019F
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 3_2_019F019F mov eax, dword ptr fs:[00000030h]	3_2_019F019F
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 3_2_0196A197 mov eax, dword ptr fs:[00000030h]	3_2_0196A197
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 3_2_0196A197 mov eax, dword ptr fs:[00000030h]	3_2_0196A197
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 3_2_0196A197 mov eax, dword ptr fs:[00000030h]	3_2_0196A197
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 3_2_019B0185 mov eax, dword ptr fs:[00000030h]	3_2_019B0185
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 3_2_01A14180 mov eax, dword ptr fs:[00000030h]	3_2_01A14180
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 3_2_01A14180 mov eax, dword ptr fs:[00000030h]	3_2_01A14180
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 3_2_01A2C188 mov eax, dword ptr fs:[00000030h]	3_2_01A2C188
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 3_2_01A2C188 mov eax, dword ptr fs:[00000030h]	3_2_01A2C188
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 3_2_01A461E5 mov eax, dword ptr fs:[00000030h]	3_2_01A461E5
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 3_2_019EE1D0 mov eax, dword ptr fs:[00000030h]	3_2_019EE1D0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 3_2_019EE1D0 mov eax, dword ptr fs:[00000030h]	3_2_019EE1D0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 3_2_019EE1D0 mov ecx, dword ptr fs:[00000030h]	3_2_019EE1D0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 3_2_019EE1D0 mov eax, dword ptr fs:[00000030h]	3_2_019EE1D0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 3_2_019EE1D0 mov eax, dword ptr fs:[00000030h]	3_2_019EE1D0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 3_2_01A361C3 mov eax, dword ptr fs:[00000030h]	3_2_01A361C3
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 3_2_01A361C3 mov eax, dword ptr fs:[00000030h]	3_2_01A361C3
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 3_2_019A01F8 mov eax, dword ptr fs:[00000030h]	3_2_019A01F8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 3_2_01A1E10E mov eax, dword ptr fs:[00000030h]	3_2_01A1E10E
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 3_2_01A1E10E mov ecx, dword ptr fs:[00000030h]	3_2_01A1E10E
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 3_2_01A1E10E mov eax, dword ptr fs:[00000030h]	3_2_01A1E10E
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 3_2_01A1E10E mov eax, dword ptr fs:[00000030h]	3_2_01A1E10E
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 3_2_01A1E10E mov ecx, dword ptr fs:[00000030h]	3_2_01A1E10E
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 3_2_01A1E10E mov eax, dword ptr fs:[00000030h]	3_2_01A1E10E
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 3_2_01A1E10E mov eax, dword ptr fs:[00000030h]	3_2_01A1E10E
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 3_2_01A1E10E mov ecx, dword ptr fs:[00000030h]	3_2_01A1E10E
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 3_2_01A1E10E mov eax, dword ptr fs:[00000030h]	3_2_01A1E10E
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 3_2_01A1E10E mov ecx, dword ptr fs:[00000030h]	3_2_01A1E10E
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 3_2_01A30115 mov eax, dword ptr fs:[00000030h]	3_2_01A30115
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 3_2_01A1A118 mov ecx, dword ptr fs:[00000030h]	3_2_01A1A118
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 3_2_01A1A118 mov eax, dword ptr fs:[00000030h]	3_2_01A1A118
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 3_2_01A1A118 mov eax, dword ptr fs:[00000030h]	3_2_01A1A118
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 3_2_01A1A118 mov eax, dword ptr fs:[00000030h]	3_2_01A1A118
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 3_2_019A0124 mov eax, dword ptr fs:[00000030h]	3_2_019A0124
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 3_2_0196C156 mov eax, dword ptr fs:[00000030h]	3_2_0196C156
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 3_2_01A44164 mov eax, dword ptr fs:[00000030h]	3_2_01A44164
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 3_2_01A44164 mov eax, dword ptr fs:[00000030h]	3_2_01A44164
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 3_2_01976154 mov eax, dword ptr fs:[00000030h]	3_2_01976154
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 3_2_01976154 mov eax, dword ptr fs:[00000030h]	3_2_01976154
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 3_2_01A04144 mov eax, dword ptr fs:[00000030h]	3_2_01A04144
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 3_2_01A04144 mov eax, dword ptr fs:[00000030h]	3_2_01A04144
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 3_2_01A04144 mov ecx, dword ptr fs:[00000030h]	3_2_01A04144
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 3_2_01A04144 mov eax, dword ptr fs:[00000030h]	3_2_01A04144
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 3_2_01A04144 mov eax, dword ptr fs:[00000030h]	3_2_01A04144
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 3_2_01A08158 mov eax, dword ptr fs:[00000030h]	3_2_01A08158
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 3_2_01A080A8 mov eax, dword ptr fs:[00000030h]	3_2_01A080A8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 3_2_01A360B8 mov eax, dword ptr fs:[00000030h]	3_2_01A360B8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 3_2_01A360B8 mov ecx, dword ptr fs:[00000030h]	3_2_01A360B8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 3_2_0197208A mov eax, dword ptr fs:[00000030h]	3_2_0197208A
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 3_2_019680A0 mov eax, dword ptr fs:[00000030h]	3_2_019680A0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 3_2_019F20DE mov eax, dword ptr fs:[00000030h]	3_2_019F20DE
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 3_2_0196C0F0 mov eax, dword ptr fs:[00000030h]	3_2_0196C0F0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 3_2_019B20F0 mov ecx, dword ptr fs:[00000030h]	3_2_019B20F0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 3_2_0196A0E3 mov ecx, dword ptr fs:[00000030h]	3_2_0196A0E3
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 3_2_019780E9 mov eax, dword ptr fs:[00000030h]	3_2_019780E9
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 3_2_019F60E0 mov eax, dword ptr fs:[00000030h]	3_2_019F60E0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 3_2_0198E016 mov eax, dword ptr fs:[00000030h]	3_2_0198E016
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 3_2_0198E016 mov eax, dword ptr fs:[00000030h]	3_2_0198E016
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 3_2_0198E016 mov eax, dword ptr fs:[00000030h]	3_2_0198E016
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 3_2_0198E016 mov eax, dword ptr fs:[00000030h]	3_2_0198E016
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 3_2_01A06030 mov eax, dword ptr fs:[00000030h]	3_2_01A06030
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 3_2_019F4000 mov ecx, dword ptr fs:[00000030h]	3_2_019F4000
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 3_2_01A12000 mov eax, dword ptr fs:[00000030h]	3_2_01A12000
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 3_2_01A12000 mov eax, dword ptr fs:[00000030h]	3_2_01A12000
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 3_2_01A12000 mov eax, dword ptr fs:[00000030h]	3_2_01A12000
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 3_2_01A12000 mov eax, dword ptr fs:[00000030h]	3_2_01A12000
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 3_2_01A12000 mov eax, dword ptr fs:[00000030h]	3_2_01A12000
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 3_2_01A12000 mov eax, dword ptr fs:[00000030h]	3_2_01A12000
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 3_2_01A12000 mov eax, dword ptr fs:[00000030h]	3_2_01A12000
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 3_2_01A12000 mov eax, dword ptr fs:[00000030h]	3_2_01A12000
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 3_2_0196A020 mov eax, dword ptr fs:[00000030h]	3_2_0196A020
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 3_2_0196C020 mov eax, dword ptr fs:[00000030h]	3_2_0196C020
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 3_2_01972050 mov eax, dword ptr fs:[00000030h]	3_2_01972050
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 3_2_019F6050 mov eax, dword ptr fs:[00000030h]	3_2_019F6050
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 3_2_0199C073 mov eax, dword ptr fs:[00000030h]	3_2_0199C073
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 3_2_01968397 mov eax, dword ptr fs:[00000030h]	3_2_01968397
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 3_2_01968397 mov eax, dword ptr fs:[00000030h]	3_2_01968397
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 3_2_01968397 mov eax, dword ptr fs:[00000030h]	3_2_01968397
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 3_2_0199438F mov eax, dword ptr fs:[00000030h]	3_2_0199438F
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 3_2_0199438F mov eax, dword ptr fs:[00000030h]	3_2_0199438F
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 3_2_0196E388 mov eax, dword ptr fs:[00000030h]	3_2_0196E388
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 3_2_0196E388 mov eax, dword ptr fs:[00000030h]	3_2_0196E388
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 3_2_0196E388 mov eax, dword ptr fs:[00000030h]	3_2_0196E388
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 3_2_019783C0 mov eax, dword ptr fs:[00000030h]	3_2_019783C0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 3_2_019783C0 mov eax, dword ptr fs:[00000030h]	3_2_019783C0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 3_2_019783C0 mov eax, dword ptr fs:[00000030h]	3_2_019783C0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 3_2_019783C0 mov eax, dword ptr fs:[00000030h]	3_2_019783C0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 3_2_0197A3C0 mov eax, dword ptr fs:[00000030h]	3_2_0197A3C0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 3_2_0197A3C0 mov eax, dword ptr fs:[00000030h]	3_2_0197A3C0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 3_2_0197A3C0 mov eax, dword ptr fs:[00000030h]	3_2_0197A3C0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 3_2_0197A3C0 mov eax, dword ptr fs:[00000030h]	3_2_0197A3C0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 3_2_0197A3C0 mov eax, dword ptr fs:[00000030h]	3_2_0197A3C0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 3_2_0197A3C0 mov eax, dword ptr fs:[00000030h]	3_2_0197A3C0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 3_2_019F63C0 mov eax, dword ptr fs:[00000030h]	3_2_019F63C0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 3_2_019A63FF mov eax, dword ptr fs:[00000030h]	3_2_019A63FF
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 3_2_0198E3F0 mov eax, dword ptr fs:[00000030h]	3_2_0198E3F0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 3_2_0198E3F0 mov eax, dword ptr fs:[00000030h]	3_2_0198E3F0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 3_2_0198E3F0 mov eax, dword ptr fs:[00000030h]	3_2_0198E3F0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 3_2_01A2C3CD mov eax, dword ptr fs:[00000030h]	3_2_01A2C3CD
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 3_2_019803E9 mov eax, dword ptr fs:[00000030h]	3_2_019803E9
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 3_2_019803E9 mov eax, dword ptr fs:[00000030h]	3_2_019803E9
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 3_2_019803E9 mov eax, dword ptr fs:[00000030h]	3_2_019803E9
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 3_2_019803E9 mov eax, dword ptr fs:[00000030h]	3_2_019803E9
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 3_2_019803E9 mov eax, dword ptr fs:[00000030h]	3_2_019803E9
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 3_2_019803E9 mov eax, dword ptr fs:[00000030h]	3_2_019803E9
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 3_2_019803E9 mov eax, dword ptr fs:[00000030h]	3_2_019803E9
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 3_2_019803E9 mov eax, dword ptr fs:[00000030h]	3_2_019803E9
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 3_2_01A143D4 mov eax, dword ptr fs:[00000030h]	3_2_01A143D4
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 3_2_01A143D4 mov eax, dword ptr fs:[00000030h]	3_2_01A143D4
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 3_2_01A1E3DB mov eax, dword ptr fs:[00000030h]	3_2_01A1E3DB
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 3_2_01A1E3DB mov eax, dword ptr fs:[00000030h]	3_2_01A1E3DB
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 3_2_01A1E3DB mov ecx, dword ptr fs:[00000030h]	3_2_01A1E3DB
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 3_2_01A1E3DB mov eax, dword ptr fs:[00000030h]	3_2_01A1E3DB
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 3_2_01A48324 mov eax, dword ptr fs:[00000030h]	3_2_01A48324
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 3_2_01A48324 mov ecx, dword ptr fs:[00000030h]	3_2_01A48324
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 3_2_01A48324 mov eax, dword ptr fs:[00000030h]	3_2_01A48324
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 3_2_01A48324 mov eax, dword ptr fs:[00000030h]	3_2_01A48324
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 3_2_0196C310 mov ecx, dword ptr fs:[00000030h]	3_2_0196C310
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 3_2_01990310 mov ecx, dword ptr fs:[00000030h]	3_2_01990310
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 3_2_019AA30B mov eax, dword ptr fs:[00000030h]	3_2_019AA30B
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 3_2_019AA30B mov eax, dword ptr fs:[00000030h]	3_2_019AA30B
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 3_2_019AA30B mov eax, dword ptr fs:[00000030h]	3_2_019AA30B
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 3_2_019F035C mov eax, dword ptr fs:[00000030h]	3_2_019F035C
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 3_2_019F035C mov eax, dword ptr fs:[00000030h]	3_2_019F035C
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 3_2_019F035C mov eax, dword ptr fs:[00000030h]	3_2_019F035C
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 3_2_019F035C mov ecx, dword ptr fs:[00000030h]	3_2_019F035C
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 3_2_019F035C mov eax, dword ptr fs:[00000030h]	3_2_019F035C
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 3_2_019F035C mov eax, dword ptr fs:[00000030h]	3_2_019F035C
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 3_2_019F2349 mov eax, dword ptr fs:[00000030h]	3_2_019F2349
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 3_2_019F2349 mov eax, dword ptr fs:[00000030h]	3_2_019F2349
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 3_2_019F2349 mov eax, dword ptr fs:[00000030h]	3_2_019F2349
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 3_2_019F2349 mov eax, dword ptr fs:[00000030h]	3_2_019F2349
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 3_2_019F2349 mov eax, dword ptr fs:[00000030h]	3_2_019F2349
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 3_2_019F2349 mov eax, dword ptr fs:[00000030h]	3_2_019F2349
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 3_2_019F2349 mov eax, dword ptr fs:[00000030h]	3_2_019F2349
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 3_2_019F2349 mov eax, dword ptr fs:[00000030h]	3_2_019F2349
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 3_2_019F2349 mov eax, dword ptr fs:[00000030h]	3_2_019F2349
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 3_2_019F2349 mov eax, dword ptr fs:[00000030h]	3_2_019F2349
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 3_2_019F2349 mov eax, dword ptr fs:[00000030h]	3_2_019F2349
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 3_2_019F2349 mov eax, dword ptr fs:[00000030h]	3_2_019F2349
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 3_2_019F2349 mov eax, dword ptr fs:[00000030h]	3_2_019F2349
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 3_2_019F2349 mov eax, dword ptr fs:[00000030h]	3_2_019F2349
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 3_2_019F2349 mov eax, dword ptr fs:[00000030h]	3_2_019F2349
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 3_2_01A1437C mov eax, dword ptr fs:[00000030h]	3_2_01A1437C
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 3_2_01A4634F mov eax, dword ptr fs:[00000030h]	3_2_01A4634F
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 3_2_01A3A352 mov eax, dword ptr fs:[00000030h]	3_2_01A3A352
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 3_2_01A18350 mov ecx, dword ptr fs:[00000030h]	3_2_01A18350
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 3_2_01A062A0 mov eax, dword ptr fs:[00000030h]	3_2_01A062A0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 3_2_01A062A0 mov ecx, dword ptr fs:[00000030h]	3_2_01A062A0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 3_2_01A062A0 mov eax, dword ptr fs:[00000030h]	3_2_01A062A0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 3_2_01A062A0 mov eax, dword ptr fs:[00000030h]	3_2_01A062A0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 3_2_01A062A0 mov eax, dword ptr fs:[00000030h]	3_2_01A062A0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 3_2_01A062A0 mov eax, dword ptr fs:[00000030h]	3_2_01A062A0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 3_2_019F0283 mov eax, dword ptr fs:[00000030h]	3_2_019F0283
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 3_2_019F0283 mov eax, dword ptr fs:[00000030h]	3_2_019F0283
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 3_2_019F0283 mov eax, dword ptr fs:[00000030h]	3_2_019F0283
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 3_2_019AE284 mov eax, dword ptr fs:[00000030h]	3_2_019AE284
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 3_2_019AE284 mov eax, dword ptr fs:[00000030h]	3_2_019AE284
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 3_2_019802A0 mov eax, dword ptr fs:[00000030h]	3_2_019802A0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 3_2_019802A0 mov eax, dword ptr fs:[00000030h]	3_2_019802A0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 3_2_0197A2C3 mov eax, dword ptr fs:[00000030h]	3_2_0197A2C3
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 3_2_0197A2C3 mov eax, dword ptr fs:[00000030h]	3_2_0197A2C3
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 3_2_0197A2C3 mov eax, dword ptr fs:[00000030h]	3_2_0197A2C3
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 3_2_0197A2C3 mov eax, dword ptr fs:[00000030h]	3_2_0197A2C3
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 3_2_0197A2C3 mov eax, dword ptr fs:[00000030h]	3_2_0197A2C3
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 3_2_01A462D6 mov eax, dword ptr fs:[00000030h]	3_2_01A462D6
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 3_2_019802E1 mov eax, dword ptr fs:[00000030h]	3_2_019802E1
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 3_2_019802E1 mov eax, dword ptr fs:[00000030h]	3_2_019802E1
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 3_2_019802E1 mov eax, dword ptr fs:[00000030h]	3_2_019802E1
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 3_2_0196823B mov eax, dword ptr fs:[00000030h]	3_2_0196823B
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 3_2_0196A250 mov eax, dword ptr fs:[00000030h]	3_2_0196A250
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 3_2_01976259 mov eax, dword ptr fs:[00000030h]	3_2_01976259
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 3_2_01A20274 mov eax, dword ptr fs:[00000030h]	3_2_01A20274
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 3_2_01A20274 mov eax, dword ptr fs:[00000030h]	3_2_01A20274
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 3_2_01A20274 mov eax, dword ptr fs:[00000030h]	3_2_01A20274
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 3_2_01A20274 mov eax, dword ptr fs:[00000030h]	3_2_01A20274
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 3_2_01A20274 mov eax, dword ptr fs:[00000030h]	3_2_01A20274
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 3_2_01A20274 mov eax, dword ptr fs:[00000030h]	3_2_01A20274
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 3_2_01A20274 mov eax, dword ptr fs:[00000030h]	3_2_01A20274
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 3_2_01A20274 mov eax, dword ptr fs:[00000030h]	3_2_01A20274
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 3_2_01A20274 mov eax, dword ptr fs:[00000030h]	3_2_01A20274
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 3_2_01A20274 mov eax, dword ptr fs:[00000030h]	3_2_01A20274
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 3_2_01A20274 mov eax, dword ptr fs:[00000030h]	3_2_01A20274
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 3_2_01A20274 mov eax, dword ptr fs:[00000030h]	3_2_01A20274
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 3_2_019F8243 mov eax, dword ptr fs:[00000030h]	3_2_019F8243
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 3_2_019F8243 mov ecx, dword ptr fs:[00000030h]	3_2_019F8243
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 3_2_01A2A250 mov eax, dword ptr fs:[00000030h]	3_2_01A2A250
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 3_2_01A2A250 mov eax, dword ptr fs:[00000030h]	3_2_01A2A250
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 3_2_01974260 mov eax, dword ptr fs:[00000030h]	3_2_01974260
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 3_2_01974260 mov eax, dword ptr fs:[00000030h]	3_2_01974260
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 3_2_01974260 mov eax, dword ptr fs:[00000030h]	3_2_01974260
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 3_2_01A4625D mov eax, dword ptr fs:[00000030h]	3_2_01A4625D
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 3_2_0196826B mov eax, dword ptr fs:[00000030h]	3_2_0196826B
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 3_2_019AE59C mov eax, dword ptr fs:[00000030h]	3_2_019AE59C
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 3_2_019A4588 mov eax, dword ptr fs:[00000030h]	3_2_019A4588
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 3_2_01972582 mov eax, dword ptr fs:[00000030h]	3_2_01972582
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 3_2_01972582 mov ecx, dword ptr fs:[00000030h]	3_2_01972582
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 3_2_019945B1 mov eax, dword ptr fs:[00000030h]	3_2_019945B1
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 3_2_019945B1 mov eax, dword ptr fs:[00000030h]	3_2_019945B1
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 3_2_019F05A7 mov eax, dword ptr fs:[00000030h]	3_2_019F05A7
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 3_2_019F05A7 mov eax, dword ptr fs:[00000030h]	3_2_019F05A7
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 3_2_019F05A7 mov eax, dword ptr fs:[00000030h]	3_2_019F05A7
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 3_2_019765D0 mov eax, dword ptr fs:[00000030h]	3_2_019765D0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 3_2_019AA5D0 mov eax, dword ptr fs:[00000030h]	3_2_019AA5D0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 3_2_019AA5D0 mov eax, dword ptr fs:[00000030h]	3_2_019AA5D0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 3_2_019AE5CF mov eax, dword ptr fs:[00000030h]	3_2_019AE5CF
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 3_2_019AE5CF mov eax, dword ptr fs:[00000030h]	3_2_019AE5CF
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 3_2_019725E0 mov eax, dword ptr fs:[00000030h]	3_2_019725E0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 3_2_019AC5ED mov eax, dword ptr fs:[00000030h]	3_2_019AC5ED
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 3_2_019AC5ED mov eax, dword ptr fs:[00000030h]	3_2_019AC5ED
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 3_2_0199E5E7 mov eax, dword ptr fs:[00000030h]	3_2_0199E5E7
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 3_2_0199E5E7 mov eax, dword ptr fs:[00000030h]	3_2_0199E5E7
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 3_2_0199E5E7 mov eax, dword ptr fs:[00000030h]	3_2_0199E5E7
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 3_2_0199E5E7 mov eax, dword ptr fs:[00000030h]	3_2_0199E5E7
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 3_2_0199E5E7 mov eax, dword ptr fs:[00000030h]	3_2_0199E5E7
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 3_2_0199E5E7 mov eax, dword ptr fs:[00000030h]	3_2_0199E5E7
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 3_2_0199E5E7 mov eax, dword ptr fs:[00000030h]	3_2_0199E5E7
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 3_2_0199E5E7 mov eax, dword ptr fs:[00000030h]	3_2_0199E5E7
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 3_2_01A06500 mov eax, dword ptr fs:[00000030h]	3_2_01A06500
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 3_2_01A44500 mov eax, dword ptr fs:[00000030h]	3_2_01A44500
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 3_2_01A44500 mov eax, dword ptr fs:[00000030h]	3_2_01A44500
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 3_2_01A44500 mov eax, dword ptr fs:[00000030h]	3_2_01A44500
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 3_2_01A44500 mov eax, dword ptr fs:[00000030h]	3_2_01A44500
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 3_2_01A44500 mov eax, dword ptr fs:[00000030h]	3_2_01A44500
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 3_2_01A44500 mov eax, dword ptr fs:[00000030h]	3_2_01A44500
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 3_2_01A44500 mov eax, dword ptr fs:[00000030h]	3_2_01A44500
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 3_2_0199E53E mov eax, dword ptr fs:[00000030h]	3_2_0199E53E
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 3_2_0199E53E mov eax, dword ptr fs:[00000030h]	3_2_0199E53E
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 3_2_0199E53E mov eax, dword ptr fs:[00000030h]	3_2_0199E53E
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 3_2_0199E53E mov eax, dword ptr fs:[00000030h]	3_2_0199E53E
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 3_2_0199E53E mov eax, dword ptr fs:[00000030h]	3_2_0199E53E
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 3_2_01980535 mov eax, dword ptr fs:[00000030h]	3_2_01980535
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 3_2_01980535 mov eax, dword ptr fs:[00000030h]	3_2_01980535
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 3_2_01980535 mov eax, dword ptr fs:[00000030h]	3_2_01980535
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 3_2_01980535 mov eax, dword ptr fs:[00000030h]	3_2_01980535
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 3_2_01980535 mov eax, dword ptr fs:[00000030h]	3_2_01980535
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 3_2_01980535 mov eax, dword ptr fs:[00000030h]	3_2_01980535
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 3_2_01978550 mov eax, dword ptr fs:[00000030h]	3_2_01978550
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 3_2_01978550 mov eax, dword ptr fs:[00000030h]	3_2_01978550
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 3_2_019A656A mov eax, dword ptr fs:[00000030h]	3_2_019A656A
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 3_2_019A656A mov eax, dword ptr fs:[00000030h]	3_2_019A656A
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 3_2_019A656A mov eax, dword ptr fs:[00000030h]	3_2_019A656A
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 3_2_019A44B0 mov ecx, dword ptr fs:[00000030h]	3_2_019A44B0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 3_2_019FA4B0 mov eax, dword ptr fs:[00000030h]	3_2_019FA4B0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 3_2_01A2A49A mov eax, dword ptr fs:[00000030h]	3_2_01A2A49A
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 3_2_019764AB mov eax, dword ptr fs:[00000030h]	3_2_019764AB
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 3_2_019704E5 mov ecx, dword ptr fs:[00000030h]	3_2_019704E5
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 3_2_019A8402 mov eax, dword ptr fs:[00000030h]	3_2_019A8402
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 3_2_019A8402 mov eax, dword ptr fs:[00000030h]	3_2_019A8402
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 3_2_019A8402 mov eax, dword ptr fs:[00000030h]	3_2_019A8402
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 3_2_019AA430 mov eax, dword ptr fs:[00000030h]	3_2_019AA430
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 3_2_0196C427 mov eax, dword ptr fs:[00000030h]	3_2_0196C427
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 3_2_0196E420 mov eax, dword ptr fs:[00000030h]	3_2_0196E420
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 3_2_0196E420 mov eax, dword ptr fs:[00000030h]	3_2_0196E420
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 3_2_0196E420 mov eax, dword ptr fs:[00000030h]	3_2_0196E420
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 3_2_019F6420 mov eax, dword ptr fs:[00000030h]	3_2_019F6420
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 3_2_019F6420 mov eax, dword ptr fs:[00000030h]	3_2_019F6420
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 3_2_019F6420 mov eax, dword ptr fs:[00000030h]	3_2_019F6420
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 3_2_019F6420 mov eax, dword ptr fs:[00000030h]	3_2_019F6420
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 3_2_019F6420 mov eax, dword ptr fs:[00000030h]	3_2_019F6420
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 3_2_019F6420 mov eax, dword ptr fs:[00000030h]	3_2_019F6420
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 3_2_019F6420 mov eax, dword ptr fs:[00000030h]	3_2_019F6420
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 3_2_0199245A mov eax, dword ptr fs:[00000030h]	3_2_0199245A
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 3_2_0196645D mov eax, dword ptr fs:[00000030h]	3_2_0196645D
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 3_2_019AE443 mov eax, dword ptr fs:[00000030h]	3_2_019AE443
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 3_2_019AE443 mov eax, dword ptr fs:[00000030h]	3_2_019AE443
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 3_2_019AE443 mov eax, dword ptr fs:[00000030h]	3_2_019AE443
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 3_2_019AE443 mov eax, dword ptr fs:[00000030h]	3_2_019AE443
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 3_2_019AE443 mov eax, dword ptr fs:[00000030h]	3_2_019AE443
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 3_2_019AE443 mov eax, dword ptr fs:[00000030h]	3_2_019AE443
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 3_2_019AE443 mov eax, dword ptr fs:[00000030h]	3_2_019AE443
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 3_2_019AE443 mov eax, dword ptr fs:[00000030h]	3_2_019AE443
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 3_2_0199A470 mov eax, dword ptr fs:[00000030h]	3_2_0199A470
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 3_2_0199A470 mov eax, dword ptr fs:[00000030h]	3_2_0199A470
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 3_2_0199A470 mov eax, dword ptr fs:[00000030h]	3_2_0199A470
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 3_2_01A2A456 mov eax, dword ptr fs:[00000030h]	3_2_01A2A456
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 3_2_019FC460 mov ecx, dword ptr fs:[00000030h]	3_2_019FC460
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 3_2_01A247A0 mov eax, dword ptr fs:[00000030h]	3_2_01A247A0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 3_2_01A1678E mov eax, dword ptr fs:[00000030h]	3_2_01A1678E
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 3_2_019707AF mov eax, dword ptr fs:[00000030h]	3_2_019707AF
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 3_2_0197C7C0 mov eax, dword ptr fs:[00000030h]	3_2_0197C7C0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 3_2_019F07C3 mov eax, dword ptr fs:[00000030h]	3_2_019F07C3
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 3_2_019747FB mov eax, dword ptr fs:[00000030h]	3_2_019747FB
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 3_2_019747FB mov eax, dword ptr fs:[00000030h]	3_2_019747FB
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 3_2_019927ED mov eax, dword ptr fs:[00000030h]	3_2_019927ED
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 3_2_019927ED mov eax, dword ptr fs:[00000030h]	3_2_019927ED
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 3_2_019927ED mov eax, dword ptr fs:[00000030h]	3_2_019927ED
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 3_2_019FE7E1 mov eax, dword ptr fs:[00000030h]	3_2_019FE7E1
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 3_2_01970710 mov eax, dword ptr fs:[00000030h]	3_2_01970710
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 3_2_019A0710 mov eax, dword ptr fs:[00000030h]	3_2_019A0710
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 3_2_019AC700 mov eax, dword ptr fs:[00000030h]	3_2_019AC700
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 3_2_019A273C mov eax, dword ptr fs:[00000030h]	3_2_019A273C
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 3_2_019A273C mov ecx, dword ptr fs:[00000030h]	3_2_019A273C
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 3_2_019A273C mov eax, dword ptr fs:[00000030h]	3_2_019A273C
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 3_2_019EC730 mov eax, dword ptr fs:[00000030h]	3_2_019EC730
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 3_2_019AC720 mov eax, dword ptr fs:[00000030h]	3_2_019AC720
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 3_2_019AC720 mov eax, dword ptr fs:[00000030h]	3_2_019AC720
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 3_2_019FE75D mov eax, dword ptr fs:[00000030h]	3_2_019FE75D
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 3_2_01970750 mov eax, dword ptr fs:[00000030h]	3_2_01970750
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 3_2_019F4755 mov eax, dword ptr fs:[00000030h]	3_2_019F4755
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 3_2_019B2750 mov eax, dword ptr fs:[00000030h]	3_2_019B2750
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 3_2_019B2750 mov eax, dword ptr fs:[00000030h]	3_2_019B2750
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 3_2_019A674D mov esi, dword ptr fs:[00000030h]	3_2_019A674D
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 3_2_019A674D mov eax, dword ptr fs:[00000030h]	3_2_019A674D
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 3_2_019A674D mov eax, dword ptr fs:[00000030h]	3_2_019A674D
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 3_2_01978770 mov eax, dword ptr fs:[00000030h]	3_2_01978770
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 3_2_01980770 mov eax, dword ptr fs:[00000030h]	3_2_01980770
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 3_2_01980770 mov eax, dword ptr fs:[00000030h]	3_2_01980770
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 3_2_01980770 mov eax, dword ptr fs:[00000030h]	3_2_01980770
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 3_2_01980770 mov eax, dword ptr fs:[00000030h]	3_2_01980770
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 3_2_01980770 mov eax, dword ptr fs:[00000030h]	3_2_01980770
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 3_2_01980770 mov eax, dword ptr fs:[00000030h]	3_2_01980770
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 3_2_01980770 mov eax, dword ptr fs:[00000030h]	3_2_01980770
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 3_2_01980770 mov eax, dword ptr fs:[00000030h]	3_2_01980770
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 3_2_01980770 mov eax, dword ptr fs:[00000030h]	3_2_01980770
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 3_2_01980770 mov eax, dword ptr fs:[00000030h]	3_2_01980770
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 3_2_01980770 mov eax, dword ptr fs:[00000030h]	3_2_01980770
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 3_2_01980770 mov eax, dword ptr fs:[00000030h]	3_2_01980770
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 3_2_01974690 mov eax, dword ptr fs:[00000030h]	3_2_01974690
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 3_2_01974690 mov eax, dword ptr fs:[00000030h]	3_2_01974690
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 3_2_019A66B0 mov eax, dword ptr fs:[00000030h]	3_2_019A66B0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 3_2_019AC6A6 mov eax, dword ptr fs:[00000030h]	3_2_019AC6A6
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 3_2_019AA6C7 mov ebx, dword ptr fs:[00000030h]	3_2_019AA6C7
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 3_2_019AA6C7 mov eax, dword ptr fs:[00000030h]	3_2_019AA6C7
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 3_2_019EE6F2 mov eax, dword ptr fs:[00000030h]	3_2_019EE6F2
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 3_2_019EE6F2 mov eax, dword ptr fs:[00000030h]	3_2_019EE6F2
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 3_2_019EE6F2 mov eax, dword ptr fs:[00000030h]	3_2_019EE6F2
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 3_2_019EE6F2 mov eax, dword ptr fs:[00000030h]	3_2_019EE6F2
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 3_2_019F06F1 mov eax, dword ptr fs:[00000030h]	3_2_019F06F1
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 3_2_019F06F1 mov eax, dword ptr fs:[00000030h]	3_2_019F06F1
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 3_2_019B2619 mov eax, dword ptr fs:[00000030h]	3_2_019B2619
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 3_2_0198260B mov eax, dword ptr fs:[00000030h]	3_2_0198260B
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 3_2_0198260B mov eax, dword ptr fs:[00000030h]	3_2_0198260B
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 3_2_0198260B mov eax, dword ptr fs:[00000030h]	3_2_0198260B
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 3_2_0198260B mov eax, dword ptr fs:[00000030h]	3_2_0198260B
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 3_2_0198260B mov eax, dword ptr fs:[00000030h]	3_2_0198260B
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 3_2_0198260B mov eax, dword ptr fs:[00000030h]	3_2_0198260B
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 3_2_0198260B mov eax, dword ptr fs:[00000030h]	3_2_0198260B
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 3_2_019EE609 mov eax, dword ptr fs:[00000030h]	3_2_019EE609
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 3_2_019A6620 mov eax, dword ptr fs:[00000030h]	3_2_019A6620
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 3_2_019A8620 mov eax, dword ptr fs:[00000030h]	3_2_019A8620
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 3_2_0197262C mov eax, dword ptr fs:[00000030h]	3_2_0197262C
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 3_2_0198E627 mov eax, dword ptr fs:[00000030h]	3_2_0198E627
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 3_2_01A3866E mov eax, dword ptr fs:[00000030h]	3_2_01A3866E
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 3_2_01A3866E mov eax, dword ptr fs:[00000030h]	3_2_01A3866E
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 3_2_0198C640 mov eax, dword ptr fs:[00000030h]	3_2_0198C640
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 3_2_019A2674 mov eax, dword ptr fs:[00000030h]	3_2_019A2674
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 3_2_019AA660 mov eax, dword ptr fs:[00000030h]	3_2_019AA660
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 3_2_019AA660 mov eax, dword ptr fs:[00000030h]	3_2_019AA660
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 3_2_019F89B3 mov esi, dword ptr fs:[00000030h]	3_2_019F89B3
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 3_2_019F89B3 mov eax, dword ptr fs:[00000030h]	3_2_019F89B3
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 3_2_019F89B3 mov eax, dword ptr fs:[00000030h]	3_2_019F89B3
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 3_2_019829A0 mov eax, dword ptr fs:[00000030h]	3_2_019829A0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 3_2_019829A0 mov eax, dword ptr fs:[00000030h]	3_2_019829A0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 3_2_019829A0 mov eax, dword ptr fs:[00000030h]	3_2_019829A0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 3_2_019829A0 mov eax, dword ptr fs:[00000030h]	3_2_019829A0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 3_2_019829A0 mov eax, dword ptr fs:[00000030h]	3_2_019829A0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 3_2_019829A0 mov eax, dword ptr fs:[00000030h]	3_2_019829A0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 3_2_019829A0 mov eax, dword ptr fs:[00000030h]	3_2_019829A0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 3_2_019829A0 mov eax, dword ptr fs:[00000030h]	3_2_019829A0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 3_2_019829A0 mov eax, dword ptr fs:[00000030h]	3_2_019829A0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 3_2_019829A0 mov eax, dword ptr fs:[00000030h]	3_2_019829A0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 3_2_019829A0 mov eax, dword ptr fs:[00000030h]	3_2_019829A0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 3_2_019829A0 mov eax, dword ptr fs:[00000030h]	3_2_019829A0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 3_2_019829A0 mov eax, dword ptr fs:[00000030h]	3_2_019829A0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 3_2_019709AD mov eax, dword ptr fs:[00000030h]	3_2_019709AD
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 3_2_019709AD mov eax, dword ptr fs:[00000030h]	3_2_019709AD
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 3_2_0197A9D0 mov eax, dword ptr fs:[00000030h]	3_2_0197A9D0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 3_2_0197A9D0 mov eax, dword ptr fs:[00000030h]	3_2_0197A9D0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 3_2_0197A9D0 mov eax, dword ptr fs:[00000030h]	3_2_0197A9D0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 3_2_0197A9D0 mov eax, dword ptr fs:[00000030h]	3_2_0197A9D0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 3_2_0197A9D0 mov eax, dword ptr fs:[00000030h]	3_2_0197A9D0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 3_2_0197A9D0 mov eax, dword ptr fs:[00000030h]	3_2_0197A9D0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 3_2_019A49D0 mov eax, dword ptr fs:[00000030h]	3_2_019A49D0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 3_2_01A069C0 mov eax, dword ptr fs:[00000030h]	3_2_01A069C0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 3_2_019A29F9 mov eax, dword ptr fs:[00000030h]	3_2_019A29F9
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 3_2_019A29F9 mov eax, dword ptr fs:[00000030h]	3_2_019A29F9
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 3_2_01A3A9D3 mov eax, dword ptr fs:[00000030h]	3_2_01A3A9D3
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 3_2_019FE9E0 mov eax, dword ptr fs:[00000030h]	3_2_019FE9E0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 3_2_01A0892B mov eax, dword ptr fs:[00000030h]	3_2_01A0892B
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 3_2_019FC912 mov eax, dword ptr fs:[00000030h]	3_2_019FC912
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 3_2_01968918 mov eax, dword ptr fs:[00000030h]	3_2_01968918
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 3_2_01968918 mov eax, dword ptr fs:[00000030h]	3_2_01968918
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 3_2_019EE908 mov eax, dword ptr fs:[00000030h]	3_2_019EE908
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 3_2_019EE908 mov eax, dword ptr fs:[00000030h]	3_2_019EE908
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 3_2_019F892A mov eax, dword ptr fs:[00000030h]	3_2_019F892A
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 3_2_019F0946 mov eax, dword ptr fs:[00000030h]	3_2_019F0946
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 3_2_01A14978 mov eax, dword ptr fs:[00000030h]	3_2_01A14978
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 3_2_01A14978 mov eax, dword ptr fs:[00000030h]	3_2_01A14978
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 3_2_019FC97C mov eax, dword ptr fs:[00000030h]	3_2_019FC97C
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 3_2_01A44940 mov eax, dword ptr fs:[00000030h]	3_2_01A44940
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 3_2_019B096E mov eax, dword ptr fs:[00000030h]	3_2_019B096E
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 3_2_019B096E mov edx, dword ptr fs:[00000030h]	3_2_019B096E
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 3_2_019B096E mov eax, dword ptr fs:[00000030h]	3_2_019B096E
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 3_2_01996962 mov eax, dword ptr fs:[00000030h]	3_2_01996962
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 3_2_01996962 mov eax, dword ptr fs:[00000030h]	3_2_01996962
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 3_2_01996962 mov eax, dword ptr fs:[00000030h]	3_2_01996962
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 3_2_019FC89D mov eax, dword ptr fs:[00000030h]	3_2_019FC89D
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 3_2_01970887 mov eax, dword ptr fs:[00000030h]	3_2_01970887
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 3_2_01A3A8E4 mov eax, dword ptr fs:[00000030h]	3_2_01A3A8E4
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 3_2_0199E8C0 mov eax, dword ptr fs:[00000030h]	3_2_0199E8C0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 3_2_019AC8F9 mov eax, dword ptr fs:[00000030h]	3_2_019AC8F9
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 3_2_019AC8F9 mov eax, dword ptr fs:[00000030h]	3_2_019AC8F9
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 3_2_01A408C0 mov eax, dword ptr fs:[00000030h]	3_2_01A408C0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 3_2_019FC810 mov eax, dword ptr fs:[00000030h]	3_2_019FC810
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 3_2_01A1483A mov eax, dword ptr fs:[00000030h]	3_2_01A1483A
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 3_2_01A1483A mov eax, dword ptr fs:[00000030h]	3_2_01A1483A
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 3_2_019AA830 mov eax, dword ptr fs:[00000030h]	3_2_019AA830
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 3_2_01992835 mov eax, dword ptr fs:[00000030h]	3_2_01992835
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 3_2_01992835 mov eax, dword ptr fs:[00000030h]	3_2_01992835
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 3_2_01992835 mov eax, dword ptr fs:[00000030h]	3_2_01992835
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 3_2_01992835 mov ecx, dword ptr fs:[00000030h]	3_2_01992835
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 3_2_01992835 mov eax, dword ptr fs:[00000030h]	3_2_01992835
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 3_2_01992835 mov eax, dword ptr fs:[00000030h]	3_2_01992835
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 3_2_01974859 mov eax, dword ptr fs:[00000030h]	3_2_01974859
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 3_2_01974859 mov eax, dword ptr fs:[00000030h]	3_2_01974859
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 3_2_019A0854 mov eax, dword ptr fs:[00000030h]	3_2_019A0854
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 3_2_01A06870 mov eax, dword ptr fs:[00000030h]	3_2_01A06870
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 3_2_01A06870 mov eax, dword ptr fs:[00000030h]	3_2_01A06870
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 3_2_01982840 mov ecx, dword ptr fs:[00000030h]	3_2_01982840
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 3_2_019FE872 mov eax, dword ptr fs:[00000030h]	3_2_019FE872
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 3_2_019FE872 mov eax, dword ptr fs:[00000030h]	3_2_019FE872
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 3_2_01A24BB0 mov eax, dword ptr fs:[00000030h]	3_2_01A24BB0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 3_2_01A24BB0 mov eax, dword ptr fs:[00000030h]	3_2_01A24BB0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 3_2_01980BBE mov eax, dword ptr fs:[00000030h]	3_2_01980BBE
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 3_2_01980BBE mov eax, dword ptr fs:[00000030h]	3_2_01980BBE
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 3_2_01990BCB mov eax, dword ptr fs:[00000030h]	3_2_01990BCB
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 3_2_01990BCB mov eax, dword ptr fs:[00000030h]	3_2_01990BCB
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 3_2_01990BCB mov eax, dword ptr fs:[00000030h]	3_2_01990BCB
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 3_2_01970BCD mov eax, dword ptr fs:[00000030h]	3_2_01970BCD
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 3_2_01970BCD mov eax, dword ptr fs:[00000030h]	3_2_01970BCD
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 3_2_01970BCD mov eax, dword ptr fs:[00000030h]	3_2_01970BCD
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 3_2_0199EBFC mov eax, dword ptr fs:[00000030h]	3_2_0199EBFC
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 3_2_01978BF0 mov eax, dword ptr fs:[00000030h]	3_2_01978BF0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 3_2_01978BF0 mov eax, dword ptr fs:[00000030h]	3_2_01978BF0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 3_2_01978BF0 mov eax, dword ptr fs:[00000030h]	3_2_01978BF0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 3_2_019FCBF0 mov eax, dword ptr fs:[00000030h]	3_2_019FCBF0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 3_2_01A1EBD0 mov eax, dword ptr fs:[00000030h]	3_2_01A1EBD0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 3_2_019EEB1D mov eax, dword ptr fs:[00000030h]	3_2_019EEB1D
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 3_2_019EEB1D mov eax, dword ptr fs:[00000030h]	3_2_019EEB1D
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 3_2_019EEB1D mov eax, dword ptr fs:[00000030h]	3_2_019EEB1D
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 3_2_019EEB1D mov eax, dword ptr fs:[00000030h]	3_2_019EEB1D
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 3_2_019EEB1D mov eax, dword ptr fs:[00000030h]	3_2_019EEB1D
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 3_2_019EEB1D mov eax, dword ptr fs:[00000030h]	3_2_019EEB1D
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 3_2_019EEB1D mov eax, dword ptr fs:[00000030h]	3_2_019EEB1D
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 3_2_019EEB1D mov eax, dword ptr fs:[00000030h]	3_2_019EEB1D
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 3_2_019EEB1D mov eax, dword ptr fs:[00000030h]	3_2_019EEB1D
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 3_2_01A38B28 mov eax, dword ptr fs:[00000030h]	3_2_01A38B28
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 3_2_01A38B28 mov eax, dword ptr fs:[00000030h]	3_2_01A38B28
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 3_2_01A44B00 mov eax, dword ptr fs:[00000030h]	3_2_01A44B00
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 3_2_0199EB20 mov eax, dword ptr fs:[00000030h]	3_2_0199EB20
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 3_2_0199EB20 mov eax, dword ptr fs:[00000030h]	3_2_0199EB20
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 3_2_01968B50 mov eax, dword ptr fs:[00000030h]	3_2_01968B50
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 3_2_01A06B40 mov eax, dword ptr fs:[00000030h]	3_2_01A06B40
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 3_2_01A06B40 mov eax, dword ptr fs:[00000030h]	3_2_01A06B40
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 3_2_01A3AB40 mov eax, dword ptr fs:[00000030h]	3_2_01A3AB40
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 3_2_01A18B42 mov eax, dword ptr fs:[00000030h]	3_2_01A18B42
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 3_2_0196CB7E mov eax, dword ptr fs:[00000030h]	3_2_0196CB7E
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 3_2_01A24B4B mov eax, dword ptr fs:[00000030h]	3_2_01A24B4B
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 3_2_01A24B4B mov eax, dword ptr fs:[00000030h]	3_2_01A24B4B
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 3_2_01A1EB50 mov eax, dword ptr fs:[00000030h]	3_2_01A1EB50
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 3_2_01A42B57 mov eax, dword ptr fs:[00000030h]	3_2_01A42B57
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 3_2_01A42B57 mov eax, dword ptr fs:[00000030h]	3_2_01A42B57
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 3_2_01A42B57 mov eax, dword ptr fs:[00000030h]	3_2_01A42B57
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 3_2_01A42B57 mov eax, dword ptr fs:[00000030h]	3_2_01A42B57
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 3_2_019A8A90 mov edx, dword ptr fs:[00000030h]	3_2_019A8A90
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 3_2_0197EA80 mov eax, dword ptr fs:[00000030h]	3_2_0197EA80
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 3_2_0197EA80 mov eax, dword ptr fs:[00000030h]	3_2_0197EA80
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 3_2_0197EA80 mov eax, dword ptr fs:[00000030h]	3_2_0197EA80
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 3_2_0197EA80 mov eax, dword ptr fs:[00000030h]	3_2_0197EA80
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 3_2_0197EA80 mov eax, dword ptr fs:[00000030h]	3_2_0197EA80
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 3_2_0197EA80 mov eax, dword ptr fs:[00000030h]	3_2_0197EA80
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 3_2_0197EA80 mov eax, dword ptr fs:[00000030h]	3_2_0197EA80
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 3_2_0197EA80 mov eax, dword ptr fs:[00000030h]	3_2_0197EA80
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 3_2_0197EA80 mov eax, dword ptr fs:[00000030h]	3_2_0197EA80
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 3_2_01A44A80 mov eax, dword ptr fs:[00000030h]	3_2_01A44A80
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 3_2_01978AA0 mov eax, dword ptr fs:[00000030h]	3_2_01978AA0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 3_2_01978AA0 mov eax, dword ptr fs:[00000030h]	3_2_01978AA0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 3_2_019C6AA4 mov eax, dword ptr fs:[00000030h]	3_2_019C6AA4
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 3_2_01970AD0 mov eax, dword ptr fs:[00000030h]	3_2_01970AD0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 3_2_019A4AD0 mov eax, dword ptr fs:[00000030h]	3_2_019A4AD0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 3_2_019A4AD0 mov eax, dword ptr fs:[00000030h]	3_2_019A4AD0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 3_2_019C6ACC mov eax, dword ptr fs:[00000030h]	3_2_019C6ACC
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 3_2_019C6ACC mov eax, dword ptr fs:[00000030h]	3_2_019C6ACC
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 3_2_019C6ACC mov eax, dword ptr fs:[00000030h]	3_2_019C6ACC
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 3_2_019AAAEE mov eax, dword ptr fs:[00000030h]	3_2_019AAAEE
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 3_2_019AAAEE mov eax, dword ptr fs:[00000030h]	3_2_019AAAEE
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 3_2_019FCA11 mov eax, dword ptr fs:[00000030h]	3_2_019FCA11
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 3_2_019ACA38 mov eax, dword ptr fs:[00000030h]	3_2_019ACA38
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 3_2_01994A35 mov eax, dword ptr fs:[00000030h]	3_2_01994A35
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 3_2_01994A35 mov eax, dword ptr fs:[00000030h]	3_2_01994A35
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 3_2_0199EA2E mov eax, dword ptr fs:[00000030h]	3_2_0199EA2E
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 3_2_019ACA24 mov eax, dword ptr fs:[00000030h]	3_2_019ACA24
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 3_2_01A1EA60 mov eax, dword ptr fs:[00000030h]	3_2_01A1EA60
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 3_2_01980A5B mov eax, dword ptr fs:[00000030h]	3_2_01980A5B
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 3_2_01980A5B mov eax, dword ptr fs:[00000030h]	3_2_01980A5B
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 3_2_01976A50 mov eax, dword ptr fs:[00000030h]	3_2_01976A50

Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.Trojan.SW.gen.Eldorado.19987.15855.exe	Process token adjusted: Debug			Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process token adjusted: Debug			Jump to behavior

Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.Trojan.SW.gen.Eldorado.19987.15855.exe

Memory allocated: page read and write | page guard

Jump to behavior

HIPS / PFW / Operating System Protection Evasion

Adds a directory exclusion to Windows Defender

Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.Trojan.SW.gen.Eldorado.19987.15855.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\SecuriteInfo.com.W32.Trojan.SW.gen.Eldorado.19987.15855.exe"
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.Trojan.SW.gen.Eldorado.19987.15855.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\SecuriteInfo.com.W32.Trojan.SW.gen.Eldorado.19987.15855.exe"			Jump to behavior

Allocates memory in foreign processes

Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.Trojan.SW.gen.Eldorado.19987.15855.exe

Memory allocated: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe base: 400000 protect: page execute and read and write

Jump to behavior

Injects a PE file into a foreign processes

Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.Trojan.SW.gen.Eldorado.19987.15855.exe

Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe base: 400000 value starts with: 4D5A

Jump to behavior

Writes to foreign memory regions

Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.Trojan.SW.gen.Eldorado.19987.15855.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe base: 400000	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.Trojan.SW.gen.Eldorado.19987.15855.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe base: 401000	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.Trojan.SW.gen.Eldorado.19987.15855.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe base: 11E9008	Jump to behavior

Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.Trojan.SW.gen.Eldorado.19987.15855.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\SecuriteInfo.com.W32.Trojan.SW.gen.Eldorado.19987.15855.exe"			Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.Trojan.SW.gen.Eldorado.19987.15855.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"			Jump to behavior

Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.Trojan.SW.gen.Eldorado.19987.15855.exe	Queries volume information: C:\Users\user\Desktop\SecuriteInfo.com.W32.Trojan.SW.gen.Eldorado.19987.15855.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.Trojan.SW.gen.Eldorado.19987.15855.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.Trojan.SW.gen.Eldorado.19987.15855.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.Trojan.SW.gen.Eldorado.19987.15855.exe	Queries volume information: C:\Windows\Fonts\bahnschrift.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.Trojan.SW.gen.Eldorado.19987.15855.exe	Queries volume information: C:\Windows\Fonts\bahnschrift.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.Trojan.SW.gen.Eldorado.19987.15855.exe	Queries volume information: C:\Windows\Fonts\bahnschrift.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.Trojan.SW.gen.Eldorado.19987.15855.exe	Queries volume information: C:\Windows\Fonts\bahnschrift.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.Trojan.SW.gen.Eldorado.19987.15855.exe	Queries volume information: C:\Windows\Fonts\bahnschrift.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.Trojan.SW.gen.Eldorado.19987.15855.exe	Queries volume information: C:\Windows\Fonts\bahnschrift.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.Trojan.SW.gen.Eldorado.19987.15855.exe	Queries volume information: C:\Windows\Fonts\bahnschrift.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.Trojan.SW.gen.Eldorado.19987.15855.exe	Queries volume information: C:\Windows\Fonts\bahnschrift.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.Trojan.SW.gen.Eldorado.19987.15855.exe	Queries volume information: C:\Windows\Fonts\bahnschrift.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.Trojan.SW.gen.Eldorado.19987.15855.exe	Queries volume information: C:\Windows\Fonts\bahnschrift.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.Trojan.SW.gen.Eldorado.19987.15855.exe	Queries volume information: C:\Windows\Fonts\calibrili.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.Trojan.SW.gen.Eldorado.19987.15855.exe	Queries volume information: C:\Windows\Fonts\calibrib.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.Trojan.SW.gen.Eldorado.19987.15855.exe	Queries volume information: C:\Windows\Fonts\cambria.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.Trojan.SW.gen.Eldorado.19987.15855.exe	Queries volume information: C:\Windows\Fonts\cambriab.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.Trojan.SW.gen.Eldorado.19987.15855.exe	Queries volume information: C:\Windows\Fonts\cambriaz.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.Trojan.SW.gen.Eldorado.19987.15855.exe	Queries volume information: C:\Windows\Fonts\cambria.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.Trojan.SW.gen.Eldorado.19987.15855.exe	Queries volume information: C:\Windows\Fonts\Candara.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.Trojan.SW.gen.Eldorado.19987.15855.exe	Queries volume information: C:\Windows\Fonts\Candaral.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.Trojan.SW.gen.Eldorado.19987.15855.exe	Queries volume information: C:\Windows\Fonts\Candarai.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.Trojan.SW.gen.Eldorado.19987.15855.exe	Queries volume information: C:\Windows\Fonts\Candarali.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.Trojan.SW.gen.Eldorado.19987.15855.exe	Queries volume information: C:\Windows\Fonts\Candarab.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.Trojan.SW.gen.Eldorado.19987.15855.exe	Queries volume information: C:\Windows\Fonts\Candaraz.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.Trojan.SW.gen.Eldorado.19987.15855.exe	Queries volume information: C:\Windows\Fonts\comic.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.Trojan.SW.gen.Eldorado.19987.15855.exe	Queries volume information: C:\Windows\Fonts\comici.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.Trojan.SW.gen.Eldorado.19987.15855.exe	Queries volume information: C:\Windows\Fonts\comicbd.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.Trojan.SW.gen.Eldorado.19987.15855.exe	Queries volume information: C:\Windows\Fonts\comicz.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.Trojan.SW.gen.Eldorado.19987.15855.exe	Queries volume information: C:\Windows\Fonts\constan.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.Trojan.SW.gen.Eldorado.19987.15855.exe	Queries volume information: C:\Windows\Fonts\constani.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.Trojan.SW.gen.Eldorado.19987.15855.exe	Queries volume information: C:\Windows\Fonts\constanb.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.Trojan.SW.gen.Eldorado.19987.15855.exe	Queries volume information: C:\Windows\Fonts\constanz.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.Trojan.SW.gen.Eldorado.19987.15855.exe	Queries volume information: C:\Windows\Fonts\corbel.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.Trojan.SW.gen.Eldorado.19987.15855.exe	Queries volume information: C:\Windows\Fonts\corbell.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.Trojan.SW.gen.Eldorado.19987.15855.exe	Queries volume information: C:\Windows\Fonts\corbeli.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.Trojan.SW.gen.Eldorado.19987.15855.exe	Queries volume information: C:\Windows\Fonts\corbelli.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.Trojan.SW.gen.Eldorado.19987.15855.exe	Queries volume information: C:\Windows\Fonts\corbelb.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.Trojan.SW.gen.Eldorado.19987.15855.exe	Queries volume information: C:\Windows\Fonts\corbelz.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.Trojan.SW.gen.Eldorado.19987.15855.exe	Queries volume information: C:\Windows\Fonts\cour.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.Trojan.SW.gen.Eldorado.19987.15855.exe	Queries volume information: C:\Windows\Fonts\couri.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.Trojan.SW.gen.Eldorado.19987.15855.exe	Queries volume information: C:\Windows\Fonts\courbd.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.Trojan.SW.gen.Eldorado.19987.15855.exe	Queries volume information: C:\Windows\Fonts\courbi.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.Trojan.SW.gen.Eldorado.19987.15855.exe	Queries volume information: C:\Windows\Fonts\ebrima.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.Trojan.SW.gen.Eldorado.19987.15855.exe	Queries volume information: C:\Windows\Fonts\ebrimabd.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.Trojan.SW.gen.Eldorado.19987.15855.exe	Queries volume information: C:\Windows\Fonts\framd.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.Trojan.SW.gen.Eldorado.19987.15855.exe	Queries volume information: C:\Windows\Fonts\FRADM.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.Trojan.SW.gen.Eldorado.19987.15855.exe	Queries volume information: C:\Windows\Fonts\FRADMIT.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.Trojan.SW.gen.Eldorado.19987.15855.exe	Queries volume information: C:\Windows\Fonts\FRAMDCN.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.Trojan.SW.gen.Eldorado.19987.15855.exe	Queries volume information: C:\Windows\Fonts\FRADMCN.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.Trojan.SW.gen.Eldorado.19987.15855.exe	Queries volume information: C:\Windows\Fonts\FRAHV.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.Trojan.SW.gen.Eldorado.19987.15855.exe	Queries volume information: C:\Windows\Fonts\gadugi.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.Trojan.SW.gen.Eldorado.19987.15855.exe	Queries volume information: C:\Windows\Fonts\gadugib.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.Trojan.SW.gen.Eldorado.19987.15855.exe	Queries volume information: C:\Windows\Fonts\georgia.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.Trojan.SW.gen.Eldorado.19987.15855.exe	Queries volume information: C:\Windows\Fonts\georgiai.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.Trojan.SW.gen.Eldorado.19987.15855.exe	Queries volume information: C:\Windows\Fonts\georgiab.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.Trojan.SW.gen.Eldorado.19987.15855.exe	Queries volume information: C:\Windows\Fonts\georgiaz.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.Trojan.SW.gen.Eldorado.19987.15855.exe	Queries volume information: C:\Windows\Fonts\impact.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.Trojan.SW.gen.Eldorado.19987.15855.exe	Queries volume information: C:\Windows\Fonts\Inkfree.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.Trojan.SW.gen.Eldorado.19987.15855.exe	Queries volume information: C:\Windows\Fonts\javatext.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.Trojan.SW.gen.Eldorado.19987.15855.exe	Queries volume information: C:\Windows\Fonts\LeelawUI.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.Trojan.SW.gen.Eldorado.19987.15855.exe	Queries volume information: C:\Windows\Fonts\LeelUIsl.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.Trojan.SW.gen.Eldorado.19987.15855.exe	Queries volume information: C:\Windows\Fonts\LeelaUIb.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.Trojan.SW.gen.Eldorado.19987.15855.exe	Queries volume information: C:\Windows\Fonts\lucon.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.Trojan.SW.gen.Eldorado.19987.15855.exe	Queries volume information: C:\Windows\Fonts\l_10646.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.Trojan.SW.gen.Eldorado.19987.15855.exe	Queries volume information: C:\Windows\Fonts\malgun.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.Trojan.SW.gen.Eldorado.19987.15855.exe	Queries volume information: C:\Windows\Fonts\malgunsl.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.Trojan.SW.gen.Eldorado.19987.15855.exe	Queries volume information: C:\Windows\Fonts\malgunbd.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.Trojan.SW.gen.Eldorado.19987.15855.exe	Queries volume information: C:\Windows\Fonts\himalaya.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.Trojan.SW.gen.Eldorado.19987.15855.exe	Queries volume information: C:\Windows\Fonts\msjh.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.Trojan.SW.gen.Eldorado.19987.15855.exe	Queries volume information: C:\Windows\Fonts\msjhl.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.Trojan.SW.gen.Eldorado.19987.15855.exe	Queries volume information: C:\Windows\Fonts\msjhbd.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.Trojan.SW.gen.Eldorado.19987.15855.exe	Queries volume information: C:\Windows\Fonts\msjh.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.Trojan.SW.gen.Eldorado.19987.15855.exe	Queries volume information: C:\Windows\Fonts\msjhl.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.Trojan.SW.gen.Eldorado.19987.15855.exe	Queries volume information: C:\Windows\Fonts\msjhbd.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.Trojan.SW.gen.Eldorado.19987.15855.exe	Queries volume information: C:\Windows\Fonts\ntailu.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.Trojan.SW.gen.Eldorado.19987.15855.exe	Queries volume information: C:\Windows\Fonts\ntailub.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.Trojan.SW.gen.Eldorado.19987.15855.exe	Queries volume information: C:\Windows\Fonts\phagspa.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.Trojan.SW.gen.Eldorado.19987.15855.exe	Queries volume information: C:\Windows\Fonts\phagspab.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.Trojan.SW.gen.Eldorado.19987.15855.exe	Queries volume information: C:\Windows\Fonts\micross.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.Trojan.SW.gen.Eldorado.19987.15855.exe	Queries volume information: C:\Windows\Fonts\taile.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.Trojan.SW.gen.Eldorado.19987.15855.exe	Queries volume information: C:\Windows\Fonts\taileb.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.Trojan.SW.gen.Eldorado.19987.15855.exe	Queries volume information: C:\Windows\Fonts\msyh.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.Trojan.SW.gen.Eldorado.19987.15855.exe	Queries volume information: C:\Windows\Fonts\msyhl.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.Trojan.SW.gen.Eldorado.19987.15855.exe	Queries volume information: C:\Windows\Fonts\msyhbd.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.Trojan.SW.gen.Eldorado.19987.15855.exe	Queries volume information: C:\Windows\Fonts\msyh.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.Trojan.SW.gen.Eldorado.19987.15855.exe	Queries volume information: C:\Windows\Fonts\msyhl.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.Trojan.SW.gen.Eldorado.19987.15855.exe	Queries volume information: C:\Windows\Fonts\msyi.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.Trojan.SW.gen.Eldorado.19987.15855.exe	Queries volume information: C:\Windows\Fonts\mingliub.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.Trojan.SW.gen.Eldorado.19987.15855.exe	Queries volume information: C:\Windows\Fonts\mingliub.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.Trojan.SW.gen.Eldorado.19987.15855.exe	Queries volume information: C:\Windows\Fonts\msgothic.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.Trojan.SW.gen.Eldorado.19987.15855.exe	Queries volume information: C:\Windows\Fonts\msgothic.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.Trojan.SW.gen.Eldorado.19987.15855.exe	Queries volume information: C:\Windows\Fonts\mmrtext.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.Trojan.SW.gen.Eldorado.19987.15855.exe	Queries volume information: C:\Windows\Fonts\mmrtextb.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.Trojan.SW.gen.Eldorado.19987.15855.exe	Queries volume information: C:\Windows\Fonts\Nirmala.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.Trojan.SW.gen.Eldorado.19987.15855.exe	Queries volume information: C:\Windows\Fonts\NirmalaS.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.Trojan.SW.gen.Eldorado.19987.15855.exe	Queries volume information: C:\Windows\Fonts\NirmalaB.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.Trojan.SW.gen.Eldorado.19987.15855.exe	Queries volume information: C:\Windows\Fonts\pala.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.Trojan.SW.gen.Eldorado.19987.15855.exe	Queries volume information: C:\Windows\Fonts\palai.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.Trojan.SW.gen.Eldorado.19987.15855.exe	Queries volume information: C:\Windows\Fonts\palab.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.Trojan.SW.gen.Eldorado.19987.15855.exe	Queries volume information: C:\Windows\Fonts\palabi.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.Trojan.SW.gen.Eldorado.19987.15855.exe	Queries volume information: C:\Windows\Fonts\segoepr.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.Trojan.SW.gen.Eldorado.19987.15855.exe	Queries volume information: C:\Windows\Fonts\segoeprb.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.Trojan.SW.gen.Eldorado.19987.15855.exe	Queries volume information: C:\Windows\Fonts\segoesc.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.Trojan.SW.gen.Eldorado.19987.15855.exe	Queries volume information: C:\Windows\Fonts\segoescb.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.Trojan.SW.gen.Eldorado.19987.15855.exe	Queries volume information: C:\Windows\Fonts\seguihis.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.Trojan.SW.gen.Eldorado.19987.15855.exe	Queries volume information: C:\Windows\Fonts\simsun.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.Trojan.SW.gen.Eldorado.19987.15855.exe	Queries volume information: C:\Windows\Fonts\simsunb.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.Trojan.SW.gen.Eldorado.19987.15855.exe	Queries volume information: C:\Windows\Fonts\Sitka.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.Trojan.SW.gen.Eldorado.19987.15855.exe	Queries volume information: C:\Windows\Fonts\SitkaI.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.Trojan.SW.gen.Eldorado.19987.15855.exe	Queries volume information: C:\Windows\Fonts\SitkaB.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.Trojan.SW.gen.Eldorado.19987.15855.exe	Queries volume information: C:\Windows\Fonts\SitkaZ.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.Trojan.SW.gen.Eldorado.19987.15855.exe	Queries volume information: C:\Windows\Fonts\Sitka.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.Trojan.SW.gen.Eldorado.19987.15855.exe	Queries volume information: C:\Windows\Fonts\SitkaI.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.Trojan.SW.gen.Eldorado.19987.15855.exe	Queries volume information: C:\Windows\Fonts\symbol.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.Trojan.SW.gen.Eldorado.19987.15855.exe	Queries volume information: C:\Windows\Fonts\tahoma.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.Trojan.SW.gen.Eldorado.19987.15855.exe	Queries volume information: C:\Windows\Fonts\tahomabd.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.Trojan.SW.gen.Eldorado.19987.15855.exe	Queries volume information: C:\Windows\Fonts\timesi.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.Trojan.SW.gen.Eldorado.19987.15855.exe	Queries volume information: C:\Windows\Fonts\timesbd.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.Trojan.SW.gen.Eldorado.19987.15855.exe	Queries volume information: C:\Windows\Fonts\timesbi.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.Trojan.SW.gen.Eldorado.19987.15855.exe	Queries volume information: C:\Windows\Fonts\trebuc.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.Trojan.SW.gen.Eldorado.19987.15855.exe	Queries volume information: C:\Windows\Fonts\trebucit.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.Trojan.SW.gen.Eldorado.19987.15855.exe	Queries volume information: C:\Windows\Fonts\trebucbd.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.Trojan.SW.gen.Eldorado.19987.15855.exe	Queries volume information: C:\Windows\Fonts\trebucbi.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.Trojan.SW.gen.Eldorado.19987.15855.exe	Queries volume information: C:\Windows\Fonts\verdana.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.Trojan.SW.gen.Eldorado.19987.15855.exe	Queries volume information: C:\Windows\Fonts\verdanai.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.Trojan.SW.gen.Eldorado.19987.15855.exe	Queries volume information: C:\Windows\Fonts\verdanab.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.Trojan.SW.gen.Eldorado.19987.15855.exe	Queries volume information: C:\Windows\Fonts\verdanaz.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.Trojan.SW.gen.Eldorado.19987.15855.exe	Queries volume information: C:\Windows\Fonts\webdings.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.Trojan.SW.gen.Eldorado.19987.15855.exe	Queries volume information: C:\Windows\Fonts\wingding.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.Trojan.SW.gen.Eldorado.19987.15855.exe	Queries volume information: C:\Windows\Fonts\YuGothR.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.Trojan.SW.gen.Eldorado.19987.15855.exe	Queries volume information: C:\Windows\Fonts\YuGothM.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.Trojan.SW.gen.Eldorado.19987.15855.exe	Queries volume information: C:\Windows\Fonts\YuGothB.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.Trojan.SW.gen.Eldorado.19987.15855.exe	Queries volume information: C:\Windows\Fonts\YuGothM.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.Trojan.SW.gen.Eldorado.19987.15855.exe	Queries volume information: C:\Windows\Fonts\YuGothB.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.Trojan.SW.gen.Eldorado.19987.15855.exe	Queries volume information: C:\Windows\Fonts\holomdl2.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.Trojan.SW.gen.Eldorado.19987.15855.exe	Queries volume information: C:\Windows\Fonts\AGENCYR.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.Trojan.SW.gen.Eldorado.19987.15855.exe	Queries volume information: C:\Windows\Fonts\AGENCYB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.Trojan.SW.gen.Eldorado.19987.15855.exe	Queries volume information: C:\Windows\Fonts\BKANT.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.Trojan.SW.gen.Eldorado.19987.15855.exe	Queries volume information: C:\Windows\Fonts\ANTQUAI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.Trojan.SW.gen.Eldorado.19987.15855.exe	Queries volume information: C:\Windows\Fonts\ANTQUABI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.Trojan.SW.gen.Eldorado.19987.15855.exe	Queries volume information: C:\Windows\Fonts\BASKVILL.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.Trojan.SW.gen.Eldorado.19987.15855.exe	Queries volume information: C:\Windows\Fonts\BELL.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.Trojan.SW.gen.Eldorado.19987.15855.exe	Queries volume information: C:\Windows\Fonts\BOD_I.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.Trojan.SW.gen.Eldorado.19987.15855.exe	Queries volume information: C:\Windows\Fonts\BOD_BI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.Trojan.SW.gen.Eldorado.19987.15855.exe	Queries volume information: C:\Windows\Fonts\BOD_CR.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.Trojan.SW.gen.Eldorado.19987.15855.exe	Queries volume information: C:\Windows\Fonts\BRITANIC.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.Trojan.SW.gen.Eldorado.19987.15855.exe	Queries volume information: C:\Windows\Fonts\CALIFI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.Trojan.SW.gen.Eldorado.19987.15855.exe	Queries volume information: C:\Windows\Fonts\CALIST.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.Trojan.SW.gen.Eldorado.19987.15855.exe	Queries volume information: C:\Windows\Fonts\CENSCBK.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.Trojan.SW.gen.Eldorado.19987.15855.exe	Queries volume information: C:\Windows\Fonts\SCHLBKI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.Trojan.SW.gen.Eldorado.19987.15855.exe	Queries volume information: C:\Windows\Fonts\SCHLBKB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.Trojan.SW.gen.Eldorado.19987.15855.exe	Queries volume information: C:\Windows\Fonts\CURLZ___.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.Trojan.SW.gen.Eldorado.19987.15855.exe	Queries volume information: C:\Windows\Fonts\DUBAI-BOLD.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.Trojan.SW.gen.Eldorado.19987.15855.exe	Queries volume information: C:\Windows\Fonts\ERASLGHT.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.Trojan.SW.gen.Eldorado.19987.15855.exe	Queries volume information: C:\Windows\Fonts\FRSCRIPT.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.Trojan.SW.gen.Eldorado.19987.15855.exe	Queries volume information: C:\Windows\Fonts\GARABD.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.Trojan.SW.gen.Eldorado.19987.15855.exe	Queries volume information: C:\Windows\Fonts\GIL_____.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.Trojan.SW.gen.Eldorado.19987.15855.exe	Queries volume information: C:\Windows\Fonts\GLSNECB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.Trojan.SW.gen.Eldorado.19987.15855.exe	Queries volume information: C:\Windows\Fonts\GLECB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.Trojan.SW.gen.Eldorado.19987.15855.exe	Queries volume information: C:\Windows\Fonts\GOTHICB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.Trojan.SW.gen.Eldorado.19987.15855.exe	Queries volume information: C:\Windows\Fonts\GOTHICBI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.Trojan.SW.gen.Eldorado.19987.15855.exe	Queries volume information: C:\Windows\Fonts\GOUDOSI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.Trojan.SW.gen.Eldorado.19987.15855.exe	Queries volume information: C:\Windows\Fonts\GOUDOSB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.Trojan.SW.gen.Eldorado.19987.15855.exe	Queries volume information: C:\Windows\Fonts\GOUDYSTO.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.Trojan.SW.gen.Eldorado.19987.15855.exe	Queries volume information: C:\Windows\Fonts\IMPRISHA.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.Trojan.SW.gen.Eldorado.19987.15855.exe	Queries volume information: C:\Windows\Fonts\JOKERMAN.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.Trojan.SW.gen.Eldorado.19987.15855.exe	Queries volume information: C:\Windows\Fonts\JUICE___.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.Trojan.SW.gen.Eldorado.19987.15855.exe	Queries volume information: C:\Windows\Fonts\LFAXDI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.Trojan.SW.gen.Eldorado.19987.15855.exe	Queries volume information: C:\Windows\Fonts\LSANSD.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.Trojan.SW.gen.Eldorado.19987.15855.exe	Queries volume information: C:\Windows\Fonts\LSANSDI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.Trojan.SW.gen.Eldorado.19987.15855.exe	Queries volume information: C:\Windows\Fonts\LTYPEO.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.Trojan.SW.gen.Eldorado.19987.15855.exe	Queries volume information: C:\Windows\Fonts\LTYPEB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.Trojan.SW.gen.Eldorado.19987.15855.exe	Queries volume information: C:\Windows\Fonts\MISTRAL.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.Trojan.SW.gen.Eldorado.19987.15855.exe	Queries volume information: C:\Windows\Fonts\MOD20.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.Trojan.SW.gen.Eldorado.19987.15855.exe	Queries volume information: C:\Windows\Fonts\MSUIGHUR.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.Trojan.SW.gen.Eldorado.19987.15855.exe	Queries volume information: C:\Windows\Fonts\MTEXTRA.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.Trojan.SW.gen.Eldorado.19987.15855.exe	Queries volume information: C:\Windows\Fonts\NIAGENG.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.Trojan.SW.gen.Eldorado.19987.15855.exe	Queries volume information: C:\Windows\Fonts\PALSCRI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.Trojan.SW.gen.Eldorado.19987.15855.exe	Queries volume information: C:\Windows\Fonts\PERTILI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.Trojan.SW.gen.Eldorado.19987.15855.exe	Queries volume information: C:\Windows\Fonts\PRISTINA.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.Trojan.SW.gen.Eldorado.19987.15855.exe	Queries volume information: C:\Windows\Fonts\SCRIPTBL.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.Trojan.SW.gen.Eldorado.19987.15855.exe	Queries volume information: C:\Windows\Fonts\TCM_____.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.Trojan.SW.gen.Eldorado.19987.15855.exe	Queries volume information: C:\Windows\Fonts\TCCM____.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.Trojan.SW.gen.Eldorado.19987.15855.exe	Queries volume information: C:\Windows\Fonts\TEMPSITC.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.Trojan.SW.gen.Eldorado.19987.15855.exe	Queries volume information: C:\Windows\Fonts\micross.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.Trojan.SW.gen.Eldorado.19987.15855.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.Trojan.SW.gen.Eldorado.19987.15855.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.Management.Infrastructure.Native\v4.0_1.0.0.0__31bf3856ad364e35\Microsoft.Management.Infrastructure.Native.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Management\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Management.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior

Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.Trojan.SW.gen.Eldorado.19987.15855.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Jump to behavior

Stealing of Sensitive Information

Yara detected FormBook

Source: Yara match	File source: 3.2.RegSvcs.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.2.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000003.00000002.1951644033.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000002.1952219358.0000000001840000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY

Remote Access Functionality

Yara detected FormBook

Source: Yara match	File source: 3.2.RegSvcs.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.2.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000003.00000002.1951644033.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000002.1952219358.0000000001840000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	Valid Accounts	Windows Management Instrumentation	1 DLL Side-Loading	311 Process Injection	1 Masquerading	OS Credential Dumping	21 Security Software Discovery	Remote Services	1 Archive Collected Data	1 Encrypted Channel	Exfiltration Over Other Network Medium	Abuse Accessibility Features
Credentials	Domains	Default Accounts	Scheduled Task/Job	Boot or Logon Initialization Scripts	1 DLL Side-Loading	11 Disable or Modify Tools	LSASS Memory	1 Process Discovery	Remote Desktop Protocol	Data from Removable Media	Junk Data	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	At	Logon Script (Windows)	Logon Script (Windows)	41 Virtualization/Sandbox Evasion	Security Account Manager	41 Virtualization/Sandbox Evasion	SMB/Windows Admin Shares	Data from Network Shared Drive	Steganography	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	Login Hook	Login Hook	311 Process Injection	NTDS	1 Application Window Discovery	Distributed Component Object Model	Input Capture	Protocol Impersonation	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	Launchd	Network Logon Script	Network Logon Script	1 Deobfuscate/Decode Files or Information	LSA Secrets	1 File and Directory Discovery	SSH	Keylogging	Fallback Channels	Scheduled Transfer	Data Encrypted for Impact
Domain Properties	Botnet	Replication Through Removable Media	Scheduled Task	RC Scripts	RC Scripts	4 Obfuscated Files or Information	Cached Domain Credentials	12 System Information Discovery	VNC	GUI Input Capture	Multiband Communication	Data Transfer Size Limits	Service Stop
DNS	Web Services	External Remote Services	Systemd Timers	Startup Items	Startup Items	12 Software Packing	DCSync	Remote System Discovery	Windows Remote Management	Web Portal Capture	Commonly Used Port	Exfiltration Over C2 Channel	Inhibit System Recovery
Network Trust Dependencies	Serverless	Drive-by Compromise	Container Orchestration Job	Scheduled Task/Job	Scheduled Task/Job	1 DLL Side-Loading	Proc Filesystem	System Owner/User Discovery	Cloud Services	Credential API Hooking	Application Layer Protocol	Exfiltration Over Alternative Protocol	Defacement

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Source	Detection	Scanner	Link
SecuriteInfo.com.W32.Trojan.SW.gen.Eldorado.19987.15855.exe	37%	ReversingLabs
SecuriteInfo.com.W32.Trojan.SW.gen.Eldorado.19987.15855.exe	34%	Virustotal	Browse
SecuriteInfo.com.W32.Trojan.SW.gen.Eldorado.19987.15855.exe	100%	Joe Sandbox ML

Source	Detection	Scanner	Label	Link
http://www.apache.org/licenses/LICENSE-2.0	0%	URL Reputation	safe
http://www.fontbureau.com	0%	URL Reputation	safe
http://www.fontbureau.com/designersG	0%	URL Reputation	safe
http://www.fontbureau.com/designers/?	0%	URL Reputation	safe
http://www.founder.com.cn/cn/bThe	0%	URL Reputation	safe
http://www.fontbureau.com/designers?	0%	URL Reputation	safe
http://www.tiro.com	0%	URL Reputation	safe
http://www.fontbureau.com/designers	0%	URL Reputation	safe
http://www.goodfont.co.kr	0%	URL Reputation	safe
http://www.carterandcone.coml	0%	URL Reputation	safe
http://www.sajatypeworks.com	0%	URL Reputation	safe
http://www.typography.netD	0%	URL Reputation	safe
http://www.fontbureau.com/designers/cabarga.htmlN	0%	URL Reputation	safe
http://www.founder.com.cn/cn/cThe	0%	URL Reputation	safe
http://www.galapagosdesign.com/staff/dennis.htm	0%	URL Reputation	safe
http://www.founder.com.cn/cn	0%	URL Reputation	safe
http://www.fontbureau.com/designers/frere-user.html	0%	URL Reputation	safe
http://www.jiyu-kobo.co.jp/	0%	URL Reputation	safe
http://www.galapagosdesign.com/DPlease	0%	URL Reputation	safe
http://www.fontbureau.com/designers8	0%	URL Reputation	safe
http://www.fonts.com	0%	URL Reputation	safe
http://www.sandoll.co.kr	0%	URL Reputation	safe
http://www.urwpp.deDPlease	0%	URL Reputation	safe
http://www.zhongyicts.com.cn	0%	URL Reputation	safe
http://www.sakkal.com	0%	URL Reputation	safe
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name8	0%	Avira URL Cloud	safe
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name8	0%	Virustotal		Browse

Name	Source	Malicious	Antivirus Detection	Reputation
http://www.apache.org/licenses/LICENSE-2.0	SecuriteInfo.com.W32.Trojan.SW.gen.Eldorado.19987.15855.exe, 00000000.00000002.1742583735.0000000007532000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://www.fontbureau.com	SecuriteInfo.com.W32.Trojan.SW.gen.Eldorado.19987.15855.exe, 00000000.00000002.1742583735.0000000007532000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://www.fontbureau.com/designersG	SecuriteInfo.com.W32.Trojan.SW.gen.Eldorado.19987.15855.exe, 00000000.00000002.1742583735.0000000007532000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://www.fontbureau.com/designers/?	SecuriteInfo.com.W32.Trojan.SW.gen.Eldorado.19987.15855.exe, 00000000.00000002.1742583735.0000000007532000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://www.founder.com.cn/cn/bThe	SecuriteInfo.com.W32.Trojan.SW.gen.Eldorado.19987.15855.exe, 00000000.00000002.1742583735.0000000007532000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://www.fontbureau.com/designers?	SecuriteInfo.com.W32.Trojan.SW.gen.Eldorado.19987.15855.exe, 00000000.00000002.1742583735.0000000007532000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://www.tiro.com	SecuriteInfo.com.W32.Trojan.SW.gen.Eldorado.19987.15855.exe, 00000000.00000002.1742583735.0000000007532000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://www.fontbureau.com/designers	SecuriteInfo.com.W32.Trojan.SW.gen.Eldorado.19987.15855.exe, 00000000.00000002.1742583735.0000000007532000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://www.goodfont.co.kr	SecuriteInfo.com.W32.Trojan.SW.gen.Eldorado.19987.15855.exe, 00000000.00000002.1742583735.0000000007532000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name8	SecuriteInfo.com.W32.Trojan.SW.gen.Eldorado.19987.15855.exe, 00000000.00000002.1737300139.00000000033A1000.00000004.00000800.00020000.00000000.sdmp	false	0%, Virustotal, Browse Avira URL Cloud: safe	unknown
http://www.carterandcone.coml	SecuriteInfo.com.W32.Trojan.SW.gen.Eldorado.19987.15855.exe, 00000000.00000002.1742583735.0000000007532000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://www.sajatypeworks.com	SecuriteInfo.com.W32.Trojan.SW.gen.Eldorado.19987.15855.exe, 00000000.00000002.1742583735.0000000007532000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://www.typography.netD	SecuriteInfo.com.W32.Trojan.SW.gen.Eldorado.19987.15855.exe, 00000000.00000002.1742583735.0000000007532000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://www.fontbureau.com/designers/cabarga.htmlN	SecuriteInfo.com.W32.Trojan.SW.gen.Eldorado.19987.15855.exe, 00000000.00000002.1742583735.0000000007532000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://www.founder.com.cn/cn/cThe	SecuriteInfo.com.W32.Trojan.SW.gen.Eldorado.19987.15855.exe, 00000000.00000002.1742583735.0000000007532000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://www.galapagosdesign.com/staff/dennis.htm	SecuriteInfo.com.W32.Trojan.SW.gen.Eldorado.19987.15855.exe, 00000000.00000002.1742583735.0000000007532000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://www.founder.com.cn/cn	SecuriteInfo.com.W32.Trojan.SW.gen.Eldorado.19987.15855.exe, 00000000.00000002.1742583735.0000000007532000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://www.fontbureau.com/designers/frere-user.html	SecuriteInfo.com.W32.Trojan.SW.gen.Eldorado.19987.15855.exe, 00000000.00000002.1742583735.0000000007532000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://www.jiyu-kobo.co.jp/	SecuriteInfo.com.W32.Trojan.SW.gen.Eldorado.19987.15855.exe, 00000000.00000002.1742583735.0000000007532000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://www.galapagosdesign.com/DPlease	SecuriteInfo.com.W32.Trojan.SW.gen.Eldorado.19987.15855.exe, 00000000.00000002.1742583735.0000000007532000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://www.fontbureau.com/designers8	SecuriteInfo.com.W32.Trojan.SW.gen.Eldorado.19987.15855.exe, 00000000.00000002.1742583735.0000000007532000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://www.fonts.com	SecuriteInfo.com.W32.Trojan.SW.gen.Eldorado.19987.15855.exe, 00000000.00000002.1742583735.0000000007532000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://www.sandoll.co.kr	SecuriteInfo.com.W32.Trojan.SW.gen.Eldorado.19987.15855.exe, 00000000.00000002.1742583735.0000000007532000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://www.urwpp.deDPlease	SecuriteInfo.com.W32.Trojan.SW.gen.Eldorado.19987.15855.exe, 00000000.00000002.1742583735.0000000007532000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://www.zhongyicts.com.cn	SecuriteInfo.com.W32.Trojan.SW.gen.Eldorado.19987.15855.exe, 00000000.00000002.1742583735.0000000007532000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://www.sakkal.com	SecuriteInfo.com.W32.Trojan.SW.gen.Eldorado.19987.15855.exe, 00000000.00000002.1742583735.0000000007532000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown

World Map of Contacted IPs

⊘No contacted IP infos

General Information

Joe Sandbox version:	40.0.0 Tourmaline
Analysis ID:	1482798
Start date and time:	2024-07-26 07:26:04 +02:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 7m 29s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:	10
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample name:	SecuriteInfo.com.W32.Trojan.SW.gen.Eldorado.19987.15855.exe
Detection:	MAL
Classification:	mal100.troj.evad.winEXE@7/6@0/0
EGA Information:	Successful, ratio: 100%
HCA Information:	Successful, ratio: 97% Number of executed functions: 38 Number of non-executed functions: 278
Cookbook Comments:	Found application associated with file extension: .exe

Warnings

Exclude process from analysis (whitelisted): MpCmdRun.exe, WMIADAP.exe, SIHClient.exe, conhost.exe, svchost.exe
Excluded domains from analysis (whitelisted): fs.microsoft.com, ocsp.digicert.com, slscr.update.microsoft.com, ctldl.windowsupdate.com, fe3cr.delivery.mp.microsoft.com
Not all processes where analyzed, report is missing behavior information
Report size getting too big, too many NtCreateKey calls found.
Report size getting too big, too many NtOpenKeyEx calls found.
Report size getting too big, too many NtProtectVirtualMemory calls found.
Report size getting too big, too many NtQueryValueKey calls found.

Simulations

Behavior and APIs

Time	Type	Description
01:26:59	API Interceptor	1x Sleep call for process: SecuriteInfo.com.W32.Trojan.SW.gen.Eldorado.19987.15855.exe modified
01:27:00	API Interceptor	15x Sleep call for process: powershell.exe modified
01:27:17	API Interceptor	3x Sleep call for process: RegSvcs.exe modified

C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\SecuriteInfo.com.W32.Trojan.SW.gen.Eldorado.19987.15855.exe.log

Download File

Process:	C:\Users\user\Desktop\SecuriteInfo.com.W32.Trojan.SW.gen.Eldorado.19987.15855.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	1216
Entropy (8bit):	5.34331486778365
Encrypted:	false
SSDEEP:	24:MLUE4K5E4KH1qE4qXKDE4KhKiKhPKIE4oKNzKoZAE4Kze0E4x84j:MIHK5HKH1qHiYHKh3oPtHo6hAHKze0HJ
MD5:	1330C80CAAC9A0FB172F202485E9B1E8
SHA1:	86BAFDA4E4AE68C7C3012714A33D85D2B6E1A492
SHA-256:	B6C63ECE799A8F7E497C2A158B1FFC2F5CB4F745A2F8E585F794572B7CF03560
SHA-512:	75A17AB129FE97BBAB36AA2BD66D59F41DB5AFF44A705EF3E4D094EC5FCD056A3ED59992A0AC96C9D0D40E490F8596B07DCA9B60E606B67223867B061D9D0EB2
Malicious:	true
Reputation:	high, very likely benign file
Preview:	1,"fusion","GAC",0..1,"WinRT","NotApp",1..2,"System.Windows.Forms, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089",0..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System\920e3d1d70447c3c10e69e6df0766568\System.ni.dll",0..2,"System.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Core\8b2c1203fd20aea8260bfbc518004720\System.Core.ni.dll",0..3,"System.Configuration, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Configuration\2192b0d5aa4aa14486ae08118d3b9fcc\System.Configuration.ni.dll",0..3,"System.Xml, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Xml\2062ed810929ec0e33254c02

C:\Users\user\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Download File

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	data
Category:	dropped
Size (bytes):	2232
Entropy (8bit):	5.3785452578096224
Encrypted:	false
SSDEEP:	48:fWSU4y4RQmFoUeWmfgZ9tK8NPZHUm7u1iMuge//ZSUyus:fLHyIFKL3IZ2KRH9OugEs
MD5:	D10884D7627A0A4893E1B6C2F565A449
SHA1:	55F646D6B03779177151995CB278F7D5C462D1E5
SHA-256:	C543A7BE459357816151B9A2A78152BBB2894701ADEBDD33AD0025F618A7001A
SHA-512:	0463596863764F848100DF71AEDA38F33A92CE005C6D7D36FB7B348051B09B7CFF0186A6DC310837B4495E9BB0F5F961B825201537A03D5526C06B14A32CF89F
Malicious:	false
Reputation:	low
Preview:	@...e................................................@..........P................1]...E.....j.....(.Microsoft.PowerShell.Commands.ManagementH...............o..b~.D.poM......... .Microsoft.PowerShell.ConsoleHost0......................C.l]..7.s........System..4....................D...{..\|f........System.Core.D...............4..7..D.#V.............System.Management.AutomationL.................gQ?O.....x5.......#.Microsoft.Management.Infrastructure.<................t.,.lG....M...........System.Management...@................z.U..G...5.f.1........System.DirectoryServices4.................%...K... ...........System.Xml..8..................1...L..U;V.<}........System.Numerics.4.....................@.[8]'.\........System.Data.<...............i..VdqF...\|...........System.ConfigurationH................WY..2.M.&..g(g........Microsoft.PowerShell.Security...<...............V.}...@...i...........System.Transactions.P...............8..{...@.e..."4.......%.Microsoft.PowerShell.Com

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_1wco4vy5.omd.ps1

Download File

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Reputation:	high, very likely benign file
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_rtvw3g1f.4rr.psm1

Download File

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Reputation:	high, very likely benign file
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_ryfqyz2j.vz3.psm1

Download File

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_wxmv10ti.b1j.ps1

Download File

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

Static File Info

General

File type:	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Entropy (8bit):	7.858650598359096
TrID:	Win32 Executable (generic) Net Framework (10011505/4) 49.83% Win32 Executable (generic) a (10002005/4) 49.78% Generic CIL Executable (.NET, Mono, etc.) (73296/58) 0.36% Generic Win/DOS Executable (2004/3) 0.01% DOS Executable Generic (2002/1) 0.01%
File name:	SecuriteInfo.com.W32.Trojan.SW.gen.Eldorado.19987.15855.exe
File size:	752'128 bytes
MD5:	73457bb8a567efa5f99f7c4962ce1393
SHA1:	a6924039c86ccdaa16d2221da09d713de8cf9996
SHA256:	7942971e2a6b2af6bf4b1d0cc397fa9d67c2f3a90bf5cc241ff3a3ed362f5d67
SHA512:	7f220db86caf8bc9437d2d8dc5ed2feebe2df4b0561a36723c664d8e3ef770b7e2708cf215c4d9b9e95877d0c855f1aa25ad0c3c22359beaaf8545b29851170c
SSDEEP:	12288:77/DlVBlYh5UcISRzhSPknW0N7CGw54aFvwj01Z0x2nvzdkby2nkqrxXgqgENZgO://DlVBlYzRIaMcWr5Z6j070xyxkbXkuZ
TLSH:	8AF4132D5A8ADF27CF7D0B78E011240D0377A166E286F79F1AC194ED0D12BE8C95AB53
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L......f.................p..........>.... ........@.. ....................................@................................

File Icon


Icon Hash:	90cececece8e8eb0

Static PE Info

General

Entrypoint:	0x4b8e3e
Entrypoint Section:	.text
Digitally signed:	false
Imagebase:	0x400000
Subsystem:	windows gui
Image File Characteristics:	EXECUTABLE_IMAGE, 32BIT_MACHINE
DLL Characteristics:	DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
Time Stamp:	0x66A3091A [Fri Jul 26 02:25:30 2024 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	4
OS Version Minor:	0
File Version Major:	4
File Version Minor:	0
Subsystem Version Major:	4
Subsystem Version Minor:	0
Import Hash:	f34d5f2d4577ed6d9ceec516c1f5a744

Entrypoint Preview

Instruction
jmp dword ptr [00402000h]
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0xb8dec	0x4f	.text
IMAGE_DIRECTORY_ENTRY_RESOURCE	0xba000	0x600	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0xbc000	0xc	.reloc
IMAGE_DIRECTORY_ENTRY_DEBUG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x0	0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x2000	0x8	.text
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x2008	0x48	.text
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	MD5	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x2000	0xb6e44	0xb7000	83e84e430d0095f9d7c661701ef4ac20	False	0.91448807846653	data	7.865847930042044	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rsrc	0xba000	0x600	0x600	d5c2db30aad9c6174b6827c7a048b13d	False	0.4459635416666667	data	4.204081900159054	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc	0xbc000	0xc	0x200	05973a1d0bc8454b171a00e3a350a2a4	False	0.044921875	data	0.10191042566270775	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type	Language	Country	ZLIB Complexity
RT_VERSION	0xba090	0x354	data			0.4471830985915493
RT_MANIFEST	0xba3f4	0x1ea	XML 1.0 document, Unicode text, UTF-8 (with BOM) text, with CRLF line terminators			0.5489795918367347

Imports

DLL	Import
mscoree.dll	_CorExeMain

Target ID:	0
Start time:	01:26:57
Start date:	26/07/2024
Path:	C:\Users\user\Desktop\SecuriteInfo.com.W32.Trojan.SW.gen.Eldorado.19987.15855.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\Desktop\SecuriteInfo.com.W32.Trojan.SW.gen.Eldorado.19987.15855.exe"
Imagebase:	0xfb0000
File size:	752'128 bytes
MD5 hash:	73457BB8A567EFA5F99F7C4962CE1393
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	2
Start time:	01:26:59
Start date:	26/07/2024
Path:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
Wow64 process (32bit):	true
Commandline:	"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\SecuriteInfo.com.W32.Trojan.SW.gen.Eldorado.19987.15855.exe"
Imagebase:	0x2e0000
File size:	433'152 bytes
MD5 hash:	C32CA4ACFCC635EC1EA6ED8A34DF5FAC
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	3
Start time:	01:26:59
Start date:	26/07/2024
Path:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
Wow64 process (32bit):	true
Commandline:	"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"
Imagebase:	0xe50000
File size:	45'984 bytes
MD5 hash:	9D352BC46709F0CB5EC974633A0C3C94
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000003.00000002.1951644033.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security Rule: Windows_Trojan_Formbook_1112e116, Description: unknown, Source: 00000003.00000002.1951644033.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: unknown Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000003.00000002.1952219358.0000000001840000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security Rule: Windows_Trojan_Formbook_1112e116, Description: unknown, Source: 00000003.00000002.1952219358.0000000001840000.00000004.00001000.00020000.00000000.sdmp, Author: unknown
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	4
Start time:	01:26:59
Start date:	26/07/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff7699e0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	5
Start time:	01:27:01
Start date:	26/07/2024
Path:	C:\Windows\System32\wbem\WmiPrvSE.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding
Imagebase:	0x7ff693ab0000
File size:	496'640 bytes
MD5 hash:	60FF40CFD7FB8FE41EE4FE9AE5FE1C51
Has elevated privileges:	true
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Execution Graph

Execution Coverage:	9.2%
Dynamic/Decrypted Code Coverage:	100%
Signature Coverage:	4.7%
Total number of Nodes:	129
Total number of Limit Nodes:	10

Executed Functions

Function 05F54420 Relevance: 15.1, Strings: 10, Instructions: 2603COMMON

Download Yara Rule

Strings

4'^q, xrefs: 05F57033
4'^q, xrefs: 05F5540B
4|cq, xrefs: 05F57223
4'^q, xrefs: 05F562F1
4'^q, xrefs: 05F55283
(o^q, xrefs: 05F544F6
4'^q, xrefs: 05F570BE
4'^q, xrefs: 05F5708E
$^q, xrefs: 05F570E0
4|cq, xrefs: 05F57208

Memory Dump Source

Source File: 00000000.00000002.1742548483.0000000005F50000.00000040.00000800.00020000.00000000.sdmp, Offset: 05F50000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5f50000_SecuriteInfo.jbxd

Similarity

API ID:
String ID: (o^q$4'^q$4'^q$4'^q$4'^q$4'^q$4'^q$4|cq$4|cq$$^q
API String ID: 0-2723476363
Opcode ID: 7e6c306731a55b8baa5dd5782f64852b5053c4b87bcaab1416a0301e13b43ff2
Instruction ID: 9fb3fc3507bf3ee66da960aa88288c68d8bd952c7fe2831003ec009f51746f83
Opcode Fuzzy Hash: 7e6c306731a55b8baa5dd5782f64852b5053c4b87bcaab1416a0301e13b43ff2
Instruction Fuzzy Hash: D543D674A01219CFCB64DF68C988A9DB7B2BF88310F5585D9E919AB361DB34ED81CF40

Function 07E779B9 Relevance: .2, Instructions: 174COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1745248473.0000000007E70000.00000040.00000800.00020000.00000000.sdmp, Offset: 07E70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7e70000_SecuriteInfo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b00ccf011545ec505a3a3a8dfbe3d119f39dab5c2d6c76e5aa2a87d475d18fd1
Instruction ID: fa9dc5e9961c4a0c8d5f14f18e0b15cd13725f5276e03399ebbf6f329c80b9d3
Opcode Fuzzy Hash: b00ccf011545ec505a3a3a8dfbe3d119f39dab5c2d6c76e5aa2a87d475d18fd1
Instruction Fuzzy Hash: 587116B1D45629CBEB24CF66C8407E9BBB6BF9A300F14D1EAD409A6250EB705AC5CF40

Function 07E70006 Relevance: .1, Instructions: 86COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1745248473.0000000007E70000.00000040.00000800.00020000.00000000.sdmp, Offset: 07E70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7e70000_SecuriteInfo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3e135400f754bffd89583a68a9841fa64b19ad67a1c688424323941c991f0397
Instruction ID: adb61388301435d754c1cef7ed2fa996205d7b7c2b555d0e9e8d5a6edc04566e
Opcode Fuzzy Hash: 3e135400f754bffd89583a68a9841fa64b19ad67a1c688424323941c991f0397
Instruction Fuzzy Hash: 283132B1D093448FDB19CFA6C8153DEBFF6AF8A310F09C0A6D444A6256DB740946CFA1

Function 07E70040 Relevance: .1, Instructions: 56COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1745248473.0000000007E70000.00000040.00000800.00020000.00000000.sdmp, Offset: 07E70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7e70000_SecuriteInfo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b43107d906e8e160ecd85f9d60d278921bad9776096719160bcf81775aa9cd94
Instruction ID: a93e393b255d9e8d0626186d1f91f7d073937752a8a60f54b7dad328d5e9f373
Opcode Fuzzy Hash: b43107d906e8e160ecd85f9d60d278921bad9776096719160bcf81775aa9cd94
Instruction Fuzzy Hash: BF21B0B1E056189BEB18CFABC9543DEFAF6AFC9314F14D06AD40866264DB740A46CF90

Function 07E77F28 Relevance: .0, Instructions: 26COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1745248473.0000000007E70000.00000040.00000800.00020000.00000000.sdmp, Offset: 07E70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7e70000_SecuriteInfo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1cc8eeb81f05ba5004f7a805e5611b9718d13a9f978580dea9983110eed952ab
Instruction ID: 9df87093eb2a91d677c6d7a224b60e40f844ac4dd9793446dc506e76a80fd9f6
Opcode Fuzzy Hash: 1cc8eeb81f05ba5004f7a805e5611b9718d13a9f978580dea9983110eed952ab
Instruction Fuzzy Hash: 92F030B480E744DFCB629F3898857A1BB74BF17221F0433D688559A257C7208601CB39

Function 07E7803D Relevance: .0, Instructions: 21COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1745248473.0000000007E70000.00000040.00000800.00020000.00000000.sdmp, Offset: 07E70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7e70000_SecuriteInfo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1e3848c3671cbb62b1a56f11d043a56a1080db771ffc0751e2987fd2e42948bd
Instruction ID: d4e46e10c131d86c3b3c13a7705750a00bf96148ac3f63114e7ec9d03c63c847
Opcode Fuzzy Hash: 1e3848c3671cbb62b1a56f11d043a56a1080db771ffc0751e2987fd2e42948bd
Instruction Fuzzy Hash: D4E0B6B481F749CBC7409F6094565F8BBB86F1B324F1032959859A7396EB209A84CA24

Function 07E7596F Relevance: 1.7, APIs: 1, Instructions: 244
processCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateProcessA.KERNELBASE(?,?,?,?,?,?,?,?,?,?), ref: 07E75BA6

Memory Dump Source

Source File: 00000000.00000002.1745248473.0000000007E70000.00000040.00000800.00020000.00000000.sdmp, Offset: 07E70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7e70000_SecuriteInfo.jbxd

Similarity

API ID: CreateProcess
String ID:
API String ID: 963392458-0
Opcode ID: 3e48ed57de8bdf6d517721545be1e0c5c1d050ec30d80d59be137265cd2ca37b
Instruction ID: bdf1cd4fd6c77b5ecc7a88d2421eaa03c9ccfc47df0aec402e1d7265dc12ac82
Opcode Fuzzy Hash: 3e48ed57de8bdf6d517721545be1e0c5c1d050ec30d80d59be137265cd2ca37b
Instruction Fuzzy Hash: 429150B1D0121ADFDB10CF68C8817DDBBB2BF48314F1485A9E808A7250D7749995CF91

Function 07E75970 Relevance: 1.7, APIs: 1, Instructions: 243
processCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateProcessA.KERNELBASE(?,?,?,?,?,?,?,?,?,?), ref: 07E75BA6

Memory Dump Source

Source File: 00000000.00000002.1745248473.0000000007E70000.00000040.00000800.00020000.00000000.sdmp, Offset: 07E70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7e70000_SecuriteInfo.jbxd

Similarity

API ID: CreateProcess
String ID:
API String ID: 963392458-0
Opcode ID: 25b4b7d0a250808641fa37591a8920b20a20a3719a71940e24a4fefe88ed7ecd
Instruction ID: 52eab698d1aa26aef0268d7fed8cce6d2ead6ab3eae477b723eb84867bfae03a
Opcode Fuzzy Hash: 25b4b7d0a250808641fa37591a8920b20a20a3719a71940e24a4fefe88ed7ecd
Instruction Fuzzy Hash: C3915FB1D0121ADFDB10CF68C881BDDBBB2BF48314F1485A9E808A7250D7749995CF91

Function 019F4DC8 Relevance: 1.6, APIs: 1, Instructions: 96
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateActCtxA.KERNEL32(?), ref: 019F6301

Memory Dump Source

Source File: 00000000.00000002.1736937627.00000000019F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 019F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_19f0000_SecuriteInfo.jbxd

Similarity

API ID: Create
String ID:
API String ID: 2289755597-0
Opcode ID: d9f807cb41deab566ed45dba5754922202aadf061b99fc9a6e7b77a169f2de8a
Instruction ID: 6e984830a36a37a6cff8b17867b4249502cc3c6ed97915cd892f81eda229048f
Opcode Fuzzy Hash: d9f807cb41deab566ed45dba5754922202aadf061b99fc9a6e7b77a169f2de8a
Instruction Fuzzy Hash: 9341DDB0C00719DEDB24DFA9C844B9EBBF5FF48304F24846AD508AB255DBB56949CF90

Function 019F6244 Relevance: 1.6, APIs: 1, Instructions: 94COMMON

Download Yara Rule

APIs

CreateActCtxA.KERNEL32(?), ref: 019F6301

Memory Dump Source

Source File: 00000000.00000002.1736937627.00000000019F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 019F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_19f0000_SecuriteInfo.jbxd

Similarity

API ID: Create
String ID:
API String ID: 2289755597-0
Opcode ID: 0ce5b467087df0c941525bfe55c62dce0f196c9898f22be52ee27ae9d76bc187
Instruction ID: 3484e2556b9d8436da20c2b2b2433d6fa4a54271b9571ca1a385a58f0e655446
Opcode Fuzzy Hash: 0ce5b467087df0c941525bfe55c62dce0f196c9898f22be52ee27ae9d76bc187
Instruction Fuzzy Hash: 5141FEB0C00719DEDB24DFA9C844B9DBBF5FF48304F24806AD508AB255DBB56949CF90

Function 07E756E2 Relevance: 1.6, APIs: 1, Instructions: 72injectionCOMMON

Download Yara Rule

APIs

WriteProcessMemory.KERNELBASE(?,?,00000000,?,?), ref: 07E75778

Memory Dump Source

Source File: 00000000.00000002.1745248473.0000000007E70000.00000040.00000800.00020000.00000000.sdmp, Offset: 07E70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7e70000_SecuriteInfo.jbxd

Similarity

API ID: MemoryProcessWrite
String ID:
API String ID: 3559483778-0
Opcode ID: ca6a9fdef452e6c2a3b4bdc7d4b3dade4d78ccd54687aab86f1b7024aecb6d17
Instruction ID: 0c971dbdfc86a6867026ebf5aae472a44b761fb5089014ae1cd17a3841d8c339
Opcode Fuzzy Hash: ca6a9fdef452e6c2a3b4bdc7d4b3dade4d78ccd54687aab86f1b7024aecb6d17
Instruction Fuzzy Hash: AE2124B19003599FCB10DFA9C881BEEBBF5FB48314F108429E958A7250C7789954CBA5

Function 07E756E8 Relevance: 1.6, APIs: 1, Instructions: 69injectionCOMMON

Download Yara Rule

APIs

WriteProcessMemory.KERNELBASE(?,?,00000000,?,?), ref: 07E75778

Memory Dump Source

Source File: 00000000.00000002.1745248473.0000000007E70000.00000040.00000800.00020000.00000000.sdmp, Offset: 07E70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7e70000_SecuriteInfo.jbxd

Similarity

API ID: MemoryProcessWrite
String ID:
API String ID: 3559483778-0
Opcode ID: 54a284705012c0edbae0ad2c87bd2f7a9c52acfc9f14c7242bf464570d744def
Instruction ID: ad29bf0ce694c358132c54c4c09350490ba13f31046cbabf7543b8fb64acdd65
Opcode Fuzzy Hash: 54a284705012c0edbae0ad2c87bd2f7a9c52acfc9f14c7242bf464570d744def
Instruction Fuzzy Hash: B32155B1900359DFCB10CFA9C881BEEBBF5FF48314F10842AE918A7250C778A954CBA4

Function 07E757D0 Relevance: 1.6, APIs: 1, Instructions: 67COMMON

Download Yara Rule

APIs

ReadProcessMemory.KERNELBASE(?,?,?,?,?), ref: 07E75858

Memory Dump Source

Source File: 00000000.00000002.1745248473.0000000007E70000.00000040.00000800.00020000.00000000.sdmp, Offset: 07E70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7e70000_SecuriteInfo.jbxd

Similarity

API ID: MemoryProcessRead
String ID:
API String ID: 1726664587-0
Opcode ID: a3c2475803f1fdd563f4e123c4494b29a8edb77d973008681602d56322ac1162
Instruction ID: 12cecc75b2b57d678a0757523ad9eabb4ac163901bb9bdfeebfd27ba4aa0891c
Opcode Fuzzy Hash: a3c2475803f1fdd563f4e123c4494b29a8edb77d973008681602d56322ac1162
Instruction Fuzzy Hash: 482125B18003599FCB10DFAAC880AEEFBF5FF48310F10842AE959A7250D7389954CBA4

Function 07E75111 Relevance: 1.6, APIs: 1, Instructions: 67threadCOMMON

Download Yara Rule

APIs

Wow64SetThreadContext.KERNEL32(?,00000000), ref: 07E75196

Memory Dump Source

Source File: 00000000.00000002.1745248473.0000000007E70000.00000040.00000800.00020000.00000000.sdmp, Offset: 07E70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7e70000_SecuriteInfo.jbxd

Similarity

API ID: ContextThreadWow64
String ID:
API String ID: 983334009-0
Opcode ID: e39ff6b40f6bbac1ebd2667e983fcbf0db64529f0780bf80cde694defa131009
Instruction ID: 35ae8432439826eece9c180c1b96b514de82c46dfc0a2a482f5e693116660e78
Opcode Fuzzy Hash: e39ff6b40f6bbac1ebd2667e983fcbf0db64529f0780bf80cde694defa131009
Instruction Fuzzy Hash: 4F2157B19003099FDB20DFAAC4857EEBBF4EF49324F148429D458A7241C778A984CFA4

Function 07E757D8 Relevance: 1.6, APIs: 1, Instructions: 63COMMON

Download Yara Rule

APIs

ReadProcessMemory.KERNELBASE(?,?,?,?,?), ref: 07E75858

Memory Dump Source

Source File: 00000000.00000002.1745248473.0000000007E70000.00000040.00000800.00020000.00000000.sdmp, Offset: 07E70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7e70000_SecuriteInfo.jbxd

Similarity

API ID: MemoryProcessRead
String ID:
API String ID: 1726664587-0
Opcode ID: 2467075797a7083d78b3c22f1661b3b413237ed8c2d60d93ab50bd277a779f70
Instruction ID: 87584dd72477e4d4ef9bc590284ccaed16fcbf1c27c38db649c4115f90f00404
Opcode Fuzzy Hash: 2467075797a7083d78b3c22f1661b3b413237ed8c2d60d93ab50bd277a779f70
Instruction Fuzzy Hash: D12125B18003599FDB10DFAAC881AEEFBF5FF48320F10842AE558A7250C7789954CBA4

Function 07E75118 Relevance: 1.6, APIs: 1, Instructions: 63threadCOMMON

Download Yara Rule

APIs

Wow64SetThreadContext.KERNEL32(?,00000000), ref: 07E75196

Memory Dump Source

Source File: 00000000.00000002.1745248473.0000000007E70000.00000040.00000800.00020000.00000000.sdmp, Offset: 07E70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7e70000_SecuriteInfo.jbxd

Similarity

API ID: ContextThreadWow64
String ID:
API String ID: 983334009-0
Opcode ID: 29681cb83b7e5b57cdb35449282b1599fdc5f6741e0cab29e84be7066c2e90ef
Instruction ID: 280c669ba898c7a3b1020d9c7c304354b86c9b1107d97e370ca6c8b65c4d8b9b
Opcode Fuzzy Hash: 29681cb83b7e5b57cdb35449282b1599fdc5f6741e0cab29e84be7066c2e90ef
Instruction Fuzzy Hash: FC2129B1D003099FDB10DFAAC4857EEBBF4EF48324F148429D559A7241D7789984CFA5

Function 07E75622 Relevance: 1.6, APIs: 1, Instructions: 56memoryCOMMON

Download Yara Rule

APIs

VirtualAllocEx.KERNELBASE(?,?,?,?,?), ref: 07E75696

Memory Dump Source

Source File: 00000000.00000002.1745248473.0000000007E70000.00000040.00000800.00020000.00000000.sdmp, Offset: 07E70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7e70000_SecuriteInfo.jbxd

Similarity

API ID: AllocVirtual
String ID:
API String ID: 4275171209-0
Opcode ID: 69fa9717472ca0f3374f5765ca54da47e9338fc394a61a62a0165a78310c7bbe
Instruction ID: 54b66e82e319b784e4d4df9aa26f0ee19efc0163e99dd188b710cdfee2684e68
Opcode Fuzzy Hash: 69fa9717472ca0f3374f5765ca54da47e9338fc394a61a62a0165a78310c7bbe
Instruction Fuzzy Hash: 10116AB1900249DFDB20DFAAC844BDEBFF5EF48320F148419E559A7250C775A950CFA5

Function 07E75060 Relevance: 1.6, APIs: 1, Instructions: 54threadCOMMON

Download Yara Rule

APIs

ResumeThread.KERNELBASE ref: 07E750CA

Memory Dump Source

Source File: 00000000.00000002.1745248473.0000000007E70000.00000040.00000800.00020000.00000000.sdmp, Offset: 07E70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7e70000_SecuriteInfo.jbxd

Similarity

API ID: ResumeThread
String ID:
API String ID: 947044025-0
Opcode ID: 8e094f37c3c116bbeb869eb7916b05da039f4a37b21b2a02ad93cc4e963536f4
Instruction ID: f041228fb7d2f3744fc60a96d1b654dbb35fd8ef6df2dfcf9d405a549fb13e86
Opcode Fuzzy Hash: 8e094f37c3c116bbeb869eb7916b05da039f4a37b21b2a02ad93cc4e963536f4
Instruction Fuzzy Hash: F01188B59003498FCB20DFAAC4457EEFBF4EF89324F20841AD559A7240D735A944CFA4

Function 07E75628 Relevance: 1.6, APIs: 1, Instructions: 53memoryCOMMON

Download Yara Rule

APIs

VirtualAllocEx.KERNELBASE(?,?,?,?,?), ref: 07E75696

Memory Dump Source

Source File: 00000000.00000002.1745248473.0000000007E70000.00000040.00000800.00020000.00000000.sdmp, Offset: 07E70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7e70000_SecuriteInfo.jbxd

Similarity

API ID: AllocVirtual
String ID:
API String ID: 4275171209-0
Opcode ID: 7cab41ada2120cb8db7047ffbef0640fb1f51e6f515661c67c658841640a406e
Instruction ID: 7fef59b6fe1773413d2a38a62fc7bdb7032d1814966eb1510a7d5b5218ed3906
Opcode Fuzzy Hash: 7cab41ada2120cb8db7047ffbef0640fb1f51e6f515661c67c658841640a406e
Instruction Fuzzy Hash: BF1167B18002499FCB20DFAAC844BDEBFF5EF88320F208819E519A7250C775A950CFA4

Function 07E75068 Relevance: 1.5, APIs: 1, Instructions: 49threadCOMMON

Download Yara Rule

APIs

ResumeThread.KERNELBASE ref: 07E750CA

Memory Dump Source

Source File: 00000000.00000002.1745248473.0000000007E70000.00000040.00000800.00020000.00000000.sdmp, Offset: 07E70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7e70000_SecuriteInfo.jbxd

Similarity

API ID: ResumeThread
String ID:
API String ID: 947044025-0
Opcode ID: baa30abb55a1dc5eabf83ed248e29d75e14f2b0fc3c29e21fe7db318aaf02d58
Instruction ID: ea4b5d3e5750f0a8d974b833222d2ffd2d4e2ef3962b444b12f691f84161f941
Opcode Fuzzy Hash: baa30abb55a1dc5eabf83ed248e29d75e14f2b0fc3c29e21fe7db318aaf02d58
Instruction Fuzzy Hash: B21136B19003498FCB20DFAAC4457DEFBF5EB88324F208829D559A7250DB75A944CFA4

Function 07E76CE4 Relevance: 1.5, APIs: 1, Instructions: 47windowCOMMON

Download Yara Rule

APIs

PostMessageW.USER32(?,00000010,00000000,?), ref: 07E78B75

Memory Dump Source

Source File: 00000000.00000002.1745248473.0000000007E70000.00000040.00000800.00020000.00000000.sdmp, Offset: 07E70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7e70000_SecuriteInfo.jbxd

Similarity

API ID: MessagePost
String ID:
API String ID: 410705778-0
Opcode ID: 920310d2112276b055c61eb4294919b6df8a3d92d911c5ef4f34de6d2461128a
Instruction ID: ae188fb8f5ee758b3d009ca9030bb49dff042d90ea39f10293ff7ed97094ad49
Opcode Fuzzy Hash: 920310d2112276b055c61eb4294919b6df8a3d92d911c5ef4f34de6d2461128a
Instruction Fuzzy Hash: 8511F5B5800349DFCB10DF9AC489BDEBBF8EB58324F108459E554A7210D375A944CFA5

Function 07E78B10 Relevance: 1.5, APIs: 1, Instructions: 47windowCOMMON

Download Yara Rule

APIs

PostMessageW.USER32(?,00000010,00000000,?), ref: 07E78B75

Memory Dump Source

Source File: 00000000.00000002.1745248473.0000000007E70000.00000040.00000800.00020000.00000000.sdmp, Offset: 07E70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7e70000_SecuriteInfo.jbxd

Similarity

API ID: MessagePost
String ID:
API String ID: 410705778-0
Opcode ID: ed420ebccbf3a4150114d65680ed1e26d27d65fc6c75016ac083944b30ff344b
Instruction ID: 197e7bfcbf8b898c24c3614f44542cb7a6ccfa6f470652fdbacb0f738652d220
Opcode Fuzzy Hash: ed420ebccbf3a4150114d65680ed1e26d27d65fc6c75016ac083944b30ff344b
Instruction Fuzzy Hash: 2A1136B9800349DFCB10CF9AC485BDEBFF8EB48324F10841AE558A7610C374A584CFA5

Function 0196D1D4 Relevance: .1, Instructions: 72COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1736675826.000000000196D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0196D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_196d000_SecuriteInfo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 082bdbbd05da2b4cc8dc12835bde94777cb27bf115615388c58361f116c6813b
Instruction ID: db3126f8ca4f9f460dc74b976de769a84440d1d498a2874878d2cc27a315b03e
Opcode Fuzzy Hash: 082bdbbd05da2b4cc8dc12835bde94777cb27bf115615388c58361f116c6813b
Instruction Fuzzy Hash: 7721F571604200DFDB05DF98D5C0F26BBA9FB84324F24C96DD99D4B256C336D446CA71

Function 0196D0EC Relevance: .1, Instructions: 72COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1736675826.000000000196D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0196D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_196d000_SecuriteInfo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9e18c68b8ac27b01c67dfeffd088ea08df9d78ba7b531850802e07e036103625
Instruction ID: e11a16eedd1d786bc9399940087230451c2b501cfafb0d98717f4c97b76cdad3
Opcode Fuzzy Hash: 9e18c68b8ac27b01c67dfeffd088ea08df9d78ba7b531850802e07e036103625
Instruction Fuzzy Hash: FD213471604200EFDB09DF58C9C0F26BBA9FB84314F20C96DD88D4B256C3BAD446CAB1

Function 0196D0E7 Relevance: .1, Instructions: 53COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1736675826.000000000196D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0196D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_196d000_SecuriteInfo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 48042a67946fd5b471a152cae87ddc5a96e5ad52caa5f07da488830fbc7c129d
Instruction ID: 99d598acbd9ee493f46a57ecb4448e907e700a9a2d69a886af6927eb4efc1e2a
Opcode Fuzzy Hash: 48042a67946fd5b471a152cae87ddc5a96e5ad52caa5f07da488830fbc7c129d
Instruction Fuzzy Hash: 1211DD75604280DFDB06CF54D9C4B15BFB6FB84314F28C6AAD84D4B256C37AD40ACBA1

Function 0196D1CF Relevance: .1, Instructions: 53COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1736675826.000000000196D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0196D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_196d000_SecuriteInfo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 48042a67946fd5b471a152cae87ddc5a96e5ad52caa5f07da488830fbc7c129d
Instruction ID: 3c10890001e5f486f56a6de0993439a9c51f530019dcf0aec1611429daebf5c4
Opcode Fuzzy Hash: 48042a67946fd5b471a152cae87ddc5a96e5ad52caa5f07da488830fbc7c129d
Instruction Fuzzy Hash: 1011BB75604280DFDB12CF54C5C4B15BFA5FB84224F28C6AAD8894B296C33AD44ACB61

Function 0195D759 Relevance: .0, Instructions: 45COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1736630513.000000000195D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0195D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_195d000_SecuriteInfo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9ef5e2bc58696e79ce7ba03d9973c2fff7e3c833e27278f6b3355e614c933c30
Instruction ID: 64148331d1f94cafa2a9755cf9fb54607c11957ae51edb5d7ce4a124a07e9412
Opcode Fuzzy Hash: 9ef5e2bc58696e79ce7ba03d9973c2fff7e3c833e27278f6b3355e614c933c30
Instruction Fuzzy Hash: 0401F7B10083809AE760CB69CD84B67BFDCEF41321F18C86AED0C6A286D3799840C7B1

Function 0195D758 Relevance: .0, Instructions: 36COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1736630513.000000000195D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0195D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_195d000_SecuriteInfo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 303bf7207f9bacbb79f1d37936c9e784f0c86b8bf3d46ad3c913822fe4f5baf7
Instruction ID: 53ba26523c8273150a3cf0e5f006a82812a40335f5b4ed39a45adb74413aba2f
Opcode Fuzzy Hash: 303bf7207f9bacbb79f1d37936c9e784f0c86b8bf3d46ad3c913822fe4f5baf7
Instruction Fuzzy Hash: 44F0C2714043809EE7608A1ACD84B62FFECEF40625F18C45AED0C5E286D3799844CBB0

Non-executed Functions

Function 05F53558 Relevance: 7.0, Strings: 5, Instructions: 721COMMON

Download Yara Rule

Strings

,bq, xrefs: 05F53B6F
,bq, xrefs: 05F53B7F
Hbq, xrefs: 05F53E58
(o^q, xrefs: 05F53DEB
(o^q, xrefs: 05F53DE1

Memory Dump Source

Source File: 00000000.00000002.1742548483.0000000005F50000.00000040.00000800.00020000.00000000.sdmp, Offset: 05F50000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5f50000_SecuriteInfo.jbxd

Similarity

API ID:
String ID: (o^q$(o^q$,bq$,bq$Hbq
API String ID: 0-3486158592
Opcode ID: 632926040db55f859e192f0aaf8854a01806acdc0a510b13e5ef7eb4f13b1ffe
Instruction ID: c0d92b4841d7bf8c55ad7c0a75eb19c97406dddf7989bfd335712f33edfccb65
Opcode Fuzzy Hash: 632926040db55f859e192f0aaf8854a01806acdc0a510b13e5ef7eb4f13b1ffe
Instruction Fuzzy Hash: 1B526035B001159FCB04DF6DC488A6EBBF6BF847A0B158569ED069B3A4DB35EC41CB90

Function 07E7A42C Relevance: .7, Instructions: 731COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1745248473.0000000007E70000.00000040.00000800.00020000.00000000.sdmp, Offset: 07E70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7e70000_SecuriteInfo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: eac63b71ec8397e08edfbb3f3503f6ecb2b637cab246c92115bbe4fc0716732d
Instruction ID: 7f5eb6bb5f87a1b7187838eccb0c222770e8de59805d37e0014e2b396e29bd89
Opcode Fuzzy Hash: eac63b71ec8397e08edfbb3f3503f6ecb2b637cab246c92115bbe4fc0716732d
Instruction Fuzzy Hash: C0C19CB17026018FDB29EB79C450B6EB7F6AF89704F15847DD2498B290CF35E841CB51

Function 07E7A788 Relevance: .4, Instructions: 353COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1745248473.0000000007E70000.00000040.00000800.00020000.00000000.sdmp, Offset: 07E70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7e70000_SecuriteInfo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c02541f24d6154d0f2e79b989f52ce239b6dde5827b6504a8b7c19214cde5856
Instruction ID: 715919aae06d0d6cf2024b8c7b10006b59d289b67bd3bf5d9af3fcd7e619cf39
Opcode Fuzzy Hash: c02541f24d6154d0f2e79b989f52ce239b6dde5827b6504a8b7c19214cde5856
Instruction Fuzzy Hash: A2D18BB1B026058FDB19EB79C554BAEB7E6AF88304F14847DD2498B290DF35E841CB91

Function 07E74798 Relevance: .3, Instructions: 312COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1745248473.0000000007E70000.00000040.00000800.00020000.00000000.sdmp, Offset: 07E70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7e70000_SecuriteInfo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0ab1ef2e4e97974636ff836fbcac94e408b7a7fe47c0aeeb6d2b5189516a38e7
Instruction ID: 95054391964c411652dab17398be5593ebdb2abe765c78867ba90def13ed480a
Opcode Fuzzy Hash: 0ab1ef2e4e97974636ff836fbcac94e408b7a7fe47c0aeeb6d2b5189516a38e7
Instruction Fuzzy Hash: 99E1E7B4E111598FCB14CFA9C5809AEBBF6FF89304F249169E418AB356D730AD41CF61

Function 07E73498 Relevance: .3, Instructions: 312COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1745248473.0000000007E70000.00000040.00000800.00020000.00000000.sdmp, Offset: 07E70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7e70000_SecuriteInfo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 63d37611a76fb91f775adf5a707b4f425417e195fa51bb8ad52ef0c758ebbc5d
Instruction ID: c154a32e4d248fe112fff364bf8e9c0ab6efe7093c5dc0d42c44da8aecc506e4
Opcode Fuzzy Hash: 63d37611a76fb91f775adf5a707b4f425417e195fa51bb8ad52ef0c758ebbc5d
Instruction Fuzzy Hash: C7E107B4E011598FCB14CFA9C5809AEFBF6FF89304F249169E418AB356D730A941DFA1

Function 07E72C28 Relevance: .3, Instructions: 312COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1745248473.0000000007E70000.00000040.00000800.00020000.00000000.sdmp, Offset: 07E70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7e70000_SecuriteInfo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2c73f5dab03d9f13920bc85c0e47e4a4ada34fa264cf2caf1756aa70acc72151
Instruction ID: 5b1513cd456a892f23ea14c55600aa1b9b4ed469e40436c1aa4882292949ad93
Opcode Fuzzy Hash: 2c73f5dab03d9f13920bc85c0e47e4a4ada34fa264cf2caf1756aa70acc72151
Instruction Fuzzy Hash: 58E1F7B4E011198FCB14CFA9C5809AEFBF6FB89304F249169E518AB356D731A942CF61

Function 07E751F0 Relevance: .3, Instructions: 312COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1745248473.0000000007E70000.00000040.00000800.00020000.00000000.sdmp, Offset: 07E70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7e70000_SecuriteInfo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: dfea09587e555bbef7e0e7169639bf9a392b88e4b4dcf22c200e9e154c9a34c4
Instruction ID: 7828c16aff2107c493def400a662546d032d009b2225a742a3ed5e1a04aee6a2
Opcode Fuzzy Hash: dfea09587e555bbef7e0e7169639bf9a392b88e4b4dcf22c200e9e154c9a34c4
Instruction Fuzzy Hash: 74E1F6B4E112198FCB14CFA9C5809AEBBF6FF89304F249169E419AB356D730AD41CF61

Function 07E73060 Relevance: .3, Instructions: 312COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1745248473.0000000007E70000.00000040.00000800.00020000.00000000.sdmp, Offset: 07E70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7e70000_SecuriteInfo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9440c7b555149982f7fec9c77b1cb28a0397179aaa8011f4148aec14d0c45fa9
Instruction ID: 23cfcc7296aef915a8943cfc470bd4be0be028d9d160d61dc5f5f1610e5fd4ca
Opcode Fuzzy Hash: 9440c7b555149982f7fec9c77b1cb28a0397179aaa8011f4148aec14d0c45fa9
Instruction Fuzzy Hash: BBE107B4E011598FCB14CFA9C5809AEFBF6FF89304F249169E418AB356DB30A941DF61

Function 05F5B030 Relevance: .3, Instructions: 274COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1742548483.0000000005F50000.00000040.00000800.00020000.00000000.sdmp, Offset: 05F50000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5f50000_SecuriteInfo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4c5f31b27e3befb1b50a3ef3a92ab492f4798a4df6895c5b0f8a4e4870ec3b17
Instruction ID: c12f4b4fe1fe8913a6b8da8bb0e574f713b943acc385db9069cca251c0de947d
Opcode Fuzzy Hash: 4c5f31b27e3befb1b50a3ef3a92ab492f4798a4df6895c5b0f8a4e4870ec3b17
Instruction Fuzzy Hash: 37D10471C1075A8ACB01EB64D950AADF775FF99300F10DB9AE4493B220EB706AD5CB81

Function 05F5B040 Relevance: .3, Instructions: 264COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1742548483.0000000005F50000.00000040.00000800.00020000.00000000.sdmp, Offset: 05F50000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5f50000_SecuriteInfo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c7ab617b5313f5027f0911cee02e5e0377f0fce8ecddde3c67d1a476df1d101e
Instruction ID: 01cd3d629115e47bb44b95d6ef6b420024e7717c92809c11e2dc0f2de192837a
Opcode Fuzzy Hash: c7ab617b5313f5027f0911cee02e5e0377f0fce8ecddde3c67d1a476df1d101e
Instruction Fuzzy Hash: 3AD1F471C10B5A8ACB01EB74D950AADF775FF99300F10DB9AE5493B220EB706AD5CB81

Function 07E72C08 Relevance: .1, Instructions: 136COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1745248473.0000000007E70000.00000040.00000800.00020000.00000000.sdmp, Offset: 07E70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7e70000_SecuriteInfo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 420fcfa14ed4202bbb231105ada2a99206ccd211d35bd92fd2180cf0d8f3c678
Instruction ID: b594af303a0ce21970355b46cb07da3b0d3f3f2bbae763dc0fdc0afdfe24cfa6
Opcode Fuzzy Hash: 420fcfa14ed4202bbb231105ada2a99206ccd211d35bd92fd2180cf0d8f3c678
Instruction Fuzzy Hash: CF513CB1E012598FCB14CFA9C5805AEFBF6FF89304F2491AAD508AB316D7359942CF61

Function 07E73050 Relevance: .1, Instructions: 134COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1745248473.0000000007E70000.00000040.00000800.00020000.00000000.sdmp, Offset: 07E70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7e70000_SecuriteInfo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2493b461672446d53a30bf517dcd1a7ee69f8d6881c67c5fbcf69294f0618fe8
Instruction ID: a99727330d3f0ccc30f827eaf240d934a07c4b2ad4c8d061585014d617091e7c
Opcode Fuzzy Hash: 2493b461672446d53a30bf517dcd1a7ee69f8d6881c67c5fbcf69294f0618fe8
Instruction Fuzzy Hash: 8C511AB0E012598FCB14CFA9C5815AEFBF6FF89304F24916AD418A7215D7319A41CF61

Function 07E73488 Relevance: .1, Instructions: 133COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1745248473.0000000007E70000.00000040.00000800.00020000.00000000.sdmp, Offset: 07E70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7e70000_SecuriteInfo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 67dcfa33db0be3f7df2f3cfa42a87ec9bc39721401e34919b60fd6effd326248
Instruction ID: 2abb2d3fbdf9ff2a7396b5d22f20a04a047dca203fb2da8e50c8f5a5ec37b653
Opcode Fuzzy Hash: 67dcfa33db0be3f7df2f3cfa42a87ec9bc39721401e34919b60fd6effd326248
Instruction Fuzzy Hash: B2511BB0E012598FCB14CFA9D5805AEFBF6BF89304F24916AD418A7356D7309942DFA1

Function 07E79879 Relevance: .1, Instructions: 100COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1745248473.0000000007E70000.00000040.00000800.00020000.00000000.sdmp, Offset: 07E70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7e70000_SecuriteInfo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c5af1567dd8840bc59801f9c43342a1d6f86efe729585054a0ba4c6d1382865b
Instruction ID: aed62af11b8f19de1a6125a9e22d2e3c5a1355d8d3e4a99b026a118b43ac8526
Opcode Fuzzy Hash: c5af1567dd8840bc59801f9c43342a1d6f86efe729585054a0ba4c6d1382865b
Instruction Fuzzy Hash: 8B3106B1A09651AFE704CB3AD8553BABBE9EF87310F089466D049CB247D738A441CB51

Analysis Process: RegSvcs.exePID: 7500, Parent PID: 7320COMMON

Execution Graph

Execution Coverage:	0.8%
Dynamic/Decrypted Code Coverage:	6%
Signature Coverage:	10%
Total number of Nodes:	100
Total number of Limit Nodes:	8

Executed Functions

Function 00417CC3 Relevance: 1.5, APIs: 1, Instructions: 48
libraryloaderCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

LdrLoadDll.NTDLL(00000000,00000000,?,?), ref: 00417D35

Memory Dump Source

Source File: 00000003.00000002.1951644033.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_RegSvcs.jbxd

Yara matches

Similarity

API ID: Load
String ID:
API String ID: 2234796835-0
Opcode ID: 200a55004be65089ecd2a56d9b4ab745bfe74c09930cab580bd894bfa4596f77
Instruction ID: a774e3fa01a40c54f9b4cac4e207b1417f9bb8ca7cd0c840ad1d749b56d2b5e7
Opcode Fuzzy Hash: 200a55004be65089ecd2a56d9b4ab745bfe74c09930cab580bd894bfa4596f77
Instruction Fuzzy Hash: 740152B1E0010DA7DB10DAA5DD42FEEB3789B54308F4041AAE90897240F674EB488795

Function 0042C1F3 Relevance: 1.5, APIs: 1, Instructions: 25
nativeCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

NtClose.NTDLL(?,?,00000000,00000000,0000001F,?,FA0A1F00), ref: 0042C22A

Memory Dump Source

Source File: 00000003.00000002.1951644033.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_RegSvcs.jbxd

Yara matches

Similarity

API ID: Close
String ID:
API String ID: 3535843008-0
Opcode ID: 75f4d463c0e160502a9a9bfb9c5b5f3822e614794f81f8cab96bdc07b47eab02
Instruction ID: 10542a2f49cb64583fb17cde8323555dc3807db89c2a398850aaa0c0f34641c4
Opcode Fuzzy Hash: 75f4d463c0e160502a9a9bfb9c5b5f3822e614794f81f8cab96bdc07b47eab02
Instruction Fuzzy Hash: 67E04F322012147BE210BA6AEC41F97775CDBC5714F404419FA08A7285C6B57A4187F4

Function 019B2B60 Relevance: 1.5, APIs: 1, Instructions: 4
libraryCOMMONLIBRARYCODE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

LdrInitializeThunk.NTDLL ref: 019B2B6A

Memory Dump Source

Source File: 00000003.00000002.1952342139.0000000001940000.00000040.00001000.00020000.00000000.sdmp, Offset: 01940000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_1940000_RegSvcs.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 1450a16c9479ada7d0e3daff7e1a78b0ee8a75826d7cef3d806a0ca601e89144
Instruction ID: 9403930d3818d4bdc237e46fcd02fc9553769bdc08c1edcd2b0f5a2a5b06ee0e
Opcode Fuzzy Hash: 1450a16c9479ada7d0e3daff7e1a78b0ee8a75826d7cef3d806a0ca601e89144
Instruction Fuzzy Hash: D3900261202500034105715D4418616804E97E0601B55C025E1454590DC52689916226

Function 019B2DF0 Relevance: 1.5, APIs: 1, Instructions: 4
libraryCOMMONLIBRARYCODE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

LdrInitializeThunk.NTDLL ref: 019B2DFA

Memory Dump Source

Source File: 00000003.00000002.1952342139.0000000001940000.00000040.00001000.00020000.00000000.sdmp, Offset: 01940000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_1940000_RegSvcs.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: bdbe98773f166c4b03beb97bc556d95f5a3b4bbdd9d7530fe07f9f36ae1c034a
Instruction ID: b6ba6445005381e23c074b49bc5fc46735f2de8aa1404d9ada11d2f24677947e
Opcode Fuzzy Hash: bdbe98773f166c4b03beb97bc556d95f5a3b4bbdd9d7530fe07f9f36ae1c034a
Instruction Fuzzy Hash: A690023120150413D111715D4508707404D97D0641F95C416A0864558DD6578A52A222

Function 019B2C70 Relevance: 1.5, APIs: 1, Instructions: 4
libraryCOMMONLIBRARYCODE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

LdrInitializeThunk.NTDLL ref: 019B2C7A

Memory Dump Source

Source File: 00000003.00000002.1952342139.0000000001940000.00000040.00001000.00020000.00000000.sdmp, Offset: 01940000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_1940000_RegSvcs.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 276d53b872da03feb236c8e65ec828f7c2057d930a355b36b3bfa19a0e590416
Instruction ID: e4db71e05a550855e1bb56a6521eee0d899e815798e4ab91d795cab115bd0634
Opcode Fuzzy Hash: 276d53b872da03feb236c8e65ec828f7c2057d930a355b36b3bfa19a0e590416
Instruction Fuzzy Hash: 7390023120158802D110715D840874A404997D0701F59C415A4864658DC69689917222

Function 019B35C0 Relevance: 1.5, APIs: 1, Instructions: 4
libraryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

LdrInitializeThunk.NTDLL ref: 019B35CA

Memory Dump Source

Source File: 00000003.00000002.1952342139.0000000001940000.00000040.00001000.00020000.00000000.sdmp, Offset: 01940000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_1940000_RegSvcs.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: c9ae0fa1434d86dad15fbea305fea12893509184904a1354b41e5a44900b9ee7
Instruction ID: 09062d2f6dc61e30a108a396d8538426a5c6145c516dfae7210b717ebb33cf4a
Opcode Fuzzy Hash: c9ae0fa1434d86dad15fbea305fea12893509184904a1354b41e5a44900b9ee7
Instruction Fuzzy Hash: 6E90023160560402D100715D4518706504997D0601F65C415A0864568DC7968A5166A3

Function 0042C553 Relevance: 1.5, APIs: 1, Instructions: 29
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

RtlFreeHeap.NTDLL(00000000,00000004,00000000,3B6279BD,00000007,00000000,00000004,00000000,00417550,000000F4), ref: 0042C58F

Memory Dump Source

Source File: 00000003.00000002.1951644033.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_RegSvcs.jbxd

Yara matches

Similarity

API ID: FreeHeap
String ID:
API String ID: 3298025750-0
Opcode ID: d315f5d52e97af43139a8f28101686a455bb8ff6753f8eba57bc5b4e2d1424b4
Instruction ID: 194b7f438af6dc5db34cd7e29bea64f2f6d07f97d63c2a2c92fd214a05fdb5f2
Opcode Fuzzy Hash: d315f5d52e97af43139a8f28101686a455bb8ff6753f8eba57bc5b4e2d1424b4
Instruction Fuzzy Hash: 20E092B12043087BD610EE59EC41FDB77ACEFC9714F000419FA08A7241D675B9508BB9

Function 0042C503 Relevance: 1.5, APIs: 1, Instructions: 29
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

RtlAllocateHeap.NTDLL(?,0041E69E,?,?,00000000,?,0041E69E,?,?,?), ref: 0042C53F

Memory Dump Source

Source File: 00000003.00000002.1951644033.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_RegSvcs.jbxd

Yara matches

Similarity

API ID: AllocateHeap
String ID:
API String ID: 1279760036-0
Opcode ID: 748aeb7fe57182c7196394271cc7a69a84ec0951980bf887add9fe2d85387475
Instruction ID: aa0953a62e29a1f1f3903e4f9a934a41acc35e0f006fb568b91bc15748ece4fc
Opcode Fuzzy Hash: 748aeb7fe57182c7196394271cc7a69a84ec0951980bf887add9fe2d85387475
Instruction Fuzzy Hash: 45E092712002147BD614EF59EC41FDB37ACEFC5714F000459F908A7282D674BA50CBB9

Function 0042C5A3 Relevance: 1.5, APIs: 1, Instructions: 25
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

ExitProcess.KERNEL32(?), ref: 0042C5D7

Memory Dump Source

Source File: 00000003.00000002.1951644033.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_RegSvcs.jbxd

Yara matches

Similarity

API ID: ExitProcess
String ID:
API String ID: 621844428-0
Opcode ID: d422e3905864ab087cf415dd17810084041c3c06ce3d60b6044d4843c8329af0
Instruction ID: b0682e9a8b0ba54fa551993d38dc3a2c3a77ab911a1776be061ed2f614c4f8ea
Opcode Fuzzy Hash: d422e3905864ab087cf415dd17810084041c3c06ce3d60b6044d4843c8329af0
Instruction Fuzzy Hash: 37E08C326002147BD620FA6AEC42FDB776CDFC5718F40441AFA0CA7281C6B5BA048BF4

Function 019B2C0A Relevance: 1.5, APIs: 1, Instructions: 8
libraryCOMMONLIBRARYCODE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

LdrInitializeThunk.NTDLL ref: 019B2C24

Memory Dump Source

Source File: 00000003.00000002.1952342139.0000000001940000.00000040.00001000.00020000.00000000.sdmp, Offset: 01940000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_1940000_RegSvcs.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 59c926e8ad3f749f031143552928866c23f695cce07cbd687ae47eba1740bac4
Instruction ID: 2671905b16960eb7a1cf2b8e55f745b529dd6f263d206da91a652c66d3e9cd7e
Opcode Fuzzy Hash: 59c926e8ad3f749f031143552928866c23f695cce07cbd687ae47eba1740bac4
Instruction Fuzzy Hash: 6CB09B71D015C5C5DA11E764470C7177A44B7D0702F15C065D2470641F4739D5D1E276

Non-executed Functions

Function 019F2349 Relevance: 26.1, Strings: 20, Instructions: 1117COMMON

Download Yara Rule

Strings

minkernel\ntdll\ldrinit.c, xrefs: 019F3187
TracingFlags, xrefs: 019F2549
MaxLoaderThreads, xrefs: 019F24EC
@, xrefs: 019F2942
CFGOptions, xrefs: 019F2967
ExecuteOptions, xrefs: 019F25A0
GlobalFlag, xrefs: 019F2F3F, 019F3059
FrontEndHeapDebugOptions, xrefs: 019F2489
Initializing the application verifier package failed with status 0x%08lx, xrefs: 019F3176
GlobalFlag2, xrefs: 019F2FC0
MaxDeadActivationContexts, xrefs: 019F2D82
MinimumStackCommitInBytes, xrefs: 019F2BB0
UseImpersonatedDeviceMap, xrefs: 019F251C
DisableExceptionChainValidation, xrefs: 019F275F
@, xrefs: 019F2B74
LdrpInitializeExecutionOptions, xrefs: 019F317D
UnloadEventTraceDepth, xrefs: 019F24C0
RaiseExceptionOnPossibleDeadlock, xrefs: 019F2579
ShutdownFlags, xrefs: 019F24A1
DisableHeapLookaside, xrefs: 019F246D

Memory Dump Source

Source File: 00000003.00000002.1952342139.0000000001940000.00000040.00001000.00020000.00000000.sdmp, Offset: 01940000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_1940000_RegSvcs.jbxd

Similarity

API ID:
String ID: @$@$CFGOptions$DisableExceptionChainValidation$DisableHeapLookaside$ExecuteOptions$FrontEndHeapDebugOptions$GlobalFlag$GlobalFlag2$Initializing the application verifier package failed with status 0x%08lx$LdrpInitializeExecutionOptions$MaxDeadActivationContexts$MaxLoaderThreads$MinimumStackCommitInBytes$RaiseExceptionOnPossibleDeadlock$ShutdownFlags$TracingFlags$UnloadEventTraceDepth$UseImpersonatedDeviceMap$minkernel\ntdll\ldrinit.c
API String ID: 0-2160512332
Opcode ID: 61ac5e61a6c15b2e77e0475ab8e2b14485ec07057437fd3453d6f4601f16f79a
Instruction ID: c6dcb19be0b64ec18b71404e75449d3c0f492944d022ecf514efacb67b2f0192
Opcode Fuzzy Hash: 61ac5e61a6c15b2e77e0475ab8e2b14485ec07057437fd3453d6f4601f16f79a
Instruction Fuzzy Hash: 85928D71604742ABE721DF28C880F6BBBE8BB84754F14492DFB98D7290D774E944CB92

Function 019A8620 Relevance: 17.7, Strings: 14, Instructions: 223COMMON

Download Yara Rule

Strings

double initialized or corrupted critical section, xrefs: 019E5508
8, xrefs: 019E52E3
Thread identifier, xrefs: 019E553A
Critical section debug info address, xrefs: 019E541F, 019E552E
Initialization stack trace. Use dps to dump it if non-NULL., xrefs: 019E540A, 019E5496, 019E5519
Thread is in a state in which it cannot own a critical section, xrefs: 019E5543
Critical section address, xrefs: 019E5425, 019E54BC, 019E5534
undeleted critical section in freed memory, xrefs: 019E542B
Critical section address., xrefs: 019E5502
Invalid debug info address of this critical section, xrefs: 019E54B6
corrupted critical section, xrefs: 019E54C2
Second initialization stack trace. Use dps to dump it if non-NULL., xrefs: 019E54CE
First initialization stack trace. Use dps to dump it if non-NULL., xrefs: 019E54E2
Address of the debug info found in the active list., xrefs: 019E54AE, 019E54FA

Memory Dump Source

Source File: 00000003.00000002.1952342139.0000000001940000.00000040.00001000.00020000.00000000.sdmp, Offset: 01940000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_1940000_RegSvcs.jbxd

Similarity

API ID:
String ID: 8$Address of the debug info found in the active list.$Critical section address$Critical section address.$Critical section debug info address$First initialization stack trace. Use dps to dump it if non-NULL.$Initialization stack trace. Use dps to dump it if non-NULL.$Invalid debug info address of this critical section$Second initialization stack trace. Use dps to dump it if non-NULL.$Thread identifier$Thread is in a state in which it cannot own a critical section$corrupted critical section$double initialized or corrupted critical section$undeleted critical section in freed memory
API String ID: 0-2368682639
Opcode ID: d376ba1c8025f11ec7fc7aeca0ebf09eb750558114b092d33afe0a6fa04bebcc
Instruction ID: a7813df4330ffaa308eff642024c6bb324478e83a8246fbbbf39511775addf46
Opcode Fuzzy Hash: d376ba1c8025f11ec7fc7aeca0ebf09eb750558114b092d33afe0a6fa04bebcc
Instruction Fuzzy Hash: E8819E74A00348EFEB61CF9AC845FAEBBF9BB48B09F114159E90CB7251D371A945CB60

Function 019A29F9 Relevance: 14.2, Strings: 11, Instructions: 411COMMON

Download Yara Rule

Strings

SXS: Unable to resolve storage root for assembly directory %wZ in %Iu tries, xrefs: 019E24C0
SXS: Storage resolution failed to insert entry to storage map; Status = 0x%08lx, xrefs: 019E2602
SXS: Unable to open assembly directory under storage root "%S"; Status = 0x%08lx, xrefs: 019E25EB
SXS: Attempt to probe assembly storage root %wZ for assembly directory %wZ failed with status = 0x%08lx, xrefs: 019E2498
SXS: Attempt to insert well known storage root into assembly storage map assembly roster index %lu failed; Status = 0x%08lx, xrefs: 019E2412
SXS: Attempt to probe known root of assembly storage ("%wZ") failed; Status = 0x%08lx, xrefs: 019E2409
SXS: Assembly directory name stored in assembly information too long (%lu bytes) - ACTIVATION_CONTEXT_DATA at %p, xrefs: 019E22E4
RtlpResolveAssemblyStorageMapEntry, xrefs: 019E261F
SXS: Attempt to translate DOS path name "%S" to NT format failed, xrefs: 019E2506
SXS: %s() bad parametersSXS: Map : %pSXS: Data : %pSXS: AssemblyRosterIndex: 0x%lxSXS: Map->AssemblyCount : 0x%lx, xrefs: 019E2624
@, xrefs: 019E259B

Memory Dump Source

Source File: 00000003.00000002.1952342139.0000000001940000.00000040.00001000.00020000.00000000.sdmp, Offset: 01940000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_1940000_RegSvcs.jbxd

Similarity

API ID:
String ID: @$RtlpResolveAssemblyStorageMapEntry$SXS: %s() bad parametersSXS: Map : %pSXS: Data : %pSXS: AssemblyRosterIndex: 0x%lxSXS: Map->AssemblyCount : 0x%lx$SXS: Assembly directory name stored in assembly information too long (%lu bytes) - ACTIVATION_CONTEXT_DATA at %p$SXS: Attempt to insert well known storage root into assembly storage map assembly roster index %lu failed; Status = 0x%08lx$SXS: Attempt to probe assembly storage root %wZ for assembly directory %wZ failed with status = 0x%08lx$SXS: Attempt to probe known root of assembly storage ("%wZ") failed; Status = 0x%08lx$SXS: Attempt to translate DOS path name "%S" to NT format failed$SXS: Storage resolution failed to insert entry to storage map; Status = 0x%08lx$SXS: Unable to open assembly directory under storage root "%S"; Status = 0x%08lx$SXS: Unable to resolve storage root for assembly directory %wZ in %Iu tries
API String ID: 0-4009184096
Opcode ID: c1acf9448302447629b6fadff231c71727f229410e6f2739d04dc96068e7c982
Instruction ID: 4360268797180b768106d2decb83dba0e6aee86cd25713ea3fb76e203f4e2fd5
Opcode Fuzzy Hash: c1acf9448302447629b6fadff231c71727f229410e6f2739d04dc96068e7c982
Instruction Fuzzy Hash: 5B0251B1D002299BDB31DB54CD84BDAB7BCAB54704F4045DAA60DA7241EB30AF84CF99

Function 01A18B42 Relevance: 12.6, Strings: 10, Instructions: 146COMMON

Download Yara Rule

Strings

csrss.exe, xrefs: 01A18B80
services.exe, xrefs: 01A18B96
http://schemas.microsoft.com/SMI/2020/WindowsSettings, xrefs: 01A18BD0
lsass.exe, xrefs: 01A18BA1
smss.exe, xrefs: 01A18B8B
svchost.exe, xrefs: 01A18B68
DefaultBrowser_NOPUBLISHERID, xrefs: 01A18D00
heapType, xrefs: 01A18BCB
runtimebroker.exe, xrefs: 01A18B73
SegmentHeap, xrefs: 01A18BE9

Memory Dump Source

Source File: 00000003.00000002.1952342139.0000000001940000.00000040.00001000.00020000.00000000.sdmp, Offset: 01940000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_1940000_RegSvcs.jbxd

Similarity

API ID:
String ID: DefaultBrowser_NOPUBLISHERID$SegmentHeap$csrss.exe$heapType$http://schemas.microsoft.com/SMI/2020/WindowsSettings$lsass.exe$runtimebroker.exe$services.exe$smss.exe$svchost.exe
API String ID: 0-2515994595
Opcode ID: d8d38b0e90d7534f5eafc31a1d7aa5358241efba38cdf2df54f104fc2849eeaa
Instruction ID: 0ae32f6ff5e1d0ce1219788a1628a7cce79e5789c1370e43c3e2e2a53a5c3c5d
Opcode Fuzzy Hash: d8d38b0e90d7534f5eafc31a1d7aa5358241efba38cdf2df54f104fc2849eeaa
Instruction Fuzzy Hash: 2B51D0B16043159FD729CF588984BABBBE8FFD4240F544A2DE999C3244E778D608CBD2

Function 01A20274 Relevance: 10.3, Strings: 8, Instructions: 348COMMON

Download Yara Rule

Strings

HEAP[%wZ]: , xrefs: 01A20399, 01A204A8, 01A205D0, 01A20675, 01A206CC
About to reallocate block at %p to %Ix bytes, xrefs: 01A203BA
Invalid allocation size - %Ix (exceeded %Ix), xrefs: 01A206EA
RtlReAllocateHeap, xrefs: 01A202BF, 01A20362
About to rellocate block at %p to 0x%Ix bytes with tag %ws, xrefs: 01A204D3
Just reallocated block at %p to %Ix bytes, xrefs: 01A205F1
HEAP: , xrefs: 01A203A6, 01A204B5, 01A205DD, 01A20682, 01A206D9
Just reallocated block at %p to 0x%Ix bytes with tag %ws, xrefs: 01A2069F

Memory Dump Source

Source File: 00000003.00000002.1952342139.0000000001940000.00000040.00001000.00020000.00000000.sdmp, Offset: 01940000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_1940000_RegSvcs.jbxd

Similarity

API ID:
String ID: About to reallocate block at %p to %Ix bytes$About to rellocate block at %p to 0x%Ix bytes with tag %ws$HEAP: $HEAP[%wZ]: $Invalid allocation size - %Ix (exceeded %Ix)$Just reallocated block at %p to %Ix bytes$Just reallocated block at %p to 0x%Ix bytes with tag %ws$RtlReAllocateHeap
API String ID: 0-1700792311
Opcode ID: 87807586e93b87ecd25b74b5fb753e31654f1d25e617f2123e35cadbe8e97523
Instruction ID: 058906fd4819dc8edac8fad8fd4d219997026a11cb93ea052bdcb5093517de5d
Opcode Fuzzy Hash: 87807586e93b87ecd25b74b5fb753e31654f1d25e617f2123e35cadbe8e97523
Instruction Fuzzy Hash: 00D1FF35600696DFDB22DFACC540AADBBF1FF8A714F088059F44A9B662D735D981CB20

Function 019F89B3 Relevance: 9.0, Strings: 7, Instructions: 259COMMON

Download Yara Rule

Strings

AVRF: %ws: pid 0x%X: application verifier will be disabled due to an initialization error., xrefs: 019F8A67
VerifierDebug, xrefs: 019F8CA5
VerifierFlags, xrefs: 019F8C50
HandleTraces, xrefs: 019F8C8F
AVRF: -*- final list of providers -*- , xrefs: 019F8B8F
AVRF: %ws: pid 0x%X: flags 0x%X: application verifier enabled, xrefs: 019F8A3D
VerifierDlls, xrefs: 019F8CBD

Memory Dump Source

Source File: 00000003.00000002.1952342139.0000000001940000.00000040.00001000.00020000.00000000.sdmp, Offset: 01940000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_1940000_RegSvcs.jbxd

Similarity

API ID:
String ID: AVRF: %ws: pid 0x%X: application verifier will be disabled due to an initialization error.$AVRF: %ws: pid 0x%X: flags 0x%X: application verifier enabled$AVRF: -*- final list of providers -*- $HandleTraces$VerifierDebug$VerifierDlls$VerifierFlags
API String ID: 0-3223716464
Opcode ID: 7170ec2ba440fcb8cdbf05b9e6f33e92092d07b2aa0c047d6fe0250a5a7d559f
Instruction ID: c25a32413316f2f577ff59ed353c6cf878a67f3cb48717890bae1f750f92ba82
Opcode Fuzzy Hash: 7170ec2ba440fcb8cdbf05b9e6f33e92092d07b2aa0c047d6fe0250a5a7d559f
Instruction Fuzzy Hash: BC911272A41306BFD762EF288880F1A7BA8AFA4754F04081CFB4D6B290D730EC05C791

Function 0197EA80 Relevance: 8.6, Strings: 6, Instructions: 1073COMMON

Download Yara Rule

Strings

LdrpResSearchResourceInsideDirectory Exit, xrefs: 0197EB6C
, xrefs: 0197F299
{, xrefs: 019D4643
R, xrefs: 0197EB62
T, xrefs: 0197EB4E
LdrpResSearchResourceInsideDirectory Enter, xrefs: 0197EB58

Memory Dump Source

Source File: 00000003.00000002.1952342139.0000000001940000.00000040.00001000.00020000.00000000.sdmp, Offset: 01940000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_1940000_RegSvcs.jbxd

Similarity

API ID:
String ID: $LdrpResSearchResourceInsideDirectory Enter$LdrpResSearchResourceInsideDirectory Exit$R$T${
API String ID: 0-1109411897
Opcode ID: a9fe6a3cbee595b09baecbab963afb6b10d19b5131e04da0f266485fc3072127
Instruction ID: acdab613dfb821815a808bceed0ec8566500b07628c7bc23097c9206a985d750
Opcode Fuzzy Hash: a9fe6a3cbee595b09baecbab963afb6b10d19b5131e04da0f266485fc3072127
Instruction Fuzzy Hash: D7A24874A0562A8FDB64CF18CD88BA9BBB5BF85705F1486E9D91DA7650DB309EC0CF00

Function 019A63FF Relevance: 7.8, Strings: 6, Instructions: 261COMMON

Download Yara Rule

Strings

Delaying execution failed with status 0x%08lx, xrefs: 019E4258
minkernel\ntdll\ldrinit.c, xrefs: 019E40E9, 019E414B, 019E420F, 019E4269
NtWaitForSingleObject failed with status 0x%08lx, fallback to delay loop, xrefs: 019E41FE
Process initialization failed with status 0x%08lx, xrefs: 019E413A
LDR:MRDATA: Process initialization failed with status 0x%08lx, xrefs: 019E40D8
_LdrpInitialize, xrefs: 019E40DF, 019E4141, 019E4205, 019E425F

Memory Dump Source

Source File: 00000003.00000002.1952342139.0000000001940000.00000040.00001000.00020000.00000000.sdmp, Offset: 01940000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_1940000_RegSvcs.jbxd

Similarity

API ID:
String ID: Delaying execution failed with status 0x%08lx$LDR:MRDATA: Process initialization failed with status 0x%08lx$NtWaitForSingleObject failed with status 0x%08lx, fallback to delay loop$Process initialization failed with status 0x%08lx$_LdrpInitialize$minkernel\ntdll\ldrinit.c
API String ID: 0-792281065
Opcode ID: 62cc76967fcf2a76ef05da6f3b426d8b1f5f0dd65d608868664f9d09581af72d
Instruction ID: d800d1e10013fb5e4c21e791ddbda2cedb8e6683efb09f0fb2c346878a3afc4f
Opcode Fuzzy Hash: 62cc76967fcf2a76ef05da6f3b426d8b1f5f0dd65d608868664f9d09581af72d
Instruction Fuzzy Hash: B09126B0B00315DBEB26DF58D848BAA7BE5FF91B65F48002CE90CAB291D7749806C7D1

Function 0196645D Relevance: 7.6, Strings: 6, Instructions: 150COMMON

Download Yara Rule

Strings

minkernel\ntdll\ldrinit.c, xrefs: 019C9A11, 019C9A3A
Building shim engine DLL system32 filename failed with status 0x%08lx, xrefs: 019C99ED
Getting the shim engine exports failed with status 0x%08lx, xrefs: 019C9A01
apphelp.dll, xrefs: 01966496
Loading the shim engine DLL failed with status 0x%08lx, xrefs: 019C9A2A
LdrpInitShimEngine, xrefs: 019C99F4, 019C9A07, 019C9A30

Memory Dump Source

Source File: 00000003.00000002.1952342139.0000000001940000.00000040.00001000.00020000.00000000.sdmp, Offset: 01940000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_1940000_RegSvcs.jbxd

Similarity

API ID:
String ID: Building shim engine DLL system32 filename failed with status 0x%08lx$Getting the shim engine exports failed with status 0x%08lx$LdrpInitShimEngine$Loading the shim engine DLL failed with status 0x%08lx$apphelp.dll$minkernel\ntdll\ldrinit.c
API String ID: 0-204845295
Opcode ID: cc4488d9f93a832b2eb00f4db50f3a8c7c09da77a39ca01e5d50b3d6e3da723c
Instruction ID: 45d59f31da694db7d32b304dff92dd97d5e136a204b00f6303ded3812230a909
Opcode Fuzzy Hash: cc4488d9f93a832b2eb00f4db50f3a8c7c09da77a39ca01e5d50b3d6e3da723c
Instruction Fuzzy Hash: A4518E712083059FD725DB28C851FAB77E8EBC4B48F00091DF99D9B1A1D630E905CBA3

Function 019AC6A6 Relevance: 7.6, Strings: 6, Instructions: 110COMMON

Download Yara Rule

Strings

LdrpInitializeProcess, xrefs: 019AC6C4
minkernel\ntdll\ldrinit.c, xrefs: 019AC6C3
Unable to build import redirection Table, Status = 0x%x, xrefs: 019E81E5
minkernel\ntdll\ldrredirect.c, xrefs: 019E8181, 019E81F5
LdrpInitializeImportRedirection, xrefs: 019E8177, 019E81EB
Loading import redirection DLL: '%wZ', xrefs: 019E8170

Memory Dump Source

Source File: 00000003.00000002.1952342139.0000000001940000.00000040.00001000.00020000.00000000.sdmp, Offset: 01940000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_1940000_RegSvcs.jbxd

Similarity

API ID:
String ID: LdrpInitializeImportRedirection$LdrpInitializeProcess$Loading import redirection DLL: '%wZ'$Unable to build import redirection Table, Status = 0x%x$minkernel\ntdll\ldrinit.c$minkernel\ntdll\ldrredirect.c
API String ID: 0-475462383
Opcode ID: 7697bd5ead5d926395173004b21647c2ca0cdfc9de9192ec350551f737028052
Instruction ID: 0d088cc672dd943aa225aca2ba0cd3ea1b53f3f38e434dc8f47779279ff8df33
Opcode Fuzzy Hash: 7697bd5ead5d926395173004b21647c2ca0cdfc9de9192ec350551f737028052
Instruction Fuzzy Hash: D43100B1644706AFD325EF68D94AE2AB7D4FFD0B50F04051CF94CAB291E620EC09C7A2

Function 019A2674 Relevance: 7.6, Strings: 6, Instructions: 110COMMON

Download Yara Rule

Strings

SXS: RtlGetAssemblyStorageRoot() unable to get activation context data, storage map and assembly roster header. Status = 0x%08lx, xrefs: 019E2178
SXS: %s() passed the empty activation context, xrefs: 019E2165
SXS: %s() bad parameters AssemblyRosterIndex 0x%lx >= AssemblyRosterHeader->EntryCount: 0x%lx, xrefs: 019E219F
RtlGetAssemblyStorageRoot, xrefs: 019E2160, 019E219A, 019E21BA
SXS: RtlGetAssemblyStorageRoot() unable to resolve storage map entry. Status = 0x%08lx, xrefs: 019E2180
SXS: %s() bad parameters:SXS: Flags : 0x%lxSXS: AssemblyRosterIndex: 0x%lxSXS: AssemblyStorageRoot: %pSXS: Callback : %p, xrefs: 019E21BF

Memory Dump Source

Source File: 00000003.00000002.1952342139.0000000001940000.00000040.00001000.00020000.00000000.sdmp, Offset: 01940000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_1940000_RegSvcs.jbxd

Similarity

API ID:
String ID: RtlGetAssemblyStorageRoot$SXS: %s() bad parameters AssemblyRosterIndex 0x%lx >= AssemblyRosterHeader->EntryCount: 0x%lx$SXS: %s() bad parameters:SXS: Flags : 0x%lxSXS: AssemblyRosterIndex: 0x%lxSXS: AssemblyStorageRoot: %pSXS: Callback : %p$SXS: %s() passed the empty activation context$SXS: RtlGetAssemblyStorageRoot() unable to get activation context data, storage map and assembly roster header. Status = 0x%08lx$SXS: RtlGetAssemblyStorageRoot() unable to resolve storage map entry. Status = 0x%08lx
API String ID: 0-861424205
Opcode ID: 27d3ce327e94cb270511dabedb8f1dca066708c59536f9912176799f1a5dbd4e
Instruction ID: 90d778c783571efc7c963a3c8080b347a1c199803f4ee8fb4e137723f80c421d
Opcode Fuzzy Hash: 27d3ce327e94cb270511dabedb8f1dca066708c59536f9912176799f1a5dbd4e
Instruction Fuzzy Hash: 5431C63AA41215BBE726DB99CC85F6A7BBCEB95A50F454059FB0C77240D270EB00C7E1

Function 019B096E Relevance: 6.6, APIs: 4, Instructions: 606COMMON

Download Yara Rule

APIs

Part of subcall function 019B2DF0: LdrInitializeThunk.NTDLL ref: 019B2DFA

__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 019B0BA3
__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 019B0BB6
__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 019B0D60
__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 019B0D74

Memory Dump Source

Source File: 00000003.00000002.1952342139.0000000001940000.00000040.00001000.00020000.00000000.sdmp, Offset: 01940000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_1940000_RegSvcs.jbxd

Similarity

API ID: Unothrow_t@std@@@__ehfuncinfo$??2@$InitializeThunk
String ID:
API String ID: 1404860816-0
Opcode ID: 9bd8b4a316f1076a6f62167b2ac797d455b95555c64c8eb799bdb81d622708cc
Instruction ID: 13385328a19d8eae8a87154f095668a50834e95546e6f594d3813c74c2244e9d
Opcode Fuzzy Hash: 9bd8b4a316f1076a6f62167b2ac797d455b95555c64c8eb799bdb81d622708cc
Instruction Fuzzy Hash: 75424971900715DFDB21CF68C984BEAB7F9BF44314F1445A9E98DAB242E770AA84CF60

Function 0197A3C0 Relevance: 5.3, Strings: 4, Instructions: 290COMMON

Download Yara Rule

Strings

6, xrefs: 0197A3F7
8, xrefs: 0197A3E7
LdrResFallbackLangList Exit, xrefs: 0197A3FF
LdrResFallbackLangList Enter, xrefs: 0197A3EF

Memory Dump Source

Source File: 00000003.00000002.1952342139.0000000001940000.00000040.00001000.00020000.00000000.sdmp, Offset: 01940000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_1940000_RegSvcs.jbxd

Similarity

API ID:
String ID: 6$8$LdrResFallbackLangList Enter$LdrResFallbackLangList Exit
API String ID: 0-379654539
Opcode ID: c54777d3731d9b2de95749c2067eb96164877e5dfc59f8e93759d3425d6589e7
Instruction ID: 2e5ae22c950e37ea6d9ba06ae2db595c133c95d5894782dbb9d2ec2be5af4b81
Opcode Fuzzy Hash: c54777d3731d9b2de95749c2067eb96164877e5dfc59f8e93759d3425d6589e7
Instruction Fuzzy Hash: B2C1AD75608382CFD711CF68C144B6EB7E8FF84B04F08896AF9998B291E735DA45CB52

Function 019A8402 Relevance: 5.3, Strings: 4, Instructions: 263COMMON

Download Yara Rule

Strings

LdrpInitializeProcess, xrefs: 019A8422
\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers, xrefs: 019A855E
minkernel\ntdll\ldrinit.c, xrefs: 019A8421
@, xrefs: 019A8591

Memory Dump Source

Source File: 00000003.00000002.1952342139.0000000001940000.00000040.00001000.00020000.00000000.sdmp, Offset: 01940000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_1940000_RegSvcs.jbxd

Similarity

API ID:
String ID: @$LdrpInitializeProcess$\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers$minkernel\ntdll\ldrinit.c
API String ID: 0-1918872054
Opcode ID: 03d9d10ff3d3f61c745605790f969b4bde3386781570c910b3db47a8b212d923
Instruction ID: d90eb0210f0f8ac95ded9b06faf11a7e3c22b53898055498d155d2753889908d
Opcode Fuzzy Hash: 03d9d10ff3d3f61c745605790f969b4bde3386781570c910b3db47a8b212d923
Instruction Fuzzy Hash: 7B917171508345AFE722EF65CD84EABBAECFF84645F40092DFA8C92151D730D944CB52

Function 019A273C Relevance: 5.2, Strings: 4, Instructions: 249COMMON

Download Yara Rule

Strings

RtlpGetActivationContextDataStorageMapAndRosterHeader, xrefs: 019E21D9, 019E22B1
SXS: %s() bad parameters:SXS: Flags : 0x%lxSXS: Peb : %pSXS: ActivationContextData: %pSXS: AssemblyStorageMap : %p, xrefs: 019E22B6
SXS: %s() passed the empty activation context, xrefs: 019E21DE
.Local, xrefs: 019A28D8

Memory Dump Source

Source File: 00000003.00000002.1952342139.0000000001940000.00000040.00001000.00020000.00000000.sdmp, Offset: 01940000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_1940000_RegSvcs.jbxd

Similarity

API ID:
String ID: .Local$RtlpGetActivationContextDataStorageMapAndRosterHeader$SXS: %s() bad parameters:SXS: Flags : 0x%lxSXS: Peb : %pSXS: ActivationContextData: %pSXS: AssemblyStorageMap : %p$SXS: %s() passed the empty activation context
API String ID: 0-1239276146
Opcode ID: eeb11bf3d66b6745be5e2fd8531ff5d70fead26f6b5708b3e9572767b6354a4e
Instruction ID: 5547090ffadc2d81307703d1e7fbc4e7a6f755c21d99cf352c3e58b1f0faf741
Opcode Fuzzy Hash: eeb11bf3d66b6745be5e2fd8531ff5d70fead26f6b5708b3e9572767b6354a4e
Instruction Fuzzy Hash: BEA1BE319002299BDB25CF68CC88BA9B7B8BF98714F6541E9D90CAB351D7309E84CFD0

Function 019A4AD0 Relevance: 5.2, Strings: 4, Instructions: 228COMMON

Download Yara Rule

Strings

SXS: %s() called with invalid cookie type 0x%08Ix, xrefs: 019E3437
SXS: %s() called with invalid flags 0x%08lx, xrefs: 019E342A
RtlDeactivateActivationContext, xrefs: 019E3425, 019E3432, 019E3451
SXS: %s() called with invalid cookie tid 0x%08Ix - should be %08Ix, xrefs: 019E3456

Memory Dump Source

Source File: 00000003.00000002.1952342139.0000000001940000.00000040.00001000.00020000.00000000.sdmp, Offset: 01940000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_1940000_RegSvcs.jbxd

Similarity

API ID:
String ID: RtlDeactivateActivationContext$SXS: %s() called with invalid cookie tid 0x%08Ix - should be %08Ix$SXS: %s() called with invalid cookie type 0x%08Ix$SXS: %s() called with invalid flags 0x%08lx
API String ID: 0-1245972979
Opcode ID: ff29f0c062539bdd0ccb77140a97fa2c7e23a19626ae1ebfb76d9d9e24c4c4c8
Instruction ID: 74276a33e80ccebeac55e10844f25bb3f01e5fcd6732cb28f16445a3636ef145
Opcode Fuzzy Hash: ff29f0c062539bdd0ccb77140a97fa2c7e23a19626ae1ebfb76d9d9e24c4c4c8
Instruction Fuzzy Hash: 12612E32600A029BD723CF1DC885F2AB7E9BF80B12F598529E85D9B241E770E904CBD1

Function 019764AB Relevance: 5.2, Strings: 4, Instructions: 211COMMON

Download Yara Rule

Strings

ThreadPool: callback %p(%p) returned with background priorities set, xrefs: 019D10AE
ThreadPool: callback %p(%p) returned with a transaction uncleared, xrefs: 019D0FE5
ThreadPool: callback %p(%p) returned with the loader lock held, xrefs: 019D1028
ThreadPool: callback %p(%p) returned with preferred languages set, xrefs: 019D106B

Memory Dump Source

Source File: 00000003.00000002.1952342139.0000000001940000.00000040.00001000.00020000.00000000.sdmp, Offset: 01940000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_1940000_RegSvcs.jbxd

Similarity

API ID:
String ID: ThreadPool: callback %p(%p) returned with a transaction uncleared$ThreadPool: callback %p(%p) returned with background priorities set$ThreadPool: callback %p(%p) returned with preferred languages set$ThreadPool: callback %p(%p) returned with the loader lock held
API String ID: 0-1468400865
Opcode ID: 71ca95352b9e63abd1238ffe18e0d20b2bcd327c5bc565ac99577b419190e45e
Instruction ID: 5b436718a4cca7bfaa0d4e9a7adfcc7b4ae8aa47a97be79581b2da9d808afbea
Opcode Fuzzy Hash: 71ca95352b9e63abd1238ffe18e0d20b2bcd327c5bc565ac99577b419190e45e
Instruction Fuzzy Hash: 5371ADB1904705AFEB21EF18C884F9B7FA8AF95764F400869F94C8B246D734D588DB92

Function 0199245A Relevance: 5.1, Strings: 4, Instructions: 111COMMON

Download Yara Rule

Strings

minkernel\ntdll\ldrinit.c, xrefs: 019DA9A2
LdrpDynamicShimModule, xrefs: 019DA998
apphelp.dll, xrefs: 01992462
Getting ApphelpCheckModule failed with status 0x%08lx, xrefs: 019DA992

Memory Dump Source

Source File: 00000003.00000002.1952342139.0000000001940000.00000040.00001000.00020000.00000000.sdmp, Offset: 01940000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_1940000_RegSvcs.jbxd

Similarity

API ID:
String ID: Getting ApphelpCheckModule failed with status 0x%08lx$LdrpDynamicShimModule$apphelp.dll$minkernel\ntdll\ldrinit.c
API String ID: 0-176724104
Opcode ID: 58d146396bcfdac1e426ddc834730a824be43b7c387b5e50ffb873082a4d45cb
Instruction ID: 33962068316c7d17512c88473021625cdde455d80f762a10d35166a3e0bf3157
Opcode Fuzzy Hash: 58d146396bcfdac1e426ddc834730a824be43b7c387b5e50ffb873082a4d45cb
Instruction Fuzzy Hash: C03148B9A00202FBDB32DF6DC881EAA77B9FF84B00F154059E90D67265C7B09952C780

Function 019829A0 Relevance: 4.7, Strings: 3, Instructions: 966COMMON

Download Yara Rule

Strings

HEAP[%wZ]: , xrefs: 01983255
HEAP: , xrefs: 01983264
Unable to release memory at %p for %Ix bytes - Status == %x, xrefs: 0198327D

Memory Dump Source

Source File: 00000003.00000002.1952342139.0000000001940000.00000040.00001000.00020000.00000000.sdmp, Offset: 01940000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_1940000_RegSvcs.jbxd

Similarity

API ID:
String ID: HEAP: $HEAP[%wZ]: $Unable to release memory at %p for %Ix bytes - Status == %x
API String ID: 0-617086771
Opcode ID: 3a3a01a553c56ac2a177752b48a392d98c1e482744209db32a83c379817cc4e9
Instruction ID: 611987ca8d914694a35090f0a34e0bf41ec855a8061a790ccdd6e486beb1bb2b
Opcode Fuzzy Hash: 3a3a01a553c56ac2a177752b48a392d98c1e482744209db32a83c379817cc4e9
Instruction Fuzzy Hash: E392DD71A042499FDB25DF68C440BAEBBF5FF48704F18849AE849AB392D735EA41CF50

Function 01980770 Relevance: 4.2, Strings: 3, Instructions: 414COMMON

Download Yara Rule

Strings

HEAP[%wZ]: , xrefs: 019D50AE
(UCRBlock->Size >= *Size), xrefs: 019D50CA
HEAP: , xrefs: 019D50BD

Memory Dump Source

Source File: 00000003.00000002.1952342139.0000000001940000.00000040.00001000.00020000.00000000.sdmp, Offset: 01940000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_1940000_RegSvcs.jbxd

Similarity

API ID:
String ID: (UCRBlock->Size >= *Size)$HEAP: $HEAP[%wZ]:
API String ID: 0-4253913091
Opcode ID: 45a2bfe30c98458c37c34f1c46e6e5e305a421b65c618272a44e0709fa023082
Instruction ID: 6b097c4c6e7d563d874822352f09e235ca778decea8d093485136618bbdb6b7b
Opcode Fuzzy Hash: 45a2bfe30c98458c37c34f1c46e6e5e305a421b65c618272a44e0709fa023082
Instruction Fuzzy Hash: 3DF1CC30A00606DFEB25DF68C984F6ABBB9FF44304F188568F51A9B391D734E985CB91

Function 01996962 Relevance: 4.0, Strings: 2, Instructions: 1492COMMON

Download Yara Rule

Strings

@, xrefs: 01996C24
, xrefs: 019DCA51

Memory Dump Source

Source File: 00000003.00000002.1952342139.0000000001940000.00000040.00001000.00020000.00000000.sdmp, Offset: 01940000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_1940000_RegSvcs.jbxd

Similarity

API ID:
String ID: $@
API String ID: 0-1077428164
Opcode ID: e06bbc51a84e1e288f5571743041577dcf8e767c2fcf5a7feee6594fc8d663cd
Instruction ID: b525b514833460505cc1cc14110281df0c349a0cb0590e0374b8523e5edf4378
Opcode Fuzzy Hash: e06bbc51a84e1e288f5571743041577dcf8e767c2fcf5a7feee6594fc8d663cd
Instruction Fuzzy Hash: C9C280716183419FDB29CF69C881BABBBE9AFC8754F04892DE98DC7241DB34D844CB52

Function 0196A197 Relevance: 4.0, Strings: 3, Instructions: 238COMMON

Download Yara Rule

Strings

\??\, xrefs: 019CC1E4
UseFilter, xrefs: 0196A1C1
FilterFullPath, xrefs: 019CC2E6

Memory Dump Source

Source File: 00000003.00000002.1952342139.0000000001940000.00000040.00001000.00020000.00000000.sdmp, Offset: 01940000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_1940000_RegSvcs.jbxd

Similarity

API ID:
String ID: FilterFullPath$UseFilter$\??\
API String ID: 0-2779062949
Opcode ID: f04e69017b8b4f3d2133bd4f706c079e1e0b176790b1a1cfee6d456b3fe3cee8
Instruction ID: 9dfb2c9f9326f54b058330649d4d5995317bf8893d913f32f5837673b74813e7
Opcode Fuzzy Hash: f04e69017b8b4f3d2133bd4f706c079e1e0b176790b1a1cfee6d456b3fe3cee8
Instruction Fuzzy Hash: C3A14B719116299BDB31DB68CC88BEABBB8EF44B10F1041E9E90DA7250D735AE84CF51

Function 01990BCB Relevance: 4.0, Strings: 3, Instructions: 210COMMON

Download Yara Rule

Strings

Failed to allocated memory for shimmed module list, xrefs: 019DA10F
minkernel\ntdll\ldrinit.c, xrefs: 019DA121
LdrpCheckModule, xrefs: 019DA117

Memory Dump Source

Source File: 00000003.00000002.1952342139.0000000001940000.00000040.00001000.00020000.00000000.sdmp, Offset: 01940000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_1940000_RegSvcs.jbxd

Similarity

API ID:
String ID: Failed to allocated memory for shimmed module list$LdrpCheckModule$minkernel\ntdll\ldrinit.c
API String ID: 0-161242083
Opcode ID: 03e7471cafe661730955ee57b8df1f6c3afd02d7d0b0cfb51e306b10e6d488d0
Instruction ID: ccfd4aa269a543fba2f1f48296098bb8192040b08d2ccdb14887737a32b61320
Opcode Fuzzy Hash: 03e7471cafe661730955ee57b8df1f6c3afd02d7d0b0cfb51e306b10e6d488d0
Instruction Fuzzy Hash: 5D71A175E00205DFDF25DF6DC981AAEB7F8FF88604F18842DE51AA7251E734A942CB50

Function 01980A5B Relevance: 3.9, Strings: 3, Instructions: 190COMMON

Download Yara Rule

Strings

HEAP[%wZ]: , xrefs: 019D5335
((PHEAP_ENTRY)LastKnownEntry <= Entry), xrefs: 019D534D
HEAP: , xrefs: 019D5342

Memory Dump Source

Source File: 00000003.00000002.1952342139.0000000001940000.00000040.00001000.00020000.00000000.sdmp, Offset: 01940000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_1940000_RegSvcs.jbxd

Similarity

API ID:
String ID: ((PHEAP_ENTRY)LastKnownEntry <= Entry)$HEAP: $HEAP[%wZ]:
API String ID: 0-1334570610
Opcode ID: 1e045a011e93609a7a5d4b5dcab66d83e791dca4c10328c99edfb8f68d906935
Instruction ID: fd2f177b95147976101acb446d17e6423bd68aec3696c89c894841204364e658
Opcode Fuzzy Hash: 1e045a011e93609a7a5d4b5dcab66d83e791dca4c10328c99edfb8f68d906935
Instruction Fuzzy Hash: 1F61BC31600302DFEB29DF28C584B6AFBE5FF44304F19856AE45D8B296D770E885CB91

Function 019AC720 Relevance: 3.9, Strings: 3, Instructions: 141COMMON

Download Yara Rule

Strings

Failed to reallocate the system dirs string !, xrefs: 019E82D7
minkernel\ntdll\ldrinit.c, xrefs: 019E82E8
LdrpInitializePerUserWindowsDirectory, xrefs: 019E82DE

Memory Dump Source

Source File: 00000003.00000002.1952342139.0000000001940000.00000040.00001000.00020000.00000000.sdmp, Offset: 01940000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_1940000_RegSvcs.jbxd

Similarity

API ID:
String ID: Failed to reallocate the system dirs string !$LdrpInitializePerUserWindowsDirectory$minkernel\ntdll\ldrinit.c
API String ID: 0-1783798831
Opcode ID: 68a6406d47a5f52dc5b4d4071251fdcd1efd61a3ca02305d4b036c8371a5d98d
Instruction ID: d2a72b31387b1c29ca288fbcf7c4775fd06bcae9ea005d248f74303094df348d
Opcode Fuzzy Hash: 68a6406d47a5f52dc5b4d4071251fdcd1efd61a3ca02305d4b036c8371a5d98d
Instruction Fuzzy Hash: 6341F0B9544301ABCB21EB68D944B5B7BE8BF84A50F00482AF95DE7261EB70D805CBA1

Function 01A2C188 Relevance: 3.9, Strings: 3, Instructions: 123COMMON

Download Yara Rule

Strings

@, xrefs: 01A2C1F1
\Registry\Machine\System\CurrentControlSet\Control\MUI\Settings, xrefs: 01A2C1C5
PreferredUILanguages, xrefs: 01A2C212

Memory Dump Source

Source File: 00000003.00000002.1952342139.0000000001940000.00000040.00001000.00020000.00000000.sdmp, Offset: 01940000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_1940000_RegSvcs.jbxd

Similarity

API ID:
String ID: @$PreferredUILanguages$\Registry\Machine\System\CurrentControlSet\Control\MUI\Settings
API String ID: 0-2968386058
Opcode ID: 1234aae01d7ba1271662e449d9234c269231abedf143f57a4d94c935784f8668
Instruction ID: cf54afb2977f3e35c50b727d9fa7208c499722842cd3c2704f2c0f82c8900129
Opcode Fuzzy Hash: 1234aae01d7ba1271662e449d9234c269231abedf143f57a4d94c935784f8668
Instruction Fuzzy Hash: 8D416271E00219EBEF11EBDCC881FEEBBBDAB55710F14406AEA09B7244DB749A448B50

Function 01A04144 Relevance: 3.9, Strings: 3, Instructions: 121COMMON

Download Yara Rule

Strings

LdrpResValidateFilePath Enter, xrefs: 01A04160
@, xrefs: 01A04225
LdrpResValidateFilePath Exit, xrefs: 01A04172

Memory Dump Source

Source File: 00000003.00000002.1952342139.0000000001940000.00000040.00001000.00020000.00000000.sdmp, Offset: 01940000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_1940000_RegSvcs.jbxd

Similarity

API ID:
String ID: @$LdrpResValidateFilePath Enter$LdrpResValidateFilePath Exit
API String ID: 0-1373925480
Opcode ID: 3ba6158d48987ecd41c69d7d0ee7d2ccf6d85070afb24c20e3225da31eb16f1e
Instruction ID: 210f574a50ed42a2324249fd816473ef0d28b98e51e60f277cf400ee76d4277b
Opcode Fuzzy Hash: 3ba6158d48987ecd41c69d7d0ee7d2ccf6d85070afb24c20e3225da31eb16f1e
Instruction Fuzzy Hash: 3C412432A047498BEB27DBE9E840BADBBB4FF99740F18045ADA05EB7D1D7349901CB11

Function 019F4755 Relevance: 3.9, Strings: 3, Instructions: 121COMMON

Download Yara Rule

Strings

Import Redirection: %wZ %wZ!%s redirected to %wZ, xrefs: 019F4888
minkernel\ntdll\ldrredirect.c, xrefs: 019F4899
LdrpCheckRedirection, xrefs: 019F488F

Memory Dump Source

Source File: 00000003.00000002.1952342139.0000000001940000.00000040.00001000.00020000.00000000.sdmp, Offset: 01940000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_1940000_RegSvcs.jbxd

Similarity

API ID:
String ID: Import Redirection: %wZ %wZ!%s redirected to %wZ$LdrpCheckRedirection$minkernel\ntdll\ldrredirect.c
API String ID: 0-3154609507
Opcode ID: fbebadfa3e8e71cde4c8b1224297eab98e11ff0f40974b41af7ee993c9e516fd
Instruction ID: 967dd8914ace841bb444970f4d176d1723bcbc2235193c152219c1ad3fcb4267
Opcode Fuzzy Hash: fbebadfa3e8e71cde4c8b1224297eab98e11ff0f40974b41af7ee993c9e516fd
Instruction Fuzzy Hash: 4941AE32A04651AFCB21CE69D840E27BBE8AF89A51F15066DEE4C97325D730E800CBD2

Function 01980BBE Relevance: 3.8, Strings: 3, Instructions: 70COMMON

Download Yara Rule

Strings

HEAP[%wZ]: , xrefs: 019D5431
(ROUND_UP_TO_POWER2(Size, PAGE_SIZE) == Size), xrefs: 019D5449
HEAP: , xrefs: 019D543E

Memory Dump Source

Source File: 00000003.00000002.1952342139.0000000001940000.00000040.00001000.00020000.00000000.sdmp, Offset: 01940000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_1940000_RegSvcs.jbxd

Similarity

API ID:
String ID: (ROUND_UP_TO_POWER2(Size, PAGE_SIZE) == Size)$HEAP: $HEAP[%wZ]:
API String ID: 0-2558761708
Opcode ID: a4f3fe7cbc1926f9df0ddb847de6dd23f5070771b5ff8ecf3eceb5a6bbe6fae7
Instruction ID: dfa72218dee9afa78eb7fe53ab097f79cae59d5e539e25f1f1beebaed97fc3f8
Opcode Fuzzy Hash: a4f3fe7cbc1926f9df0ddb847de6dd23f5070771b5ff8ecf3eceb5a6bbe6fae7
Instruction Fuzzy Hash: EB11B4323551429FFB69DA18C441F76B7A9EF80B2AF198529F40ECB251D730D845C751

Function 019F20DE Relevance: 3.8, Strings: 3, Instructions: 41COMMON

Download Yara Rule

Strings

minkernel\ntdll\ldrinit.c, xrefs: 019F2104
Process initialization failed with status 0x%08lx, xrefs: 019F20F3
LdrpInitializationFailure, xrefs: 019F20FA

Memory Dump Source

Source File: 00000003.00000002.1952342139.0000000001940000.00000040.00001000.00020000.00000000.sdmp, Offset: 01940000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_1940000_RegSvcs.jbxd

Similarity

API ID:
String ID: LdrpInitializationFailure$Process initialization failed with status 0x%08lx$minkernel\ntdll\ldrinit.c
API String ID: 0-2986994758
Opcode ID: d3019f413b3a05bd5e774ec1854f512384bd24c1321b749d5b2a3e1fd0a03cb0
Instruction ID: 03f44aed499acd4c22e03e804a9711e0e1e6891c726de3154cd659a461b2d267
Opcode Fuzzy Hash: d3019f413b3a05bd5e774ec1854f512384bd24c1321b749d5b2a3e1fd0a03cb0
Instruction Fuzzy Hash: 28F0AFB9B40308BBEB24E74CDC56FA937ACFB80A54F10006DFB0877281D2A0A901C795

Function 019803E9 Relevance: 3.7, APIs: 1, Strings: 1, Instructions: 184COMMON

Download Yara Rule

APIs

___swprintf_l.LIBCMT ref: 019D4D8A

Strings

#%u, xrefs: 019D4D82

Memory Dump Source

Source File: 00000003.00000002.1952342139.0000000001940000.00000040.00001000.00020000.00000000.sdmp, Offset: 01940000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_1940000_RegSvcs.jbxd

Similarity

API ID: ___swprintf_l
String ID: #%u
API String ID: 48624451-232158463
Opcode ID: c3c6f3d235ba11f605e606c34d6e6b969cd2871ddcf6ca5da4a95950314c2a22
Instruction ID: f18313516b3f6c576cf4611c505a94c47ed09ffea1c4b826e897b5ade3e110cb
Opcode Fuzzy Hash: c3c6f3d235ba11f605e606c34d6e6b969cd2871ddcf6ca5da4a95950314c2a22
Instruction Fuzzy Hash: 83714B71A0114A9FDB01DFA8C994FAEB7F8BF58704F154065E909E7251EB34EE05CB60

Function 0197A9D0 Relevance: 2.9, Strings: 2, Instructions: 421COMMON

Download Yara Rule

Strings

LdrResSearchResource Enter, xrefs: 0197AA13
LdrResSearchResource Exit, xrefs: 0197AA25

Memory Dump Source

Source File: 00000003.00000002.1952342139.0000000001940000.00000040.00001000.00020000.00000000.sdmp, Offset: 01940000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_1940000_RegSvcs.jbxd

Similarity

API ID:
String ID: LdrResSearchResource Enter$LdrResSearchResource Exit
API String ID: 0-4066393604
Opcode ID: 270d7a6a1139dfcfe98ba88dd0b716cffc0adeba806a1ef7b00baf74d571b88a
Instruction ID: c9dd407ad181b7d7de3e1b653a3d12b314eb3fc78d5a0582eec96f7fa56ee78a
Opcode Fuzzy Hash: 270d7a6a1139dfcfe98ba88dd0b716cffc0adeba806a1ef7b00baf74d571b88a
Instruction Fuzzy Hash: 7EE19171E04209AFEF26DF9DC980BAEBBBABF58711F184825E909E7241D734D940CB51

Function 01A3A352 Relevance: 2.8, Strings: 2, Instructions: 348COMMON

Download Yara Rule

Strings

`, xrefs: 01A3A551
`, xrefs: 01A3A44B

Memory Dump Source

Source File: 00000003.00000002.1952342139.0000000001940000.00000040.00001000.00020000.00000000.sdmp, Offset: 01940000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_1940000_RegSvcs.jbxd

Similarity

API ID:
String ID: `$`
API String ID: 0-197956300
Opcode ID: f14427897cfa9f2fff493575096aafbbc27a418cd5181fa4476e78ff72e31fcd
Instruction ID: bc87bd3531ee98f3e8f31ac9278dee78fca634e58b7d8ac876f6d8b292dc1918
Opcode Fuzzy Hash: f14427897cfa9f2fff493575096aafbbc27a418cd5181fa4476e78ff72e31fcd
Instruction Fuzzy Hash: E6C1DF312043529BEB25CF28C941B6BBBE5AFD4318F084A2DF6DACB291D779D505CB81

Function 019EE6F2 Relevance: 2.7, Strings: 2, Instructions: 179COMMON

Download Yara Rule

Strings

UEFI, xrefs: 019EE751
Legacy, xrefs: 019EE75A

Memory Dump Source

Source File: 00000003.00000002.1952342139.0000000001940000.00000040.00001000.00020000.00000000.sdmp, Offset: 01940000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_1940000_RegSvcs.jbxd

Similarity

API ID: InitializeThunk
String ID: Legacy$UEFI
API String ID: 2994545307-634100481
Opcode ID: 45ac5d8f17b004eb9b9c51271dd2e426ec196ee26ab6d0454f806b74eeaea4dd
Instruction ID: 20dd5042ab01dda4e6e803091452c92ee08eb7a0588e656ee2ba4adae173ba6d
Opcode Fuzzy Hash: 45ac5d8f17b004eb9b9c51271dd2e426ec196ee26ab6d0454f806b74eeaea4dd
Instruction Fuzzy Hash: 46615B71E402099FDB16DFA8C984BAEBBF9FB48700F14446DE64DEB291D731A900CB51

Function 01A143D4 Relevance: 2.7, Strings: 2, Instructions: 169COMMON

Download Yara Rule

Strings

@, xrefs: 01A14437
MUI, xrefs: 01A14525

Memory Dump Source

Source File: 00000003.00000002.1952342139.0000000001940000.00000040.00001000.00020000.00000000.sdmp, Offset: 01940000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_1940000_RegSvcs.jbxd

Similarity

API ID:
String ID: @$MUI
API String ID: 0-17815947
Opcode ID: 37eff93a02f90d13766b5426509098a3afc1b4086dacb7ec886606a25c9d7897
Instruction ID: 5570fcaef6059eb7197c39036a1ea1eb0456c7e407c88df1b6804eaac01e698b
Opcode Fuzzy Hash: 37eff93a02f90d13766b5426509098a3afc1b4086dacb7ec886606a25c9d7897
Instruction Fuzzy Hash: 51510971E0021DAFEF11DFA9CD80EEEBBB9EB48754F100529E615A7294D7309D05CB60

Function 019704E5 Relevance: 2.7, Strings: 2, Instructions: 153COMMON

Download Yara Rule

Strings

TerminalServices-RemoteConnectionManager-AllowAppServerMode, xrefs: 0197063D
kLsE, xrefs: 01970540

Memory Dump Source

Source File: 00000003.00000002.1952342139.0000000001940000.00000040.00001000.00020000.00000000.sdmp, Offset: 01940000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_1940000_RegSvcs.jbxd

Similarity

API ID:
String ID: TerminalServices-RemoteConnectionManager-AllowAppServerMode$kLsE
API String ID: 0-2547482624
Opcode ID: f9f367029756d774b357c628f685a1245aea82d55ec8d0e356e0dc73463f0f3e
Instruction ID: 5081c519bd0df4e1c9e1f7862d7ea0119731a89bcd8f5c62fc8fb9d9b5deab2c
Opcode Fuzzy Hash: f9f367029756d774b357c628f685a1245aea82d55ec8d0e356e0dc73463f0f3e
Instruction Fuzzy Hash: C151CE715007428FD724DF69C5806A7BBE8AF86305F18493EFA9E87241E770E545CB92

Function 0197A2C3 Relevance: 2.6, Strings: 2, Instructions: 118COMMON

Download Yara Rule

Strings

RtlpResUltimateFallbackInfo Exit, xrefs: 0197A309
RtlpResUltimateFallbackInfo Enter, xrefs: 0197A2FB

Memory Dump Source

Source File: 00000003.00000002.1952342139.0000000001940000.00000040.00001000.00020000.00000000.sdmp, Offset: 01940000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_1940000_RegSvcs.jbxd

Similarity

API ID:
String ID: RtlpResUltimateFallbackInfo Enter$RtlpResUltimateFallbackInfo Exit
API String ID: 0-2876891731
Opcode ID: 6cf929c4a22a6e833a4c1c486600d358e325e5f5758d3649e9198390c2286cad
Instruction ID: c3330b06e4c2201ffdaede6822a1733d7df5617163f1434da29070c40906e946
Opcode Fuzzy Hash: 6cf929c4a22a6e833a4c1c486600d358e325e5f5758d3649e9198390c2286cad
Instruction Fuzzy Hash: 9E41D131A04649DFEB15DF59C840F6EBBB8FF85701F1884A9E918DB291E3B9DA00CB50

Function 019AA5D0 Relevance: 2.5, Strings: 2, Instructions: 38COMMON

Download Yara Rule

Strings

Threadpool!, xrefs: 019AA5E9
Cleanup Group, xrefs: 019AA5E4

Memory Dump Source

Source File: 00000003.00000002.1952342139.0000000001940000.00000040.00001000.00020000.00000000.sdmp, Offset: 01940000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_1940000_RegSvcs.jbxd

Similarity

API ID: InitializeThunk
String ID: Cleanup Group$Threadpool!
API String ID: 2994545307-4008356553
Opcode ID: 0721d9f0d90fea23e5d475a59cb6e89e45911e17a3b25a3c58c55171ad4be0dc
Instruction ID: d3940c9fd3f5ce4d2293e08a9c1937a37baa251a425959b18169fbd30b91cd09
Opcode Fuzzy Hash: 0721d9f0d90fea23e5d475a59cb6e89e45911e17a3b25a3c58c55171ad4be0dc
Instruction Fuzzy Hash: 5701D1B6240704AFE311DF14CE45F1677E8E794B15F018939A64CC71A0E374E808CB86

Function 0197C7C0 Relevance: 2.2, Strings: 1, Instructions: 960COMMON

Download Yara Rule

Strings

MUI, xrefs: 0197C8C3, 0197CA40

Memory Dump Source

Source File: 00000003.00000002.1952342139.0000000001940000.00000040.00001000.00020000.00000000.sdmp, Offset: 01940000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_1940000_RegSvcs.jbxd

Similarity

API ID:
String ID: MUI
API String ID: 0-1339004836
Opcode ID: e6af9a23739f4af6f5efd3925e9f59b629b89d5a35c8ff3a2e755bd5c19d36a8
Instruction ID: d5e49604d1e2cfc91a6c05ec47285220cd58221af9a0dbb1683751d575d7feeb
Opcode Fuzzy Hash: e6af9a23739f4af6f5efd3925e9f59b629b89d5a35c8ff3a2e755bd5c19d36a8
Instruction Fuzzy Hash: 65825B75E002199FEB25CFA9C880BEDBBB5BF48710F148169E95DAB391D730AD81CB50

Function 019F6420 Relevance: 1.5, Strings: 1, Instructions: 264COMMON

Download Yara Rule

Strings

, xrefs: 019F65C1

Memory Dump Source

Source File: 00000003.00000002.1952342139.0000000001940000.00000040.00001000.00020000.00000000.sdmp, Offset: 01940000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_1940000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID: 0-3916222277
Opcode ID: 55e629fae65846bb992a76a0b8764aebd1aea61085973dd3dd5222385e7ddf54
Instruction ID: 938ce05b29c4871256aa5be8295eda651df34713cc816a1d66f4cac064bc17bf
Opcode Fuzzy Hash: 55e629fae65846bb992a76a0b8764aebd1aea61085973dd3dd5222385e7ddf54
Instruction Fuzzy Hash: 35917271A00219BFEB21DF99CD85FAE7BB8EF58B50F100059F704BB191D675A900CBA0

Function 01A1E10E Relevance: 1.5, Strings: 1, Instructions: 255COMMON

Download Yara Rule

Strings

, xrefs: 01A1E1FA

Memory Dump Source

Source File: 00000003.00000002.1952342139.0000000001940000.00000040.00001000.00020000.00000000.sdmp, Offset: 01940000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_1940000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID: 0-3916222277
Opcode ID: bb5bf2d5362b936487f61c17bc3156cae9c10d63ca18f29083c98bafd57b82b9
Instruction ID: c55994676eadc5b234f090518a7dcfc1d73f89b02bacc73c20f7aa70fe14ba13
Opcode Fuzzy Hash: bb5bf2d5362b936487f61c17bc3156cae9c10d63ca18f29083c98bafd57b82b9
Instruction Fuzzy Hash: 7791AA72A00649BEDF27ABA4DC94FEFBBB9EF95740F040029F905A7254DB749901CB90

Function 019AA660 Relevance: 1.4, Strings: 1, Instructions: 200COMMON

Download Yara Rule

Strings

GlobalTags, xrefs: 019E67C9

Memory Dump Source

Source File: 00000003.00000002.1952342139.0000000001940000.00000040.00001000.00020000.00000000.sdmp, Offset: 01940000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_1940000_RegSvcs.jbxd

Similarity

API ID:
String ID: GlobalTags
API String ID: 0-1106856819
Opcode ID: 3d6c2e114dd37512466d391367c0ee5738c47e9f656a501dcdfc30852c07ae09
Instruction ID: d1016ebf0f8016ac1bc07ee780dd9624050d4cca48760dfe54d1002d5478c533
Opcode Fuzzy Hash: 3d6c2e114dd37512466d391367c0ee5738c47e9f656a501dcdfc30852c07ae09
Instruction Fuzzy Hash: DD718EB5E0030A8FDF2ACF9DC594AADBBF5BFA8701F14812EE509A7241E7319941CB50

Function 01A14978 Relevance: 1.4, Strings: 1, Instructions: 153COMMON

Download Yara Rule

Strings

.mui, xrefs: 01A14A7F

Memory Dump Source

Source File: 00000003.00000002.1952342139.0000000001940000.00000040.00001000.00020000.00000000.sdmp, Offset: 01940000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_1940000_RegSvcs.jbxd

Similarity

API ID:
String ID: .mui
API String ID: 0-1199573805
Opcode ID: 28412db947785940e90ae8a5deec33b6954fe174ef4024238e013e30b0ac501e
Instruction ID: 3bc7e2fc29cf66c626a56e22c38795f898b4a5cdc5bd8b2c3803b792041b2f6f
Opcode Fuzzy Hash: 28412db947785940e90ae8a5deec33b6954fe174ef4024238e013e30b0ac501e
Instruction Fuzzy Hash: BF519472D0022A9BDF10DF9DD840AAEBBB5BF58B50F0A4129EA15BB254D7349D01CFE4

Function 0198E627 Relevance: 1.4, Strings: 1, Instructions: 148COMMON

Download Yara Rule

Strings

EXT-, xrefs: 0198E6A4

Memory Dump Source

Source File: 00000003.00000002.1952342139.0000000001940000.00000040.00001000.00020000.00000000.sdmp, Offset: 01940000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_1940000_RegSvcs.jbxd

Similarity

API ID:
String ID: EXT-
API String ID: 0-1948896318
Opcode ID: 7a3facccd9f5695f6288639d73417f15d625c6f5a4b9f515a2d358d8e1bfbebe
Instruction ID: 9ff047177b992a97a40bd58f2b2ddab6032fbc95b983d55ecd9af41859929bdb
Opcode Fuzzy Hash: 7a3facccd9f5695f6288639d73417f15d625c6f5a4b9f515a2d358d8e1bfbebe
Instruction Fuzzy Hash: 80418072508312ABD711FA79C950F6BB7ECAFC8B14F04092DF99DE7180E674D90487A6

Function 019EC730 Relevance: 1.4, Strings: 1, Instructions: 129COMMON

Download Yara Rule

Strings

BinaryHash, xrefs: 019EC77F

Memory Dump Source

Source File: 00000003.00000002.1952342139.0000000001940000.00000040.00001000.00020000.00000000.sdmp, Offset: 01940000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_1940000_RegSvcs.jbxd

Similarity

API ID:
String ID: BinaryHash
API String ID: 0-2202222882
Opcode ID: a2198a7e9330d0d12b49b327ab97fac26d89e07f7485260a06396b40f16ea63b
Instruction ID: 2ef6156eed7cecad559c339e04927cab65ff2ea226e3fac788bf5d07e2fe82a0
Opcode Fuzzy Hash: a2198a7e9330d0d12b49b327ab97fac26d89e07f7485260a06396b40f16ea63b
Instruction Fuzzy Hash: E24133B1D0022DABDB21DB54CD84FDEB7BCAB45714F0045A5EB4CAB140DB709E898FA5

Function 01A06B40 Relevance: 1.4, Strings: 1, Instructions: 106COMMON

Download Yara Rule

Strings

#, xrefs: 01A06B91

Memory Dump Source

Source File: 00000003.00000002.1952342139.0000000001940000.00000040.00001000.00020000.00000000.sdmp, Offset: 01940000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_1940000_RegSvcs.jbxd

Similarity

API ID:
String ID: #
API String ID: 0-1885708031
Opcode ID: e5661b6f742b7a5155b257c810409d8a65b98f0c0a25b6d0ace64fee6e650849
Instruction ID: c400d9576cab5d7ee9ea829790bd59675aae566de0b407dc1fcab2ace904dc75
Opcode Fuzzy Hash: e5661b6f742b7a5155b257c810409d8a65b98f0c0a25b6d0ace64fee6e650849
Instruction Fuzzy Hash: 0E311431E007199AEB23DB69D850BFE7BB8DF45708F144028E949AB2C2CB75E855CB90

Function 019F892A Relevance: 1.3, Strings: 1, Instructions: 47COMMON

Download Yara Rule

Strings

AVRF: AVrfDllUnloadNotification called for a provider (%p) , xrefs: 019F895E

Memory Dump Source

Source File: 00000003.00000002.1952342139.0000000001940000.00000040.00001000.00020000.00000000.sdmp, Offset: 01940000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_1940000_RegSvcs.jbxd

Similarity

API ID:
String ID: AVRF: AVrfDllUnloadNotification called for a provider (%p)
API String ID: 0-702105204
Opcode ID: 7e7a955092dc5af698e002d3ef9d274e8b0b3cfb6eb4363833b9f44f37db0d12
Instruction ID: 03d0dabb18b7f1025d7e466c5059d24b098e5eee32b230bd8a26b5a0772903c4
Opcode Fuzzy Hash: 7e7a955092dc5af698e002d3ef9d274e8b0b3cfb6eb4363833b9f44f37db0d12
Instruction Fuzzy Hash: 6B01F236700201BFE760AA69CC84E6A7B6DEFD26A8F04142CF74916161CB30A8C1C792

Function 01A12000 Relevance: .8, Instructions: 757COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.1952342139.0000000001940000.00000040.00001000.00020000.00000000.sdmp, Offset: 01940000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_1940000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ea0e75dbe5c7bba77a9a570c8c3cd6ba6c324175ab82255f32bfa9bbb4983733
Instruction ID: c0a21554f748fb29fb3c76b14db36f8595297e5c836e465ffd2d36f4eb02f0e7
Opcode Fuzzy Hash: ea0e75dbe5c7bba77a9a570c8c3cd6ba6c324175ab82255f32bfa9bbb4983733
Instruction Fuzzy Hash: 3742C2356083419BE726CF68C890B6FBBE5BFC8340F28092EFA8697254D771D945CB52

Function 01A08158 Relevance: .6, Instructions: 617COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.1952342139.0000000001940000.00000040.00001000.00020000.00000000.sdmp, Offset: 01940000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_1940000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2f78ccf9cc382152a583ca16c59b419db20d8a143cdefb36cee77dea260f3e25
Instruction ID: b26e19173f8d196aa17a16185f4f53818fc9ae2b22fa0d0f63bce7bb189b9096
Opcode Fuzzy Hash: 2f78ccf9cc382152a583ca16c59b419db20d8a143cdefb36cee77dea260f3e25
Instruction Fuzzy Hash: 1A426075E002198FEB25CF69C841BADBBF5BF88300F158099E94DEB282D7389985CF54

Function 01982840 Relevance: .6, Instructions: 605COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.1952342139.0000000001940000.00000040.00001000.00020000.00000000.sdmp, Offset: 01940000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_1940000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6dc837ccd098f342b72db05030320852290e41db25c0bd130c29609b9e12104d
Instruction ID: 8bacf04bccf57ceef86bbde5ed5762519a9d19c5801afc6be3e8b0d05e1e50eb
Opcode Fuzzy Hash: 6dc837ccd098f342b72db05030320852290e41db25c0bd130c29609b9e12104d
Instruction Fuzzy Hash: 7A32FF70A007598FEB25CF69C944BBEBBF6BF84704F24851DE48E9B285D735A842CB50

Function 01A1A118 Relevance: .6, Instructions: 591COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.1952342139.0000000001940000.00000040.00001000.00020000.00000000.sdmp, Offset: 01940000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_1940000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3ebdf0025aca7c74fa7b3a9b764f1de524ca1aadb41e4b649899e529f20ccc72
Instruction ID: 90627bf3a67d40b6004bbfe769d2f8cff963063f33237ffed843f532fe216857
Opcode Fuzzy Hash: 3ebdf0025aca7c74fa7b3a9b764f1de524ca1aadb41e4b649899e529f20ccc72
Instruction Fuzzy Hash: E422C1742066E18BEB25CF2DC054372BBF1AF44340F08885AE996CF29ED735E552DB60

Function 01976A50 Relevance: .5, Instructions: 548COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.1952342139.0000000001940000.00000040.00001000.00020000.00000000.sdmp, Offset: 01940000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_1940000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4f0b8bbb006ef73e7608a072c86626f61399240b6cfe531bdf09f73c6c3972a4
Instruction ID: 993f8129e2aadd34bb4771b3b44c61fdce870a79734572f695d98cadd004df3c
Opcode Fuzzy Hash: 4f0b8bbb006ef73e7608a072c86626f61399240b6cfe531bdf09f73c6c3972a4
Instruction Fuzzy Hash: D032B275A04605CFEB25CF68C580BAEBBF5FF88310F148969E959AB351DB34E841CB90

Function 01994A35 Relevance: .4, Instructions: 423COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.1952342139.0000000001940000.00000040.00001000.00020000.00000000.sdmp, Offset: 01940000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_1940000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e8a3620866af67e9ba5ee0a5ffcffd4608486dc740fad13053f627f14a392904
Instruction ID: bbeb8e029ca07b8cdf740778f894068f0e247fd6b755067bb223613588c62f44
Opcode Fuzzy Hash: e8a3620866af67e9ba5ee0a5ffcffd4608486dc740fad13053f627f14a392904
Instruction Fuzzy Hash: A0F16371E0021A9FDF16CF9DC580BAEBBF9AF44715F058529E909AB354E734E842CB60

Function 01A0892B Relevance: .4, Instructions: 386COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.1952342139.0000000001940000.00000040.00001000.00020000.00000000.sdmp, Offset: 01940000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_1940000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3a99c0fd499f98a1ac5dfd2b80fe81748dc0affbe515551a0da73ce8317c9edb
Instruction ID: 846ca1a1e4853e3aae7ec7335b9a437a7b96fc9e6800f7d17f59672fb4fbfa8c
Opcode Fuzzy Hash: 3a99c0fd499f98a1ac5dfd2b80fe81748dc0affbe515551a0da73ce8317c9edb
Instruction Fuzzy Hash: E0D10271E00A0A9BDF06CF58D841BFEBBF1AF88304F198169D955E7281E739E905CB64

Function 019765D0 Relevance: .4, Instructions: 383COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.1952342139.0000000001940000.00000040.00001000.00020000.00000000.sdmp, Offset: 01940000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_1940000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 630fb45423b7d8e34d78f6a7b4f31d0d73705721043a897e42788d31eccacae9
Instruction ID: f104acfd7d073546b02d9e344f2eb96ad21fd796042ca7dba8448b0ddab7581b
Opcode Fuzzy Hash: 630fb45423b7d8e34d78f6a7b4f31d0d73705721043a897e42788d31eccacae9
Instruction Fuzzy Hash: 54E19D71608742CFD715DF28C090A6ABBF4FF89314F058A6DE9998B351EB31E905CB92

Function 01968397 Relevance: .4, Instructions: 380COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.1952342139.0000000001940000.00000040.00001000.00020000.00000000.sdmp, Offset: 01940000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_1940000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: dc6d555df5a0d4fc30b1a389d7959ea9157c868c788cf4e74407b9014eaf2dce
Instruction ID: a430c94e09dc277b1392fc30f4f847062b437302dc6e22b5490c4014bc46711a
Opcode Fuzzy Hash: dc6d555df5a0d4fc30b1a389d7959ea9157c868c788cf4e74407b9014eaf2dce
Instruction Fuzzy Hash: 22D1F371A0030A9BDF14DF28C881EBA77ADBF94754F04462DE95EDB280E734DA50CB61

Function 019F8243 Relevance: .3, Instructions: 322COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.1952342139.0000000001940000.00000040.00001000.00020000.00000000.sdmp, Offset: 01940000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_1940000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c58da6bef63a17e65f3132630e1fabe04f2e2fb92a18dec9866503995c4710af
Instruction ID: 76290cf325e0429dc7e973d16b0e7a0c84a57049222dac3f9f956ab4a3584108
Opcode Fuzzy Hash: c58da6bef63a17e65f3132630e1fabe04f2e2fb92a18dec9866503995c4710af
Instruction Fuzzy Hash: B2B17C75A00609BFDF64DB99C940AABBBB9FF84344F14446DAB0AA7790DB34E905CB10

Function 01980535 Relevance: .3, Instructions: 300COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.1952342139.0000000001940000.00000040.00001000.00020000.00000000.sdmp, Offset: 01940000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_1940000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c61ad9210afadd02b75b489723f8fea184d45ce3a0816f7da46b339e1a5f1bc9
Instruction ID: 7de1fd655a5f4f81bf8c5df4e18d5c22d3dd9355cbdde683a9b0f1a35ef6bd2d
Opcode Fuzzy Hash: c61ad9210afadd02b75b489723f8fea184d45ce3a0816f7da46b339e1a5f1bc9
Instruction Fuzzy Hash: E7B11831600646AFDB21EB68C850FBEBBFAAF84300F194595E55ED7291D730EA45CBA0

Function 019783C0 Relevance: .3, Instructions: 281COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.1952342139.0000000001940000.00000040.00001000.00020000.00000000.sdmp, Offset: 01940000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_1940000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: bf3f90f3c49c740d7a6fdd03151b959844613f8e8c409365744b6baa6aeb29c9
Instruction ID: d4b074dd013d7e6a4b4481276d1878732e3603339722548aeab2d3f1adcda18a
Opcode Fuzzy Hash: bf3f90f3c49c740d7a6fdd03151b959844613f8e8c409365744b6baa6aeb29c9
Instruction Fuzzy Hash: 3DC14875608341CFD764CF19C484BABB7E9BF88704F44496DE98987291E774E908CFA2

Function 0196C427 Relevance: .3, Instructions: 280COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.1952342139.0000000001940000.00000040.00001000.00020000.00000000.sdmp, Offset: 01940000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_1940000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fde581332bf69f8c52c8cccb2e2a54608eed1e30ab7307f95a90ed3f4ea7f876
Instruction ID: bcbb22e510b737c5bdf138a26b64b12006de3e2b8083a751ed6c5eb220175dac
Opcode Fuzzy Hash: fde581332bf69f8c52c8cccb2e2a54608eed1e30ab7307f95a90ed3f4ea7f876
Instruction Fuzzy Hash: 65B17470A0426A8BDB25DF58CC90BA9B3B9EF84740F0485E9E54EE7241EB30DD85CB25

Function 0199E5E7 Relevance: .3, Instructions: 278COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.1952342139.0000000001940000.00000040.00001000.00020000.00000000.sdmp, Offset: 01940000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_1940000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 10e01673b490ce08fca3e0c1f8dbd3e153edc995bb8aee22d6b1448e8752a85c
Instruction ID: 1a06d2b1a7e0e21940830b142ea84f127683cf1ca4c481622f4fdaf735ed810d
Opcode Fuzzy Hash: 10e01673b490ce08fca3e0c1f8dbd3e153edc995bb8aee22d6b1448e8752a85c
Instruction Fuzzy Hash: F0A12631E00259AFEF22DBACC845FAEBBB8BB40714F054525EA09AB291D7749D41CBD1

Function 019B0185 Relevance: .3, Instructions: 276COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.1952342139.0000000001940000.00000040.00001000.00020000.00000000.sdmp, Offset: 01940000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_1940000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 79fb400ed937d279e31f4bfe1a758ea73f26c8e8ccf6b59b07e84b5380413c85
Instruction ID: 24e1af189971db85a6b51f4e4ef23ae86f2ed662475439db89120e66ce9682b1
Opcode Fuzzy Hash: 79fb400ed937d279e31f4bfe1a758ea73f26c8e8ccf6b59b07e84b5380413c85
Instruction Fuzzy Hash: D2A1C170B016169BDB25CF69C6D4BEBB7F9FF44715F08402AEA0997281EB38E815CB50

Function 01A44500 Relevance: .3, Instructions: 275COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.1952342139.0000000001940000.00000040.00001000.00020000.00000000.sdmp, Offset: 01940000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_1940000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e10e7efa3022fc68a755ebafc8d1e9c0844eeb5afc72620acf890b16dd8f1cdd
Instruction ID: 85d9e184a7c8544c0af9102e33d30f2f34918b29005395de2b640888d395956a
Opcode Fuzzy Hash: e10e7efa3022fc68a755ebafc8d1e9c0844eeb5afc72620acf890b16dd8f1cdd
Instruction Fuzzy Hash: EBA1DF72A04612EFD712DF28C980B5ABBE9FF88704F054528F5899B661D774ED01CB91

Function 01A42B57 Relevance: .3, Instructions: 266COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.1952342139.0000000001940000.00000040.00001000.00020000.00000000.sdmp, Offset: 01940000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_1940000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6ce3715ed4799cd0a993ea830d382c3077ea0590534c70b07cf682ff4d409637
Instruction ID: 1877302adbad291418e6087d498ce5e838ce16d10d91dd61d1afd4a575df2246
Opcode Fuzzy Hash: 6ce3715ed4799cd0a993ea830d382c3077ea0590534c70b07cf682ff4d409637
Instruction Fuzzy Hash: DBB14A71E0061ADFDF29CFA9D880BADBBB5FF88310F14812AE955A7351D730A945CB90

Function 019F60E0 Relevance: .3, Instructions: 264COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.1952342139.0000000001940000.00000040.00001000.00020000.00000000.sdmp, Offset: 01940000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_1940000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 35432f56a5567e745eb0a93d785b815a609f4c83a21a00d935578800a4bda78e
Instruction ID: 21456166b46d2c05907cfdd2cb2357e886024a5a22d66046349b07645699c970
Opcode Fuzzy Hash: 35432f56a5567e745eb0a93d785b815a609f4c83a21a00d935578800a4bda78e
Instruction Fuzzy Hash: 58919275E0021ABFDB15CF68D884BAEBBB9EB49710F15415DE718EB241D774D9008BA0

Function 0198E3F0 Relevance: .3, Instructions: 261COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.1952342139.0000000001940000.00000040.00001000.00020000.00000000.sdmp, Offset: 01940000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_1940000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6ce8dacac352636521dce6b2be25140a5e55e7287602c4a7a29ae5ee07d141f8
Instruction ID: e2139a7cdc827b9b8c7e6f29e8bc7ebf7c8da4e91bd46fb2c8c8d7220e493ac3
Opcode Fuzzy Hash: 6ce8dacac352636521dce6b2be25140a5e55e7287602c4a7a29ae5ee07d141f8
Instruction Fuzzy Hash: 55913332A006169BEB24FB6CC490B79BBA9FF94B15F048469ED0DDB280E634DD01C7A1

Function 019C6ACC Relevance: .2, Instructions: 226COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.1952342139.0000000001940000.00000040.00001000.00020000.00000000.sdmp, Offset: 01940000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_1940000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9afbfffc734c1ecf64be01f1ca8999fac1f03fc918e4dfb97f32da7c6cfc79f4
Instruction ID: 30f1dca072bd307830e982cbf1176c7e6af6aecbdd27e63c8d36a70618b280dc
Opcode Fuzzy Hash: 9afbfffc734c1ecf64be01f1ca8999fac1f03fc918e4dfb97f32da7c6cfc79f4
Instruction Fuzzy Hash: C2819471E006169BDB19CF69C940ABEBBF9FB48B00F04852EE589D7741E334D941CBA5

Function 01A3AB40 Relevance: .2, Instructions: 222COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.1952342139.0000000001940000.00000040.00001000.00020000.00000000.sdmp, Offset: 01940000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_1940000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e20f57e4ff007d65908e0e6f7ea2c5d260c397918ed067619b1479e5480266a4
Instruction ID: 75363a94a7a651cf34e64dcd9e192f77670ca0ce76d2da7cbb3596fbd483ec07
Opcode Fuzzy Hash: e20f57e4ff007d65908e0e6f7ea2c5d260c397918ed067619b1479e5480266a4
Instruction Fuzzy Hash: C5818E31A0021A9FDF19CF99C880BAEBBB2BFC4310F188569E956DB345DB34E905CB50

Function 019AE284 Relevance: .2, Instructions: 212COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.1952342139.0000000001940000.00000040.00001000.00020000.00000000.sdmp, Offset: 01940000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_1940000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4433cc0fddf5daa00b6e9d783aefd37fbf1f5d4ffccd402cd266e35958ad6058
Instruction ID: 55872fe0f5f7e96112b53e0dd2d2bd81308fbc378f3fad593f1e5bb172690ded
Opcode Fuzzy Hash: 4433cc0fddf5daa00b6e9d783aefd37fbf1f5d4ffccd402cd266e35958ad6058
Instruction Fuzzy Hash: 88816571A00609EFDB16DFA9C980BEEBBF9FF88354F504429E559A7250DB30AC45CB90

Function 0198C640 Relevance: .2, Instructions: 206COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.1952342139.0000000001940000.00000040.00001000.00020000.00000000.sdmp, Offset: 01940000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_1940000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: dcd13ae228a5a8270bcd2342f61c38a5f6ab88bdf6a6ee7aa39ff10c12d4553d
Instruction ID: 5e94747558dc32ba955a1373cdaae67626258e4055253016fd3c14afd559b1f9
Opcode Fuzzy Hash: dcd13ae228a5a8270bcd2342f61c38a5f6ab88bdf6a6ee7aa39ff10c12d4553d
Instruction Fuzzy Hash: 4671D275D00225DBCB25DF58C890BFEBBB4FF58710F14852AE95AAB391D330A801CBA0

Function 01A247A0 Relevance: .2, Instructions: 202COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.1952342139.0000000001940000.00000040.00001000.00020000.00000000.sdmp, Offset: 01940000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_1940000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6e30617ac11b5a9c4b2c548ce7fbc71eeeaec7f991dd2e2b7adb0e951535d21e
Instruction ID: 0c9fc37bef05404f208d0a3d2ca432fef0da0ea2e3514aab5c913300e3058b9d
Opcode Fuzzy Hash: 6e30617ac11b5a9c4b2c548ce7fbc71eeeaec7f991dd2e2b7adb0e951535d21e
Instruction Fuzzy Hash: 5471B1B0E00615EFDB20DF9DDA40A9ABFF8FF98300F14415AE618EB268C7719945CB54

Function 0198260B Relevance: .2, Instructions: 201COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.1952342139.0000000001940000.00000040.00001000.00020000.00000000.sdmp, Offset: 01940000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_1940000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 621023a476fa089797fecf247a3904cb9657f486d2fba7f20660e92a959b3efb
Instruction ID: ecfc0dda8a00419aa7edcab8e1649f34600ba897cfaff6813cdf5454758d3245
Opcode Fuzzy Hash: 621023a476fa089797fecf247a3904cb9657f486d2fba7f20660e92a959b3efb
Instruction Fuzzy Hash: B071C0756042428FD311EF2DC480B2AB7E9FF84314F0485AAE899CB352DB34E946CBA1

Function 019F035C Relevance: .2, Instructions: 198COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.1952342139.0000000001940000.00000040.00001000.00020000.00000000.sdmp, Offset: 01940000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_1940000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f01f26b9d4523bb8af8d0dc1087c2bf1dc413617a4b2b84ce5c3b8fc37ed168b
Instruction ID: 5787c78ddcd0340f99000a0af8da0971f55517b73c87efe317d18b8d51f29a2c
Opcode Fuzzy Hash: f01f26b9d4523bb8af8d0dc1087c2bf1dc413617a4b2b84ce5c3b8fc37ed168b
Instruction Fuzzy Hash: 97715F71E00619EFDB10DFA9C984EDEBBB9FF88700F144569E609A7251DB34EA01CB90

Function 01A062A0 Relevance: .2, Instructions: 198COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.1952342139.0000000001940000.00000040.00001000.00020000.00000000.sdmp, Offset: 01940000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_1940000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 45175dd783feb5b08c5070ded048a6e664f0b56c328410bf9ca1a5b45d33e897
Instruction ID: ab6c9dd194465f93c12ad071181a49cc7ff4391ceb2fd83878f62185b0ad87cb
Opcode Fuzzy Hash: 45175dd783feb5b08c5070ded048a6e664f0b56c328410bf9ca1a5b45d33e897
Instruction Fuzzy Hash: BB71F132200701AFEB33DF18D984F56BBB6EF84728F154428E65A8B2E1DB75E954CB50

Function 01978AA0 Relevance: .2, Instructions: 197COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.1952342139.0000000001940000.00000040.00001000.00020000.00000000.sdmp, Offset: 01940000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_1940000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5b127e3e74ef81352d8887a6597c673a1bbaccc53f22e46685ac166023763fec
Instruction ID: 35e731cd960ea9db835a0133a9d8a7a053bce4e13de23cbe3b31944bdbbc7b47
Opcode Fuzzy Hash: 5b127e3e74ef81352d8887a6597c673a1bbaccc53f22e46685ac166023763fec
Instruction Fuzzy Hash: C081E372A04316CFDB29CF9CC588BADB7B5BF88711F15812DEA08AB291C7749D41CB90

Function 01A48324 Relevance: .2, Instructions: 192COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.1952342139.0000000001940000.00000040.00001000.00020000.00000000.sdmp, Offset: 01940000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_1940000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: dd6870544f289d9f613ec8a561f2c8bb90cf5605c1464a6f598f3dd48e043c23
Instruction ID: c0aee420015e0aa86d9b1e5ac7ce460e6059f25ecdf85c20f8ccdb7be2f3add1
Opcode Fuzzy Hash: dd6870544f289d9f613ec8a561f2c8bb90cf5605c1464a6f598f3dd48e043c23
Instruction Fuzzy Hash: F3711871E0020AAFDB16DFD4D981FEEBBB8FF44750F104169EA24A7290D774AA05CB90

Function 01A2A250 Relevance: .2, Instructions: 184COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.1952342139.0000000001940000.00000040.00001000.00020000.00000000.sdmp, Offset: 01940000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_1940000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 92b282673e4e02593d97cbeeeb0db56f3cef602d9a89e48ceccadf4eeb55019e
Instruction ID: 749582c18510b9c2e861c9e129379c95fe7d00549071ce62ba245b4df89a8f1e
Opcode Fuzzy Hash: 92b282673e4e02593d97cbeeeb0db56f3cef602d9a89e48ceccadf4eeb55019e
Instruction Fuzzy Hash: B551EF72504722AFD322DE6CC884E5BBBE8EBC9710F010929FA45DB651D770ED04CBA2

Function 01A18350 Relevance: .2, Instructions: 161COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.1952342139.0000000001940000.00000040.00001000.00020000.00000000.sdmp, Offset: 01940000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_1940000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0c6e7a1a98fc46b8f0aaad5a9b40e8f529161252bafa9d909174f8e0f5e5eeb3
Instruction ID: b1227f027bac51fd8f26b9eb324b172d6186064dc80d8055bff96cee873ffae3
Opcode Fuzzy Hash: 0c6e7a1a98fc46b8f0aaad5a9b40e8f529161252bafa9d909174f8e0f5e5eeb3
Instruction Fuzzy Hash: E151B170900705DFD721DF6AC880AABFBF8FF94710F104A1EE296976A5CBB4A545CB90

Function 019AE443 Relevance: .2, Instructions: 158COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.1952342139.0000000001940000.00000040.00001000.00020000.00000000.sdmp, Offset: 01940000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_1940000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 15588ec84003e4f2ae19cc1ecbe73812fbede04539de3730654fe28196071def
Instruction ID: 58968b67d092ca37e6b28109ece75a83de9ad39f375d1f957d8d8e6616b696b9
Opcode Fuzzy Hash: 15588ec84003e4f2ae19cc1ecbe73812fbede04539de3730654fe28196071def
Instruction Fuzzy Hash: E1517E71600A05DFCB22EF69C984EAAB3FDFF54B84F800829E54A97260D734ED45CB90

Function 01A14180 Relevance: .2, Instructions: 156COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.1952342139.0000000001940000.00000040.00001000.00020000.00000000.sdmp, Offset: 01940000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_1940000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 22545b6061946a798522cc65fdad9179a61b0fdc83fbf58cbf213ff557498c4e
Instruction ID: 0513b62b5e8b75d49e8d02bfe8a18fa38038a0937edf435d4196083c402ef90b
Opcode Fuzzy Hash: 22545b6061946a798522cc65fdad9179a61b0fdc83fbf58cbf213ff557498c4e
Instruction Fuzzy Hash: 905133B16083029FD754DF2DC880A6BBBE5BFC8718F48492DF599C7254EB30DA058B96

Function 019945B1 Relevance: .2, Instructions: 156COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.1952342139.0000000001940000.00000040.00001000.00020000.00000000.sdmp, Offset: 01940000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_1940000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0d00e1a585e90d849ff2aa0c284c489e35fe4af6d50ef2092e2439a8439fa3dd
Instruction ID: 693c0c49240cc3b965d5dff6a5f04f15e8afc9393994ea4ecbdebc7cd0924e75
Opcode Fuzzy Hash: 0d00e1a585e90d849ff2aa0c284c489e35fe4af6d50ef2092e2439a8439fa3dd
Instruction Fuzzy Hash: 6051B571D0021EABDF16DF98C540BEEBBB9BF49750F05806AEA09AB250D734DD45CBA0

Function 019FE9E0 Relevance: .2, Instructions: 154COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.1952342139.0000000001940000.00000040.00001000.00020000.00000000.sdmp, Offset: 01940000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_1940000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b631fe1f52208cb18c131e5291272d5615ec6cd8030edbb8dd5fe07777775a1e
Instruction ID: 28e4fbe0daf4f1ea9b384eb7aa3a912b0fd0d3a41f699cb985ed0f00638290d1
Opcode Fuzzy Hash: b631fe1f52208cb18c131e5291272d5615ec6cd8030edbb8dd5fe07777775a1e
Instruction Fuzzy Hash: D251963190021EBFEF11DF95C984FAEBB79AF40326F16466DD71A671A0D7309D4487A0

Function 01A38B28 Relevance: .2, Instructions: 152COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.1952342139.0000000001940000.00000040.00001000.00020000.00000000.sdmp, Offset: 01940000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_1940000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0712e63f82b8ac773442b7cdb584ef285541fbaabcd164011c77f2f37e0faaa4
Instruction ID: 61770fc4f4c6b5ed5523c89d5ee3997a3a80a4a58981cc0c1d379468a44eac09
Opcode Fuzzy Hash: 0712e63f82b8ac773442b7cdb584ef285541fbaabcd164011c77f2f37e0faaa4
Instruction Fuzzy Hash: 9941D2707056129BDA299F2DC994B7FBBAAEFD0620F188319F955C7281DB3CD901C690

Function 019FCBF0 Relevance: .1, Instructions: 148COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.1952342139.0000000001940000.00000040.00001000.00020000.00000000.sdmp, Offset: 01940000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_1940000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6bf15c79bc2eeade711edd6c21d36a53eefb8b0d45e3afee35578f4c35cf123f
Instruction ID: 686c6774dfe4ea45429e97941123577467541e26118c7f1b661fbe2660dfb125
Opcode Fuzzy Hash: 6bf15c79bc2eeade711edd6c21d36a53eefb8b0d45e3afee35578f4c35cf123f
Instruction Fuzzy Hash: 9B518C75D0021AEFCB20DFA9C980E9EBBB9FF88355B118919D61EA7744D730AD01CB90

Function 019AA430 Relevance: .1, Instructions: 139COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.1952342139.0000000001940000.00000040.00001000.00020000.00000000.sdmp, Offset: 01940000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_1940000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9729c14f499ac1076706e650372fbceb5bd52919737d8ff8b9a57752e27fc139
Instruction ID: 1b251ca60195cac4926b1400e2f4689b70b0706b70c24475ef960d21718d3ddd
Opcode Fuzzy Hash: 9729c14f499ac1076706e650372fbceb5bd52919737d8ff8b9a57752e27fc139
Instruction Fuzzy Hash: 9341F5756402129FDF26EF78D880F6E37A9ABA4B08F41042DEA0E9B251D7719805CBA4

Function 01A3A9D3 Relevance: .1, Instructions: 139COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.1952342139.0000000001940000.00000040.00001000.00020000.00000000.sdmp, Offset: 01940000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_1940000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7622aca86cac28a0acf118705f69cf0cc3cb486fddc0e93dd45dfd5b9ea80ff7
Instruction ID: 743a4f72d7abe9ae5ee54262d1e69f9e48337e0769945ea9a254a21e0d673243
Opcode Fuzzy Hash: 7622aca86cac28a0acf118705f69cf0cc3cb486fddc0e93dd45dfd5b9ea80ff7
Instruction Fuzzy Hash: 1A41C472A047269FD729CF68C980B6AB7A9FFC0210F05462EF996C7641EB30ED05C790

Function 019A01F8 Relevance: .1, Instructions: 138COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.1952342139.0000000001940000.00000040.00001000.00020000.00000000.sdmp, Offset: 01940000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_1940000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9f8b1b23be2535c737fcdc865bce9fb1afc13953d1679d05a2868b5f4a4e936e
Instruction ID: 3d154fe2e43f78f729b1a088a5c1866801b550d0a5e32a6150ef0974a6cfb580
Opcode Fuzzy Hash: 9f8b1b23be2535c737fcdc865bce9fb1afc13953d1679d05a2868b5f4a4e936e
Instruction Fuzzy Hash: 9941DF35E00219DBDB15DF98C440AEEBBB8BF88B14F59812AF819F7240D7359D49CBA4

Function 0199EBFC Relevance: .1, Instructions: 138COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.1952342139.0000000001940000.00000040.00001000.00020000.00000000.sdmp, Offset: 01940000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_1940000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5758fe7c8253e063a5772fa61eee34c0af4758c0490bc9594819e33969213168
Instruction ID: ee978a5392595c9b5c15af79539e6a987418f3c3b3750a00a92e82f8831225af
Opcode Fuzzy Hash: 5758fe7c8253e063a5772fa61eee34c0af4758c0490bc9594819e33969213168
Instruction Fuzzy Hash: 1C4190716043429FDB25EF2CC880A57B7E9FF88214F044929E99FC7651EB35E845CB51

Function 019B2750 Relevance: .1, Instructions: 137COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.1952342139.0000000001940000.00000040.00001000.00020000.00000000.sdmp, Offset: 01940000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_1940000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f9143dc9ab32c0c56755980999bbdd100a6c23c33ec6549c8632214e05dba9ed
Instruction ID: daba49a55c3f98fe8a90fd1f71e83382c26eb441247e5f2b80b7bd074dc340c3
Opcode Fuzzy Hash: f9143dc9ab32c0c56755980999bbdd100a6c23c33ec6549c8632214e05dba9ed
Instruction Fuzzy Hash: A9516A75A00215CFCB16CF98C584AAEF7F6FF84710F2481A9D919A7361E770AE42CB90

Function 01976154 Relevance: .1, Instructions: 133COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.1952342139.0000000001940000.00000040.00001000.00020000.00000000.sdmp, Offset: 01940000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_1940000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 63c7df5393b10201fbf9daecbb6e0e2212222c0cb921a2771e2365a430110b3e
Instruction ID: fcf6688697acc3fd214f3a74a234abdc9d71f2432886b5aea6f4318f80c2111e
Opcode Fuzzy Hash: 63c7df5393b10201fbf9daecbb6e0e2212222c0cb921a2771e2365a430110b3e
Instruction Fuzzy Hash: 4151F670A00606DFEB269B28CC04BE8BBB5FF51314F1482A9D51DA76D1E7349981CF80

Function 01970BCD Relevance: .1, Instructions: 130COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.1952342139.0000000001940000.00000040.00001000.00020000.00000000.sdmp, Offset: 01940000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_1940000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3c69f2c772f3e8ba40178532b71d7d83a8d47ea49ff994e4f48aedc7673a766f
Instruction ID: 8d766ebab34da6104cd167d3111e31eeac21cbb9f96af42d8289cd84604c73e9
Opcode Fuzzy Hash: 3c69f2c772f3e8ba40178532b71d7d83a8d47ea49ff994e4f48aedc7673a766f
Instruction Fuzzy Hash: 7841A471E002299BDB21DF68C940FEA7BB8FF85B40F0500A9E94DAB241D774DE80CB91

Function 01A3866E Relevance: .1, Instructions: 129COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.1952342139.0000000001940000.00000040.00001000.00020000.00000000.sdmp, Offset: 01940000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_1940000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 52a1741bb7668dbd0e330b4cee233e7836a49f18a3e4eafb0fad66dd8014cf6e
Instruction ID: bca9dea1557bf34f0a4ed4123815a269390c2a0f3d865fa4d718e82872063498
Opcode Fuzzy Hash: 52a1741bb7668dbd0e330b4cee233e7836a49f18a3e4eafb0fad66dd8014cf6e
Instruction Fuzzy Hash: 1E41D675B00205ABDB15DF99CD84BAFBBBAAFC8600F244169F904A7341D778DE04D760

Function 01970887 Relevance: .1, Instructions: 128COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.1952342139.0000000001940000.00000040.00001000.00020000.00000000.sdmp, Offset: 01940000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_1940000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5db1605ec182dcec5e712d7b74c3c69c84f7d3985c98675e761d047b17977def
Instruction ID: 92dd533239b72e3040a1025fbe643e8825064235e409fd39d1d34805a9f35e6e
Opcode Fuzzy Hash: 5db1605ec182dcec5e712d7b74c3c69c84f7d3985c98675e761d047b17977def
Instruction Fuzzy Hash: 2941B5B16007069FE325DF28C480A26BBF9FF8A314B188A6DE54F87A51E731F845CB50

Function 0199A470 Relevance: .1, Instructions: 127COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.1952342139.0000000001940000.00000040.00001000.00020000.00000000.sdmp, Offset: 01940000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_1940000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3234b3ff204e34dcaa6b2bc822f17da73cfc6fcd409fac25413a2ebcdae19510
Instruction ID: 42c1e68c9bd5c98aead2f13a176ac42f59cbc74a9b1c2feb64166051fde50740
Opcode Fuzzy Hash: 3234b3ff204e34dcaa6b2bc822f17da73cfc6fcd409fac25413a2ebcdae19510
Instruction Fuzzy Hash: 6241CC32A40205CFDF21DF6CC894BED7BB8FB58B21F144569D419AB2E2DB349901CBA1

Function 01978BF0 Relevance: .1, Instructions: 124COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.1952342139.0000000001940000.00000040.00001000.00020000.00000000.sdmp, Offset: 01940000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_1940000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ce772155e6899f58e96d57c1aeb65a378b0f8d98b3339ab62a4569ec549ebdf4
Instruction ID: a108aa872a54827f1435549717b0eaaa61193b23be9a7f2f2f150f1cc2eae271
Opcode Fuzzy Hash: ce772155e6899f58e96d57c1aeb65a378b0f8d98b3339ab62a4569ec549ebdf4
Instruction Fuzzy Hash: 02412936D00202DBD729DF58C884B5ABBB5FF98B14F15802DD9099B265C775D842CFD0

Function 01968918 Relevance: .1, Instructions: 123COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.1952342139.0000000001940000.00000040.00001000.00020000.00000000.sdmp, Offset: 01940000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_1940000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8255b83dbb495abfc16a0e8060ccc61598f04ae6d11671ca575de47b06a4c79e
Instruction ID: d2762dbe18a2b23e8dc6524c431036bed7f79e34b30df2aa8298119cdfaa59f6
Opcode Fuzzy Hash: 8255b83dbb495abfc16a0e8060ccc61598f04ae6d11671ca575de47b06a4c79e
Instruction Fuzzy Hash: 5C415C315083069ED712DF69C841A6BB7E9AF84B94F40092FF989D7250E771DE058BA3

Function 0196A020 Relevance: .1, Instructions: 122COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.1952342139.0000000001940000.00000040.00001000.00020000.00000000.sdmp, Offset: 01940000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_1940000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 165ca662f4b1c8196e57a2c4173bd848e06efaa623a98917432a96e6c9651090
Instruction ID: cdc91c55651095fc96aee63f8ac2c0706ee09d54cdf035367531b5b1b2bdbe56
Opcode Fuzzy Hash: 165ca662f4b1c8196e57a2c4173bd848e06efaa623a98917432a96e6c9651090
Instruction Fuzzy Hash: 16418231A00212DBDB11FE198451BB97B7DEB91B91F15806EE58EAB340D6369D40C771

Function 019709AD Relevance: .1, Instructions: 122COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.1952342139.0000000001940000.00000040.00001000.00020000.00000000.sdmp, Offset: 01940000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_1940000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b66426b86ef2b1eadf3269bc3337df972388052608d948c2cd056210184a5ce6
Instruction ID: 81ae2d271d00b4866536799890f6694de2e5bf61e5b6f5e64d26da10ec31de06
Opcode Fuzzy Hash: b66426b86ef2b1eadf3269bc3337df972388052608d948c2cd056210184a5ce6
Instruction Fuzzy Hash: 1E417AB1A40701EFD725EF18C840B26BBF8FF95715F248A6AE44D8B251E770E942CB90

Function 019A0710 Relevance: .1, Instructions: 121COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.1952342139.0000000001940000.00000040.00001000.00020000.00000000.sdmp, Offset: 01940000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_1940000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: cfe855aa5370e709d3beaf8d0a0824e85895befd2a0058a9eb758e5aacecaf96
Instruction ID: a026f53f1225fbbb9b0431e46977641dfbae31ffa1c876ecb10ac40f900afec1
Opcode Fuzzy Hash: cfe855aa5370e709d3beaf8d0a0824e85895befd2a0058a9eb758e5aacecaf96
Instruction Fuzzy Hash: FD414971A00705EFDB24CF98C980AAABBF8FF18700B54496DE55AD7290D730EA48CF95

Function 0197262C Relevance: .1, Instructions: 119COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.1952342139.0000000001940000.00000040.00001000.00020000.00000000.sdmp, Offset: 01940000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_1940000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e4a87043d478ae48deba87d5925c7fdfb951d4f4c496b3932d8939705fb52d79
Instruction ID: 222d9fd16e48bb7490eeede19f33ee74627e51b1d7d278e7e65e096c52e07506
Opcode Fuzzy Hash: e4a87043d478ae48deba87d5925c7fdfb951d4f4c496b3932d8939705fb52d79
Instruction Fuzzy Hash: C341A0B1511701DFCB26EF28CA40A59B7FAFF94711F1085AAC51E9B2A1EB30A941CF51

Function 019AC8F9 Relevance: .1, Instructions: 116COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.1952342139.0000000001940000.00000040.00001000.00020000.00000000.sdmp, Offset: 01940000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_1940000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 23198d6806f6bac7527bcfd10bd81e6fdf5a22b64b154951252e99632791ac0a
Instruction ID: bfcf0ad6268e5a015056f97f42a8a22b01b0a4a3cb3f0eafa50296f52982d310
Opcode Fuzzy Hash: 23198d6806f6bac7527bcfd10bd81e6fdf5a22b64b154951252e99632791ac0a
Instruction Fuzzy Hash: A6319CB1A00305DFDB52CF98C140799BBF4FB88724F2085AED119DB251D3329906CF90

Function 019F07C3 Relevance: .1, Instructions: 114COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.1952342139.0000000001940000.00000040.00001000.00020000.00000000.sdmp, Offset: 01940000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_1940000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 717d6f352ed2bd0ab945f1e9e5ea27ded937f1fb1e1a06c792b0cfeaf8c0d0c8
Instruction ID: b0464f82dea74a8d4ead63fe1d985fba8375a1fa5841784790841950a72b18ce
Opcode Fuzzy Hash: 717d6f352ed2bd0ab945f1e9e5ea27ded937f1fb1e1a06c792b0cfeaf8c0d0c8
Instruction Fuzzy Hash: 3E417D71A04301AFD760DF29C845B9BBBE8FF88664F004A2EFA9CD7251D7709905CB92

Function 019680A0 Relevance: .1, Instructions: 111COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.1952342139.0000000001940000.00000040.00001000.00020000.00000000.sdmp, Offset: 01940000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_1940000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b0ca0991ed412d80b0acecb52945d5b9aa8f8308cca134e1086ec00096e89f1e
Instruction ID: 207563b260e34c1468bd7598a7a1a9e2b31cdcf4ae3aa7dcbba34354dbb46d6f
Opcode Fuzzy Hash: b0ca0991ed412d80b0acecb52945d5b9aa8f8308cca134e1086ec00096e89f1e
Instruction Fuzzy Hash: 0A41E371E0571AEFDB11DF58C880AA8B7B9FF54760F168629D81EA7280D734ED418BE0

Function 019F05A7 Relevance: .1, Instructions: 111COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.1952342139.0000000001940000.00000040.00001000.00020000.00000000.sdmp, Offset: 01940000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_1940000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a4d803507b2a6f057dda72265ccfe5cef069d2dc967fe85d94c03f80c51c4669
Instruction ID: 5e5dfc385bde88beeca59ffc09faa86ba92bf8a9be465a6b99e17468bf91f19c
Opcode Fuzzy Hash: a4d803507b2a6f057dda72265ccfe5cef069d2dc967fe85d94c03f80c51c4669
Instruction Fuzzy Hash: AD41C472604741AFD320DF68C840A6AB7EEFFC8700F18061DFA5997691E730E914C7A6

Function 01974859 Relevance: .1, Instructions: 111COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.1952342139.0000000001940000.00000040.00001000.00020000.00000000.sdmp, Offset: 01940000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_1940000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 64afb0ac7a5c438a63fcc5e452ead1f466bc602dd775f10899d03a6630e6513c
Instruction ID: 1da3180976fe8ba77e5118d9236cced7d9bf1632c5cdf3bfb2deba415ecda015
Opcode Fuzzy Hash: 64afb0ac7a5c438a63fcc5e452ead1f466bc602dd775f10899d03a6630e6513c
Instruction Fuzzy Hash: 9D41C2706043068BD725DF2CD884B2ABBE9FFC0B55F14442DEA598B2A2DB70D951CB92

Function 01968B50 Relevance: .1, Instructions: 111COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.1952342139.0000000001940000.00000040.00001000.00020000.00000000.sdmp, Offset: 01940000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_1940000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 119405df4b6732bab75fc41e061f6cedaee38458fa6272d3e0e58c6d5b0e4ed1
Instruction ID: 24a20975fb67934f0074c9e56264112bd2e58779d9363c4747b8098b68df7b75
Opcode Fuzzy Hash: 119405df4b6732bab75fc41e061f6cedaee38458fa6272d3e0e58c6d5b0e4ed1
Instruction Fuzzy Hash: 7D4190B1E01705DFCB15DF69C98099DBBF9FF98720F10862ED46AA7260DB34A941CB60

Function 019802E1 Relevance: .1, Instructions: 106COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.1952342139.0000000001940000.00000040.00001000.00020000.00000000.sdmp, Offset: 01940000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_1940000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d45b632d2c88e3b1d2b0a33d4d0818ae25320c4cce4feeb98528bfb7bef810ab
Instruction ID: 2915233c58d90a6a4c1b7b26fc68bc6b35373ce4c1161d7fafdc4de64a371b3e
Opcode Fuzzy Hash: d45b632d2c88e3b1d2b0a33d4d0818ae25320c4cce4feeb98528bfb7bef810ab
Instruction Fuzzy Hash: 4F310731A04244AFDB129B78CC44BDBBFE9AF54350F0885A6F45DD7352D6749848CBA0

Function 01A1E3DB Relevance: .1, Instructions: 105COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.1952342139.0000000001940000.00000040.00001000.00020000.00000000.sdmp, Offset: 01940000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_1940000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b5f079913f732acf0a483e3ddec05da3bf89acce243fd32d8c82eb4996e8e4de
Instruction ID: 52895ea2631ebe39fde1922c31ed2ae4f0d5972cb16f064c017c8b7d00f302c0
Opcode Fuzzy Hash: b5f079913f732acf0a483e3ddec05da3bf89acce243fd32d8c82eb4996e8e4de
Instruction Fuzzy Hash: 4631BC75790706ABD723AF65CC41F6F76B5EB99B50F000028FA04AB2D6DA65DD00C7E4

Function 01A24B4B Relevance: .1, Instructions: 104COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.1952342139.0000000001940000.00000040.00001000.00020000.00000000.sdmp, Offset: 01940000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_1940000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 01b087d64c63469a7dd6a71186033f613906cfa738d97a7d36ffc2b2d6964f79
Instruction ID: cf48d11e762c9f69eaae8842b77a6273cd41ab552532261f85c3b8f8bf958305
Opcode Fuzzy Hash: 01b087d64c63469a7dd6a71186033f613906cfa738d97a7d36ffc2b2d6964f79
Instruction Fuzzy Hash: 1D31E272605621CFC325DF1DD880E26BBF5FB88360F0A446EE9999B665D730E805CB91

Function 01974260 Relevance: .1, Instructions: 102COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.1952342139.0000000001940000.00000040.00001000.00020000.00000000.sdmp, Offset: 01940000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_1940000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d1be131684d363a540e41d2b26b1d7759df463fd8a174b799cf4bcec622dc03c
Instruction ID: b0e2badd5a4e6082c792eaf4f5bcb5046b304aeef0c613605f95cf0270638406
Opcode Fuzzy Hash: d1be131684d363a540e41d2b26b1d7759df463fd8a174b799cf4bcec622dc03c
Instruction Fuzzy Hash: 8541DD75201B05DFD726CF28C981FD6BBE8AF89710F058829E69E8B251D770E800CB90

Function 01A24BB0 Relevance: .1, Instructions: 101COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.1952342139.0000000001940000.00000040.00001000.00020000.00000000.sdmp, Offset: 01940000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_1940000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6ee9a1db83cbb5c2dfeadb60d888f3de4fb0fbe5fb6fcfcd258e2fa57f583c6d
Instruction ID: 1aca36200a57ad4544373cd97a32a9fee9c81b56e1c6e2c1143a49bfa2095471
Opcode Fuzzy Hash: 6ee9a1db83cbb5c2dfeadb60d888f3de4fb0fbe5fb6fcfcd258e2fa57f583c6d
Instruction Fuzzy Hash: 543178716046118FD720DF2DD880A3ABBE5FB88720F09496DF9999B795E730EC05CB91

Function 019EEB1D Relevance: .1, Instructions: 100COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.1952342139.0000000001940000.00000040.00001000.00020000.00000000.sdmp, Offset: 01940000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_1940000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2e9d02e0ae15f179cd547ef0b5bfc805e3748e23fa216894c041842019ad25cd
Instruction ID: 9654c301abddcdea10c510f63eac010cd6b30859e7500a744fcdf12f435cdbe4
Opcode Fuzzy Hash: 2e9d02e0ae15f179cd547ef0b5bfc805e3748e23fa216894c041842019ad25cd
Instruction Fuzzy Hash: 2631C131B01686ABF7235B5ECD4CF257BDDBB80B45F1D00A4AB4D9B6D2DB68E840C220

Function 01A361C3 Relevance: .1, Instructions: 97COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.1952342139.0000000001940000.00000040.00001000.00020000.00000000.sdmp, Offset: 01940000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_1940000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0b8b32c13a5b1f5e90f6324e22428edd7b803cb583eb8e26c710ab8660639624
Instruction ID: 46e746e433832c96ec937b0900ce3ffe6c1c71d6d1130ca437fb280d54826106
Opcode Fuzzy Hash: 0b8b32c13a5b1f5e90f6324e22428edd7b803cb583eb8e26c710ab8660639624
Instruction Fuzzy Hash: E331B275E00116BBDB15DF98CD80FAEB7B5EB84B40F464168F909AB245D7B0EE01CBA4

Function 01A1483A Relevance: .1, Instructions: 96COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.1952342139.0000000001940000.00000040.00001000.00020000.00000000.sdmp, Offset: 01940000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_1940000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1bb84f0c190fd657d17a227946b2ab0af50a2f6d5e64ca9f162848bee39408c6
Instruction ID: 386a7e7fdc6b9f7a85b943747e50ab2a142986800ac9c5d3e20d2e59a6391554
Opcode Fuzzy Hash: 1bb84f0c190fd657d17a227946b2ab0af50a2f6d5e64ca9f162848bee39408c6
Instruction Fuzzy Hash: 00315376A4012DABCB21DF58DD88BDE7BBAAF9C310F1400A5A508E7254CB30DE918F90

Function 0199EB20 Relevance: .1, Instructions: 96COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.1952342139.0000000001940000.00000040.00001000.00020000.00000000.sdmp, Offset: 01940000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_1940000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d7bca1ed49dd6299c1e42bffd77e57402e8a09582095f9334a8f64791d0b634d
Instruction ID: 2dd375160a15e3983703da52e1b4c65df705b2e9b132cca56039c78ab68fa1a3
Opcode Fuzzy Hash: d7bca1ed49dd6299c1e42bffd77e57402e8a09582095f9334a8f64791d0b634d
Instruction Fuzzy Hash: FD318476E00219AFDB21DFAEC840EAEBBF9EF44750F118465E51ED7250D7709E019BA0

Function 01A360B8 Relevance: .1, Instructions: 95COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.1952342139.0000000001940000.00000040.00001000.00020000.00000000.sdmp, Offset: 01940000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_1940000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a6ded1ba8d49a0389282af507f61d18a50065a527ca17354d00293915895bc0a
Instruction ID: 864360bec1c8b76a21578602da0959e46921f38d3723f3446ec0b27176be4d03
Opcode Fuzzy Hash: a6ded1ba8d49a0389282af507f61d18a50065a527ca17354d00293915895bc0a
Instruction Fuzzy Hash: C631D171A00716BBDB22AFA9C850B6AB7F9AF84754F144069F50DEB352DB70DE018B90

Function 019707AF Relevance: .1, Instructions: 95COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.1952342139.0000000001940000.00000040.00001000.00020000.00000000.sdmp, Offset: 01940000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_1940000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c4ebaa1f271c82aa97e6f18b4d7459213c4d90397f677531a20abb87e361204c
Instruction ID: 67e223753e3a72acc30ad54034a0914c1c3af43eb6a6e63013f439c636288e2e
Opcode Fuzzy Hash: c4ebaa1f271c82aa97e6f18b4d7459213c4d90397f677531a20abb87e361204c
Instruction Fuzzy Hash: 6331E372E04716DBC712DE68C880EABBBA9AFD5650F09492DFD5E97310DA31DC0187E2

Function 01978550 Relevance: .1, Instructions: 94COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.1952342139.0000000001940000.00000040.00001000.00020000.00000000.sdmp, Offset: 01940000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_1940000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9ec506d686d9d2704ac13ccd31be3f8b7e71d6afb5a9ce71cfd3f91c93866753
Instruction ID: e96a8b9af90a507924183010e204a68751443a862a6693b4b9ddceee2a35e337
Opcode Fuzzy Hash: 9ec506d686d9d2704ac13ccd31be3f8b7e71d6afb5a9ce71cfd3f91c93866753
Instruction Fuzzy Hash: 2C316F716093019FE720CF19C944B2AFBE9FF98710F1589AEE98897351D771E844CB92

Function 019AA6C7 Relevance: .1, Instructions: 92COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.1952342139.0000000001940000.00000040.00001000.00020000.00000000.sdmp, Offset: 01940000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_1940000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0db01105071e305578d35fd0a84dce3d89a7587bc94cbde32e7e57e396344d18
Instruction ID: aeaee438c683ae75242a967d5821435f286c7a67f56081576ea60c9ef21c3ecb
Opcode Fuzzy Hash: 0db01105071e305578d35fd0a84dce3d89a7587bc94cbde32e7e57e396344d18
Instruction Fuzzy Hash: 45312AB2B00B01AFE761CF69CE40B57BBF8BB58A50F44492DA59EC3651E630E904CB60

Function 01A1EBD0 Relevance: .1, Instructions: 91COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.1952342139.0000000001940000.00000040.00001000.00020000.00000000.sdmp, Offset: 01940000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_1940000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 72e3f32a99741a62d81eea16e9e9e17551e693c756fd84dfb8c9daeaf3cca04f
Instruction ID: cf83d750f4029b9be664c1e9fb75247ad4af285d0faf6f62d9215f28a1a236b6
Opcode Fuzzy Hash: 72e3f32a99741a62d81eea16e9e9e17551e693c756fd84dfb8c9daeaf3cca04f
Instruction Fuzzy Hash: 1A31B8B1509302DFCB12EF19C94086ABBF5FF89614F0449AEE8889B215D330D985CBD2

Function 0199438F Relevance: .1, Instructions: 89COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.1952342139.0000000001940000.00000040.00001000.00020000.00000000.sdmp, Offset: 01940000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_1940000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9819ba0ae4e9a8baa0f93f3d128dc436e788b679320df4711dac5640b99300f8
Instruction ID: a8ec32568de04f5beb38d8fa7ed6fddb4afd354b335f4528c259055980572e30
Opcode Fuzzy Hash: 9819ba0ae4e9a8baa0f93f3d128dc436e788b679320df4711dac5640b99300f8
Instruction Fuzzy Hash: BE31D631B002069FDB21EFBCCA81A6EB7F9AB94744F008529D54ED7254D730E946CB91

Function 0196CB7E Relevance: .1, Instructions: 89COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.1952342139.0000000001940000.00000040.00001000.00020000.00000000.sdmp, Offset: 01940000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_1940000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8cd4161f5b4d08ac4698b36444b06603346f514182f58bb0feca1d395408faf4
Instruction ID: ff56b26d28b164fa0ec7ac53e27b4026da11e35ce1255cd499dd0e2624433833
Opcode Fuzzy Hash: 8cd4161f5b4d08ac4698b36444b06603346f514182f58bb0feca1d395408faf4
Instruction Fuzzy Hash: 3F212B32E0025FAADB11DBB98810BAFBBB9AF54740F058435AE99E7340E274DD00C7A1

Function 0196C156 Relevance: .1, Instructions: 88COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.1952342139.0000000001940000.00000040.00001000.00020000.00000000.sdmp, Offset: 01940000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_1940000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7c4fd041d9a926f313d0043c62e24d95bc967edb481dc238a3252cb33c68da82
Instruction ID: 71e46e28e7fecc3394874f67c2cc47f06203162bed8714ef0a13a7f561d29a19
Opcode Fuzzy Hash: 7c4fd041d9a926f313d0043c62e24d95bc967edb481dc238a3252cb33c68da82
Instruction Fuzzy Hash: 463127B55002018BD721AF68CC41BA977F8BF90714F5481BDD9CE9B382EA34D986CBE1

Function 01A2C3CD Relevance: .1, Instructions: 88COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.1952342139.0000000001940000.00000040.00001000.00020000.00000000.sdmp, Offset: 01940000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_1940000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7f3ac7f511b12b6545c220c591282cbbe50732f4b841637f95eeaa606406b8f4
Instruction ID: 873a77ecab664a0cf50cf3baa23c792602e34eff8d75f9cc7f0acf38a0e4204d
Opcode Fuzzy Hash: 7f3ac7f511b12b6545c220c591282cbbe50732f4b841637f95eeaa606406b8f4
Instruction Fuzzy Hash: 8C21303AA0066676DB15AB99CD04EBFBBB5EF90720F80841AFA9587553E634D940C3A0

Function 0196E420 Relevance: .1, Instructions: 88COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.1952342139.0000000001940000.00000040.00001000.00020000.00000000.sdmp, Offset: 01940000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_1940000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: aadd521009af0673254d40dc76047fa37494a93f7fca60549b9ed5a4c5e0b1c7
Instruction ID: 6a992a9b636df5ead9fe2b744eb94c596d5e51cc8852aebead8977039b4179c3
Opcode Fuzzy Hash: aadd521009af0673254d40dc76047fa37494a93f7fca60549b9ed5a4c5e0b1c7
Instruction Fuzzy Hash: A431C535A4152C9BDB31DF28CD41FEE77BDEB55B40F0105A1E64DA7290D674AE808FA0

Function 019A4588 Relevance: .1, Instructions: 87COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.1952342139.0000000001940000.00000040.00001000.00020000.00000000.sdmp, Offset: 01940000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_1940000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 889ecffd1a06a090bd79871a4c0fdf01ee42b751b4f666e31dccfc06bb2b9632
Instruction ID: d645da8310fb64a80c748c03c9d901c3a2bbbc57755da76ffda8b85b75a5d29d
Opcode Fuzzy Hash: 889ecffd1a06a090bd79871a4c0fdf01ee42b751b4f666e31dccfc06bb2b9632
Instruction Fuzzy Hash: 15218371A00609EFCB15CF58C984A8EBBB9FF48714F548065EE199F241D6B1EE09CB90

Function 019A44B0 Relevance: .1, Instructions: 87COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.1952342139.0000000001940000.00000040.00001000.00020000.00000000.sdmp, Offset: 01940000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_1940000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 28228597d89fc64cbcb32755096b543f7874be13d8c30371ae065f2a767636ce
Instruction ID: 822f8bed4bad3aeab185797335c311250829daaec37747c81f299e09b026eb63
Opcode Fuzzy Hash: 28228597d89fc64cbcb32755096b543f7874be13d8c30371ae065f2a767636ce
Instruction Fuzzy Hash: 5621D1726047459BCB22DF18C880F6BB7E8FB88721F444929FD8C9B641D770E9058BE2

Function 0196E388 Relevance: .1, Instructions: 86COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.1952342139.0000000001940000.00000040.00001000.00020000.00000000.sdmp, Offset: 01940000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_1940000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0cf2ef89ce765565c41e30a718174bbd4c2b265194fcbe27392bd3351cdfdb09
Instruction ID: 802404ca6c9865975b6e22dedbd87fbd682d426790d201eac14ea8f84586f5ee
Opcode Fuzzy Hash: 0cf2ef89ce765565c41e30a718174bbd4c2b265194fcbe27392bd3351cdfdb09
Instruction Fuzzy Hash: DA31AB35600605EFD721CF68C984F6AB7F9FF85754F1049A9E55A8B280E730EE02CB60

Function 019EE609 Relevance: .1, Instructions: 86COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.1952342139.0000000001940000.00000040.00001000.00020000.00000000.sdmp, Offset: 01940000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_1940000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 75774eaae9faa9849ea607112af011055ab29c6583d9bf63110cfb80257b4434
Instruction ID: 6157de2b44dc97e17a92268d52613696e209a2679c52b08d99766a85fccce8b2
Opcode Fuzzy Hash: 75774eaae9faa9849ea607112af011055ab29c6583d9bf63110cfb80257b4434
Instruction Fuzzy Hash: 18317E79600206AFCB16CF18C4889AE77F9FF84704B154459F80D9B395E731EA50CF94

Function 019F06F1 Relevance: .1, Instructions: 79COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.1952342139.0000000001940000.00000040.00001000.00020000.00000000.sdmp, Offset: 01940000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_1940000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6dcb78ddd50f1b196909acb2e66dd4d5098bae58514223ea3b71d2fd890dbc3c
Instruction ID: 11da2242e2c311f8c6252730202f4f716a40eca3f29673e01228c4b0e7c0f6e2
Opcode Fuzzy Hash: 6dcb78ddd50f1b196909acb2e66dd4d5098bae58514223ea3b71d2fd890dbc3c
Instruction Fuzzy Hash: 4F219F75A00229EBCF21DF59C881ABEB7F9FF48740B550069F945EB251D738AD42CBA0

Function 019F019F Relevance: .1, Instructions: 78COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.1952342139.0000000001940000.00000040.00001000.00020000.00000000.sdmp, Offset: 01940000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_1940000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c8b33f8078cd0433493ac9a4de04c3502ce2796726e0532f6f7ffe5f4422209a
Instruction ID: f2158d6bfeeb5c9b8b519cd6f16ddb5690384191a4e3547ff18dac201f27b83e
Opcode Fuzzy Hash: c8b33f8078cd0433493ac9a4de04c3502ce2796726e0532f6f7ffe5f4422209a
Instruction Fuzzy Hash: CC218B75A00645BBD715DB6DC980E6AB7ACFF98740F180069FA08D76A1D634ED40CB64

Function 019F0283 Relevance: .1, Instructions: 74COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.1952342139.0000000001940000.00000040.00001000.00020000.00000000.sdmp, Offset: 01940000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_1940000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 010cb93e3240146c2670577944e2cccc199fd4602a633ed1c0c1a12070ff5527
Instruction ID: 3f4948cddee22854b571d125c0429b0ea52b3a643f11317dd9be574e5abd7077
Opcode Fuzzy Hash: 010cb93e3240146c2670577944e2cccc199fd4602a633ed1c0c1a12070ff5527
Instruction Fuzzy Hash: E321B072904246ABD721EF5EC944FABBBDDEF90644F0C045ABE8887262D770D905C7A1

Function 01992835 Relevance: .1, Instructions: 73COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.1952342139.0000000001940000.00000040.00001000.00020000.00000000.sdmp, Offset: 01940000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_1940000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 702e726b21035af6cd9b258429e6d205a26acb09d9f3fb1ee70cf775259927e7
Instruction ID: 7fc1fef5ab947efc05868e7fdab48b573eb78d3f7ddcd05901924378605d6056
Opcode Fuzzy Hash: 702e726b21035af6cd9b258429e6d205a26acb09d9f3fb1ee70cf775259927e7
Instruction Fuzzy Hash: 3F21DE31745681ABE722976D8C08F147B9DBF41B75F1903A4FA2C9F6D2D768D801C251

Function 019AA30B Relevance: .1, Instructions: 70COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.1952342139.0000000001940000.00000040.00001000.00020000.00000000.sdmp, Offset: 01940000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_1940000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: cc9ccfa3808ead07cd40541e0e62ff58de87be293ccd65d6535f211149383f32
Instruction ID: 06ee8808a4abb03bf312ade134aab6dda5085dcccc0b6d9b9ca475f1aad67c63
Opcode Fuzzy Hash: cc9ccfa3808ead07cd40541e0e62ff58de87be293ccd65d6535f211149383f32
Instruction Fuzzy Hash: C821A979200A01AFC726DF29CC00B56B7F9FF58B04F248468A50DCBB62E731E846CB94

Function 01A2A49A Relevance: .1, Instructions: 70COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.1952342139.0000000001940000.00000040.00001000.00020000.00000000.sdmp, Offset: 01940000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_1940000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 512db11feb94fd26c6f534797048975f371bda6814a3988c6e392e2699dbdbe6
Instruction ID: 1e71a18b15991b24728dd53b2154fef191f45510c6646d392212e32625b9561d
Opcode Fuzzy Hash: 512db11feb94fd26c6f534797048975f371bda6814a3988c6e392e2699dbdbe6
Instruction Fuzzy Hash: 52112972380A21BFE322566DDC41F27B699EFD4B60F150028FB08CB691EB70EC018795

Function 019F0946 Relevance: .1, Instructions: 70COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.1952342139.0000000001940000.00000040.00001000.00020000.00000000.sdmp, Offset: 01940000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_1940000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3bfea9af73cc2e424af41f52b7b20f2a6c8ecfeed7fa3e3741320ef2e2d6d645
Instruction ID: 5dc326295a24e79711a8eeff17aaf065965ae5ae35726e68f1f6b1291acfd323
Opcode Fuzzy Hash: 3bfea9af73cc2e424af41f52b7b20f2a6c8ecfeed7fa3e3741320ef2e2d6d645
Instruction Fuzzy Hash: 852116B1E10209ABCB20DFAAD8809AEFBF9FF98610F10012EE519A7250D6709941CB64

Function 01A080A8 Relevance: .1, Instructions: 69COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.1952342139.0000000001940000.00000040.00001000.00020000.00000000.sdmp, Offset: 01940000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_1940000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5cbf44edbda76f4502fdddb46b30f07fa62677dc347fe83d1d029fa4afc5ea58
Instruction ID: e726c1f7bfecd94655099f73cd6bf3a98452f1fa9268a15778767ff36a6f8a7c
Opcode Fuzzy Hash: 5cbf44edbda76f4502fdddb46b30f07fa62677dc347fe83d1d029fa4afc5ea58
Instruction Fuzzy Hash: 87216A72E00209EFDB129F98DC40BAEBBBAEF88310F204419F945A7291D738D9518B54

Function 019A0124 Relevance: .1, Instructions: 68COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.1952342139.0000000001940000.00000040.00001000.00020000.00000000.sdmp, Offset: 01940000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_1940000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: bd8ac78140f895066083d1addf409b64165891323dc0076c6e3fdac533eabcce
Instruction ID: a49be8b97f535ae5a631ab7b2971e905e4f6641cd6017bff7b85df856c3e0c69
Opcode Fuzzy Hash: bd8ac78140f895066083d1addf409b64165891323dc0076c6e3fdac533eabcce
Instruction Fuzzy Hash: EB11BF72601609BFE7229F98CC81F9ABBBCEB81754F144429F6099B190D671ED48CBA0

Function 01978770 Relevance: .1, Instructions: 68COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.1952342139.0000000001940000.00000040.00001000.00020000.00000000.sdmp, Offset: 01940000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_1940000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: bebdfec1cd6ab592c5c7b8b4b9c657d6cd9549e766fdfc40ce2701630c567de3
Instruction ID: 18a05375e411675b3254bda0db3b06f2f4b43a0238a3127a63caf8a7044c9245
Opcode Fuzzy Hash: bebdfec1cd6ab592c5c7b8b4b9c657d6cd9549e766fdfc40ce2701630c567de3
Instruction Fuzzy Hash: 9E11BF717006519BDB11CF5DC4C4A66FBEDAF8AB11B19806DEE0D9F205D6B2D9018790

Function 019AAAEE Relevance: .1, Instructions: 68COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.1952342139.0000000001940000.00000040.00001000.00020000.00000000.sdmp, Offset: 01940000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_1940000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3b9caaf395a22a4929ed725bdef4f5484843110ef385696de3fd96b14fff4041
Instruction ID: ddd13a85a322d6b3d55e15db44bb2e9ac8a5dcea6eee7910dc63d48d75bfebb2
Opcode Fuzzy Hash: 3b9caaf395a22a4929ed725bdef4f5484843110ef385696de3fd96b14fff4041
Instruction Fuzzy Hash: 51218B72600641DFDB329F49C944E66FBEAEB94B11F55883DE94E87A20C730ED05CB80

Function 019780E9 Relevance: .1, Instructions: 66COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.1952342139.0000000001940000.00000040.00001000.00020000.00000000.sdmp, Offset: 01940000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_1940000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c643c96a72a0394d6586df6bdc0e3e52f2e61e8c3c3e5bb42d62f341afd8c6bd
Instruction ID: 32933185eb08bc3925a3528be2f085b3bb13c624fe8b38129eb3a542347376c9
Opcode Fuzzy Hash: c643c96a72a0394d6586df6bdc0e3e52f2e61e8c3c3e5bb42d62f341afd8c6bd
Instruction Fuzzy Hash: F0219D35A00206DFCB14CF98D580AAEBBB9FF88318F20856DD109AB351CB71AD06CBD0

Function 019A674D Relevance: .1, Instructions: 65COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.1952342139.0000000001940000.00000040.00001000.00020000.00000000.sdmp, Offset: 01940000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_1940000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 86860b48258ff21d2d17f58831b8169d7999eb66671b3c69e7d23080a77295ba
Instruction ID: e08c85556ac683a64c49ff498943e7596055fae0fb94e6def6f901a20ae1413a
Opcode Fuzzy Hash: 86860b48258ff21d2d17f58831b8169d7999eb66671b3c69e7d23080a77295ba
Instruction Fuzzy Hash: 71218C75610B01EFD7219F68C880F66B7E8FF84250F88882DE5AEC7250DA70A844CBA0

Function 0199E8C0 Relevance: .1, Instructions: 63COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.1952342139.0000000001940000.00000040.00001000.00020000.00000000.sdmp, Offset: 01940000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_1940000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 691b978b7fc5dbf26d06965bf5fa9bb84a77660f44208e8018aba31fd840e5e0
Instruction ID: 7022be9ac1fbb60336fb6cc8518096fbf7823e552a926d58b8b6a739af559d64
Opcode Fuzzy Hash: 691b978b7fc5dbf26d06965bf5fa9bb84a77660f44208e8018aba31fd840e5e0
Instruction Fuzzy Hash: 111108727041149BCF19DB2DCC81A6B725AEFD5771B258929D92F8B290E9309C02C290

Function 01A06870 Relevance: .1, Instructions: 63COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.1952342139.0000000001940000.00000040.00001000.00020000.00000000.sdmp, Offset: 01940000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_1940000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2cb0af3566200580e53ed9d6d5fa30e9c75137e34f53a4f79ccbe6a02b8fd5fb
Instruction ID: 78be7e2a2e6384cb6ce9ad781be010f644129730ef42d28b801fc57ee13e3421
Opcode Fuzzy Hash: 2cb0af3566200580e53ed9d6d5fa30e9c75137e34f53a4f79ccbe6a02b8fd5fb
Instruction Fuzzy Hash: B6110632240504EFD723DB9DDD40F9A77E8EF95B98F014024F209DB2A1DA70E915C790

Function 019A66B0 Relevance: .1, Instructions: 61COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.1952342139.0000000001940000.00000040.00001000.00020000.00000000.sdmp, Offset: 01940000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_1940000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fbda0a8cfcbafc7b818627ba0cc943de3f40b2a2f4c6504cd304ab083d8594c0
Instruction ID: 7dd6914fd0a5d012dbb63971a4b0682fd9301fa08d502404c1306614135ca008
Opcode Fuzzy Hash: fbda0a8cfcbafc7b818627ba0cc943de3f40b2a2f4c6504cd304ab083d8594c0
Instruction Fuzzy Hash: DB11BC76A113059BCB25DF59C580E5ABFE8AB84610F4A4079D90DAB321E634DD04CBE0

Function 01A3A8E4 Relevance: .1, Instructions: 61COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.1952342139.0000000001940000.00000040.00001000.00020000.00000000.sdmp, Offset: 01940000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_1940000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4aa21802b203594a0c183a0f29eab8f59a86752156d6c183eb3a1b7e63dba1b2
Instruction ID: 076a10e49d386136abe755651551b7558e650a3f26d15ac04a371b83f2bc3665
Opcode Fuzzy Hash: 4aa21802b203594a0c183a0f29eab8f59a86752156d6c183eb3a1b7e63dba1b2
Instruction Fuzzy Hash: 9D11B236A00915AFDB19CB58C805B9EBBB5FFC4210F058269F895E7350E675EE51CB80

Function 01970AD0 Relevance: .1, Instructions: 61COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.1952342139.0000000001940000.00000040.00001000.00020000.00000000.sdmp, Offset: 01940000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_1940000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 975f93ae0bdd36ad56dc7d48bb40b3373a7fecd11d003270eb178f636a7ee754
Instruction ID: e44b691a8be0e0b89d4cafc597828ff226c9b9e572c1be22d43f0e10dc0e7b3f
Opcode Fuzzy Hash: 975f93ae0bdd36ad56dc7d48bb40b3373a7fecd11d003270eb178f636a7ee754
Instruction Fuzzy Hash: 5A2106B5A00B059FD3A0CF29C580B52BBF4FB48B10F10492EE98AC7B50E371E914CB90

Function 019FE7E1 Relevance: .1, Instructions: 59COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.1952342139.0000000001940000.00000040.00001000.00020000.00000000.sdmp, Offset: 01940000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_1940000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: be7cdff5b472ac4535dea4ef4a70d93a0a3acfb449cd7ab0a5074af29ebfca6c
Instruction ID: 4866be8628f789cc47d624e5315dcf050368650987bb139a51121a62ccd30c05
Opcode Fuzzy Hash: be7cdff5b472ac4535dea4ef4a70d93a0a3acfb449cd7ab0a5074af29ebfca6c
Instruction Fuzzy Hash: C9118C32600601FBE721AF48C840B56BBB9EF85769F16842CEB0D9B170DB31DC40DB91

Function 019927ED Relevance: .1, Instructions: 58COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.1952342139.0000000001940000.00000040.00001000.00020000.00000000.sdmp, Offset: 01940000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_1940000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c4b64604be5a9010a906a0dc6f6cd6cd603667105b996090213f641fa0e2849a
Instruction ID: 8fd16487ad9bd7b956ad78de609183617af38880d574612db210bd50818fe21e
Opcode Fuzzy Hash: c4b64604be5a9010a906a0dc6f6cd6cd603667105b996090213f641fa0e2849a
Instruction Fuzzy Hash: A1012232705645BBE726A76FD888F277B8CEF807A5F094464F90C8B281DA24DC00C2A2

Function 01974690 Relevance: .1, Instructions: 57COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.1952342139.0000000001940000.00000040.00001000.00020000.00000000.sdmp, Offset: 01940000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_1940000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f492a528b58d621a37fc3b66db49c1d6c1c04afc282ad6e93742d9743a7b97a3
Instruction ID: 3be06df4d7cb7c3c04479faa257fd25c5876bad63f1e14705b6121e670659a1e
Opcode Fuzzy Hash: f492a528b58d621a37fc3b66db49c1d6c1c04afc282ad6e93742d9743a7b97a3
Instruction Fuzzy Hash: E311CE36341645AFDB25CF59D980F56BBA8EFC6B65F00452AF91C8B262C370E840CF60

Function 01A44B00 Relevance: .1, Instructions: 57COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.1952342139.0000000001940000.00000040.00001000.00020000.00000000.sdmp, Offset: 01940000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_1940000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 227fe279f5366992a8835c1cd5147159528078982c232c8f64d8cc13843b4923
Instruction ID: a3503e4bb9f590f46af823e39a3f344430a2b471535c2f133d67845c27b1c4d7
Opcode Fuzzy Hash: 227fe279f5366992a8835c1cd5147159528078982c232c8f64d8cc13843b4923
Instruction Fuzzy Hash: A5118236200A119FE7229B6DD844F67B7A6FFC9711F194529EA4687690DA30E803CB90

Function 019A6620 Relevance: .1, Instructions: 56COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.1952342139.0000000001940000.00000040.00001000.00020000.00000000.sdmp, Offset: 01940000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_1940000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 913d8a0d2228503c46e21c46bd102ba1dc38bdd79cdcbae7bd2dbe3b1b6f23e1
Instruction ID: 44f28ba7ff5c08d7a0118473988b63a7a25227ed88bc203881673df0d709e6e8
Opcode Fuzzy Hash: 913d8a0d2228503c46e21c46bd102ba1dc38bdd79cdcbae7bd2dbe3b1b6f23e1
Instruction Fuzzy Hash: A1118276A00715ABDB21EF59C980B5EFBBCFF84B51F950455DA09A7200D730AD058B90

Function 0199EA2E Relevance: .1, Instructions: 56COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.1952342139.0000000001940000.00000040.00001000.00020000.00000000.sdmp, Offset: 01940000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_1940000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5352ad3b89ed5339a8012652e8b4cd8b3017455ae2a0f158b9740cfbac1b3601
Instruction ID: 532094ddfee30db4bc7602ade84363de105550b60602a35e072fa2a02a3d4f5b
Opcode Fuzzy Hash: 5352ad3b89ed5339a8012652e8b4cd8b3017455ae2a0f158b9740cfbac1b3601
Instruction Fuzzy Hash: 1D01CC75A011099FDB25DF19D404E26BBE9FBE1358F20816AE0088B274CB74EC46CB90

Function 0199E53E Relevance: .1, Instructions: 55COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.1952342139.0000000001940000.00000040.00001000.00020000.00000000.sdmp, Offset: 01940000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_1940000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3cef38ccb94af525019048e13b43edf7cf1492b2ee9bf366ac8f969377c4ca22
Instruction ID: 10a6dbe4ec6c80243f22c685a3c307a8e2de4586197010ac453378a8de1b1bc4
Opcode Fuzzy Hash: 3cef38ccb94af525019048e13b43edf7cf1492b2ee9bf366ac8f969377c4ca22
Instruction Fuzzy Hash: B611E5726016C69BEF239B6CD944B253BD8AF40B49F1904A0DE4E87652F728D843C252

Function 019FE75D Relevance: .1, Instructions: 54COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.1952342139.0000000001940000.00000040.00001000.00020000.00000000.sdmp, Offset: 01940000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_1940000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9e027ce95eb4732775abeceb8693466c215af0eeeb981fbb7873360829093128
Instruction ID: 52ee096a9d455e2fe0d28ac53e9b6bcd8792bf672b93f5263c42fb35f522fbfa
Opcode Fuzzy Hash: 9e027ce95eb4732775abeceb8693466c215af0eeeb981fbb7873360829093128
Instruction Fuzzy Hash: DC018C32600206BFE7219B58CC00F5ABAADEF85B56F168428EB0D9B270E775DD40CB90

Function 0196A250 Relevance: .1, Instructions: 52COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.1952342139.0000000001940000.00000040.00001000.00020000.00000000.sdmp, Offset: 01940000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_1940000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3c789e6569c780a36f7740ae573b44e677a8d28900b05b280d318a59104278c5
Instruction ID: 54e53dfe3a34fb5f4935830ad5930ed7f5ed6fff3140e7e18d6829f686b76a90
Opcode Fuzzy Hash: 3c789e6569c780a36f7740ae573b44e677a8d28900b05b280d318a59104278c5
Instruction Fuzzy Hash: D10126314447219BCB318F19D840A327BECEF55761700892DFC9EAB281C335D400CB70

Function 01A44940 Relevance: .1, Instructions: 52COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.1952342139.0000000001940000.00000040.00001000.00020000.00000000.sdmp, Offset: 01940000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_1940000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 60ba250e2f44c0353b7fc247ca0a7c1f358969ec818e0f972d76fb6de565008f
Instruction ID: 3950d32535cc496cf1036f6e7966a31830016e4e6e650a60f7d6df126f482dbf
Opcode Fuzzy Hash: 60ba250e2f44c0353b7fc247ca0a7c1f358969ec818e0f972d76fb6de565008f
Instruction Fuzzy Hash: D601C0775416019BC322AF1C9840F12B7A8EBD9770B254265E9A8DB1A7E730D801DB90

Function 019EE1D0 Relevance: .1, Instructions: 51COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.1952342139.0000000001940000.00000040.00001000.00020000.00000000.sdmp, Offset: 01940000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_1940000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 865e5579e93f12d5c5b1ec270b282a2f4c954d2942877fbe83011e46f66fdd48
Instruction ID: 97a99581c1e73c69f0cf2270dccb2f3b3e0afd5ac5fcf68a260bf5dcd671181f
Opcode Fuzzy Hash: 865e5579e93f12d5c5b1ec270b282a2f4c954d2942877fbe83011e46f66fdd48
Instruction Fuzzy Hash: E411AD32641241EFDB16EF19CD80F56BBB8FF94B44F2000A5EA099B661C635ED01CA90

Function 01976259 Relevance: .1, Instructions: 51COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.1952342139.0000000001940000.00000040.00001000.00020000.00000000.sdmp, Offset: 01940000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_1940000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1ecbfb8f0990883024f89363732a9d042f7697d0c7679e525b875efacc6da27e
Instruction ID: 259b0aca2bab6ad0b65e5ffe65c6608c2d57f910f2e92f3987ecb60f3dd29ce8
Opcode Fuzzy Hash: 1ecbfb8f0990883024f89363732a9d042f7697d0c7679e525b875efacc6da27e
Instruction Fuzzy Hash: AF115A70941229ABEF65EF64CD82FE9B278EF44710F504194A72CA60E0DA70AE81CF84

Function 0197208A Relevance: .0, Instructions: 50COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.1952342139.0000000001940000.00000040.00001000.00020000.00000000.sdmp, Offset: 01940000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_1940000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: cec1b93156338fd1fb8a58b034706470ae4e768dca4fd24834b6fe138f7a55f1
Instruction ID: 84384121f9f164bda4629eebf3f210aa789ef08af45c29659086edce882c8ebd
Opcode Fuzzy Hash: cec1b93156338fd1fb8a58b034706470ae4e768dca4fd24834b6fe138f7a55f1
Instruction Fuzzy Hash: 1501F1326102018BEF169B2DD880F92776BBFC4B00F5544A9ED498F246EA71D881C3A0

Function 019F6050 Relevance: .0, Instructions: 50COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.1952342139.0000000001940000.00000040.00001000.00020000.00000000.sdmp, Offset: 01940000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_1940000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f0f863e2b5b909d94f97fbad2992c0b36b1f980cd0df57f74d7ce03c28deeec7
Instruction ID: bfd609f9b371dfeabd22b2bcc4c47618b04cb67b1dc9348b9edf009fc5d7a63f
Opcode Fuzzy Hash: f0f863e2b5b909d94f97fbad2992c0b36b1f980cd0df57f74d7ce03c28deeec7
Instruction Fuzzy Hash: CE111777900119BBCB12DB95CC84DDFBB7CEF58254F044166EA0AE7211EA34AA19CBE0

Function 01A06500 Relevance: .0, Instructions: 50COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.1952342139.0000000001940000.00000040.00001000.00020000.00000000.sdmp, Offset: 01940000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_1940000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a33a7b55c282d53989f0668c85707d3149f8c923d122695667d5b66a3ac863b6
Instruction ID: 2ebb6410b90f67413c698848fbab5316c3f499d755fb68fa84bb63f81e7d1542
Opcode Fuzzy Hash: a33a7b55c282d53989f0668c85707d3149f8c923d122695667d5b66a3ac863b6
Instruction Fuzzy Hash: 3311C8366441459FD712CF68E840BA5B7B5FB9A318F088159E849CF395D732FC45CBA0

Function 019FC810 Relevance: .0, Instructions: 50COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.1952342139.0000000001940000.00000040.00001000.00020000.00000000.sdmp, Offset: 01940000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_1940000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f963082c93f7768a56bdfbd5766c3fc42cd746004011408f3f88f498d8636650
Instruction ID: 4c336960bba117d03c8ccc20c6659cea274102538ebbfed72239217b93aad23f
Opcode Fuzzy Hash: f963082c93f7768a56bdfbd5766c3fc42cd746004011408f3f88f498d8636650
Instruction Fuzzy Hash: C811ECB1E00209ABCB04DF99D581A9EB7F8FF58650F10806AE915E7351D674EA018BA4

Function 01A1EA60 Relevance: .0, Instructions: 50COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.1952342139.0000000001940000.00000040.00001000.00020000.00000000.sdmp, Offset: 01940000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_1940000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6c7e3aac0886fd5011499bf7a99b87efbc5c79f78136ff864b1b07a51aa02181
Instruction ID: 4640c53e5b946b0c6dc0ecd738cb23c21f9658131e6ca024e25b71c8c1bd199c
Opcode Fuzzy Hash: 6c7e3aac0886fd5011499bf7a99b87efbc5c79f78136ff864b1b07a51aa02181
Instruction Fuzzy Hash: F30184325402119BCB33BB298440D76BBFAFF91692F05442EEA495B615CB34DC82CBA1

Function 019B20F0 Relevance: .0, Instructions: 49COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.1952342139.0000000001940000.00000040.00001000.00020000.00000000.sdmp, Offset: 01940000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_1940000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: aa4723fd7fe9be9b65086ee405c96c53780e5195d6d4649f2e27e0dc3244f6b1
Instruction ID: d40816e5b12c8ef734f70717c44cad35b3832e303a964843079c160cecd19dd6
Opcode Fuzzy Hash: aa4723fd7fe9be9b65086ee405c96c53780e5195d6d4649f2e27e0dc3244f6b1
Instruction Fuzzy Hash: D9116D35A0020DABCB05EF64C991EAE7BB9FB85640F004059F91A97250D635EE11CB90

Function 0196C020 Relevance: .0, Instructions: 49COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.1952342139.0000000001940000.00000040.00001000.00020000.00000000.sdmp, Offset: 01940000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_1940000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: dec391378cc995e4bcc1589e6a6118842a70016cea674f56f99eea4ad8bc76d4
Instruction ID: 0f42df76ad07e1d6b71cb8ea57b41fb80d1a162e231efda1649a6ba2c87d63f6
Opcode Fuzzy Hash: dec391378cc995e4bcc1589e6a6118842a70016cea674f56f99eea4ad8bc76d4
Instruction Fuzzy Hash: 6A01DD321007459FEF229AA9C540F6777EDFFD5650F44482DA58D87540DA74F502C7A1

Function 019AE5CF Relevance: .0, Instructions: 49COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.1952342139.0000000001940000.00000040.00001000.00020000.00000000.sdmp, Offset: 01940000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_1940000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d65b6fc8dd172ba84300fba1d82750c17d7a2ed0a327ac759b3687914b1c92b1
Instruction ID: 5e1144078c735aab8c523ab9e94b6f23fb1eb8def5296bdf8c55154386ca55b6
Opcode Fuzzy Hash: d65b6fc8dd172ba84300fba1d82750c17d7a2ed0a327ac759b3687914b1c92b1
Instruction Fuzzy Hash: 3A0184B16415417BD711BB7DCD44E57B7ECFBD4A547000629B50D93651DB24EC01C6F0

Function 01A069C0 Relevance: .0, Instructions: 49COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.1952342139.0000000001940000.00000040.00001000.00020000.00000000.sdmp, Offset: 01940000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_1940000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8fc437b88ec301c111cf112e5c37d105ee4299b01f04780628f7a4443e46dd7f
Instruction ID: 9b402f96537f5d49dff28ddc0aa6e56f130ac778479e89e17fe8f31af6e4d36c
Opcode Fuzzy Hash: 8fc437b88ec301c111cf112e5c37d105ee4299b01f04780628f7a4443e46dd7f
Instruction Fuzzy Hash: 9A01FC322142029BD321EF6ED8889A7BBB8FF98764F114129E95D871C0E7309951C7D1

Function 019FC460 Relevance: .0, Instructions: 48COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.1952342139.0000000001940000.00000040.00001000.00020000.00000000.sdmp, Offset: 01940000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_1940000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e9bfbcd9c50b5c957bb36c9d60f7b8bdbb975be07f85e8e6ccb9c1c61d8fe065
Instruction ID: e715e78fb6f716e740e7760babde6d695cfcb39434f7625fc55b00e9269243ab
Opcode Fuzzy Hash: e9bfbcd9c50b5c957bb36c9d60f7b8bdbb975be07f85e8e6ccb9c1c61d8fe065
Instruction Fuzzy Hash: 4F115B75A0020DABDB15EF68C840EAE7BB9FB88640F008059FE0597350DA35EA11DB90

Function 019FC97C Relevance: .0, Instructions: 48COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.1952342139.0000000001940000.00000040.00001000.00020000.00000000.sdmp, Offset: 01940000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_1940000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6d7ef5c882ea5b29995fcbbc65b49a391e943d4043cc74da81399bd9b08ad831
Instruction ID: 8771625569d7a4b88c8ff37eb27c47f877c88a80d8523b581336c93d0817ed72
Opcode Fuzzy Hash: 6d7ef5c882ea5b29995fcbbc65b49a391e943d4043cc74da81399bd9b08ad831
Instruction Fuzzy Hash: 4F115E716143099FC700DF69D54199BBBE4FF98710F00851EFA98D7351D630E901CBA6

Function 01A44A80 Relevance: .0, Instructions: 48COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.1952342139.0000000001940000.00000040.00001000.00020000.00000000.sdmp, Offset: 01940000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_1940000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4be238ecb871e70af7da4c9819feb513cc5cd9ee9a4f29187abed574232cbb68
Instruction ID: 10d43f0cc55d3ca9d33cc8e3441598fd350668d55bec3234e52e860bd43f5ca9
Opcode Fuzzy Hash: 4be238ecb871e70af7da4c9819feb513cc5cd9ee9a4f29187abed574232cbb68
Instruction Fuzzy Hash: 8001FC32200A019FD721DB5DD844F57B7E6FFC9710F044829E6428B650DE70F841C754

Function 019FCA11 Relevance: .0, Instructions: 48COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.1952342139.0000000001940000.00000040.00001000.00020000.00000000.sdmp, Offset: 01940000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_1940000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 543d7770c7cf4e82e1fdfded40ec720fdda38dadd55225dcedc8fb094ece7370
Instruction ID: f507a2ccc1c13de8487e290e5331c0aaea584fee0518a140cb754d7097b1cf71
Opcode Fuzzy Hash: 543d7770c7cf4e82e1fdfded40ec720fdda38dadd55225dcedc8fb094ece7370
Instruction Fuzzy Hash: EF118BB16083099FC300DF69C44198BBBE8FF99750F00891EFA58D73A0E630E900CBA2

Function 0198E016 Relevance: .0, Instructions: 46COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.1952342139.0000000001940000.00000040.00001000.00020000.00000000.sdmp, Offset: 01940000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_1940000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0b4e63a3af2f36388c19bb01a8158bbf85eee50dbe01f6888877beb839016758
Instruction ID: e3ab70bafca9d7be83c1b60de54977fa7dc3f344bba76111cd05fa4c5956d4c3
Opcode Fuzzy Hash: 0b4e63a3af2f36388c19bb01a8158bbf85eee50dbe01f6888877beb839016758
Instruction Fuzzy Hash: 38017C322045809FE322AB1DC958F367BDCEB85B58F0908A9F94DCB692D768DC41C622

Function 0196826B Relevance: .0, Instructions: 46COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.1952342139.0000000001940000.00000040.00001000.00020000.00000000.sdmp, Offset: 01940000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_1940000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0ab8b9db6416d2b6738b4835ea3c070e2f2b391ebb7117f18413be57e3b0c63b
Instruction ID: 6610312b6debba99e26f6969746d3348123533f60bc563bd90f4204dd63b3c3a
Opcode Fuzzy Hash: 0ab8b9db6416d2b6738b4835ea3c070e2f2b391ebb7117f18413be57e3b0c63b
Instruction Fuzzy Hash: 5F01A231700709EBDB14EB6AD8459AEBBADFF90650B154029DA0EA7640DE70DD02C7A1

Function 01A1EB50 Relevance: .0, Instructions: 46COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.1952342139.0000000001940000.00000040.00001000.00020000.00000000.sdmp, Offset: 01940000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_1940000_RegSvcs.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 97604b345c8ca74147f7c04ad48451b39567fcf7385055c1c1e525753ee9bf79
Instruction ID: f24c826fd16b65664f18c21d8552a94c43b2cf682264b5963b2bfb320bce1319
Opcode Fuzzy Hash: 97604b345c8ca74147f7c04ad48451b39567fcf7385055c1c1e525753ee9bf79
Instruction Fuzzy Hash: 0B01A271284701AFD3329B19D940F42BAA8FF95B90F05482AF60A9F3A4D6B4A841CB64

Function 01972582 Relevance: .0, Instructions: 45COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.1952342139.0000000001940000.00000040.00001000.00020000.00000000.sdmp, Offset: 01940000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_1940000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 946ad406bb64b996ea97621e3683240eb703e864e3b33aa2091979bf1e20d049
Instruction ID: 391e3ce1ca7bae79e9307fa44bf85a53f46772f6ee68756ab888ab752ea78efa
Opcode Fuzzy Hash: 946ad406bb64b996ea97621e3683240eb703e864e3b33aa2091979bf1e20d049
Instruction Fuzzy Hash: A4F0F432A51B21B7C731DB5A8C40F07BAAEFFC4F90F014029A60A97640CA30ED01CAA0

Function 0199C073 Relevance: .0, Instructions: 43COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.1952342139.0000000001940000.00000040.00001000.00020000.00000000.sdmp, Offset: 01940000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_1940000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 65a6da88ffe4e3ef4f4bf4dda68b508183db8c002971e90ba11f3763248cd9ea
Instruction ID: 217972a8a78e454a174d9f301826f283d0c18968669df599a073c3de59b19250
Opcode Fuzzy Hash: 65a6da88ffe4e3ef4f4bf4dda68b508183db8c002971e90ba11f3763248cd9ea
Instruction Fuzzy Hash: 7AF0C2B2A00611ABE724CF4DDC40E57FBEEDBD1A80F058128A609C7220EA31ED04CB90

Function 0196C310 Relevance: .0, Instructions: 43COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.1952342139.0000000001940000.00000040.00001000.00020000.00000000.sdmp, Offset: 01940000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_1940000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 256e141dc6b9705f9909cc47be5080ee0eb4db29c7708f1459163a76593eb05a
Instruction ID: eabc2e142b393073f6ed145dc277834a2a218007060657a4d66a5a889ae8a92b
Opcode Fuzzy Hash: 256e141dc6b9705f9909cc47be5080ee0eb4db29c7708f1459163a76593eb05a
Instruction Fuzzy Hash: 6FF0F673204A23ABDB3256594840F2BBA9D8FD1AA4F1A4036F28D9B204CA649D0296F1

Function 01A4634F Relevance: .0, Instructions: 43COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.1952342139.0000000001940000.00000040.00001000.00020000.00000000.sdmp, Offset: 01940000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_1940000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: beabd11a1dd864281d058c95a6a1d8097893cc6f8bfd3de5a442746249436a02
Instruction ID: 9b191ae19858c3da46843cd5760e214519b2062fbf3fb1497847d3104465c2b5
Opcode Fuzzy Hash: beabd11a1dd864281d058c95a6a1d8097893cc6f8bfd3de5a442746249436a02
Instruction Fuzzy Hash: 66012C71A10249EBDB04DFA9E551AAEB7F8FF98704F10406AE905E7350D674AA018BA4

Function 01A462D6 Relevance: .0, Instructions: 43COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.1952342139.0000000001940000.00000040.00001000.00020000.00000000.sdmp, Offset: 01940000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_1940000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8e859540b497154382d6d73cb404879f6df2d4c26a16c23dc05469ce8b89c306
Instruction ID: 55a77041c7833f34a99dc7be466fbb2795b35e16b6fe806394397345ac8fb4ff
Opcode Fuzzy Hash: 8e859540b497154382d6d73cb404879f6df2d4c26a16c23dc05469ce8b89c306
Instruction Fuzzy Hash: D5017C71A00209EBCB00DFA9D541AAEBBF8EF98700F50402AE914E7390D674AA018BA0

Function 01A4625D Relevance: .0, Instructions: 43COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.1952342139.0000000001940000.00000040.00001000.00020000.00000000.sdmp, Offset: 01940000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_1940000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b0040349c970281367b579bedc4b819f0b000f773bad6232e164b892143d406a
Instruction ID: 1f69e0a3bcf23b1640bae80fa2af057cbfd2a9f44d9be525b6b578e541f1de6e
Opcode Fuzzy Hash: b0040349c970281367b579bedc4b819f0b000f773bad6232e164b892143d406a
Instruction Fuzzy Hash: 72012C71E1020AEBCB04DFA9D591AAEB7F8FF98704F10406AF905E7351D674AA018BA4

Function 01A461E5 Relevance: .0, Instructions: 41COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.1952342139.0000000001940000.00000040.00001000.00020000.00000000.sdmp, Offset: 01940000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_1940000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 56cba713f8cbc0fc388d0406ea81bbd441c6140180dc7870c68367359fd947b8
Instruction ID: 90751c7974fece387802c1e320ac57a3892fe552b4f33cfc0e3ef9457e5dfbbe
Opcode Fuzzy Hash: 56cba713f8cbc0fc388d0406ea81bbd441c6140180dc7870c68367359fd947b8
Instruction Fuzzy Hash: FB018F71E00249EBCB00DFA9D541AEEBBF8BF98710F14005AE505E7280D734EA01CBA4

Function 019F63C0 Relevance: .0, Instructions: 41COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.1952342139.0000000001940000.00000040.00001000.00020000.00000000.sdmp, Offset: 01940000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_1940000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: dbb06fbea8421d8b96890fd2b120b20d820a8046168cc589f8d54c87f08ef009
Instruction ID: 07295c3a2019def5fad53ae5aa59af98d0015005f1ef6c9fd55cd88cc42089bd
Opcode Fuzzy Hash: dbb06fbea8421d8b96890fd2b120b20d820a8046168cc589f8d54c87f08ef009
Instruction Fuzzy Hash: 66F0127210011DBFEF019F95DD80DAF7B7DEB956D8B104125FA1592160D631DD21A7A0

Function 019FA4B0 Relevance: .0, Instructions: 40COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.1952342139.0000000001940000.00000040.00001000.00020000.00000000.sdmp, Offset: 01940000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_1940000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3e6fad14b9c135956f0c4c2173797e236d640fa515e6fedde7ccef2c9875b98f
Instruction ID: 01b3016fbafa6fb182a7971d05ee8653bfad272e3324f8f6329d82e189f7f02e
Opcode Fuzzy Hash: 3e6fad14b9c135956f0c4c2173797e236d640fa515e6fedde7ccef2c9875b98f
Instruction Fuzzy Hash: 9D019736100209ABCF129F84DC44EDE3FAAFB4C7A4F068105FE1866260C732D971EB81

Function 0196C0F0 Relevance: .0, Instructions: 39COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.1952342139.0000000001940000.00000040.00001000.00020000.00000000.sdmp, Offset: 01940000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_1940000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 253e49b7c0ece9f0814686261e7901003c959eb82e32b2166b087572ad3630d7
Instruction ID: da7fa1bbd5572fc5d7d2158b8755887d62bfbad734b7a0df3e9ad6ddfe922261
Opcode Fuzzy Hash: 253e49b7c0ece9f0814686261e7901003c959eb82e32b2166b087572ad3630d7
Instruction Fuzzy Hash: 22F0F0712043459BF21496598C01F32729EFBC0752F26802AFB4D8F681EA70E84182A4

Function 019A656A Relevance: .0, Instructions: 39COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.1952342139.0000000001940000.00000040.00001000.00020000.00000000.sdmp, Offset: 01940000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_1940000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 453e8d5768bc6b6740991cd6363acacb08a7cb1414ec0c90c738561f74be1967
Instruction ID: a995b99353ba7931518d07ebf8bbed86c7c16939efb32ea87e6fa41bf363014e
Opcode Fuzzy Hash: 453e8d5768bc6b6740991cd6363acacb08a7cb1414ec0c90c738561f74be1967
Instruction Fuzzy Hash: 86018170600681DBE7239B2CCE48F2537E8BB91B44F881590FA49CBAE6D768D405C610

Function 01A1437C Relevance: .0, Instructions: 37COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.1952342139.0000000001940000.00000040.00001000.00020000.00000000.sdmp, Offset: 01940000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_1940000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: abe8a162c34942eaba6aef332befd3f6f0562530e07f378f59fd36a18add1061
Instruction ID: de201a7e07b5966d2f3d740f84911a1983a3f530bec711a411da07b7e0044c55
Opcode Fuzzy Hash: abe8a162c34942eaba6aef332befd3f6f0562530e07f378f59fd36a18add1061
Instruction Fuzzy Hash: 35F02E31345E1347FB36AB2D8420B2FB6559FD4F90B19052E9606CB684DF20DC00D7D0

Function 019FC89D Relevance: .0, Instructions: 36COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.1952342139.0000000001940000.00000040.00001000.00020000.00000000.sdmp, Offset: 01940000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_1940000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 34b50c989348ed263523491445b40217c4e9c7f89ad5c226f3ad6f565e6c646b
Instruction ID: d61f1790f1793a7cadba96d212dc006ab7c8accd949314f16c5f68371278106e
Opcode Fuzzy Hash: 34b50c989348ed263523491445b40217c4e9c7f89ad5c226f3ad6f565e6c646b
Instruction Fuzzy Hash: 2BF0C2706053089FC314EF68C542E1BB7E4FF98710F40865EB998DB390E634EA01CB96

Function 019FE872 Relevance: .0, Instructions: 36COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.1952342139.0000000001940000.00000040.00001000.00020000.00000000.sdmp, Offset: 01940000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_1940000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6168c74df7881035f69970a17cdbc8bbd68c52d06f01b9a11dec5043249d3eba
Instruction ID: 51bdac4e61a2482938eff18943618284d7c78c6918dc6159002f7e168c705c98
Opcode Fuzzy Hash: 6168c74df7881035f69970a17cdbc8bbd68c52d06f01b9a11dec5043249d3eba
Instruction Fuzzy Hash: 99F05472B11511BBD321AA4DCC80F16B76DAFD5A60F1A0469AB0C9B270C760EC0187D1

Function 019A0854 Relevance: .0, Instructions: 35COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.1952342139.0000000001940000.00000040.00001000.00020000.00000000.sdmp, Offset: 01940000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_1940000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4cdcb84ab97496671339d5fdb647af6bc44589d2c26ee95e7ea7cdc637936955
Instruction ID: f80da56a3b5c772ae4c6357e94266c6e86cddda225877d34c282fb612a1cedc1
Opcode Fuzzy Hash: 4cdcb84ab97496671339d5fdb647af6bc44589d2c26ee95e7ea7cdc637936955
Instruction Fuzzy Hash: A8F0B472610204AFE714DB25CC05F56B6EDFF98340F198478A549D71A0FAB1ED05C699

Function 019FC912 Relevance: .0, Instructions: 34COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.1952342139.0000000001940000.00000040.00001000.00020000.00000000.sdmp, Offset: 01940000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_1940000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a69b0b4e9f8a78f35a3c59b3c89ba2b99563075d1cac2b7b3bbcabf341855f51
Instruction ID: 30616252ddf64968468ccdcb3fd3779e70d618ec5809bf5b0619575ee8b7c19f
Opcode Fuzzy Hash: a69b0b4e9f8a78f35a3c59b3c89ba2b99563075d1cac2b7b3bbcabf341855f51
Instruction Fuzzy Hash: 92F0AF70A0020DEFCB04EF69C551E9EB7F4EF58300F008069A909EB385DA34EA01CB50

Function 019747FB Relevance: .0, Instructions: 33COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.1952342139.0000000001940000.00000040.00001000.00020000.00000000.sdmp, Offset: 01940000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_1940000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4b594fb95c941d6098b3141fec05486c93ea1246fca21c867463ccdfbb59bd39
Instruction ID: 388bfb7c8cb48f84f90317649fd42d19a14333099f35f496dbfb54f9191eb093
Opcode Fuzzy Hash: 4b594fb95c941d6098b3141fec05486c93ea1246fca21c867463ccdfbb59bd39
Instruction Fuzzy Hash: 49F0BE719167E99FE732DB6CC444FE5BBDC9F02622F08896AD59D87503C734D880CA52

Function 01A30115 Relevance: .0, Instructions: 32COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.1952342139.0000000001940000.00000040.00001000.00020000.00000000.sdmp, Offset: 01940000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_1940000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9ab37a2a3894ac7bc84a11fe16f8d71324723db1284f88f9482807b5db998552
Instruction ID: 184d748542d851688ba54c47b14b392a42811d61fe46705ee79a6b302fee904c
Opcode Fuzzy Hash: 9ab37a2a3894ac7bc84a11fe16f8d71324723db1284f88f9482807b5db998552
Instruction Fuzzy Hash: 9FF0202B41A7901ADF366B2C7BA03D16F68A782510F091089FCA8A721AC5748883C320

Function 019AC5ED Relevance: .0, Instructions: 31COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.1952342139.0000000001940000.00000040.00001000.00020000.00000000.sdmp, Offset: 01940000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_1940000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 78880d712d7273b951d0fc47c377c971480ad834122fe2aebb96b0d4eb7b4630
Instruction ID: 6a955e85739e74fc2d81c708b36298da208d13a9c37b0d4bfe86da934a3634a0
Opcode Fuzzy Hash: 78880d712d7273b951d0fc47c377c971480ad834122fe2aebb96b0d4eb7b4630
Instruction Fuzzy Hash: 58F0E2B19116979FE332D71CC148F55BBDCAB447A2F8A9825D40E8F612C260F888CAD0

Function 019B2619 Relevance: .0, Instructions: 31COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.1952342139.0000000001940000.00000040.00001000.00020000.00000000.sdmp, Offset: 01940000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_1940000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6c7572fa5744a55e43c142e8942155ae64e2404789e34097860efd8d5a2ca0e7
Instruction ID: 10a99af8a92f6f9888af9b8395243ab987ef9dcc49652e0bc24c8e97daf741f3
Opcode Fuzzy Hash: 6c7572fa5744a55e43c142e8942155ae64e2404789e34097860efd8d5a2ca0e7
Instruction Fuzzy Hash: 00E0D8723006016BE712AF59CDC4F87776EDFD2B10F05007AB6085F292CAE2EC0982A4

Function 01A06030 Relevance: .0, Instructions: 29COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.1952342139.0000000001940000.00000040.00001000.00020000.00000000.sdmp, Offset: 01940000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_1940000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2f21787fc4cf88bc2024fb188b518997cea13084236808dfde9be923dffdf6d3
Instruction ID: 00ac95d2cde37c58738621f68ba14e48e93c3fa474a5d36a6783e15eb0c634f5
Opcode Fuzzy Hash: 2f21787fc4cf88bc2024fb188b518997cea13084236808dfde9be923dffdf6d3
Instruction Fuzzy Hash: 8DF03072544204AFE322DF09E984F92B7F8EB45379F46C025E60D9B5A1D37AEC50CBA4

Function 01970710 Relevance: .0, Instructions: 28COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.1952342139.0000000001940000.00000040.00001000.00020000.00000000.sdmp, Offset: 01940000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_1940000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 09d204908d37cdfbcfc5d4a721560e7c3d6986de64c378e18d154b12347e5c6c
Instruction ID: f8977ed705aae78a0e5e4776cea7ef29ecc7ed267db6f883e0cb783b16c5af28
Opcode Fuzzy Hash: 09d204908d37cdfbcfc5d4a721560e7c3d6986de64c378e18d154b12347e5c6c
Instruction Fuzzy Hash: 7AF0E5392043859BDB16DF1AD440AA5BFA8FF46750F040458F84A8B301D731EA81CB51

Function 019A49D0 Relevance: .0, Instructions: 28COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.1952342139.0000000001940000.00000040.00001000.00020000.00000000.sdmp, Offset: 01940000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_1940000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f1b670d1cf9650df618e53f56da6216e466ca8c332a8d3f17e7fbf4f9511b07c
Instruction ID: 1b94e704949699e6afda7e43e161b31a3343d21a60db63e5ef664b1f1f2935fb
Opcode Fuzzy Hash: f1b670d1cf9650df618e53f56da6216e466ca8c332a8d3f17e7fbf4f9511b07c
Instruction Fuzzy Hash: A2E0D832244145ABD3212A59C810F6677A9DBD07A1F9A0429E20DDB150DBF0DC44C7D8

Function 01A44164 Relevance: .0, Instructions: 27COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.1952342139.0000000001940000.00000040.00001000.00020000.00000000.sdmp, Offset: 01940000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_1940000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b89ab234c5c9c77a25c8b05ae04d76971887fedd77ed4c1e42521a7d156bcbe3
Instruction ID: f319ea142260303e0f90e3e588cebdcca20903494abf0d8898c03eb4c83aa3c7
Opcode Fuzzy Hash: b89ab234c5c9c77a25c8b05ae04d76971887fedd77ed4c1e42521a7d156bcbe3
Instruction Fuzzy Hash: 10F09271A26B918FE7B2D72CE684F5677E4AF98630F1A09A5D40587912C724EC80C650

Function 01A1678E Relevance: .0, Instructions: 27COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.1952342139.0000000001940000.00000040.00001000.00020000.00000000.sdmp, Offset: 01940000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_1940000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9c57e87189bc66aa7caf2535f5315d36853ca328742cb6eaba8c93c68780cd6a
Instruction ID: ceb838738d7b33c896ce616c723c728754f4187dc838c99db075df37880e1bd1
Opcode Fuzzy Hash: 9c57e87189bc66aa7caf2535f5315d36853ca328742cb6eaba8c93c68780cd6a
Instruction Fuzzy Hash: BCE0DF32A01110BBEB21AB99CD05F9ABEACDB90EA0F050054B609E70E4E5B0EE04C6D0

Function 01A408C0 Relevance: .0, Instructions: 25COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.1952342139.0000000001940000.00000040.00001000.00020000.00000000.sdmp, Offset: 01940000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_1940000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c6a5ad91a7d0f1a4d9806dabaf8f22ecb250b1deeb68cfbfcde1a852261f70b4
Instruction ID: bce5fa03d3a8db53f6b8138ad598857bfac486937c41e9050d2e70f599639ea9
Opcode Fuzzy Hash: c6a5ad91a7d0f1a4d9806dabaf8f22ecb250b1deeb68cfbfcde1a852261f70b4
Instruction Fuzzy Hash: EAE09B316403548BDB268B3DC340AD3B7E8DFD5760F158069EE0547612C231F842D6D0

Function 019725E0 Relevance: .0, Instructions: 23COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.1952342139.0000000001940000.00000040.00001000.00020000.00000000.sdmp, Offset: 01940000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_1940000_RegSvcs.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 5d3877477ef41ac7d77b134c4fedb2cb5106369c0623ae102b60fddaee979e4f
Instruction ID: 438166b113e183f8efb301df8e0e20ee1468b0c2ad553964b58e590076680648
Opcode Fuzzy Hash: 5d3877477ef41ac7d77b134c4fedb2cb5106369c0623ae102b60fddaee979e4f
Instruction Fuzzy Hash: 19E092721109549BC722BF29DD01F8A779AEFA0760F014525F119571A0CA30AD10C784

Function 01A2A456 Relevance: .0, Instructions: 23COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.1952342139.0000000001940000.00000040.00001000.00020000.00000000.sdmp, Offset: 01940000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_1940000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1c3962ef014767a9d047a1ce435ecdb8fc5cd5a05dfca32f291fec24eb47eca0
Instruction ID: d75071042eb575dafb6d845849950ab1d1b37b6a464f16d9630cbdafbbd42245
Opcode Fuzzy Hash: 1c3962ef014767a9d047a1ce435ecdb8fc5cd5a05dfca32f291fec24eb47eca0
Instruction Fuzzy Hash: ABE0ED31011661DFEB366B2AD948B52BAE5AF90711F148829E19A168B1C775D881CA40

Function 019F4000 Relevance: .0, Instructions: 22COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.1952342139.0000000001940000.00000040.00001000.00020000.00000000.sdmp, Offset: 01940000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_1940000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d217a6aac874400d2fdd0dd0cc4ad7a97c57c110d53f39d941a96e3fabb04b1b
Instruction ID: 01f050086522e08821e75038a8687240fa6f86b474d9b9c7dbf7b99b8ab56642
Opcode Fuzzy Hash: d217a6aac874400d2fdd0dd0cc4ad7a97c57c110d53f39d941a96e3fabb04b1b
Instruction Fuzzy Hash: B5E0C2343003059FE715CF19C040B637BBABFD5A11F28C078AA488F205EB32E842CB40

Function 019ACA38 Relevance: .0, Instructions: 22COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.1952342139.0000000001940000.00000040.00001000.00020000.00000000.sdmp, Offset: 01940000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_1940000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 95c64258209c65742f2f9d1f9a1080d5e26a92657b2b620242d409b7ebf8df31
Instruction ID: fec88ea25622dda512ade36ff2a9b9401d13b35e352f1b27276a9a1975a4005c
Opcode Fuzzy Hash: 95c64258209c65742f2f9d1f9a1080d5e26a92657b2b620242d409b7ebf8df31
Instruction Fuzzy Hash: 4BD02B324850217ECF76F128BC14FB33A9D9B80620F064870F10D96021D534DC8582C4

Function 0196823B Relevance: .0, Instructions: 21COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.1952342139.0000000001940000.00000040.00001000.00020000.00000000.sdmp, Offset: 01940000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_1940000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2b708af5a461c1f99ac8d3b2cba32ed51933f6cdd1bf79975374bbcdf42faac7
Instruction ID: 05ca9018219fa3d52d2ef065f9d31205bb33c7cfa0cec0e75c1a11a39750dc26
Opcode Fuzzy Hash: 2b708af5a461c1f99ac8d3b2cba32ed51933f6cdd1bf79975374bbcdf42faac7
Instruction Fuzzy Hash: A0E0CD31450720DFDB322F15DD10F5176A9FF94F91F104C29E08D150648770AC81CB54

Function 01972050 Relevance: .0, Instructions: 20COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.1952342139.0000000001940000.00000040.00001000.00020000.00000000.sdmp, Offset: 01940000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_1940000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 158e8fcae2282b281bac5536f1191a5b11434ace26574955ace6d1692177e45a
Instruction ID: 7038f0275dbdef6565b655c23d066d430f877bc6831d8329febc58dcd68c0145
Opcode Fuzzy Hash: 158e8fcae2282b281bac5536f1191a5b11434ace26574955ace6d1692177e45a
Instruction Fuzzy Hash: 39E0C2322104506BC311FF5DED00F4A739EEFE4660F004122F158872E0CA60ED01C794

Function 019A8A90 Relevance: .0, Instructions: 20COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.1952342139.0000000001940000.00000040.00001000.00020000.00000000.sdmp, Offset: 01940000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_1940000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4861f5a381a69e507ddb33788bd9690c3cd67957beffc440e81982ecee0e9c4e
Instruction ID: 2223ed9a4e7bfe520bc1158999e48108539d0bf2f37d321876512adb9c471776
Opcode Fuzzy Hash: 4861f5a381a69e507ddb33788bd9690c3cd67957beffc440e81982ecee0e9c4e
Instruction Fuzzy Hash: C2E08633111A1487C728EE58D525B7277A8EF45721F09463EA61747780C534E948C7D4

Function 019C6AA4 Relevance: .0, Instructions: 17COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.1952342139.0000000001940000.00000040.00001000.00020000.00000000.sdmp, Offset: 01940000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_1940000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2a1cd49be4a36f16e465d6e8719326e712c3afc978f3fe3bf45b66f7a6b88852
Instruction ID: 9424f4d5f144d0d2e62c245336b2bfe8e058983e2d4eb6f944fd22f65a08c37d
Opcode Fuzzy Hash: 2a1cd49be4a36f16e465d6e8719326e712c3afc978f3fe3bf45b66f7a6b88852
Instruction Fuzzy Hash: DCD05E36511A50AFC3329F1BEA00C13BBF9FBC4E11705062EA54A83A20C671E806CBA0

Function 019AE59C Relevance: .0, Instructions: 16COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.1952342139.0000000001940000.00000040.00001000.00020000.00000000.sdmp, Offset: 01940000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_1940000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7eba0efce7d9c3098aed64107f138979cd55621edccfcfde5a0f983e140fadca
Instruction ID: 8560d89c011db4220f7e04cbf266c428abcc13ce843a2e07a3a6ada4970c4c2e
Opcode Fuzzy Hash: 7eba0efce7d9c3098aed64107f138979cd55621edccfcfde5a0f983e140fadca
Instruction Fuzzy Hash: 4ED0A932A14620ABDB32AA1CFC04FC333E9BB88B21F060459B008C7250C360EC81CA84

Function 019EE908 Relevance: .0, Instructions: 16COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.1952342139.0000000001940000.00000040.00001000.00020000.00000000.sdmp, Offset: 01940000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_1940000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6e9bfb4306c29fdb1c5fce9039323a2740af754b7679fb8de59faa530781556d
Instruction ID: 6e1220f9e3bfb1ce47e4e664a08e96924bcc6cb67c9befa13f79481eed8dccfc
Opcode Fuzzy Hash: 6e9bfb4306c29fdb1c5fce9039323a2740af754b7679fb8de59faa530781556d
Instruction Fuzzy Hash: 3BE0EC75A506849BDF17EF59D644F5ABBF9BB94B40F150054A50C5B661C624E900CB40

Function 0196A0E3 Relevance: .0, Instructions: 15COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.1952342139.0000000001940000.00000040.00001000.00020000.00000000.sdmp, Offset: 01940000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_1940000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c1fe28d2b99599f70fe9b16ebd98ffdfbd128d642cd65cc2bf81b3ea4870f6a7
Instruction ID: b43ca8685e406d5879d561e6263c848443000f3a91f9d321cc5c2db41c7e0b32
Opcode Fuzzy Hash: c1fe28d2b99599f70fe9b16ebd98ffdfbd128d642cd65cc2bf81b3ea4870f6a7
Instruction Fuzzy Hash: 06D0223222603093CB2866556800F63790DABC1AD4F0A002C780EA3800C4048C42C2F0

Function 019AA830 Relevance: .0, Instructions: 14COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.1952342139.0000000001940000.00000040.00001000.00020000.00000000.sdmp, Offset: 01940000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_1940000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 950ff3e2fa24c389401d46e2ae40292d2d63fe10973766e9e1870c80e88d3a0a
Instruction ID: 1394e5cff071bebd0c9177a9ce57045ca991f13c050e964ebdc06dd48a1c6bb4
Opcode Fuzzy Hash: 950ff3e2fa24c389401d46e2ae40292d2d63fe10973766e9e1870c80e88d3a0a
Instruction Fuzzy Hash: 9DD012771E054DBBCB11AF66DC01F957BA9E7A4BA0F444020B908875A0C63AE950D584

Function 019ACA24 Relevance: .0, Instructions: 14COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.1952342139.0000000001940000.00000040.00001000.00020000.00000000.sdmp, Offset: 01940000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_1940000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3e342c310f8563ff31537e3a59a07ed49e199744521ff2adefc82b291b63a34c
Instruction ID: 5f1fe09dbe02f19f87b679d8be3cbc2d652ab5bf234499a7359c6ec85751d29e
Opcode Fuzzy Hash: 3e342c310f8563ff31537e3a59a07ed49e199744521ff2adefc82b291b63a34c
Instruction Fuzzy Hash: BDD0A739515401CBDF1BDF48C528D3E36B4FB10A41B80006CE70855120F324DC01C640

Function 019802A0 Relevance: .0, Instructions: 13COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.1952342139.0000000001940000.00000040.00001000.00020000.00000000.sdmp, Offset: 01940000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_1940000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 153dea5617c300a23885095067624b68861a72d9651cf20dee72da6dc6a95444
Instruction ID: ff970529f8acc682f13e5d09298b0029ff8f148065cd8ba1488bb804e59416f1
Opcode Fuzzy Hash: 153dea5617c300a23885095067624b68861a72d9651cf20dee72da6dc6a95444
Instruction Fuzzy Hash: 93D0C935712E80CFD71BCB1CC5A4F1533A8BB44B85F854890F405CBB62D67CD944CA00

Function 019AC700 Relevance: .0, Instructions: 12COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.1952342139.0000000001940000.00000040.00001000.00020000.00000000.sdmp, Offset: 01940000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_1940000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a4bbd7c5c996c6314633515492723e329d7ccf5f4dcb798370ffde6045762c53
Instruction ID: 3738947b8e7a48be8a42b5abdf37e76557e4aa45d7eb8c4645cf4230289d8fd7
Opcode Fuzzy Hash: a4bbd7c5c996c6314633515492723e329d7ccf5f4dcb798370ffde6045762c53
Instruction Fuzzy Hash: 9EC012322A0648AFC712AA99CD01F027BA9EBA8B40F000021F6088B670C631E920EA84

Function 01990310 Relevance: .0, Instructions: 11COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.1952342139.0000000001940000.00000040.00001000.00020000.00000000.sdmp, Offset: 01940000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_1940000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b20a69916aee968c3675073d0381efa581de60bf3984a7ac555cf611b84c4bee
Instruction ID: 877cc927a8a329dbb2179a7166f93c5a2f11c32cf7c6914c05d63b305803a459
Opcode Fuzzy Hash: b20a69916aee968c3675073d0381efa581de60bf3984a7ac555cf611b84c4bee
Instruction Fuzzy Hash: 3BD01236100249EFCB01DF45C890D9A772EFBD8710F548019FD19076108A31ED62DA50

Function 01970750 Relevance: .0, Instructions: 9COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.1952342139.0000000001940000.00000040.00001000.00020000.00000000.sdmp, Offset: 01940000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_1940000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8541d5aa43a0a658d79fe6471d8132b1696e53b2ec5469e0c5791f15c56add93
Instruction ID: c47500ef7c6eabff617f7780d6300310e27d895b4cbd776735a974f0061a219c
Opcode Fuzzy Hash: 8541d5aa43a0a658d79fe6471d8132b1696e53b2ec5469e0c5791f15c56add93
Instruction Fuzzy Hash: 1CC04C757415418FCF15DF1AD294F5577E4F744B41F150890E849CB722E724F901CA11

Function 019B4340 Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.1952342139.0000000001940000.00000040.00001000.00020000.00000000.sdmp, Offset: 01940000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_1940000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a3a1663122e51471450f0877b9f7c8c54be2e3dba8a844d6474d09703237463e
Instruction ID: 95cb35298ceecb014cdd9338552a4696a2e44fead96e3383f85ebc9899e88fff
Opcode Fuzzy Hash: a3a1663122e51471450f0877b9f7c8c54be2e3dba8a844d6474d09703237463e
Instruction Fuzzy Hash: 08900231605900129140715D48885468049A7E0701B55C015E0864554CCA158A565362

Function 019B4650 Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.1952342139.0000000001940000.00000040.00001000.00020000.00000000.sdmp, Offset: 01940000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_1940000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 341a50457c6cc3545ede8ec2bf4b73bebe80afb6ccf416dedd5f8f8cec0db43a
Instruction ID: 63595d7cd78100c7b308decb5feb4dd67cb73fc272210f196e99a5b392148aec
Opcode Fuzzy Hash: 341a50457c6cc3545ede8ec2bf4b73bebe80afb6ccf416dedd5f8f8cec0db43a
Instruction Fuzzy Hash: AE900261601600424140715D4808406A049A7E1701395C119A0994560CC6198955936A

Function 019B2B80 Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.1952342139.0000000001940000.00000040.00001000.00020000.00000000.sdmp, Offset: 01940000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_1940000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ca418cfcf3c29a8339642d8cca4ccdc2798923d3ef4587e34d4f80c711b435cc
Instruction ID: cee0129f1b3bb350c7036a3c4c6510428309dabf6768d579bb3440e3ada2ea69
Opcode Fuzzy Hash: ca418cfcf3c29a8339642d8cca4ccdc2798923d3ef4587e34d4f80c711b435cc
Instruction Fuzzy Hash: CB90023120150802D104715D4808686404997D0701F55C015A6464655ED66689917232

Function 019B2BA0 Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.1952342139.0000000001940000.00000040.00001000.00020000.00000000.sdmp, Offset: 01940000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_1940000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 401fc4c4b80e2afbc64d50429308d211b5df3699b3b28facf617f4e3e848f1b1
Instruction ID: eff29237300c237908f1fb27dffb3e896397e68d23010d5e7c1e759ba56101cc
Opcode Fuzzy Hash: 401fc4c4b80e2afbc64d50429308d211b5df3699b3b28facf617f4e3e848f1b1
Instruction Fuzzy Hash: 1A90023160550802D150715D4418746404997D0701F55C015A0464654DC7568B5577A2

Function 019B2BF0 Relevance: .0, Instructions: 4COMMONLIBRARYCODE

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.1952342139.0000000001940000.00000040.00001000.00020000.00000000.sdmp, Offset: 01940000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_1940000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1f6078a81e48d0a9c10668b9903883b17f79781e21d2d2716bfa451ba9fadf13
Instruction ID: 97bc19290bf56248abdf55632e99e561b9ce35ded7d9b982bc9139883f9165f5
Opcode Fuzzy Hash: 1f6078a81e48d0a9c10668b9903883b17f79781e21d2d2716bfa451ba9fadf13
Instruction Fuzzy Hash: 9590023120150802D180715D440864A404997D1701F95C019A0465654DCA168B5977A2

Function 019B2BE0 Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.1952342139.0000000001940000.00000040.00001000.00020000.00000000.sdmp, Offset: 01940000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_1940000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a11095d35b32d3171387a9081a4a10e66ca75171d92c9b1e6301e6b3bb795482
Instruction ID: c88ad340832de915e33e977c27835fce7bbb76671681200a132eb43c5a8e32b2
Opcode Fuzzy Hash: a11095d35b32d3171387a9081a4a10e66ca75171d92c9b1e6301e6b3bb795482
Instruction Fuzzy Hash: 4290023120554842D140715D4408A46405997D0705F55C015A04A4694DD6268E55B762

Function 019B2AB0 Relevance: .0, Instructions: 4COMMONLIBRARYCODE

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.1952342139.0000000001940000.00000040.00001000.00020000.00000000.sdmp, Offset: 01940000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_1940000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 906aa0c60605b7f294e4f43b2debf10f0ef12686f762c9ca25ec00e8d9a4c629
Instruction ID: 6b07191000d28be99729a8c7e44288fdc0ca5e96bef14866b41de2a9b24c40ae
Opcode Fuzzy Hash: 906aa0c60605b7f294e4f43b2debf10f0ef12686f762c9ca25ec00e8d9a4c629
Instruction Fuzzy Hash: 619002A1201640924500B25D8408B0A854997E0601B55C01AE1494560CC52689519236

Function 019B2AD0 Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.1952342139.0000000001940000.00000040.00001000.00020000.00000000.sdmp, Offset: 01940000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_1940000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 09c91a52b616b8bb9e35744ccca919d3a770b0c94ac256cdfea2379132fd4d42
Instruction ID: f78ef36688d76e58862339da5c84c517e598cbc4fea87ff9d09b94dd6c8a097d
Opcode Fuzzy Hash: 09c91a52b616b8bb9e35744ccca919d3a770b0c94ac256cdfea2379132fd4d42
Instruction Fuzzy Hash: 27900435311500030105F55D070C50740CFD7D5751355C035F1455550CD733CD715333

Function 019B2AF0 Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.1952342139.0000000001940000.00000040.00001000.00020000.00000000.sdmp, Offset: 01940000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_1940000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f4e6628b8af5bffe48e20083476c1afd5b40c3538393aa8cf6b838dde889b937
Instruction ID: 8453c6362d0f14e53577b88ed7daae9dc69222e0b2b44ca924321c37f7e44a33
Opcode Fuzzy Hash: f4e6628b8af5bffe48e20083476c1afd5b40c3538393aa8cf6b838dde889b937
Instruction Fuzzy Hash: C3900225221500020145B55D060850B4489A7D6751395C019F1856590CC62289655322

Function 019B2DB0 Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.1952342139.0000000001940000.00000040.00001000.00020000.00000000.sdmp, Offset: 01940000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_1940000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e6c83549c4898d761ee7b1a0046a31b28e4ef3fa6a95bf5ef03aff9141041cef
Instruction ID: 9ae26954dc0fdbe7d00d347ca592591ec077c4bb6aa89be577203f72783d2d5a
Opcode Fuzzy Hash: e6c83549c4898d761ee7b1a0046a31b28e4ef3fa6a95bf5ef03aff9141041cef
Instruction Fuzzy Hash: DE90023124150402D141715D4408606404DA7D0641F95C016A0864554EC6568B56AB62

Function 019B2DD0 Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.1952342139.0000000001940000.00000040.00001000.00020000.00000000.sdmp, Offset: 01940000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_1940000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: eb6ae8f83d8f34427aa9e7ca8e7aed20ce4e8f14b884bd3b455f6b2cadbe6018
Instruction ID: d983a1b8d028dd6576b4093e65cd7d0ce0c38c73a51a0c3ea170c5c0e9510d80
Opcode Fuzzy Hash: eb6ae8f83d8f34427aa9e7ca8e7aed20ce4e8f14b884bd3b455f6b2cadbe6018
Instruction Fuzzy Hash: C3900221242541525545B15D4408507804AA7E0641795C016A1854950CC5279956D722

Function 019B2D10 Relevance: .0, Instructions: 4COMMONLIBRARYCODE

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.1952342139.0000000001940000.00000040.00001000.00020000.00000000.sdmp, Offset: 01940000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_1940000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: bf1fd3886caaae09ebe244d64f8edd069345970f60807148ac660fe30226f3f8
Instruction ID: b65bf95bb8d0085ea9674ff729a4ec5c1109426aaab69ed7337f488a08dc2a40
Opcode Fuzzy Hash: bf1fd3886caaae09ebe244d64f8edd069345970f60807148ac660fe30226f3f8
Instruction Fuzzy Hash: 2190022921350002D180715D540C60A404997D1602F95D419A0455558CC91689695322

Function 019B2D00 Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.1952342139.0000000001940000.00000040.00001000.00020000.00000000.sdmp, Offset: 01940000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_1940000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e41494b9095b4c0a50ea9fb3ad72fcedd24bc437622d0f840d4d4180701bb25c
Instruction ID: 8aefeb364be236be2e9e9de819e92a74a9c7d9f3c340dff2f7b934a5c519913b
Opcode Fuzzy Hash: e41494b9095b4c0a50ea9fb3ad72fcedd24bc437622d0f840d4d4180701bb25c
Instruction Fuzzy Hash: 2390022120554442D100755D540CA06404997D0605F55D015A14A4595DC6368951A232

Function 019B2D30 Relevance: .0, Instructions: 4COMMONLIBRARYCODE

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.1952342139.0000000001940000.00000040.00001000.00020000.00000000.sdmp, Offset: 01940000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_1940000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b586b8a951c6bbd0968e9c17ddea796b69f7706a815cc7a9ffe517f2198ab558
Instruction ID: 9503c40cfe47010aad1b81da388e2403d712609fabfe08754fb59236691a763d
Opcode Fuzzy Hash: b586b8a951c6bbd0968e9c17ddea796b69f7706a815cc7a9ffe517f2198ab558
Instruction Fuzzy Hash: 8490022130150003D140715D541C6068049E7E1701F55D015E0854554CD91689565323

Function 019B2CA0 Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.1952342139.0000000001940000.00000040.00001000.00020000.00000000.sdmp, Offset: 01940000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_1940000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: def3fe7b987e7ef4fcf40c35afd17032da265ed96788e7d5888aebf34a3fe433
Instruction ID: cabc04651fc24560531abf1ab511d2edd8ea5fb42d1159100516b91b93acad88
Opcode Fuzzy Hash: def3fe7b987e7ef4fcf40c35afd17032da265ed96788e7d5888aebf34a3fe433
Instruction Fuzzy Hash: F290023120150402D100759D540C646404997E0701F55D015A5464555EC66689916232

Function 019B2CC0 Relevance: .0, Instructions: 4COMMONLIBRARYCODE

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.1952342139.0000000001940000.00000040.00001000.00020000.00000000.sdmp, Offset: 01940000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_1940000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1350e27fccdb3df4d2b171ba901dab06080122d5cb811a6fdc2d3418613f0ef4
Instruction ID: 411b39f734011057f29eebffd64347d4f2261f56013dd6e9a89ee096a2a7d8ec
Opcode Fuzzy Hash: 1350e27fccdb3df4d2b171ba901dab06080122d5cb811a6fdc2d3418613f0ef4
Instruction Fuzzy Hash: D690022160550402D140715D541C706405997D0601F55D015A0464554DC65A8B5567A2

Function 019B2CF0 Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.1952342139.0000000001940000.00000040.00001000.00020000.00000000.sdmp, Offset: 01940000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_1940000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: abd8dc81200c3903cf27c772b3b2322c95d16fc69cc9838bbb89dc99dcc4c060
Instruction ID: 8f2739d2b07f3d7e595066c13fd1b7f872f1a7730375d57ce2bc204bf8e30c71
Opcode Fuzzy Hash: abd8dc81200c3903cf27c772b3b2322c95d16fc69cc9838bbb89dc99dcc4c060
Instruction Fuzzy Hash: 7490043130150403D100715D550C707404DD7D0701F55D415F0C7455CDD757CD517333

Function 019B2C60 Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.1952342139.0000000001940000.00000040.00001000.00020000.00000000.sdmp, Offset: 01940000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_1940000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4cd7e6daaa6463e1624b0f1e4e5d244d0da98338132e1a841f8fb6b4d2854bbe
Instruction ID: 557f0d1f7d3d5640de78d1ece46e4c5b672788eeed3415c5e4bfb0629b843386
Opcode Fuzzy Hash: 4cd7e6daaa6463e1624b0f1e4e5d244d0da98338132e1a841f8fb6b4d2854bbe
Instruction Fuzzy Hash: E090023120150842D100715D4408B46404997E0701F55C01AA0564654DC616C9517622

Function 019B2F90 Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.1952342139.0000000001940000.00000040.00001000.00020000.00000000.sdmp, Offset: 01940000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_1940000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a8a8208b497d52248e708af636b2c68bd6359ae6317ee256a9341c74ee8ef3c0
Instruction ID: 367421d6d7184c343c040de7353f481dcc730c63b52f18933fe1b512b96e0791
Opcode Fuzzy Hash: a8a8208b497d52248e708af636b2c68bd6359ae6317ee256a9341c74ee8ef3c0
Instruction Fuzzy Hash: DE90023120190402D100715D481870B404997D0702F55C015A15A4555DC62689516672

Function 019B2FB0 Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.1952342139.0000000001940000.00000040.00001000.00020000.00000000.sdmp, Offset: 01940000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_1940000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8c5ad30f220bca3d152cc9682d8778dee21067abb73dc9c6791705628a2629b8
Instruction ID: 165cd7c46f07416fcd9577525467ce7ed16b58bd9fe3b13a0583f68472a9d4b9
Opcode Fuzzy Hash: 8c5ad30f220bca3d152cc9682d8778dee21067abb73dc9c6791705628a2629b8
Instruction Fuzzy Hash: 3C900221601500424140716D88489068049BBE1611755C125A0DD8550DC55A89655766

Function 019B2FA0 Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.1952342139.0000000001940000.00000040.00001000.00020000.00000000.sdmp, Offset: 01940000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_1940000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 872e72e1304018ecf05201c9538f756db8a9fde9ae74a4361ec394b94aa0af41
Instruction ID: 785891e2e9bb5231b5293245b1943848900839201948ec218a17bf22741072a2
Opcode Fuzzy Hash: 872e72e1304018ecf05201c9538f756db8a9fde9ae74a4361ec394b94aa0af41
Instruction Fuzzy Hash: 8190023120190402D100715D480C747404997D0702F55C015A55A4555EC666C9916632

Function 019B2FE0 Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.1952342139.0000000001940000.00000040.00001000.00020000.00000000.sdmp, Offset: 01940000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_1940000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 17394b965e45239545c88efdc29d364c1c14d725f145c331716152fe990f6ebc
Instruction ID: db93809bfe5635a2b533a338371ea48971a4ff29ae768248f8798f15bf78ac9b
Opcode Fuzzy Hash: 17394b965e45239545c88efdc29d364c1c14d725f145c331716152fe990f6ebc
Instruction Fuzzy Hash: 21900221211D0042D200756D4C18B07404997D0703F55C119A0594554CC91689615622

Function 019B2F30 Relevance: .0, Instructions: 4COMMONLIBRARYCODE

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.1952342139.0000000001940000.00000040.00001000.00020000.00000000.sdmp, Offset: 01940000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_1940000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ff0539db6f7b36662747ddba8566cff143cb0c89e027ec7d747a4381688e7d1b
Instruction ID: b9505a9100ea674b2ce718183ac572f9952739c775e003678870d385c053c9d1
Opcode Fuzzy Hash: ff0539db6f7b36662747ddba8566cff143cb0c89e027ec7d747a4381688e7d1b
Instruction Fuzzy Hash: FD90026134150442D100715D4418B064049D7E1701F55C019E14A4554DC61ACD526227

Function 019B2F60 Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.1952342139.0000000001940000.00000040.00001000.00020000.00000000.sdmp, Offset: 01940000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_1940000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8937d44765e3deeda8d2fd39beb7df1dbbd6fbe09477a2aefe253a57d3961774
Instruction ID: 472a3d628929d31f82b7c1adaff5950d67f1044e91e5ee62a003c6003fbdb165
Opcode Fuzzy Hash: 8937d44765e3deeda8d2fd39beb7df1dbbd6fbe09477a2aefe253a57d3961774
Instruction Fuzzy Hash: 6490026121150042D104715D4408706408997E1601F55C016A2594554CC52A8D615226

Function 019B2E80 Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.1952342139.0000000001940000.00000040.00001000.00020000.00000000.sdmp, Offset: 01940000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_1940000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5b1ca738d3ddadb475dd259494ebb5447c35ae9008329e12c175f61ca0351642
Instruction ID: 1e61e3e1f58f7a601627ea3e524b4598c4ffeae93fe9a0c039914e4ad507eeb9
Opcode Fuzzy Hash: 5b1ca738d3ddadb475dd259494ebb5447c35ae9008329e12c175f61ca0351642
Instruction Fuzzy Hash: 2990022160150502D101715D4408616404E97D0641F95C026A1464555ECA268A92A232

Function 019B2EA0 Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.1952342139.0000000001940000.00000040.00001000.00020000.00000000.sdmp, Offset: 01940000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_1940000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 98e1ac410ad8c8833f8aab0a661aa8d46d34367c17877ec008c7824817c08b0c
Instruction ID: 890cb72de919d3121e0d463d2f291cef7cfe8a3e25ef599470d5bc152b84bca2
Opcode Fuzzy Hash: 98e1ac410ad8c8833f8aab0a661aa8d46d34367c17877ec008c7824817c08b0c
Instruction Fuzzy Hash: 4B90027120150402D140715D4408746404997D0701F55C015A54A4554EC65A8ED56766

Function 019B2EE0 Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.1952342139.0000000001940000.00000040.00001000.00020000.00000000.sdmp, Offset: 01940000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_1940000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0a12fdaa2c124a2acfc85e5f29da7a9ef21a5982dae39bfdf9026fc605855653
Instruction ID: abb79cf1ae1c3cff8aa389fa5d0ba9d1a266bc90270e4fcae82eabfee87760bd
Opcode Fuzzy Hash: 0a12fdaa2c124a2acfc85e5f29da7a9ef21a5982dae39bfdf9026fc605855653
Instruction Fuzzy Hash: DF90026120190403D140755D4808607404997D0702F55C015A24A4555ECA2A8D516236

Function 019B2E30 Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.1952342139.0000000001940000.00000040.00001000.00020000.00000000.sdmp, Offset: 01940000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_1940000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 87c1a0a030f6425ef38704438285438a228d3d5fff422db85eeb18dc68257927
Instruction ID: edd540067541c99407af4543fc6e46f37abacbe0ac71431754f62713ecb9a6e6
Opcode Fuzzy Hash: 87c1a0a030f6425ef38704438285438a228d3d5fff422db85eeb18dc68257927
Instruction Fuzzy Hash: 6090022130150402D102715D4418606404DD7D1745F95C016E1864555DC6268A53A233

Function 019B3090 Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.1952342139.0000000001940000.00000040.00001000.00020000.00000000.sdmp, Offset: 01940000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_1940000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c7ed0cb35bde3770ef69b2bb396de03e5b7617549f4c35bbac50e50d29c2101f
Instruction ID: 9c02f12f4d2245d417e7a0e6074ec4fe5a89e4a4719f67ee096a3a80b9910057
Opcode Fuzzy Hash: c7ed0cb35bde3770ef69b2bb396de03e5b7617549f4c35bbac50e50d29c2101f
Instruction Fuzzy Hash: B190022124150802D140715D8418707404AD7D0A01F55C015A0464554DC6178A6567B2

Function 019B3010 Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.1952342139.0000000001940000.00000040.00001000.00020000.00000000.sdmp, Offset: 01940000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_1940000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f7ec8e810ab0e44b390c33fc2134ad591e3d0211f9a061c487ec8587ce62a1da
Instruction ID: bcdb558a79ed4b87f4fee23f8193ace5028fd14e52e987bbcce80bb4bfec543f
Opcode Fuzzy Hash: f7ec8e810ab0e44b390c33fc2134ad591e3d0211f9a061c487ec8587ce62a1da
Instruction Fuzzy Hash: 0B90022120194442D140725D4808B0F814997E1602F95C01DA4596554CC91689555722

Function 019B39B0 Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.1952342139.0000000001940000.00000040.00001000.00020000.00000000.sdmp, Offset: 01940000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_1940000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 86f97ccc2b8f0fab780f84bf241b82684d0382e326d4f8ae748c73e76a9035a8
Instruction ID: 0d14b9435936b1e97b15bb1cdb07e5db07831db8a9f435c408638d7538927bc4
Opcode Fuzzy Hash: 86f97ccc2b8f0fab780f84bf241b82684d0382e326d4f8ae748c73e76a9035a8
Instruction Fuzzy Hash: 1190022124555102D150715D44086168049B7E0601F55C025A0C54594DC55689556322

Function 019B3D10 Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.1952342139.0000000001940000.00000040.00001000.00020000.00000000.sdmp, Offset: 01940000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_1940000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 581f3d87adb1bccc7dc15c554ce112fe37a42a28843f6d7445e5a9679152de31
Instruction ID: f61ba5d5df7345d75d988f3db3e67b27b05d1fd36ca11f7b83232ac5200ecc44
Opcode Fuzzy Hash: 581f3d87adb1bccc7dc15c554ce112fe37a42a28843f6d7445e5a9679152de31
Instruction Fuzzy Hash: 62900231202501429540725D5808A4E814997E1702B95D419A0455554CC91589615322

Function 019B3D70 Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.1952342139.0000000001940000.00000040.00001000.00020000.00000000.sdmp, Offset: 01940000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_1940000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e3ad107431d60190d90fe374c7b208249416d3c258eec172dd5a7950c8d34566
Instruction ID: 8d5a6551488fb8bb7b478629a99d9afd1db26b332399cb472decbd0f5394846c
Opcode Fuzzy Hash: e3ad107431d60190d90fe374c7b208249416d3c258eec172dd5a7950c8d34566
Instruction Fuzzy Hash: 7090023520150402D510715D5808646408A97D0701F55D415A0864558DC65589A1A222

Function 019B2C00 Relevance: .0, Instructions: 2COMMONLIBRARYCODE

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.1952342139.0000000001940000.00000040.00001000.00020000.00000000.sdmp, Offset: 01940000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_1940000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a3d3d3c0123cddb368cc51eab9da9c3aaeeac76cd7bbfae310620ba6f7f49b43
Instruction ID: ba91332b74d1f97dde10c0f07bffbb558f37e935c96f2dcc56638f93796da4b6
Opcode Fuzzy Hash: a3d3d3c0123cddb368cc51eab9da9c3aaeeac76cd7bbfae310620ba6f7f49b43
Instruction Fuzzy Hash:

Function 019B2890 Relevance: 17.7, APIs: 6, Strings: 4, Instructions: 190COMMON

Download Yara Rule

APIs

___swprintf_l.LIBCMT ref: 019B293C
___swprintf_l.LIBCMT ref: 019B295E
___swprintf_l.LIBCMT ref: 019B29A3
___swprintf_l.LIBCMT ref: 019EA52E

Strings

::%hs%u.%u.%u.%u, xrefs: 019EA527
ffff:, xrefs: 019EA504
:%u.%u.%u.%u, xrefs: 019EA5B8
::ffff:0:%u.%u.%u.%u, xrefs: 019EA54E

Memory Dump Source

Source File: 00000003.00000002.1952342139.0000000001940000.00000040.00001000.00020000.00000000.sdmp, Offset: 01940000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_1940000_RegSvcs.jbxd

Similarity

API ID: ___swprintf_l
String ID: :%u.%u.%u.%u$::%hs%u.%u.%u.%u$::ffff:0:%u.%u.%u.%u$ffff:
API String ID: 48624451-2108815105
Opcode ID: 7ef88d8d6328fc688e4a770af82d33ab95da7d84fa7524523eb96adf0baf012a
Instruction ID: a9bac4bc08cc7551c0ecca4c0a9a6ebfe81ad3a0913de66d1efb24fdce823949
Opcode Fuzzy Hash: 7ef88d8d6328fc688e4a770af82d33ab95da7d84fa7524523eb96adf0baf012a
Instruction Fuzzy Hash: 1351D4B5A00116BBDB21DB9CCAD09BEFBB8FB48641B148529E4ADD7641D734EE0087E1

Function 01A22410 Relevance: 17.7, APIs: 6, Strings: 4, Instructions: 189COMMON

Download Yara Rule

APIs

___swprintf_l.LIBCMT ref: 01A224A6
___swprintf_l.LIBCMT ref: 01A224E2
___swprintf_l.LIBCMT ref: 01A2257D
___swprintf_l.LIBCMT ref: 01A225A3
___swprintf_l.LIBCMT ref: 01A225C8
___swprintf_l.LIBCMT ref: 01A22608

Strings

::%hs%u.%u.%u.%u, xrefs: 01A2249E
ffff:, xrefs: 01A2247D, 01A2249D
:%u.%u.%u.%u, xrefs: 01A225FF
::ffff:0:%u.%u.%u.%u, xrefs: 01A224DA

Memory Dump Source

Source File: 00000003.00000002.1952342139.0000000001940000.00000040.00001000.00020000.00000000.sdmp, Offset: 01940000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_1940000_RegSvcs.jbxd

Similarity

API ID: ___swprintf_l
String ID: :%u.%u.%u.%u$::%hs%u.%u.%u.%u$::ffff:0:%u.%u.%u.%u$ffff:
API String ID: 48624451-2108815105
Opcode ID: ddf53cff7231ebc48ac3fc01d69af6fe1c76a5cc126bd97efbeb5b28538927c3
Instruction ID: d7d89232a8899b60d3574827bb0db0c1c407012d94a2ff7ba386bb13eb753e45
Opcode Fuzzy Hash: ddf53cff7231ebc48ac3fc01d69af6fe1c76a5cc126bd97efbeb5b28538927c3
Instruction Fuzzy Hash: FC51F675A00665AFDB31DFADC890A7EB7F8EF44200B04C46AE4DAC7642D674DA40C760

Function 019A7630 Relevance: 14.2, APIs: 1, Strings: 7, Instructions: 194COMMON

Download Yara Rule

Strings

CLIENT(ntdll): Found ExecuteOptions = %ws for %wZ in application compatibility database, xrefs: 019E46FC
CLIENT(ntdll): Found CheckAppHelp = %d for %wZ in ImageFileExecutionOptions, xrefs: 019E4655
CLIENT(ntdll): Found Execute=1, turning off execution protection for the process because of %wZ, xrefs: 019E4725
ExecuteOptions, xrefs: 019E46A0
CLIENT(ntdll): Processing %ws for patching section protection for %wZ, xrefs: 019E4742
Execute=1, xrefs: 019E4713
CLIENT(ntdll): Processing section info %ws..., xrefs: 019E4787

Memory Dump Source

Source File: 00000003.00000002.1952342139.0000000001940000.00000040.00001000.00020000.00000000.sdmp, Offset: 01940000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_1940000_RegSvcs.jbxd

Similarity

API ID:
String ID: CLIENT(ntdll): Found CheckAppHelp = %d for %wZ in ImageFileExecutionOptions$CLIENT(ntdll): Found Execute=1, turning off execution protection for the process because of %wZ$CLIENT(ntdll): Found ExecuteOptions = %ws for %wZ in application compatibility database$CLIENT(ntdll): Processing %ws for patching section protection for %wZ$CLIENT(ntdll): Processing section info %ws...$Execute=1$ExecuteOptions
API String ID: 0-484625025
Opcode ID: 15ebf0b951b98adc4a295015faf5c56babd1ae06721363278058184ca2a3503d
Instruction ID: 9c9f8979c8e7ade625de5133dc3bacd1041f096cecc01bb2e61c6e184ae0fed5
Opcode Fuzzy Hash: 15ebf0b951b98adc4a295015faf5c56babd1ae06721363278058184ca2a3503d
Instruction Fuzzy Hash: AC513A31A002097AEF25EBE8DC86FE977B8AF54304F4400A9D60DA7191D7729A498F91

Function 01A46940 Relevance: 9.4, APIs: 6, Instructions: 416COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.1952342139.0000000001940000.00000040.00001000.00020000.00000000.sdmp, Offset: 01940000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_1940000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d8848935565deeecae3b40dc4d36252ac36c0d5f22eb4f09df1253b8d6557a4c
Instruction ID: c17e67e4197ce1f6de5a672161e0bc4d4ebe8f77d883b965947ae16beca3a752
Opcode Fuzzy Hash: d8848935565deeecae3b40dc4d36252ac36c0d5f22eb4f09df1253b8d6557a4c
Instruction Fuzzy Hash: E0021571508382AFD315CF68C990A6BBBF5EFC9700F04892DF9898B264DB71E945CB52

Function 019BB5EC Relevance: 9.0, APIs: 1, Strings: 4, Instructions: 238COMMON

Download Yara Rule

APIs

__aulldvrm.LIBCMT ref: 019BB6BF

Strings

-, xrefs: 019BB650
0, xrefs: 019BB695
+, xrefs: 019BB65A
0, xrefs: 019BB66F

Memory Dump Source

Source File: 00000003.00000002.1952342139.0000000001940000.00000040.00001000.00020000.00000000.sdmp, Offset: 01940000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_1940000_RegSvcs.jbxd

Similarity

API ID: __aulldvrm
String ID: +$-$0$0
API String ID: 1302938615-699404926
Opcode ID: 67cbaaaa089a52c9565608c335445b38513441175a6f8a80d34fd58ab3f25221
Instruction ID: 700c65215880cbaf4961815436c19e070f2e83388135442424ba0706eebbe889
Opcode Fuzzy Hash: 67cbaaaa089a52c9565608c335445b38513441175a6f8a80d34fd58ab3f25221
Instruction Fuzzy Hash: DE81F370E012499EEF25CE6CCAD0BFEBBB5AF45321F18451AD85BA76C1C7308840CB51

Function 01A220E0 Relevance: 8.8, APIs: 2, Strings: 3, Instructions: 84COMMON

Download Yara Rule

APIs

___swprintf_l.LIBCMT ref: 01A2214F
___swprintf_l.LIBCMT ref: 01A22172

Strings

]:%u, xrefs: 01A22169
[, xrefs: 01A2212B
%%%u, xrefs: 01A22146

Memory Dump Source

Source File: 00000003.00000002.1952342139.0000000001940000.00000040.00001000.00020000.00000000.sdmp, Offset: 01940000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_1940000_RegSvcs.jbxd

Similarity

API ID: ___swprintf_l
String ID: %%%u$[$]:%u
API String ID: 48624451-2819853543
Opcode ID: f941e30fa4c6f4049c45dcb448eea0c379e94e0bb58c9889a3351d64555f7638
Instruction ID: 59f996443fb48328ff6a299de756a91f59b46eca36d03563ad46099e3c2316ed
Opcode Fuzzy Hash: f941e30fa4c6f4049c45dcb448eea0c379e94e0bb58c9889a3351d64555f7638
Instruction Fuzzy Hash: 1521357AE00229ABDB11DF7DDD40EEE7BF8EF54654F54011AE949D3201E730DA018BA1

Function 0199F5B0 Relevance: 7.4, APIs: 1, Strings: 3, Instructions: 382COMMON

Download Yara Rule

Strings

RTL: Enter CriticalSection Timeout (%I64u secs) %d, xrefs: 019E02BD
RTL: Re-Waiting, xrefs: 019E031E
RTL: Pid.Tid %p.%p, owner tid %p Critical Section %p - ContentionCount == %u, xrefs: 019E02E7

Memory Dump Source

Source File: 00000003.00000002.1952342139.0000000001940000.00000040.00001000.00020000.00000000.sdmp, Offset: 01940000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_1940000_RegSvcs.jbxd

Similarity

API ID:
String ID: RTL: Enter CriticalSection Timeout (%I64u secs) %d$RTL: Pid.Tid %p.%p, owner tid %p Critical Section %p - ContentionCount == %u$RTL: Re-Waiting
API String ID: 0-2474120054
Opcode ID: 435787ab41d36f3f36cd563f9e3ba1d0e26cf47a8b9262dd49124c303e3a2659
Instruction ID: cf9cd34de0daaae21a846712cfb4abd5fa093fac802e933c475f8ae22c1e7873
Opcode Fuzzy Hash: 435787ab41d36f3f36cd563f9e3ba1d0e26cf47a8b9262dd49124c303e3a2659
Instruction Fuzzy Hash: BAE1AE316047419FDB26CF2CC888B6ABBE4BB84314F180A6DF5A9CB2E1D774D945CB52

Function 019ABED0 Relevance: 7.1, APIs: 1, Strings: 3, Instructions: 129COMMON

Download Yara Rule

Strings

RTL: Acquire Exclusive Sem Timeout %d (%I64u secs), xrefs: 019E7B7F
RTL: Re-Waiting, xrefs: 019E7BAC
RTL: Resource at %p, xrefs: 019E7B8E

Memory Dump Source

Source File: 00000003.00000002.1952342139.0000000001940000.00000040.00001000.00020000.00000000.sdmp, Offset: 01940000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_1940000_RegSvcs.jbxd

Similarity

API ID:
String ID: RTL: Acquire Exclusive Sem Timeout %d (%I64u secs)$RTL: Re-Waiting$RTL: Resource at %p
API String ID: 0-871070163
Opcode ID: 7d55766b14266714b13f6fd27873e61b2ced18ecb2e9aff168f187c2986ac599
Instruction ID: 17ff16928071887a22fa3f8212535fc8c6ce908f4d282293180c3d6fb5c0bc48
Opcode Fuzzy Hash: 7d55766b14266714b13f6fd27873e61b2ced18ecb2e9aff168f187c2986ac599
Instruction Fuzzy Hash: 8B41E3353007029FDB25DE29C840B6AB7E9EF98711F540A1DEA5E97680DB31E8098BD1

Function 019AB4C0 Relevance: 7.1, APIs: 1, Strings: 3, Instructions: 121COMMON

Download Yara Rule

APIs

__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 019E728C

Strings

RTL: Re-Waiting, xrefs: 019E72C1
RTL: Resource at %p, xrefs: 019E72A3
RTL: Acquire Shared Sem Timeout %d(%I64u secs), xrefs: 019E7294

Memory Dump Source

Source File: 00000003.00000002.1952342139.0000000001940000.00000040.00001000.00020000.00000000.sdmp, Offset: 01940000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_1940000_RegSvcs.jbxd

Similarity

API ID: Unothrow_t@std@@@__ehfuncinfo$??2@
String ID: RTL: Acquire Shared Sem Timeout %d(%I64u secs)$RTL: Re-Waiting$RTL: Resource at %p
API String ID: 885266447-605551621
Opcode ID: a09d4f90b644f61b41404ca1899d8a98875fd57cb25fc6d2356a6b90f686aa70
Instruction ID: 978789d139f9e707431070dbcf2fdb57cc5946bd1f0d63b09ba0f0d5f2833b52
Opcode Fuzzy Hash: a09d4f90b644f61b41404ca1899d8a98875fd57cb25fc6d2356a6b90f686aa70
Instruction Fuzzy Hash: 8241D231700206ABD726DE69CC41F66BBE5FB94B11F100A19F95EAB340DB21F846C7D2

Function 01A22300 Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 90COMMON

Download Yara Rule

APIs

___swprintf_l.LIBCMT ref: 01A2238D
___swprintf_l.LIBCMT ref: 01A223B3

Strings

]:%u, xrefs: 01A223AA
%%%u, xrefs: 01A22384

Memory Dump Source

Source File: 00000003.00000002.1952342139.0000000001940000.00000040.00001000.00020000.00000000.sdmp, Offset: 01940000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_1940000_RegSvcs.jbxd

Similarity

API ID: ___swprintf_l
String ID: %%%u$]:%u
API String ID: 48624451-3050659472
Opcode ID: b87ea2eb72fe7dcbcb0d03745de956c769ec1094570c5a0e32295ed336f59181
Instruction ID: d4ed2748c86276862b4f9e66cadaca1f6cc480807d6ee2e70180a51e8d7bacdc
Opcode Fuzzy Hash: b87ea2eb72fe7dcbcb0d03745de956c769ec1094570c5a0e32295ed336f59181
Instruction Fuzzy Hash: 58317576A002299FDB20DF2DCD40BEEB7F8EF54610F44455AE949E3240EB30AA459FA1

Function 019B7D61 Relevance: 5.5, APIs: 1, Strings: 2, Instructions: 284COMMON

Download Yara Rule

APIs

__aulldvrm.LIBCMT ref: 019B7E8B

Strings

+, xrefs: 019B7DE8
-, xrefs: 019B7DDD

Memory Dump Source

Source File: 00000003.00000002.1952342139.0000000001940000.00000040.00001000.00020000.00000000.sdmp, Offset: 01940000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_1940000_RegSvcs.jbxd

Similarity

API ID: __aulldvrm
String ID: +$-
API String ID: 1302938615-2137968064
Opcode ID: 99ca5d320493ee8ecfac6479c2384e7848b43d072adb6e2058c73728248a7f31
Instruction ID: 05d92f948f515153ca9c073e16b7125e19b4a737b37c554af87163f2da5e3de7
Opcode Fuzzy Hash: 99ca5d320493ee8ecfac6479c2384e7848b43d072adb6e2058c73728248a7f31
Instruction Fuzzy Hash: 4191A571E002069ADB28DFADCAC0AFEBBA9AFC4761F14471AE95DE72D0D73099408715

Function 01979126 Relevance: 5.4, APIs: 1, Strings: 2, Instructions: 199COMMON

Download Yara Rule

Strings

@, xrefs: 01979175
$, xrefs: 01979191

Memory Dump Source

Source File: 00000003.00000002.1952342139.0000000001940000.00000040.00001000.00020000.00000000.sdmp, Offset: 01940000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_1940000_RegSvcs.jbxd

Similarity

API ID:
String ID: $$@
API String ID: 0-1194432280
Opcode ID: 84f61255a1f771d228ab551c3a74790650703a3c227fefc7d6149673319262ba
Instruction ID: 75535cb34ecba7f4dc80e0259bd9ec57fe6e982ca89cffd667b6d93ba90f6da6
Opcode Fuzzy Hash: 84f61255a1f771d228ab551c3a74790650703a3c227fefc7d6149673319262ba
Instruction Fuzzy Hash: 6E810A75D002699BDB35DB54CC45BEAB6B8BF48714F0041EAEA1DB7250E7309E85CFA0

Description:	Adversaries may execute their own malicious payloads by side-loading DLLs. Similar to DLL Search Order Hijacking , side-loading involves hijacking which DLL a program loads. But rather than just planting the DLL within the search order of a program then waiting for the victim application to be invoked, adversaries may directly side-load their payloads by planting then invoking a legitimate application that executes their payload(s).
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	File: File Creation, File: File Modification, Module: Module Load, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	File: File Metadata, File: File Modification, Module: Module Load, Process: OS API Execution, Process: Process Access, Process: Process Metadata, Process: Process Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Metadata, File: File Modification, Image: Image Metadata, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, Scheduled Job: Scheduled Job Metadata, Scheduled Job: Scheduled Job Modification, Service: Service Creation, Service: Service Metadata
Platforms:	Containers, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify and/or disable security tools to avoid possible detection of their malware/tools and activities. This may take many forms, such as killing security software processes or services, modifying / deleting Registry keys or configuration files so that tools do not operate properly, or other methods to interfere with security tools scanning or reporting information. Adversaries may also disable updates to prevent the latest security patches from reaching tools on victim systems.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, Driver: Driver Load, Process: Process Creation, Process: Process Termination, Sensor Health: Host Status, Service: Service Metadata, Windows Registry: Windows Registry Key Deletion, Windows Registry: Windows Registry Key Modification
Platforms:	Containers, IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use Obfuscated Files or Information to hide artifacts of an intrusion from analysis. They may require separate mechanisms to decode or deobfuscate that information depending on how they intend to use it. Methods for doing that include built-in functionality of malware or by using utilities present on the system.
Tactics:	Defense Evasion
Data Sources:	File: File Modification, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Creation, File: File Metadata, Module: Module Load, Process: OS API Execution, Process: Process Creation, Script: Script Execution, WMI: WMI Creation, Windows Registry: Windows Registry Key Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may perform software packing or virtual machine software protection to conceal their code. Software packing is a method of compressing or encrypting an executable. Packing an executable changes the file signature in an attempt to avoid signature-based detection. Most decompression techniques decompress the executable code in memory. Virtual machine software protection translates an executable's original code into a special format that only a special virtual machine can run. A virtual machine is then called to run this code.
Tactics:	Defense Evasion
Data Sources:	File: File Metadata
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Firewall: Firewall Enumeration, Firewall: Firewall Metadata, Process: OS API Execution, Process: Process Creation
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from File and Directory Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Creation, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report SecuriteInfo.com.W32.Trojan.SW.gen.Eldorado.19987.15855.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Threat Intel

Malware Configuration

Yara Signatures

Memory Dumps

Unpacked PEs

Sigma Signatures

System Summary

Snort Signatures

Suricata Signatures

Joe Sandbox Signatures

AV Detection

Compliance

Software Vulnerabilities

Networking

E-Banking Fraud

System Summary

Data Obfuscation

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Stealing of Sensitive Information

Remote Access Functionality

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

URLs from Memory and Binaries

World Map of Contacted IPs

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\SecuriteInfo.com.W32.Trojan.SW.gen.Eldorado.19987.15855.exe.log

C:\Users\user\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_1wco4vy5.omd.ps1

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_rtvw3g1f.4rr.psm1

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_ryfqyz2j.vz3.psm1

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_wxmv10ti.b1j.ps1

Static File Info

General

File Icon

Static PE Info

General

Entrypoint Preview

Data Directories

Sections

Resources

Imports

Network Behavior

Windows Analysis Report
SecuriteInfo.com.W32.Trojan.SW.gen.Eldorado.19987.15855.exe

Function 07E7596F Relevance: 1.7, APIs: 1, Instructions: 244
processCOMMON

Function 07E75970 Relevance: 1.7, APIs: 1, Instructions: 243
processCOMMON

Function 019F4DC8 Relevance: 1.6, APIs: 1, Instructions: 96
COMMON